T44.1: Implements Audit Log

InterSystems IRIS provides comprehensive auditing capabilities that allow administrators to track system and user activities. Auditing is controlled through the Management Portal's Auditing page, accessible via System Administration > Security > Auditing. The system organizes audit events into categories based on their source, primarily %System (core system events) and %Ensemble (integration events).

Administrators can enable or disable auditing at multiple levels: globally for all events, by source category, or for individual event types. This granular control allows organizations to focus auditing efforts on security-critical events while minimizing performance impact and storage requirements. When you enable or disable an event, the change takes effect immediately without requiring a system restart.

Key system audit events include:

• Login/Logout: Tracks authentication attempts and session termination
• Protect: Records changes to security settings and protected resources
• DirectMode: Monitors direct system access and programmer mode usage
• UserChange: Logs modifications to user accounts and credentials
• ConfigChange: Tracks configuration changes to system settings

The audit database (IRISAUDIT) stores all audit records, and proper configuration ensures that security-relevant activities are captured for compliance, forensic analysis, and security monitoring purposes.

The IRISAUDIT database serves as the central repository for all audit events in InterSystems IRIS. This dedicated database ensures that audit data remains separate from application data and can be protected with appropriate access controls. The Management Portal provides a user-friendly interface for viewing and analyzing audit records through the View Audit Database page.

When reviewing audit logs, administrators can apply various filters to narrow down the records of interest. Common search criteria include:

• Date and time ranges to focus on specific periods
• Event types to track particular categories of activity
• Usernames to investigate actions by specific users
• Event sources to distinguish between system and application events
• Success or failure status to identify security incidents

Each audit record provides comprehensive details about the audited event. The Elements of an Audit Event include:

• EventType: The category of event (e.g., Login, Protect, UserChange)
• EventData: Specific details about what occurred
• EventSource: The source code or component that generated the event
• Username: The user account associated with the event
• Roles: The roles active at the time of the event
• ClientIPAddress: The network address of the client
• SystemIPAddress: The IP address of the IRIS instance
• UTCTimeStamp: The precise time the event occurred in UTC

For advanced analysis, administrators can use SQL queries directly against the audit database tables. This enables complex reporting, trend analysis, and integration with security information and event management (SIEM) systems.

Effective security monitoring requires not just collecting audit data, but analyzing it to understand the root causes of events and identify potential security issues. Each audit record in InterSystems IRIS contains multiple fields designed to help administrators perform root cause analysis.

The EventData field is particularly valuable as it contains event-specific information that explains what actually occurred. For example:

• For Login events, EventData shows whether authentication succeeded or failed and the authentication method used
• For Protect events, it identifies which resource or security setting was modified
• For UserChange events, it details what aspects of the user account were altered
• For ConfigChange events, it records which configuration parameters were modified

The EventSource field helps identify where in the system the event originated. This might be a specific class, routine, or system component. Understanding the source helps determine whether the event was triggered by legitimate administrative activity, application behavior, or potentially unauthorized access.

Root cause analysis often requires examining multiple related audit records to establish a timeline and pattern. For instance, a series of failed login attempts from the same IP address followed by a successful login might indicate a brute-force attack. A UserChange event creating a new privileged account outside normal business hours could signal unauthorized activity.

Key security events that warrant investigation include:

• Multiple failed authentication attempts
• Privilege escalation or role assignment changes
• Access to sensitive resources outside normal patterns
• Configuration changes to security settings
• DirectMode access, especially from unexpected users or locations

By correlating audit data with system logs and understanding normal operational patterns, administrators can distinguish between routine activities and genuine security incidents requiring response.

The audit database grows continuously as InterSystems IRIS records events, making regular maintenance essential for system performance and storage management. The Management Portal provides several operations for audit database administration, accessible through System Administration > Security > Auditing.

Copy Audit Database: This operation allows administrators to duplicate audit records from the IRISAUDIT database to another namespace. The copy operation is useful for creating working copies of audit data for analysis without affecting the production audit database. You can specify date ranges to copy only relevant records, and the operation preserves all audit record details and relationships.

Export Audit Database: Exporting creates external files containing audit records, enabling long-term archival and compliance with data retention policies. InterSystems IRIS supports multiple export formats:

• XML format for platform-independent storage and easy parsing
• Custom formats for integration with external audit analysis tools
• The export operation can filter records by date range, event type, and other criteria

Exported audit files can be stored on secure external media, transferred to centralized log management systems, or retained for compliance purposes. Many organizations implement policies requiring audit data retention for specific periods (e.g., 7 years for financial data).

Purge Audit Database: The purge operation permanently removes audit records from the IRISAUDIT database based on specified criteria, typically date ranges. Purging is essential to prevent unbounded database growth, but must be performed carefully:

• Always export or copy data before purging if retention is required
• Verify that purge criteria match your organization's data retention policies
• Test purge operations on non-production systems first
• Document purge activities for compliance auditing

Maintenance Best Practices:

• Establish a regular maintenance schedule (weekly, monthly, or based on database size)
• Monitor IRISAUDIT database size and growth trends
• Automate export and purge operations where possible
• Maintain exported audit data in secure, backed-up locations
• Document your audit retention and maintenance policies
• Test restore procedures for exported audit data periodically

Proper audit database maintenance ensures that auditing remains effective without degrading system performance or exhausting storage resources.