How to audit WildFly commands

Keeping your WildFly system secure often requires tracing commands sent across the native management interface. In this article we will learn how to enable auditing of CLI commands with WildFly in just a minute.

Enable Auditing in WildFly

To enable auditing of CLI commands, connect to the CLI and navigate to the logger’s audit log:


This command activates command auditing. For example, let’s try to apply a change to the Model configuration:


The above command will vary the default core-threads attribute of the ejb3 subsystem. Next, you will find the audit log in the folder data of your server:

├── audit-log.log
├── content
├── kernel
│   └── process-uuid
├── timer-service-data
└── tx-object-store
    └── ShadowNoFileLockStore
        └── defaultStore

If you open the audit-log.log file, you will find the username and the operation:

2024-02-14 16:20:04 - {
    "type" : "core",
    "r/o" : false,
    "booting" : false,
    "version" : "31.0.0.Final",
    "user" : "$local",
    "domainUUID" : null,
    "access" : "NATIVE",
    "remote-address" : "localhost/",
    "success" : true,
    "ops" : [{
        "address" : [
                "subsystem" : "ejb3"
                "thread-pool" : "default"
        "operation" : "write-attribute",
        "name" : "core-threads",
        "value" : 15,
        "operation-headers" : {
            "caller-type" : "user",
            "access-mechanism" : "NATIVE"

Control logging of non-modifying operations

By default, only operations modifying the configuration will be audited. Set the log-read-only attribute to true to log operations that don’t change configuration or runtime services:


Optionally, you can choose to log management operations during server boot

Set the log-boot attribute to true to log management actions when the server starts:


The CLI commands reflects in the following XM configuration:

                <json-formatter name="json-formatter"/>
                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to=""/>
            <logger log-boot="true" log-read-only="true" enabled="true">
                    <handler name="file"/>

By following these steps, you’ll actively enable CLI command auditing and strengthen your system’s security posture.

Found the article helpful? if so please follow us on Socials