alfresco Administration Auditing


Auditing is an Alfresco feature that allows the user to trace and log some specific events during ECM platform usage.

Enable auditing

To enable auditing you have to add some lines of configuration to the file, which resides in tomcat/shared/classes/

audit.enabled = true

You have to save changes to the file and restart the Alfresco server, in order to enable auditing.

Auditing default configuration

Here the complete list of configuration properties that can be overridden modifying the file:

# Audit configuration                                                                                                                                                                       

# Setting this flag to true will force startup failure when invalid audit configurations are detected                                                                                       

# Audit map filter for AccessAuditor - restricts recorded events to user driven events. In this case it neglect events issued by a System or a null user, the content or folder path is under /sys:archivedItem or under /ver: and the node type is not cm:folder, cm:content or st:site                                                                                                     

#The default to preserve all cm:auditable data on a node when the process is not directly driven by a user action                                                                                        

#Specific control of how the FileFolderService treats cm:auditable data when performing moves                                                                                                            

#Specific control of whether ACL changes on a node trigger the cm:auditable aspect                                                                                                                       

As usual you have to save changes to the file and restart the Alfresco server, in order to enable these modifications.

Audit filters

Audit filters are properties that specify the strategy used to filter audit events by using particular regular expression to include or exclude events. Both custom and default audit filters can be added as overrides in the configuration file.

The anatomy of an audit filter property is the following:


where <data-producer> is one of the Alfresco built-in data producers:

  1. alfresco-access: a wide group of high level events such as logins (both successful and failed), property updates, CRUD on nodes, content reads/updates, aspect addition and removal, versioning, check-in/check-out operations
  2. alfresco-node
  3. alfresco-api: events issued by the call of low level API methods and services. For example it can be used to list SearchServices search list parameters, properties listing using PropertyServices, operations on nodes using NodeServices and so on.

and path is the real path value to filter against.

Property names have an audit.filter.* prefix and use '.' as a separator where as components of rootPath and keys in the audit map use '/'.

Lists are evaluated from left to right and if no match is made by the end of the list the value is rejected. If there is not a property for a given value or an empty list is defined any value is accepted.

Each regular expression in the list is separated by a semicolon (';'). Expressions that include a semicolon can be escaped using a ''.

Note that if the audit.config.strict flag is set to true Alfresco startup will fail in case of invalid audit configurations detection.

An expression that starts with a '~' indicates that any matching value should be rejected. If the first character of an expression needs to be a '~', it can be escaped with a '\'.

Adding .* at the end of a filter will include all values that have not been specifically excluded

Filters can be one of the following:

transaction.user - specifies what user(s) actions will/will not be audited. For example: Actions from all users except for 'System' will be audited

transaction.type - actions that are performed against the specified document type will be audited.

default.path - actions that occur on documents within the specified path will be audited

transaction.action - specifies what actions will and won't be audited. Some of the auditing events that can be enables or disabled using this property are: READ, MOVE, COPY, CHECK IN, CHECK OUT, CANCEL CHECK OUT, CREATE VERSION, readContent, addNodeAspect, deleteNodeAspect, updateNodeProperties.

For more information about audit filters: