Zecura AuditHawk®
The Problem
Your application server generates thousands or millions of audit log events per day. There are far too many log files to track manually. There are too many opportunities for integrity compromise. For example:
- How would you know if one event in a log was modified?
- How about if an event was removed?
- Finally, would you even notice if an entire log file disappeared?
These are tough questions, and the fact that they are hard to answer should not reflect poorly on your system administrators or auditors. The job is simply too hard without tools that can answer them definitively. Fortunately, AuditHawk has the answer.
AuditHawk Overview
AuditHawk is the secure audit logging solution for WebLogic Application Server 9 and above. It can tell you whether an event has been added, modified, or removed, and it can alert you to missing log files. In short, AuditHawk makes any change to a log file evident. It also maintains a set of "checks and balances" that record the correct state of the system at any given time.
AuditHawk functions as a WebLogic security provider and snaps into the server quickly and easily. Users interact normally with secure applications which leverage the security framework for granting or denying access. This process creates audit events which AuditHawk intercepts and securely writes to a log file.
The following figure shows where AuditHawk fits in a WebLogic deployment:
You can be up and running with AuditHawk in a matter of minutes. More importantly, you won't have to pay for a professional services engineer to install it for you.
Features
AuditHawk has the following features:
- Tamper-evident security event logs
- Meticulously tracked log metadata
- Tamper-evident metadata
- Configuration via WebLogic Console or JMX
- Non-proprietary log format
- Log file verification
- Integration with log analysis and collection tools
Tamper-Evident Security Event Logs
WebLogic ships with a default audit provider which you can use if your environment does not require security event integrity. Going without that integrity is risky, but at least the events are logged.
Luckily, AuditHawk is a drop-in replacement for the default audit provider. AuditHawk links each event to the previous event and then digitally signs it using a standard signature algorithm. This technique allows the following scenarios to be detected:
- An event is modified
- An event is removed
- An event is added
These problems and others are detected when you run the log file verification tool, which you can do at any time and as often as you like. Early detection makes it easier to find the culprit while the trail is still fresh.
Meticulously Tracked Log Metadata
AuditHawk uses metadata to keep track of system state and to provide an extra cross-check on the contents of log files. Each log file has an associated metadata file describing it. Here's what you can see at a glance concerning your log files:
- Start and stop times
- Number of events
- Roll status (e.g., Active or Rolled)
- And many more details...
While this data is useful for humans, it's also used by AuditHawk as a sanity check against the contents of log files. Zecura will leverage this powerful metadata even more in future releases.
Tamper-Evident Metadata
If you read the previous section on AuditHawk's use of metadata, you probably quickly realized that the integrity of the metadata is as critical as the log files. You're right, of course. That's why we also digitally sign the metadata and detect any discrepancies via the log file verifier.
Configuration via WebLogic Console or JMX
AuditHawk is implemented as an audit provider which plugs into the WebLogic security framework. As such, it is configured in the same way as any other security provider, via any of the following:
- The WebLogic Administration console
- The WebLogic Scripting Tool (WLST)
- Programmatic JMX calls
Non-Proprietary Log Format
Events are logged as XML data with an easily readable structure. While the logs can be read by a human or searched with grep as usual, their structure also allows processing by standard XML technologies. For example, you can use XSLT or XPath to transform or query your logs. Imagine querying your logs with the SQL-like richness of XQuery!
We worked hard to strike a balance between human readability and machine friendly structure to make the logs approachable by humans while allowing easy manipulation with your choice of XML technologies. We hope you'll see the potential of your logs in a whole new light. But perhaps the most important aspect of our open log format is this: Your precious security event data is never held hostage by AuditHawk.
Log File Verification
Tamper-evident logs are useless without a way to tell whether they were modified. AuditHawk's Log File Verifier is a command line tool for checking log file and metadata integrity. It can process one log file or an entire log file directory and report what, if anything, is wrong with the data.
Because it works from the command line, you can automate the Log File Verifier with a script or cron job.
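The following is an added illustration of the technique described in the Tamper-Evident Security Event Logs section and checked by the Log File Verifier: each event is linked to the previous one by a hash and digitally signed, and a signed metadata record (event count plus final hash) provides the cross-check described under Meticulously Tracked Log Metadata. This is example code written for this page, not Zecura's or AuditHawk's implementation. It assumes SHA-256 for the links and Ed25519 for the signature (the page only says "a standard signature algorithm"), uses a simple in-memory record layout rather than AuditHawk's XML format, and runs over three constructed sample events.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one audit event plus its chaining and signing fields (illustrative layout, not AuditHawk's XML).
type Record struct {
	Event    string // audit event text (constructed sample data)
	PrevHash string // hex SHA-256 of the previous record, "" for the first
	Hash     string // hex SHA-256 over Event and PrevHash
	Sig      []byte // Ed25519 signature over Hash
}

// Metadata stands in for the per-log metadata file: event count and final hash, signed.
type Metadata struct {
	Count    int
	LastHash string
	Sig      []byte
}

func recordDigest(event, prev string) string {
	h := sha256.Sum256([]byte(event + "\n" + prev))
	return hex.EncodeToString(h[:])
}
func metaBytes(count int, last string) []byte { return []byte(fmt.Sprintf("%d\n%s", count, last)) }
func lastHash(chain []Record) string {
	if len(chain) == 0 {
		return ""
	}
	return chain[len(chain)-1].Hash
}

// Append links a new event to the previous record's hash and signs it.
func Append(chain []Record, priv ed25519.PrivateKey, event string) []Record {
	prev := lastHash(chain)
	digest := recordDigest(event, prev)
	return append(chain, Record{Event: event, PrevHash: prev, Hash: digest,
		Sig: ed25519.Sign(priv, []byte(digest))})
}

// SignMetadata signs the current event count and final hash.
func SignMetadata(chain []Record, priv ed25519.PrivateKey) Metadata {
	n, last := len(chain), lastHash(chain)
	return Metadata{Count: n, LastHash: last, Sig: ed25519.Sign(priv, metaBytes(n, last))}
}

// Verify plays the role of the log file verifier: links, digests and signatures first, then the metadata cross-check.
func Verify(chain []Record, meta Metadata, pub ed25519.PublicKey) error {
	prev := ""
	for i, r := range chain {
		if r.PrevHash != prev {
			return fmt.Errorf("record %d: chain broken (event removed or inserted)", i+1)
		}
		if recordDigest(r.Event, r.PrevHash) != r.Hash {
			return fmt.Errorf("record %d: content modified", i+1)
		}
		if !ed25519.Verify(pub, []byte(r.Hash), r.Sig) {
			return fmt.Errorf("record %d: bad signature", i+1)
		}
		prev = r.Hash
	}
	if !ed25519.Verify(pub, metaBytes(meta.Count, meta.LastHash), meta.Sig) {
		return fmt.Errorf("metadata: bad signature")
	}
	if meta.Count != len(chain) || meta.LastHash != prev {
		return fmt.Errorf("metadata mismatch: signed count %d, log has %d", meta.Count, len(chain))
	}
	return nil
}

// TamperScenarios builds a three-event log from constructed events and returns the verdict per tampering ("<nil>" = intact).
func TamperScenarios() map[string]string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	var chain []Record
	for _, e := range []string{"AUTH alice OK", "AUTHZ alice /admin DENY", "AUTH mallory FAIL"} {
		chain = Append(chain, priv, e)
	}
	meta := SignMetadata(chain, priv)
	verdict := func(c []Record) string { return fmt.Sprintf("%v", Verify(c, meta, pub)) }
	modified := append([]Record(nil), chain...)
	modified[1].Event = "AUTHZ alice /admin ALLOW" // flip a denial to an allow
	// Forged insert: the attacker can fix up PrevHash and Hash but cannot sign.
	fake := Record{Event: "AUTHZ mallory /admin ALLOW", PrevHash: chain[0].Hash}
	fake.Hash = recordDigest(fake.Event, fake.PrevHash)
	return map[string]string{
		"intact":    verdict(chain),
		"modified":  verdict(modified),
		"removed":   verdict([]Record{chain[0], chain[2]}),
		"inserted":  verdict([]Record{chain[0], fake, chain[1], chain[2]}),
		"truncated": verdict(chain[:2]), // the chain alone passes; the signed metadata catches it
	}
}

func main() { fmt.Println(TamperScenarios()) }
```

Two points worth noting from the scenarios. A hash chain by itself cannot detect that the newest events were cut off the end of a log, because the remaining chain is still internally consistent; that is exactly the gap the signed count and final hash in the metadata close, which is why the metadata must be signed as well. And the evidence is only as strong as the signing key: anyone holding the private key can re-sign a rewritten log, so it belongs on the server, not alongside the logs, while the verifier needs only the public key.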
Integration with Log Analysis and Collection Tools
AuditHawk logs can be a source for the log analysis and collection tools you use in your enterprise today. Thanks to its open format, AuditHawk logs can easily be processed and scrutinized like any other log source under your watchful eye.
Performance
Roadmap
Zecura has big plans for AuditHawk and intends to rapidly add features. Sign up for email notifications or subscribe to the blog to keep up with the latest developments.
We'd love for you to sign up for the beta program and see how AuditHawk can work for you. Please contact us with any questions or suggestions you have.
Thank you for considering AuditHawk for your secure audit logging needs.