1. Technical Field
This disclosure relates generally to software components used in a multi-product distributed computing environment, where such components produce audit logs for various management operations, and such logs are used for the purposes of compliance analysis, problem determination, and forensics, among others.
2. Background of the Related Art
Certain computing systems are known to generate and store a log of records that are used for auditing system functions and activities. In particular, each audit record captures information related to a corresponding event of interest to the computing system. Depending upon the particular implementation, an event of interest may comprise a positive action or a negative action (or lack of action when an action is anticipated) that is to be audited. As a few illustrative examples, an audit record may capture information identifying the status and/or performance of a particular transaction or transaction type, the execution (or lack thereof) of a system process or the occurrence of an activity or state within the system or component(s) thereof. Each audit record may also capture information such as the identity of the person or process that triggered the event, a time stamp corresponding to the event and/or other relevant information associated with the occurrence of the corresponding event itself. Moreover, the organization of the audit records into a corresponding audit log typically preserves the chronological order of the recorded events.
In general terms, the log of audit records allows an administrator to determine who has done what on which system component(s), application(s), etc., and when the audit generating activity occurred.
Identity-based auditing, however, is difficult in the context of a “multi-product” software solution that comprises several existing products or applications, where each product or application has its own respective authentication mechanism and identity registry. In this context, an operation performed by a user may span several of these products, and it may be important (e.g., from an accounting, security or compliance point of view) to audit the actual identity of the user in all of the products affected by the operation. An existing approach to this problem involves mapping of identities at the boundary between individual products, and then capturing this mapping in the audit records. With this approach, however, the determination of the actual user who performed the operation requires mining of these mapped audit records, which is complex, costly and inefficient.
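The mining step that this existing approach requires can be sketched as follows. This is an added example, not part of the original disclosure; the three product names, the record fields (`req`, `user`, `mapped_from`) and the sample records are constructed assumptions. Each product logs only its own local identity plus a boundary mapping, so naming the actual user means joining every product's log and walking the mappings back hop by hop.

```python
# Constructed sample audit logs, one per product (all names hypothetical).
# Downstream products record a local service identity and a boundary
# mapping that points at the upstream record that triggered them.
AUDIT_LOGS = {
    "portal": [
        {"ts": 100, "req": "r-1", "user": "alice", "op": "provision_vm"},
        {"ts": 105, "req": "r-2", "user": "bob", "op": "delete_vm"},
    ],
    "orchestrator": [
        {"ts": 101, "req": "o-7", "user": "svc_portal", "op": "create_workflow",
         "mapped_from": ("portal", "r-1")},
        {"ts": 106, "req": "o-8", "user": "svc_portal", "op": "delete_workflow",
         "mapped_from": ("portal", "r-2")},
    ],
    "hypervisor": [
        {"ts": 102, "req": "h-3", "user": "root_orch", "op": "vm.create",
         "mapped_from": ("orchestrator", "o-7")},
        {"ts": 107, "req": "h-4", "user": "root_orch", "op": "vm.destroy",
         "mapped_from": ("orchestrator", "o-8")},
    ],
}

def build_index(logs):
    """Join all product logs into one lookup keyed by (product, request id)."""
    return {(p, r["req"]): r for p, recs in logs.items() for r in recs}

def resolve_originator(logs, product, req):
    """Walk boundary mappings upstream from one audit record.

    Returns (actual_user, chain). actual_user is None when an upstream
    record is missing, i.e. the identity cannot be established.
    """
    index = build_index(logs)
    chain, seen, key = [], set(), (product, req)
    while key is not None:
        if key in seen:
            raise ValueError(f"mapping loop at {key}")
        seen.add(key)
        rec = index.get(key)
        if rec is None:
            return None, chain  # broken chain: upstream log lost or rotated
        chain.append((key[0], rec["user"]))
        key = rec.get("mapped_from")  # absent on the originating record
    return chain[-1][1], chain

if __name__ == "__main__":
    print(resolve_originator(AUDIT_LOGS, "hypervisor", "h-4"))
```

Both hypervisor records carry the same local identity (`root_orch`), so the hypervisor log alone cannot distinguish the two users; every intermediate log must be retained and joined for the result to be recoverable.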