Business Audit log - recommended library or approach? [closed]

问题

Closed. This question is off-topic. It is not currently accepting answers.

---

Want to improve this question? Update the question so it's on-topic for Stack Overflow.

Closed 5 years ago.

do you know any good Java library for audit logging? Or at least good book/article to help choose good approach to build audit log for an application?

Library requirements:
- define common audit metadata (userId, time, IP, ...)
- define audit message types (transaction sent, message received, ...)
- lock/sign individual audit messages (for non-repudiation)
- search audit log based on metadata
- etc.

Edit:
I'm not looking for automated solution, I'm perfectly happy with calling something like:

AuditEvent event = new TransactionSentEvent(userId, account, amount, ...)
AuditLog.audit(auditEvent);

The point is to have the infrastructure behind it - safe storage to database, non-reputability etc.

回答1:

what about this https://github.com/dima767/inspektr I have almost the same requirements as you described above, and am digging into inspektr.

回答2:

So, if you are looking for a framework, you could try logback-audit. It is by the folks who are behind the Java logging library, logback.

回答3:

If you are using Java, one way is to use springframework and aop. This is the most flexible option. Here is an example

You can also do it at database level using hibernate (more info)

回答4:

You can use AscpectJ library without Spring, via annotations

回答5:

A good approach to business/operation level logging is to determine what exactly you need to log. You have already done that.

You don't really need any new framework or AOP to add. However, you have some extra requirements which prevent you from using the common logging frameworks such as Log4J or java.util.logging without creating more work.

The easiest approach I can think of you can do is to have a Audit class that has a JDBC connection injected or configured in it. This can be done through Spring if you are already using that framework. If you don't have a DI container then you need to define this as a singleton.

Another thing you need is a capability of signing. Java has a java.security.Signature to sign and verify data.

As I said earlier you have requirements that prevent you from using the available logging frameworks. That is:

• search audit log based on metadata

For you to facilitate searching you need to store data in a database as writing to a text file will be difficult to do. Using the logging frameworks you have to learn the API and be tied to the framework which is not part of the standard.

来源：https://stackoverflow.com/questions/3778281/business-audit-log-recommended-library-or-approach