Difference: APPXAuditLog (1 vs. 25)

Revision 252023-04-19 - BrianRyan

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature

Line: 448 to 448
  To add a new FMS group you need to go to System Administration, Configuration, File System Groups and press F9 to add a new one for the monitor.
Changed:
<
<		Give it an FMS group of 1 and click on 'FMS group attributes' button. On that screen enter the name of your Log Profile in the 'Log Profile' field. Note that if you already have an FMS group that is used by the file(s) you wish to monitor, you can simply add the Log Profile name to the existing FMS group. If the FMS group refers to a RDBMS (such as Oracle, SQL Server, etc), then only changes made by Appx will be logged.
>
>		Assign it a FMS group that is appropriate for the FMS group type (either 9 or 1 for AppxIO) that is already assigned to your files or that you intend to use for your new files. On that screen enter the name of your Log Profile in the 'Log Profile' field. Note that if you already have an FMS group that is used by the file(s) you wish to monitor, you can simply add the Log Profile name to the existing FMS group. If the FMS group refers to a RDBMS (such as Oracle, SQL Server, etc), then only changes made by Appx will be logged.
 
Changed:
<
<		You can now assign this FMS group to the file(s) that you wish to monitor.
>
>		You can now assign this FMS group to the file(s) that you wish to monitor.
 

More About the xml Audit Log file

Using a Pattern in a Log File Name

Revision 242020-11-05 - MisaghKarimi

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature

Line: 53 to 53
 
Changed:
<
<		cd /usr/local/appx/services chown root appxAuditMgr chgrp appxgrp appxAuditMgr chmod 4775 appxAuditMgr
>
>		cd /usr/local/appx/services

chown root appxAuditMgr

chgrp appxgrp appxAuditMgr

chmod 4775 appxAuditMgr

 

You can check the permissions of the appxAuditMgr command by running the following command:

Revision 232016-02-11 - JeanNeron

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature

This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature on either Linux or Windows.

Changed:
<
<
>
>
 

Overview

The APPX Audit Log feature creates an xml log of APPX file I/O activity. The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX. The level of activity detail logged can be configured to optionally include read, write, rewrite, delete, create, and restructure events.

To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file. The audit log service does not have to run on the same server as APPX.

Added:
>
>		 The Audit Log is emitted as an xml document. Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:

type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Read Yes Yes Yes Yes Indexed Files Yes No
Update Yes Yes Yes Yes Indexed Files Yes No
Insert Yes Yes Yes Yes Indexed Files Yes No
Delete Yes Yes Yes Yes Indexed Files Yes No
Scratch Yes Yes Yes Yes No
FileCreate Yes Yes Yes Yes No Yes
Restructure Yes Yes Yes Yes No

node node/element value
<eventID>
  <type/> see above table
  <timeStamp/> ccyymmddhhmmsstt
</eventID>
<sessionID>
  <processID/> 9(6)
  <userID/> X(3)
</sessionID>
<fileID>
  <application/>
  <database/>
  <structureDate/>
  <filename/>
</fileID>
<appxProcessID>
  <type/>
  <name/>
  <applica
 

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.

Line: 117 to 148
  The first form of the -install command requires only that a service name and service type be specified. All other options are optional including the TCP/IP port. Any option not specified will be configured with an appropriate default value.
Changed:
<
<		The second form of the -install command requires only that a TCP/IP port and service type be specified. All other options are optional including the ServiceName. Any option not specified will be configured with an appropriate default value.
>
>		The second form of the -install command requires only that a TCP/IP port and service type be specified. All other options are optional including the <nop>ServiceName. Any option not specified will be configured with an appropriate default value.
  Both forms of the -install command allow additional configuration options to be specified. The configuration options specified are stored in the service configuration file (ini).
Line: 148 to 179
 
Options - General
Changed:
<
<		-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
>
>		 -name, -ServiceName=SERVICENAME
The <nop>ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default <nop>ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
  -DisplayName=DISPLAYNAME
Changed:
<
<		The DisplayName is a "user-friendly" descriptive name for an Audit Log Service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when an Audit Log Service is being created, the Audit Log Service will be created with a DISPLAYNAME based on the SERVICENAME.
>
>		The <nop>DisplayName is a "user-friendly" descriptive name for an Audit Log Service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when an Audit Log Service is being created, the Audit Log Service will be created with a DISPLAYNAME based on the SERVICENAME.
 

-LogDirectory={/tmp, LOGDIR}

Line: 168 to 199
 -ServiceDisable={true, false}
This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.
Changed:
<
<		-initScript={lsb, RedHat}
>
>		-initScript={lsb, <nop>RedHat}
 
Used with -install option to specify the type of Linux operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.

Options - Audit Log
Line: 176 to 207
 -LogNamePattern={/tmp/logmon%N.xml C:\APPXLOG%N.xml, AUDITLOGPATHNAME}
Changed:
<
<		The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service. The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.
>
>		The <nop>LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service. The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.
 

-LogRotationInterval={86400, MAXSECONDS}

Changed:
<
<
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created. The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
>
>
The <nop>LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created. The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
  -LogRotationSize={1G, MAXSIZE}
Changed:
<
<
The LogRotationSize is the maximum size that an Audit Log file is allowed to be. When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
>
>
The <nop>LogRotationSize is the maximum size that an Audit Log file is allowed to be. When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
 
Options - TCP/IP
Line: 392 to 423
 monitorLog - starting
Changed:
<
<
>
>
#RedHatServiceCommand
 

Issues:

  1. When executing the appxAuditMgr command with the -install option, you must include the -name option.

  2. When executing the the appxAuditMgr command with the -install option, you must include the - DisplayName option. If you do not, the ps command will not display a meaningful name for the running service.

Line: 428 to 459
 

Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:

Changed:
<
<
/tmp/appx-11-Jun-08
>
>
/tmp/appx-11-Jun-08
  /tmp/appx-12-Jun-08
Changed:
<
<		...
>
>		...
 

