
AEMaaCS and Audit Log


Level 1

Hello AEM community,


We are looking for compliance and monitoring in our security team with our AEMaaCS solution.

I have some questions about the Audit Log and best practices on externalising it, as, "surprisingly for us", it is stored in JCR nodes instead of a log file.


  • I have found that the Audit Log only logs Assets, Replication and Pages events... however it lacks user permission or ACL changes, or basically any User Management events. Where is this information audited? I know there are some logs which may contain this information. If anyone has a list of which specific logs are recommended to enable in INFO or DEBUG mode for auditing, that would be great.

  • Can anyone share any experience on externalising the Audit Log? Best practices on how to take this out to an external system.

  • Maintenance Tasks. I have seen that Adobe is changing the strategy of keeping the Audit Log for 7 years to 7 days and purging. I suppose this is because of performance issues in the JCR due to the amount of content that can be generated. Can anyone share whether keeping 3 years of data can make the system unstable? Any recommendation?

I have read multiple articles online already, so I am looking for personal experiences.


Regards.


2 Replies


Employee

Just to widen the discussion… not to give a definitive answer: access auditing has three facets:


  • User management: provision / decommission accounts
  • Group assignments: add users to groups
  • Access control: add ACLs to groups

User and group management is typically done in external, centralized IdPs in larger orgs. Thus, the audit trail would be found there.


Personally, I stopped using the AEM UI to manage ACLs years ago… I instead use the actool from Netcentric. This captures the rules in YAML files. The YAML files are stored and deployed via Git - and that’s where the audit trail is. That’s not 100% perfect. An admin could still add ACEs in the UI… and “ad-hoc” access control via page properties is not covered. I usually reduce the number of admins to mitigate the former… and limit access to the permissions tab in the page properties for the latter.

Auditability is just a side effect though. The main reason why I use the tool is to be able to test on lower envs and to have all ACLs in one place.


Level 1

Hello and thanks for the experience shared.


I understand that the best solution would be the usage of an external federated IdP and to take it from there. However, our customer is currently not ready for that and it is scheduled for later in the roadmap to federate all the users. Unfortunately, we have to survive with the Adobe ID users in the Adobe Admin Console for a period of time.


Our current setup is that Adobe IMS User Groups are mapped to particular permissions already set up in AEM according to our permission matrix. So, users are just added to or removed from Adobe IMS User Groups accordingly.

For this initial phase, we are struggling as the Adobe Admin Console "looks not to have" (or I did not find) a way to extract the Audit Logs via API (rather than the console).


In the case of AEM, we are already externalising the logs to Splunk, but this is just for incident management. We received the question about the AEM audit logs regarding keeping, for multiple years, a record of what people did to what within AEM. In this case the Audit Log of AEM is responsible for recording and tracking this.


We were thinking of externalising this as well, but the question I had is that I wanted to understand a bit better the AEM Audit Log, which is stored in JCR nodes under /var/audit.

In addition, I saw some blog posts which recommend setting some loggers to INFO for better traceability of user management or of any policy changes within AEM itself.


About https://github.com/Netcentric/accesscontroltool, I will check with my AEM team as I am more involved in infrastructure or security things right now rather than AEM itself. I will check if they use or have used it, or if this tool can be good for us. Thanks a lot for sharing it.
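As an added illustration (not code from any poster in this thread or from Adobe): the audit events discussed above live as cq:AuditEvent nodes under /var/audit, and one low-effort way to externalise them is to take a Sling JSON export of that tree and flatten every event into one JSON line for a log forwarder, keeping a high-water mark so repeated runs do not re-ship old events. The node layout, property names and date rendering below are assumptions built into a constructed sample, not verified against a live instance.

```python
import json
from datetime import datetime, timezone
# Constructed sample of a Sling JSON tree export of /var/audit (what a GET on /var/audit.infinity.json
# returns). Node layout, property names and date rendering are assumptions; verify on your instance.
SAMPLE_EXPORT = json.loads("""{
  "jcr:primaryType": "sling:Folder",
  "com.day.cq.wcm.core.page": {
    "jcr:primaryType": "sling:Folder",
    "content": {
      "jcr:primaryType": "sling:Folder",
      "evt-1": {"jcr:primaryType": "cq:AuditEvent", "cq:type": "PageModified",
                "cq:userid": "alice", "cq:path": "/content/example-site/en/home",
                "cq:category": "com.day.cq.wcm.core.page",
                "cq:time": "Wed Nov 15 2023 10:02:11 GMT+0000"},
      "evt-2": {"jcr:primaryType": "cq:AuditEvent", "cq:type": "PageCreated",
                "cq:userid": "bob", "cq:path": "/content/example-site/en/news",
                "cq:category": "com.day.cq.wcm.core.page",
                "cq:time": "Tue Nov 14 2023 08:30:00 GMT+0000"}
    }
  }
}""")

SLING_DATE = "%a %b %d %Y %H:%M:%S GMT%z"  # assumed rendering of JCR Date properties in the export

def iter_audit_events(node, path="/var/audit"):
    """Depth-first walk yielding (node_path, node) for every cq:AuditEvent in the export."""
    if node.get("jcr:primaryType") == "cq:AuditEvent":
        yield path, node
        return
    for name, child in node.items():
        if isinstance(child, dict):
            yield from iter_audit_events(child, f"{path}/{name}")

def to_record(node_path, node):
    """Flatten one audit node into a record with a UTC ISO-8601 timestamp."""
    when = datetime.strptime(node["cq:time"], SLING_DATE).astimezone(timezone.utc)
    return {"time": when.isoformat(), "user": node.get("cq:userid"), "type": node.get("cq:type"),
            "category": node.get("cq:category"), "target": node.get("cq:path"), "source": node_path}

def export_events(tree, since_iso=None):
    """Records sorted by time. since_iso (UTC ISO-8601 high-water mark) drops older events so a
    repeated run only ships new ones; string comparison is safe as every time is normalised to UTC."""
    records = [to_record(p, n) for p, n in iter_audit_events(tree)]
    if since_iso is not None:
        records = [r for r in records if r["time"] >= since_iso]
    return sorted(records, key=lambda r: r["time"])

def to_jsonl(records):
    """One JSON object per line, the shape a file forwarder or HTTP event collector usually accepts."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)
```

The `source` field keeps the original /var/audit node path, so a record in the external system can always be traced back to the JCR node it came from before the purge task removes it.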