AEMaaCS and Audit Log | Community
Skip to main content
D
dmerchang
New Member
April 17, 2025

AEMaaCS and Audit Log

  • April 17, 2025
  • 1 reply
  • 691 views

Hello AEM community,

 

We are looking for compliance and monitoring in our security team with our AEMaaCS solution.

I have some questions about the Audit Log and best practices on externalising it as "surprisingly for us" this is JCR nodes instead of a log file.

 

  • I have found the Audit Log just logs Assets, Replication, Pages events... however it lacks users permissions or ACLs changes or basically any User Management events. Where this information is Audit? I know there are some logs which may contain this information. If anyone has a listing on which specific logs to enable in INFO or DEBUG mode are recommended for auditing will be great.

  • Anyone can share any experience on externalising the Audit Log? Best practices on how to take this out to an external system.

  • Maintenance Tasks. I have seen that Adobe is changing the strategy of 7 years of keeping Audit Log to 7 days and purging. I suppose is because performance issues in the JCR due to the amount of content that can be generated. Can anyone share if keeping 3 years of data can make the system unstable? Any recommendation?

I have read multiple articles online already, this means I am looking for personal experiences.


Regards.

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

1 reply

-
Adobe Employee
---achimAdobe Employee
Adobe Employee
April 17, 2025

just to widen the discussion… not to give a definitive answer: Access auditing has three facets:

 

  • User management: Provision / decommission accounts 
  • Group assignments: Add users to groups
  • Access control: Add ACLs to groups

User and group management is done typically in external, centralized  IDPs in larger orgs. Thus, the audit trail would be found there.

 

Personally, I stopped using the AEM UI to manage ACLs years ago… I instead use the actool from netcentric.  This captures the rules in Yaml files. The Yaml files are stored and deployed via Git - and that’s where the audit trail is. That’s not 100% perfect. An admin could still add ACEs in the UI.. and “ad-hoc” access control via page properties is not covered. I usually reduce the number of admins to mitigate the former… and limit access to the permission tab in the page props for the latter. 

Auditability is just a side effect though. Main reason , why I use the tool is to be able to test on lower envs and to have all ACLs in one place.

 

 

    D
    dmerchangAuthor
    New Member
    April 17, 2025

    Hello and thanks for the experience shared.

     

    I understand that the best solution would be the usage of an external federated IdP and take it from there. However, currently our customer is not ready for that and it is scheduled for later in the roadmap to Federate all the users. Unfortunately, we have to survive with the Adobe ID users in the Adobe Admin Console for a period of time.

     

    Our current setup is that Adobe IMS User Groups are mapped to particular permissions already pre-setup according to our permission matrix in AEM. So, users are just added or removed from Adobe IMS User Groups according to this.

    For this initial phase, we are struggling as the  Adobe Admin Console "looks to do not have" or I did not found how to extract the Audit Logs via API (rather than the console).

     

    In the case of AEM, we are already externalising the logs to Splunk, but this is just for incident management. We received the question about the AEM audit logs about keeping for multiple years what people performed to what within AEM. In this case the Audit Log of AEM is the responsible of recording and tracking this.


    We were thinking on externalising this as well, but the question I had is that I wanted to understand a bit better the AEM Audit Log which is stored in JCR nodes under /var/audit.

    In addition, I saw some blog posts which recommends some traces of logs to be in INFO for having better traceability in terms of user management or if any policy changes within AEM itself.

     

    About https://github.com/Netcentric/accesscontroltool I will check with my AEM team as I am more involved in infrastructure or security things right now rather than AEM itself. I will check if they use / used or if this tool can be good for us. Thanks a lot for sharing it

    Terms & ConditionsAccessibility statement

    Loading footer...