If you restart the log monitor on 11-Jun-08 (and your LogNamePattern specifies %D-%B-%Y), any existing log file with that name would be replaced. Of course, you can include time components in the LogNamePattern to avoid that problem (or add %N to the pattern to include a sequence number). Here's the complete list of valid specifiers (from the strftime man page):

Line: 497 to 528
  Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:
Changed:
<
<
>
>
 
type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Read Yes Yes Yes Yes Indexed Files Yes No
Update Yes Yes Yes Yes Indexed Files Yes No
Line: 606 to 637
 
Changed:
<
<
<--/commentPlugin-->
>
>
<--/commentPlugin-->
  -- SteveFrizzell - 20 Jun 2008
  • subrs.xslt: subrs.xslt extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name.

Revision 222016-01-20 - JeanNeron

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature

Changed:
<
<		This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature.
>
>		This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature on either Linux or Windows.
 

Overview

The APPX Audit Log feature creates an xml log of APPX file I/O activity. The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX. The level of activity detail logged can be configured to optionally include read, write, rewrite, delete, create, and restructure events.

Changed:
<
<		To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file.
>
>		To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file. The audit log service does not have to run on the same server as APPX.
 

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

Changed:
<
<		The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. So, there is nothing additional that you need to do to install the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.
>
>		The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.
 
Changed:
<
<		The appxAuditMgr command is installed into the "services" subdirectory of the directory where you installed APPX. So, if you installed APPX in "/usr/local/appx", the full pathname of the appxAuditMgr command will be "/usr/local/appx/services/appxAuditMgr".
>
>		The appxAuditMgr command is installed into the "services" subdirectory of the directory where you installed APPX.
 
Changed:
<
<		The appxAuditMgr command must run with the permissions of the root user. Therefore, the owner of the appxAuditMgr command should be the root user and the SUID bit should be set so that the appxAuditMgr command can be run by users other than root but still be run with the permissions of the root user.
>
>		On Linux and Unix systems the appxAuditMgr command must run with the permissions of the root user. Therefore, the owner of the appxAuditMgr command should be the root user and the SUID bit should be set so that the appxAuditMgr command can be run by users other than root but still be run with the permissions of the root user.
  In the event that it is necessary to reset the permissions of the appxAuditMgr command, the following commands can be run by the root user to set the necessary owner and group permissions for the appxAuditMgr command.
Changed:
<
<
cd /usr/local/appx/services
chown root appxAuditMgr
chgrp appxgrp appxAuditMgr
chmod 4775 appxAuditMgr
>
>

cd /usr/local/appx/services chown root appxAuditMgr chgrp appxgrp appxAuditMgr chmod 4775 appxAuditMgr

  You can check the permissions of the appxAuditMgr command by running the following command:
Line: 38 to 37
 

Creating and Configuring an Audit Log Service

Changed:
<
<		On Unix/Linux systems, an instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port. Each instance of the Audit Log Service will log file I/O activity to a separate xml file. By creating more than one instance of the APPX Audit Log Service, you can separate the file I/O activity that is logged into separate files by assigning different Log Profiles to FMS groups or individual files.
>
>		An instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port. Each instance of the Audit Log Service will log file I/O activity to a separate xml file. By creating more than one instance of the APPX Audit Log Service, you can separate the file I/O activity that is logged into separate files by assigning different Log Profiles to FMS groups or individual files.
 

Creating an Audit Log Service

Before file I/O activity can be logged, at least one instance of an APPX Audit Log Service must be configured and started.

The -install option of the appxAuditMgr command is used to initially create, configure, and start an instance of the APPX Audit Log Service. The following steps are performed:

Changed:
<
<
  1. A configuration file (ini) is created
  2. An environment file (env) is created
  3. A service is created, including required init files and links. ( On Red Hat, /etc/init.d/ )
>
>
  1. A configuration file (ini) is created or the Windows registry is updated
  2. An environment file (env) is created or the Windows registry is updated
  3. A service is created, including required init files and links.
 
  1. The service is started
When creating an instance of the APPX Audit Log Service, you must provide the Service Name, Service Type, and TCP/IP Port Number. For compete information on using the -install option of the appxAuditMgr command, please refer to the usage section of this page.
Changed:
<
<
>
>
 

Service Name

Line: 62 to 61
 

Changing the Configuration of an Audit Log Service

Two methods are available for modifying an existing instance of an APPX Audit Log Service.

Changed:
<
<
>
>
 

Method 1 - The APPX Audit Log Manager Command (appxAuditMgr)

Changed:
<
<		The -modify command and the -replace command of the appxAuditMgr tool can be used to modify or replace a previously configured instance of the APPX Audit Log Service. These options update the existing APPX Audit Log Service configuration files (ini and env) with the options specified. If you use this technique, the service will be automatically restarted for you, using the new settings. Note that when specifying options on the command line, you must prefix them with a dash.

Method 2 - Text Editor

A text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above. When you edit the configuration files for an instance of the APPX Audit Log Service with a text editor, you must restart the service before the changes take effect.
>
>		The -modify command and the -replace command of the appxAuditMgr tool can be used to modify or replace a previously configured instance of the APPX Audit Log Service. These options update the existing APPX Audit Log Service configuration files or registry settings with the options specified. If you use this technique, the service will be automatically restarted for you, using the new settings. Note that when specifying options on the command line, you must prefix them with a dash.

Method 2 - Text Editor/Regedit

On Linux/Unix systems a text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above. When you edit the configuration files for an instance of the APPX Audit Log Service with a text editor, you must restart the service before the changes take effect.

On Windows systems you can use 'regedit' to directly edit the registry. The service is created under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name>. Note that you will have to manually restart the service for the changes to take affect. Due to the risk inherent in directly changing the registry we recommend using method 1 above.

 

Managing an Audit Log Service

Two methods are available for managing an existing instance of the APPX Audit Log Service.

Line: 76 to 79
 

Method 1 - appxAuditMgr command

The appxAuditMgr command can be used to manage an instance of the APPX Audit Log Service. The appxAuditMgr command can be used to start, stop, restart, or display the status of an instance of an APPX Audit Log Service. The following example shows how to use the appxAuditMgr command to check on the status of an APPX Audit Log Service (must be logged in as root to execute).

Changed:
<
<
[root@500test services]# ./appxAuditMgr -status appxLog8070 
up and running (process 2390 servicing port 8070)
>
>

[root@500test services]# ./appxAuditMgr -status appxLog8070 up and running (process 2390 servicing port 8070)

 

Method 2 - O/S Services

Your operating system includes commands or programs that can be used to manage services. APPX Audit Log Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the service command. The following example shows how to use the Red hat service command to check on the status of an APPX Audit Log Service.

Changed:
<
<
[root@500test services]# service appxLog8070 status 
up and running (process 2390 servicing port 8070)
>
>
 
Added:
>
>		[root@500test services]# service appxLog8070 status up and running (process 2390 servicing port 8070)

On Windows, you can manage the audit service the same as any Windows service.

 

Usage (appxAuditMgr)

Changed:
<
<
>
>
 

Synopsis - Service Configuration

Changed:
<
<
The appxAuditMgr service configuration commands are used to create, configure, and remove an instance of an APPX Audit Log Service.
>
>
The appxAuditMgr service configuration commands are used to create, configure, and remove an instance of an APPX Audit Log Service.
  appxAuditMgr -install -serviceName=SERVICENAME -ServiceType=logmonitor -SockPort=[TCP-Port] [options]... [VARIABLE=VALUE]...
Line: 100 to 108
  appxAuditMgr -remove -serviceName=SERVICENAME

Configuration - Commands

Changed:
<
<
>
>
  -install -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

-install -port=PORT -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

Changed:
<
<
The -install command is used to configure a new instance of an APPX Audit Log Service. Either form of the install command may be used.
>
>
The -install command is used to configure a new instance of an APPX Audit Log Service. Either form of the install command may be used.
  The first form of the -install command requires only that a service name and service type be specified. All other options are optional including the TCP/IP port. Any option not specified will be configured with an appropriate default value.
Line: 118 to 126
 In addition to creating the service configuration file and the environment configuration file, the -install command also creates an operating system service that will be automatically started when the computer system is started.

After creating the configuration files and the operating system service, the -install command starts the service.

Changed:
<
<		 -modify -name=SERVICENAME [options]... [VARIABLE=VALUE]...
>
>

-modify -name=SERVICENAME [options]... [VARIABLE=VALUE]...

  The -modify command is used to modify the configuration of an existing Audit Log Service. The specified options will be updated in the service configuration files. Any options not specified will not be changed. After updating the configuration files, the -modify command restarts the service.
Line: 128 to 139
 

-replace -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

Changed:
<
<
The -replace command is used to replace an existing Audit Log Service with a new Audit Log Service with the same name. The -replace command is effectively the same as a -remove command followed by an -install command. After updating the configuration files, the -replace command restarts the service. Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.
>
>
The -replace command is used to replace an existing Audit Log Service with a new Audit Log Service with the same name. The -replace command is effectively the same as a -remove command followed by an -install command. After updating the configuration files, the -replace command restarts the service. Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.
  -remove -name=SERVICENAME
Changed:
<
<
The -remove command is used to remove an existing Audit Log Service. The -remove command will remove the configuration files (ini and env) and the corresponding operating system service. If the service is running when the -remove command is executed, the -remove command will first stop the service and then remove the service.
>
>
The -remove command is used to remove an existing Audit Log Service. The -remove command will remove the configuration files (ini and env) and the corresponding operating system service. If the service is running when the -remove command is executed, the -remove command will first stop the service and then remove the service.
 

Configuration - Options

Changed:
<
<
>
>
 
Options - General
Changed:
<
<		-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
>
>		-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
  -DisplayName=DISPLAYNAME
Changed:
<
<
>
>
  The DisplayName is a "user-friendly" descriptive name for an Audit Log Service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when an Audit Log Service is being created, the Audit Log Service will be created with a DISPLAYNAME based on the SERVICENAME.

-LogDirectory={/tmp, LOGDIR}

Changed:
<
<
When the service is started, two log files are created in the LOGDIR directory - an Audit Log Service log file (.log) and a status file (.stat). Both log files have the same name as the ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the LogDirectory option is not specified, the log files are created in the /tmp directory.
>
>
On Linux and Unix systems when the service is started, two log files are created in the LOGDIR directory - an Audit Log Service log file (.log) and a status file (.stat). Both log files have the same name as the <nop>ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the <nop>LogDirectory option is not specified, the log files are created in the /tmp directory.

On Windows systems, a status file is not created, and a log file is only created if -CreateLogFile is set to 'true'.

  -ServiceType=logmonitor
Changed:
<
<
The only valid value when configuring an Audit Log Service is "logmonitor". Note: This option must be specified.
>
>
The only valid value when configuring an Audit Log Service is "logmonitor". Note: This option must be specified.
  -ServiceDisable={true, false}
Changed:
<
<
This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.
>
>
This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.
  -initScript={lsb, RedHat}
Changed:
<
<
Used with -install option to specify the type of operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.
>
>
Used with -install option to specify the type of Linux operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.
 
Options - Audit Log
Changed:
<
<		-LogNamePattern={/tmp/logmon%N.xml, AUDITLOGPATHNAME}
>
>		 -LogNamePattern={/tmp/logmon%N.xml C:\APPXLOG%N.xml, AUDITLOGPATHNAME}
  The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service. The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.

-LogRotationInterval={86400, MAXSECONDS}

Changed:
<
<
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created. The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
>
>
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created. The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
  -LogRotationSize={1G, MAXSIZE}
Changed:
<
<
The LogRotationSize is the maximum size that an Audit Log file is allowed to be. When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
>
>
The LogRotationSize is the maximum size that an Audit Log file is allowed to be. When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
 
Options - TCP/IP
Changed:
<
<		-port, -SockPort={8060, PORT}
Configure the service to listen for audit log requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
>
>		 -port, -SockPort={8060, PORT}
Configure the service to listen for audit log requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
 

Configuration - Environment Variables

Changed:
<
<
VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created. There is currently no reason to use this feature.
>
>
VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created or written to the registry. There is currently no reason to use this feature.
 

