Logging and auditing

i2 Analyze provides mechanisms for logging two types of information that the system generates during normal execution. You can control what information is sent to the system logs, and audit the commands that users invoke.

System logging

The components that make up the i2 Analyze server all contain instrumentation that sends information about the health of the system to log files or the console. You can control the locations of the log files, and the volume of information that the system sends, by editing the log4j2.xml files in the deployment toolkit.

The information that i2 Analyze can log through this mechanism includes detail about warnings and errors that users see in their client software, and incremental status reports about long-running processes such as ingestion.

The ZooKeeper component of i2 Analyze uses Logback for logging. The Logback configuration is in the i2analyze\deploy\zookeeper\conf directory.

For more information about system logging, see the deployment and configuration guides for i2 Analyze, or the Apache Log4j website.

User activity logging

When a user runs an authenticated command against any of its services, i2 Analyze can record information about the user who ran the command, and full details of the command that they ran. For example, you might use this functionality to audit the frequency with which different users make requests for the data that i2 Analyze manages, or to track searches with particular patterns. i2 Analyze handles user activity logging for the i2 Connect gateway separately from the Information Store and the Chart Store.

Note: Depending on the volume of data, enabling user activity logging might affect the performance of i2 Analyze.

Information Store and Chart Store

i2 Analyze supports user activity logging for all of the main analysis operations against the Information Store and (where relevant) the Chart Store. For example, you can configure separate logging (or no logging at all) for search, expand, and find path operations. You can also arrange for logging to occur when records and charts are created or modified.

To audit user activity, including activity due to Analyst's Notebook Premium and the Investigate Add-On, you write a class that implements the IAuditLogger interface and specify it in the ApolloServerSettingsMandatory.properties file in the deployment toolkit.

At startup, i2 Analyze calls IAuditLogger to discover what activities to log information about. Later, it calls again with information such as the time of the activity, the name and security clearance of the user, and the parameters that they supplied.

For more information and an example of how to implement IAuditLogger, see i2 Analyze Developer Essentials.
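The following is an added example, not code from i2 Analyze or its documentation. It shows the two audit uses described above (request frequency per user, and searches that match a particular pattern) over records that an IAuditLogger implementation might write; the JSON-lines layout, the field names, the sample values, and the wildcard watch pattern are all assumptions.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample: one JSON object per line, as a hypothetical IAuditLogger
# implementation might write it. Field names and values are assumptions.
SAMPLE = """\
{"time": "2024-03-01T09:00:05", "user": "analyst1", "clearance": "Controlled", "operation": "search", "parameters": {"expression": "blue van"}}
{"time": "2024-03-01T09:00:20", "user": "analyst2", "clearance": "Unclassified", "operation": "search", "parameters": {"expression": "J* Smith"}}
{"time": "2024-03-01T09:00:31", "user": "analyst2", "clearance": "Unclassified", "operation": "expand", "parameters": {"recordId": "r-17"}}
{"time": "2024-03-01T09:00:40", "user": "analyst2", "clearance": "Unclassified", "operation": "search", "parameters": {"expression": "*"}}
this line is truncated {"time":
{"time": "2024-03-01T09:00:55", "user": "analyst2", "clearance": "Unclassified", "operation": "find_path", "parameters": {"from": "r-17", "to": "r-90"}}
"""

REQUIRED = {"time", "user", "operation"}

def parse_records(text):
    """Return (records, rejected); malformed lines are counted, not silently dropped."""
    records, rejected = [], 0
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            rec = json.loads(line)
            if not REQUIRED <= rec.keys():
                raise KeyError("missing required field")
            rec["time"] = datetime.fromisoformat(rec["time"])
            records.append(rec)
        except (ValueError, KeyError, TypeError, AttributeError):
            rejected += 1
    return records, rejected

def requests_per_user(records):
    """Count requests keyed by (user, operation)."""
    return Counter((r["user"], r["operation"]) for r in records)

def flag_searches(records, patterns):
    """Return (time, user, expression) for searches matching any watch pattern."""
    compiled = [re.compile(p) for p in patterns]
    hits = []
    for r in records:
        params = r.get("parameters")
        expr = str(params.get("expression", "")) if isinstance(params, dict) else ""
        if r["operation"] == "search" and any(c.search(expr) for c in compiled):
            hits.append((r["time"], r["user"], expr))
    return hits
```

A nonzero rejected count is worth alerting on in its own right, because gaps or truncated lines in an audit trail reduce what the counts and pattern matches can prove.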

i2 Connect gateway

To log operations against external sources through the i2 Connect gateway, i2 Analyze uses the same IAuditLogger interface that it uses for the Information Store and the Chart Store. However, all such operations are logged through a single method on the IAuditLogger interface.