how to configure auditing in wso2 - wso2

How do I configure WSO2 auditing in API Manger to log all successful/failure logins, various application access, API creations, API approvals, token generations, subscribing to/from APIs, etc.?

You can see some audit logs at CARBON_HOME/repository/logs/audit.log file already in default. Responsible logging configuration can be found at,
http://umeshagunasinghe.blogspot.com/2014/12/how-to-enable-audit-logs-for-wso2-api-m.html
Also, the HTTP access logs will be in CARBON_HOME/repository/logs/repository/logs/http_access_.log. You can trace different actions based on your requirement from that.

Related

How to push mobile application (android/ios) logs to AWS?

This apparently is so simple question but I have been trying hard and came accross many questions and articles but none of them really answers this.
There are many ways to design the architecture after the log is ingested and transferred to AWS. We can use ES, Kinesis and other services.
My problem is how to transfer the application client logs to AWS securly, anywhere, could be S3, Lambda, Kindesis, ElasticSearch. We can surely have an endpoint exposed but that will be open. How to authenticate this to make sure malicious users don't spam our logs? what is the best way to ingest and transfer logs to AWS from mobile applicatios?
Creat an API that collect logs and ingest to kinesis expose it with API gateway use API keys aur authentication API to generate bearer token.
In application create functionality that make API call.
We did this in one of our application successfully
One way is to use Amplify SDK on the client application to log
securely.
Have a look at this link:
https://medium.com/swlh/add-monitoring-to-your-amplify-app-by-using-amplify-framework-d4c43b2bb84b

WS02 API Manager 2.0

Many third-party services providers allow you to configure a "Webhook" (aka HTTP POST) to your system when an event occurs in their system. Service providers will use various methods of authentication (HMAC, OAuth, TLS, etc.).
For example, Company1 configures ServiceABC to send notification to http://company1.com/eventlistener when an event occurs in the service provider (eg transaction approved):
ServiceABC.com -> HTTP POST -> http://company1.com/eventlistener
http://company1.com/eventlistener is in the DMZ. It will authenticate the message and forward to back end service as appropriate.
[DMZ] http://company1.com/eventlistener -> | [Behind] http://backendUrl/service
In this example, assume the service provider does not support OAuth. Authentication is performed using a custom header scheme.
Can/Should the WSO2 API Manager be used in this scenario?
If not the API Manager, can the WSO2 ESB be used ?
API Manager is the right solution here. API Manager has 5 main components, gateway, publisher, store, keymanager and traffic manager. In the basic distributed setup these 5 components can run on 5 machines. API Publisher publishes APIs to gateway (real artifact of API are here) and store (virtual representation of API, to which can be subscribed, are here). Gateway exposes your APIs to outside. So it resides in DMZ. API Store also can be on DMZ depending on what you want. Keymanager handles authentication (eg. OAuth2) and should be in MZ. Traffic manager is used for request throttling.
Backend authentication can be done with a simple customization.
You can find clustering documentation here. APIM deployment patterns are here.
Hope this helps.

API Manager 1.10 - Is there a way to monitor back end health?

I actually try WSO2 API Manager in our IT and I can't found how to monitor backend WS.
Is there a way to have an alert (trace/mail/...) when :
the time response of a webservice is too high?
the Webservice is unavailable (or http code isn't 200) ?
This tool seems great but I need a monitoring part...
Perhaps I simply miss it...
Any helps ?
If you already use WSO2 APIM in production how do you manage this part?
Regards,
Mike
By Using APIM and CEP integration, you can achieve this requirement. APIM can be configured to publish thrift events into CEP and then CEP can process these events to provide necessary alerts and notifications as required.
Please refer below document for APIM and CEP integration.
WSO2 API Manager has following statistics monitoring
API Subscriptions: Number of subscriptions per API (across all
versions of an API)
API Usage: Number of API calls being made per API
(across all versions of an API)
API Response Times:
API Last Access Times: The subscribers who did the last 10 API invocations and the APIs/versions they invoked
API Usage by Resource Path: Usage of an API and from which resource path (per API version)
API Usage by Destination: To see destination-based usage tracking, you must first enable it. See API Usage by Destination.
API Usage by User: Number of times a user has accessed an API
Faulty Invocations: The number of API invocations that failed to reach the endpoint per API per user In a faulty API invocation, the message is mediated though the fault sequence. By default, the API Manager considers an API invocation to be faulty when the backend service is unavailable.
For more information, please see https://docs.wso2.com/display/AM1100/Viewing+API+Statistics
For our public hosted version of API Manager - WSO2 API Cloud - we simply set up Pingdom for both the gateway and the web UIs and exposed the public dashboard at the SLA & Support page. Pingdom also has email, sms, etc. alerts when response times get over 30 seconds.
Internally we also use various server monitoring tools like icinga.

Anonymous access to APIs using WSO2 API Manager

We're trying to make Salesforce send a message to one of our APIs through WSO2 API Manager 1.9.0. However, it seems that Salesforce is unable to authenticate and recommends using IP-restrictions.
So, is it possible to allow an anonymous/unauthenticated user to use an API in API Manager? IP-restriction I can take care of with firewalls, I don't have to do that in API Manager.
When you create an API, in the Manage tap, you can select No Authentication for an API resource. Then you will be able to access the API resource without access token. See my answer for the similar question.

Threat protection on WSO2 API Manager

I am evaluating the WSO2 API Manager. From a security perspective I have a couple of question on the API Manager capabilities, which I was not able to find through the documentation:
Does WSO2 API Server support security features by detecting/checking the content on incoming messages for attacks, redirection/traffic routing? If yes, how does it support?
Do the GUI portals offered by WSO2 (API Portal, API Publisher, etc) enable protection against cross-site scripting, SQL injection and XML content or structural threats and viruses?
Thanks in advance.
Regards,
Ritwik
Yes, WSO2 API Manager's API Gateway is essentially an ESB and can check the content of incoming requests and detect message attacks. It is also possible to route traffic. You can direct access the API definition from the admin console of the API Manager (or directly from the file system)
Yes both the API Store and Publisher is secured against cross site scripting, SQL injection and XML content threats