Synopsis - Service Management

Changed:
<
<
appxAuditMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}
>
>
appxAuditMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}
  MANAGEMENT OPTIONS
Changed:
<
<
-start | < blank >
Start an instance of the Audit Log Service using the configuration information in the SERVICENAME.ini and the SERVICENAME.env files.
>
>
-start | < blank >
Start an instance of the Audit Log Service.
  -stop
Changed:
<
<
Stop the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Stop the instance of the Audit Log Service.
  -restart
Changed:
<
<
Restart (stop and then start) the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Restart (stop and then start) the instance of the Audit Log Service.
  -status
Changed:
<
<
Report the status of the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Report the status of the instance of the Audit Log Service.
 
Changed:
<
<		EXAMPLES
>
>		Note on Windows the -status command does not take a SERVICENAME arguement, it will display the status of all defined login and audit services.

EXAMPLES

  Example 1 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070:

appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor

Deleted:
<
<
[root@localhost services]# ./appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor
Configuration written to:  appxLog8070.ini
Environment written to:    appxLog8070.env
Service script written to: /etc/init.d/appxLog8070
Configuration complete
Registering service
Starting appxLog8070: serviceName: appxLog8070
servicePath: /usr/local/appx500/services/
Looking for config file in appxLog8070.ini
Writing process ID to /var/run/appxLog8070.pid
running as process 12859 servicing port 8070
up and running (process 12859 servicing port 8070)
Installation Complete
  Example 2 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070. The service name and descriptive name are also specified.
Line: 227 to 236
  appxAuditMgr -modify -name=appxLog8070 -displayName="Big Audit Log" -LogRotationSize=10G
Changed:
<
<

The Configuration File (ini)

>
>

The Configuration File (ini) or Registry

 
Changed:
<
<		Each instance of an APPX Audit Log Service has a configuration file that is used to store the various parameters relating to that specific instance of the Audit Log Service.
>
>		Each instance of an APPX Audit Log Service has a configuration file that is used to store the various parameters relating to that specific instance of the Audit Log Service. On Windows, this is kept in the registry but the keywords and values are the same.
  The -install option of the appxAuditMgr command creates the configuration file when the service is created.
Line: 240 to 249
 Once created, the name of the configuration file and the location of the configuration file should not be changed. The service that is created will not work correctly if the name or the location of the configuration file is changed.

Note: The Configuration file for an APPX Audit Log service (as shown below) looks very much like the configuration file for an APPX Login Manager service. You should ignore the configuration options that do not apply to an APPX Audit Log service. Note that the extraneous options are all preceded by a "#" which causes them to be treated as comments. Although these extraneous options are of no consequence, they will be removed in a future release.

Changed:
<
<
# Appx connection manager configuration file
#
#  You can change this file by hand, or
#  use the uappxd program for better results
#
#  blank lines are ignored
#
#  anything following a '#' is treated as a comment
#
#  case is not important on the left-hand side
#  properties whose descriptions end in a '?' are
#  boolean and should be set to true or false
# --------------------------------------------------
# AppxApplication           =                    #startup application for spawned engines
# AppxDatabase              =                    #startup database for spawned engines
AppxExecutable              = /usr/local/appx500/appx#pathname to Appx engine
# AppxProcessName           =                    #startup process name for spawned engines
# AppxProcessType           =                    #startup process type for spawned engines
# AuthenticationMethod      = OS-User            #authentication method (OS-User, Appx-User, HT-User(filename))
DisplayName                 = appxLog8070        #descriptive name
# ImpersonateGID            = true               #change effective grouo ID for spawned engines?
# ImpersonateGroup          = User               #[LogonUser, NamedGroup(groupname), ServiceOwner]
# ImpersonateUID            = true               #change effective user ID for spawned engines?
# ImpersonateUser           = LogonUser          #[LogonUser, NamedUser(username), ServiceOwner]
# LoadSystemEnvironment     = true               #load default system-defined environment variables into spawned engines?
# LogDirectory              = /tmp               #directory where log file should reside
# LogNamePattern            = /tmp/appxlog%N.xml #audit log filename pattern (see man strftime for details
# LogRotationInterval       = 86400              #number of seconds between audit log rotations
# LogRotationSize           = 1G                 #maximum audit log file size
# RequireSSL                = false              #Require SSL-secured connections?
# RequireSSLClientCertificates = false              #require SSL-client certificates?
# ServerCertificateFile     =                    #pathname of server's X509 certificate (leave blank for anonymous connections
# ServerPrivateKeyFile      =                    #pathname of server's private key file (unlocks the ServerCertificateFile)
# ServerPrivateKeyPassphrase =                    #passphrase that unlocks ServerPrivateKeyFile
# ServiceDisable            = false              #disable this service?
# ServiceDisableAppxKeys    = false              #disable keyboard mapping?
# ServiceDisableFMS         = false              #disable AppxNET connections?
# ServiceDisableLogins      = false              #disable interactive logins?
# ServiceEnableCmds         = true               #allow client-side startup options?
ServiceName                 = appxLog8070        #name of service
ServiceType                 = logmonitor         #service type (login or logmonitor)
SockPort                    = 8070               #port number to service
# SSLMode                   = Optional           #SSL connection type (optional, required, disabled)
# TCPEnableKeepAlive        = true               #Enable TCP dead-connection detection
# TCPKeepCount              = 8                  #Maximum number of keep-alive pings
# TCPKeepIdle               = 300                #Idle time before ping sent to client (in seconds)
# TCPKeepInterval           = 60                 #Interval between keep-alive pings
# TCPNoDelay                = true               #disable TCP packet filling delay?
# TrustedCAFile             =                    #determines which client certificates to trust
# Umask                     =                    #umask (file creation mask) given to spawned engines
>
>

# Appx connection manager configuration file # # You can change this file by hand, or # use the uappxd program for better results # # blank lines are ignored # # anything following a '#' is treated as a comment # # case is not important on the left-hand side # properties whose descriptions end in a '?' are # boolean and should be set to true or false # --------------------------------------------------

 
Changed:
<
<

The Environment File (env)

>
>		# AppxApplication = #startup application for spawned engines # AppxDatabase = #startup database for spawned engines AppxExecutable = /usr/local/appx500/appx#pathname to Appx engine # AppxProcessName = #startup process name for spawned engines # AppxProcessType = #startup process type for spawned engines # AuthenticationMethod = OS-User #authentication method (OS-User, Appx-User, HT-User(filename)) DisplayName = appxLog8070 #descriptive name # ImpersonateGID = true #change effective grouo ID for spawned engines? # ImpersonateGroup = User #[LogonUser, NamedGroup (groupname), ServiceOwner ] # ImpersonateUID = true #change effective user ID for spawned engines? # ImpersonateUser = LogonUser #[LogonUser, NamedUser (username), ServiceOwner ] # LoadSystemEnvironment = true #load default system-defined environment variables into spawned engines? # LogDirectory = /tmp #directory where log file should reside # LogNamePattern = /tmp/appxlog%N.xml #audit log filename pattern (see man strftime for details # LogRotationInterval = 86400 #number of seconds between audit log rotations # LogRotationSize = 1G #maximum audit log file size # RequireSSL = false #Require SSL-secured connections? # RequireSSLClientCertificates = false #require SSL-client certificates? # ServerCertificateFile = #pathname of server's X509 certificate (leave blank for anonymous connections # ServerPrivateKeyFile = #pathname of server's private key file (unlocks the ServerCertificateFile) # ServerPrivateKeyPassphrase = #passphrase that unlocks ServerPrivateKeyFile # ServiceDisable = false #disable this service? # ServiceDisableAppxKeys = false #disable keyboard mapping? # ServiceDisableFMS = false #disable AppxNET connections? # ServiceDisableLogins = false #disable interactive logins? # ServiceEnableCmds = true #allow client-side startup options? ServiceName = appxLog8070 #name of service ServiceType = logmonitor #service type (login or logmonitor) SockPort = 8070 #port number to service # SSLMode = Optional #SSL connection type (optional, required, disabled) # TCPEnableKeepAlive = true #Enable TCP dead-connection detection # TCPKeepCount = 8 #Maximum number of keep-alive pings # TCPKeepIdle = 300 #Idle time before ping sent to client (in seconds) # TCPKeepInterval = 60 #Interval between keep-alive pings # TCPNoDelay = true #disable TCP packet filling delay? # TrustedCAFile = #determines which client certificates to trust # Umask = #umask (file creation mask) given to spawned engines
 
Changed:
<
<		Each instance of an APPX Audit Log Service has an environment file that is used to store the environment variables relating to that specific instance of the Audit Log Service. However, there is currently no requirement to set any environment variables when configuring an APPX Audit Log service.
>
>

The Environment File (env) or Registry

Each instance of an APPX Audit Log Service has an environment file that is used to store the environment variables relating to that specific instance of the Audit Log Service. On Windows, this is kept in the registry. However, there is currently no requirement to set any environment variables when configuring an APPX Audit Log service.

  The -install option of the appxAuditMgr command creates the environment file when the service is created.
Line: 302 to 267
 The environment file is created in whichever directory is your current directory at the time that the appxAuditMgr command is run to create the service. Therefore, before you run the appxAuditMgr command to create a service, you must first change to the directory where you want the environment file to reside. For example, if you want the environment file to be created in the APPX services directory, you should change to the services directory before you run the appxAuditMgr command.

Once created, the name of the environment file and the location of the environment file should not be changed. The service that is created will not work correctly if the name or the location of the environment file is changed.

Changed:
<
<
# Appx connection manager environment variables
>
>
# Appx connection manager environment variables
 # # The entries in this file will become # environment variables in the engines
Line: 316 to 281
 # --------------------------------------------------
Changed:
<
<

The Status File (stat)

>
>

The Status File (stat) (Linux only)

 
Changed:
<
<		When an APPX Audit Log Service is started, a status file is created in the specified LogDirectory. If a LogDirectory was not specified, then the status file is created in the /tmp directory.
>
>		On Linux and Unix systems when an APPX Audit Log Service is started, a status file is created in the specified <nop>LogDirectory. If a <nop>LogDirectory was not specified, then the status file is created in the /tmp directory.
  The name of the status file is the concatenation of the service name and ".stat". For example, if the service name is "appxLog8070", the name of the status file will be "appxLog8070.stat".

The status file can be viewed to see the actual context within which the service is running.

Changed:
<
<
appxLog8070 running as process 8665
>
>
appxLog8070 running as process 8665
 Effective User ID 0 Real User ID 0 Configuration values follow
Line: 375 to 340
 

The Log File (log)

Changed:
<
<		When an APPX Audit Log Service is started, a log file is created in the specified LogDirectory. If a LogDirectory was not specified, then the log file is created in the /tmp directory.
>
>		When an APPX Audit Log Service is started on a Linux/Unix system, a log file is created in the specified <nop>LogDirectory. If a <nop>LogDirectory was not specified, then the log file is created in the /tmp directory. On Windows servers, the log file will not be created unless you set CreateLogFile = true when defining the service. The default location for the file is C:\ for Windows.
  The name of the log file is the concatenation of the service name and ".log". For example, if the service name is "appxLog8070", the name of the log file will be "appxLog8070.log".

When the Audit Log service is started, the log file is initialized with the configuration of the Audit Log service. The configuration information is followed by a dialog of messages relating to actions performed by the Audit Log service. Each time the Audit Log service processes a logging request, messages relating to the logging request are appended to the log file.

Changed:
<
<
*Daemonize = true
>
>
*Daemonize = true
 *DontForkEngine = false *InitScriptStyle = *SleepAfterFork =
Line: 428 to 393
 

Deleted:
<
<

Red Hat service command.

Usage (service)

Synopsis - service Command

service [serviceName] [start|stop|restart|status]

Examples:

Warnings:

 

Issues:

  1. When executing the appxAuditMgr command with the -install option, you must include the -name option.

  2. When executing the the appxAuditMgr command with the -install option, you must include the - DisplayName option. If you do not, the ps command will not display a meaningful name for the running service.

Deleted:
<
<

Enhancement Suggestions

 

Notes

More About Log Profiles

Changed:
<
<		Before data can be written to the log file in XML format, you need to define a Log Profile for the monitor.
>
>		Before data can be written to the log file you need to define a Log Profile for the monitor.
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Line: 464 to 417
 

More About the xml Audit Log file

Using a Pattern in a Log File Name

Changed:
<
<		Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory. You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.
>
>		You can change the name of the log file by setting the LogNamePattern in for your service. You can also change the LogRotationInterval and LogRotationSize.
  Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:
Changed:
<
<
>
>
  /tmp/appx_2007-01-31.xml

/tmp/appx_2007-02-28.xml

Deleted:
<
<		The default pattern (as reflected in the serviceName. ini file) is:
LogNamePattern = /tmp/appxlog%N.xml
 Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:
Changed:
<
<
/tmp/appx-11-Jun-08
>
>
/tmp/appx-11-Jun-08
  /tmp/appx-12-Jun-08
Line: 533 to 482
 %% A literal '%' character.
Deleted:
<
<		In Release 5.0.3, specifying %F when starting the audit service on Windows will cause the service to crash.
 

How to Rotate the Audit Log File

Changed:
<
<		To close existent log file and rotate the log, you need issue the following command:

kill -s SIGUSR1 <PID>

where PID is a process ID of the audit log listener. Existent log will be closed and rotated to the next one.

>
>		To close an existing log file and rotate the log just stop and start the service
 

How to View Audit Log Events

The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size.

You can view the log file with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file. You can also use the various xlst processing programs to create queries (such as xsltproc or xalan from Apache).

Deleted:
<
<

Microsoft XML Notepad

Web Browser

xslt

 

Databases

XML files can easily be imported into a RDBMS, which does not have the same file size limitation.

Line: 662 to 600
  Need examples of loading XML Data into an RDBMS
Deleted:
<
<

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.

How to close and rotate the log in Windows?

 

Comments:

Read what other users have said about this page or add your own comments.

Revision 212014-01-07 - AlKalter

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature

Line: 574 to 573
 
<eventID>
  <type/> see above table
  <timeStamp/> ccyymmddhhmmsstt
Added:
>
>
  <sequenceNumber/> 9(3)
 
</eventID>
<sessionID>
  <processID/> 9(6)
Line: 586 to 586
 
  <filename/>
</fileID>
<appxProcessID>
Changed:
<
<
  <type/>
  <name/>
>
>
  <type/> INPUT, SUBR, etc.
  <name/> X(30) - Proc Name
 
  <application/>
  <version/>
  <database/>
Line: 595 to 595
 
</appxProcessID>
<eventRecordID>
  <keySegment> 0-16 instances
Deleted:
<
<
</eventRecordID>
 
<keySegment>
  <fieldName>
  <fieldValue>
</keySegment>
Added:
>
>
</eventRecordID>
 
<eventData>
  <field> 0-n instances
</eventData>
Line: 607 to 607
 
  <fieldName>
  <occurrence>
  <fieldValue>
Changed:
<
<
</fieldData>
>
>
</field>
 
<fieldData> update
  <fieldName>
Added:
>
>
  <occurrence> (optional)
 
  <oldValue>
  <newValue>
</fieldData

Revision 202011-07-27 - JeanNeron

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature

Line: 534 to 534
 %% A literal '%' character.
Added:
>
>		In Release 5.0.3, specifying %F when starting the audit service on Windows will cause the service to crash.
 

How to Rotate the Audit Log File

To close existent log file and rotate the log, you need issue the following command:

Revision 192010-11-12 - JeanNeron

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"
Added:
>
>

APPX Audit Log Feature

 
Changed:
<
<

APPX Audit Log Feature 

This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature.

>
>		This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature.
 

Overview

Changed:
<
<		The APPX Audit Log feature creates an xml log of APPX file I/O activity.  The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX.  The level of activity detail logged can be configured to optionally include read, write, rewrite, delete, create, and restructure events.
>
>		The APPX Audit Log feature creates an xml log of APPX file I/O activity. The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX. The level of activity detail logged can be configured to optionally include read, write, rewrite, delete, create, and restructure events.
 
Changed:
<
<		To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file.

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

>
>		To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file.

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

  The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. So, there is nothing additional that you need to do to install the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.
Line: 21 to 20
  In the event that it is necessary to reset the permissions of the appxAuditMgr command, the following commands can be run by the root user to set the necessary owner and group permissions for the appxAuditMgr command.
Changed:
<
<
cd /usr/local/appx/services
>
>
cd /usr/local/appx/services
 chown root appxAuditMgr chgrp appxgrp appxAuditMgr chmod 4775 appxAuditMgr
Changed:
<
<
>
>

  You can check the permissions of the appxAuditMgr command by running the following command:
Changed:
<
<
ls -l appxAuditMgr
>
>
ls -l appxAuditMgr
  The recommended permissions should be as follows:
Changed:
<
<
-rwsrwxr-x 1 root appxgrp    636843 Jul 11 07:31 appxAuditMgr

Creating and Configuring an Audit Log Service

>
>
-rwsrwxr-x 1 root appxgrp    636843 Jul 11 07:31 appxAuditMgr

Creating and Configuring an Audit Log Service

 
Changed:
<
<		On Unix/Linux systems, an instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port.   Each instance of the Audit Log Service will log file I/O activity to a separate xml file.  By creating more than one instance of the APPX Audit Log Service, you can separate the file I/O activity that is logged into separate files by assigning different Log Profiles to FMS groups or individual files.
>
>		On Unix/Linux systems, an instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port. Each instance of the Audit Log Service will log file I/O activity to a separate xml file. By creating more than one instance of the APPX Audit Log Service, you can separate the file I/O activity that is logged into separate files by assigning different Log Profiles to FMS groups or individual files.
 

Creating an Audit Log Service

Changed:
<
<		Before file I/O activity can be logged, at least one instance of an APPX Audit Log Service must be configured and started.
>
>		Before file I/O activity can be logged, at least one instance of an APPX Audit Log Service must be configured and started.
  The -install option of the appxAuditMgr command is used to initially create, configure, and start an instance of the APPX Audit Log Service. The following steps are performed:
  1. A configuration file (ini) is created
Line: 58 to 49
 
  1. A service is created, including required init files and links. ( On Red Hat, /etc/init.d/ )
  2. The service is started
Changed:
<
<		When creating an instance of the APPX Audit Log Service, you must provide the Service Name, Service Type, and TCP/IP Port Number.  For compete information on using the -install option of the appxAuditMgr command, please refer to the usage section of this page.
>
>		When creating an instance of the APPX Audit Log Service, you must provide the Service Name, Service Type, and TCP/IP Port Number. For compete information on using the -install option of the appxAuditMgr command, please refer to the usage section of this page.
 
Changed:
<
<

Service Name 

>
>

Service Name

  Each instance of an APPX Audit Log Service must have a unique name. When creating an instance of a service, the -name option may be used to specify the name that you want the service to have. If you do not specify a name, a name will be assigned for you for example, appxd-8070.

Service Type

Changed:
<
<		When creating an instance of an APPX Audit Log Service, the -ServiceType option must be specified.  The value of this option must be "logmonitor".
>
>		When creating an instance of an APPX Audit Log Service, the -ServiceType option must be specified. The value of this option must be "logmonitor".
 

TCP/IP Port Number

Changed:
<
<		When creating an instance of an APPX Audit Log Service, the -SockPort option must be used to specify the TCP/IP port number on which the service is to listen for audit logging requests. Any available TCP/IP port number may be specified when installing an instance of the APPX Audit Log Service. However, as a matter of convention, most APPX administrators configure the APPX Audit Log Service to listen for audit log requests on port 8070. If additional instances of the APPX Audit Log Service are configured, each instance is typically assigned the next available port number after 8070.
>
>		When creating an instance of an APPX Audit Log Service, the -SockPort option must be used to specify the TCP/IP port number on which the service is to listen for audit logging requests. Any available TCP/IP port number may be specified when installing an instance of the APPX Audit Log Service. However, as a matter of convention, most APPX administrators configure the APPX Audit Log Service to listen for audit log requests on port 8070. If additional instances of the APPX Audit Log Service are configured, each instance is typically assigned the next available port number after 8070.
 

Changing the Configuration of an Audit Log Service

Two methods are available for modifying an existing instance of an APPX Audit Log Service.

Line: 72 to 64
  Two methods are available for modifying an existing instance of an APPX Audit Log Service.
Added:
>
>
 

Method 1 - The APPX Audit Log Manager Command (appxAuditMgr)

Changed:
<
<		The -modify command and the -replace command of the appxAuditMgr tool can be used to modify or replace a previously configured instance of the APPX Audit Log Service. These options update the existing APPX Audit Log Service configuration files (ini and env) with the options specified. If you use this technique, the service will be automatically restarted for you, using the new settings. Note that when specifying options on the command line, you must prefix them with a dash.
>
>		The -modify command and the -replace command of the appxAuditMgr tool can be used to modify or replace a previously configured instance of the APPX Audit Log Service. These options update the existing APPX Audit Log Service configuration files (ini and env) with the options specified. If you use this technique, the service will be automatically restarted for you, using the new settings. Note that when specifying options on the command line, you must prefix them with a dash.
 

Method 2 - Text Editor

Changed:
<
<		A text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above.  When you edit the configuration files for an instance of the APPX Audit Log Service with a text editor, you must restart the service before the changes take effect.

Managing an Audit Log Service

>
>		A text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above. When you edit the configuration files for an instance of the APPX Audit Log Service with a text editor, you must restart the service before the changes take effect.

Managing an Audit Log Service

  Two methods are available for managing an existing instance of the APPX Audit Log Service.
Line: 83 to 77
 

Method 1 - appxAuditMgr command

The appxAuditMgr command can be used to manage an instance of the APPX Audit Log Service. The appxAuditMgr command can be used to start, stop, restart, or display the status of an instance of an APPX Audit Log Service. The following example shows how to use the appxAuditMgr command to check on the status of an APPX Audit Log Service (must be logged in as root to execute).

Changed:
<
<
[root@500test services]# ./appxAuditMgr -status appxLog8070 
up and running (process 2390 servicing port 8070)
>
>
[root@500test services]# ./appxAuditMgr -status appxLog8070 
up and running (process 2390 servicing port 8070)
 
Deleted:
<
<

Method 2 - O/S Services 

 
Changed:
<
<		Your operating system includes commands or programs that can be used to manage services. APPX Audit Log Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the service command. The following example shows how to use the Red hat service command to check on the status of an APPX Audit Log Service. 
[root@500test services]# service appxLog8070 status 
up and running (process 2390 servicing port 8070)
>
>

Method 2 - O/S Services

Your operating system includes commands or programs that can be used to manage services. APPX Audit Log Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the service command. The following example shows how to use the Red hat service command to check on the status of an APPX Audit Log Service. 

[root@500test services]# service appxLog8070 status 
up and running (process 2390 servicing port 8070)
 

Usage (appxAuditMgr)

Synopsis - Service Configuration

Line: 110 to 103
 

Configuration - Commands

Changed:
<
<		-install -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
>
>		-install -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
  -install -port=PORT -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
The -install command is used to configure a new instance of an APPX Audit Log Service. Either form of the install command may be used.
Changed:
<
<		The first form of the -install command requires only that a service name and service type be specified. All other options are optional including the TCP/IP port. Any option not specified will be configured with an appropriate default value.
>
>		The first form of the -install command requires only that a service name and service type be specified. All other options are optional including the TCP/IP port. Any option not specified will be configured with an appropriate default value.
 
Changed:
<
<		The second form of the -install command requires only that a TCP/IP port and service type be specified. All other options are optional including the ServiceName. Any option not specified will be configured with an appropriate default value.
>
>		The second form of the -install command requires only that a TCP/IP port and service type be specified. All other options are optional including the ServiceName. Any option not specified will be configured with an appropriate default value.
 
Changed:
<
<		Both forms of the -install command allow additional configuration options to be specified. The configuration options specified are stored in the service configuration file (ini).
>
>		Both forms of the -install command allow additional configuration options to be specified. The configuration options specified are stored in the service configuration file (ini).
  Both forms of the -install command optionally allow values to be specified for environment variables. If specified, the environment variables and their values are stored in the environment configuration file (env). There is currently no need to set any environment variables.

In addition to creating the service configuration file and the environment configuration file, the -install command also creates an operating system service that will be automatically started when the computer system is started.

Changed:
<
<		After creating the configuration files and the operating system service, the -install command starts the service. -modify -name=SERVICENAME [options]... [VARIABLE=VALUE]...
>
>		After creating the configuration files and the operating system service, the -install command starts the service. -modify -name=SERVICENAME [options]... [VARIABLE=VALUE]...
  The -modify command is used to modify the configuration of an existing Audit Log Service. The specified options will be updated in the service configuration files. Any options not specified will not be changed. After updating the configuration files, the -modify command restarts the service.

Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.

Changed:
<
<		Note that the -modify command updates the service configuration file and the environment configuration file by removing the old files and creating new files with the updated options and environment variables.  Any comments that may have been manually added to these configuration files are not preserved.
>
>		Note that the -modify command updates the service configuration file and the environment configuration file by removing the old files and creating new files with the updated options and environment variables. Any comments that may have been manually added to these configuration files are not preserved.
 
Changed:
<
<		-replace -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
>
>		-replace -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
 
The -replace command is used to replace an existing Audit Log Service with a new Audit Log Service with the same name. The -replace command is effectively the same as a -remove command followed by an -install command. After updating the configuration files, the -replace command restarts the service. Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.

-remove -name=SERVICENAME

Line: 142 to 137
 

Configuration - Options

Options - General
Changed:
<
<		-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
>
>		-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
  -DisplayName=DISPLAYNAME
Changed:
<
<		The DisplayName is a "user-friendly" descriptive name for an Audit Log Service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when an Audit Log Service is being created, the Audit Log Service will be created with a DISPLAYNAME based on the SERVICENAME.
>
>		The DisplayName is a "user-friendly" descriptive name for an Audit Log Service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when an Audit Log Service is being created, the Audit Log Service will be created with a DISPLAYNAME based on the SERVICENAME.
 
Changed:
<
<		-LogDirectory={/tmp, LOGDIR}
>
>		-LogDirectory={/tmp, LOGDIR}
 
When the service is started, two log files are created in the LOGDIR directory - an Audit Log Service log file (.log) and a status file (.stat). Both log files have the same name as the ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the LogDirectory option is not specified, the log files are created in the /tmp directory.

-ServiceType=logmonitor

Changed:
<
<
The only valid value when configuring an Audit Log Service is "logmonitor". Note: This option must be specified.
>
>
The only valid value when configuring an Audit Log Service is "logmonitor". Note: This option must be specified.
 
Changed:
<
<		-ServiceDisable={true, false}
This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.
>
>		-ServiceDisable={true, false}
This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.
  -initScript={lsb, RedHat}
Used with -install option to specify the type of operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.
Line: 161 to 156
  -initScript={lsb, RedHat}
Used with -install option to specify the type of operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.
Added:
>
>
 
Options - Audit Log
Changed:
<
<		-LogNamePattern={/tmp/logmon%N.xml, AUDITLOGPATHNAME}
>
>		-LogNamePattern={/tmp/logmon%N.xml, AUDITLOGPATHNAME}
 
Changed:
<
<		The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service.  The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.
>
>		The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service. The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.

-LogRotationInterval={86400, MAXSECONDS}

The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created. The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
 
Changed:
<
<		-LogRotationInterval={86400, MAXSECONDS}
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created.  The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
>
>		-LogRotationSize={1G, MAXSIZE}
The LogRotationSize is the maximum size that an Audit Log file is allowed to be. When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
 
Deleted:
<
<		-LogRotationSize={1G, MAXSIZE}
The LogRotationSize is the maximum size that an Audit Log file is allowed to be.  When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
 
Options - TCP/IP
Changed:
<
<		-port, -SockPort={8060, PORT}
Configure the service to listen for audit log requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
>
>		-port, -SockPort={8060, PORT}
Configure the service to listen for audit log requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
 

Configuration - Environment Variables

Changed:
<
<
VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created.  There is currently no reason to use this feature.
>
>
VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created. There is currently no reason to use this feature.
 

Synopsis - Service Management

appxAuditMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}

MANAGEMENT OPTIONS

Changed:
<
<
-start | < blank >
Start an instance of the Audit Log Service using the configuration information in the SERVICENAME.ini and the SERVICENAME.env files.
>
>
-start | < blank >
Start an instance of the Audit Log Service using the configuration information in the SERVICENAME.ini and the SERVICENAME.env files.
  -stop
Changed:
<
<
Stop the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Stop the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
  -restart
Changed:
<
<
Restart (stop and then start) the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Restart (stop and then start) the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
  -status
Changed:
<
<
Report the status of the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Report the status of the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
  EXAMPLES
Changed:
<
<		Example 1 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070:
>
>		Example 1 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070:
 
Changed:
<
<		appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor    
[root@localhost services]# ./appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor
>
>		appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor 
[root@localhost services]# ./appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor
 Configuration written to: appxLog8070.ini Environment written to: appxLog8070.env Service script written to: /etc/init.d/appxLog8070
Line: 214 to 206
 running as process 12859 servicing port 8070 up and running (process 12859 servicing port 8070) Installation Complete
Changed:
<
<
>
>

 
Changed:
<
<		Example 2 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070.  The service name and descriptive name are also specified.
>
>		Example 2 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070. The service name and descriptive name are also specified.
 
Changed:
<
<		appxAuditMgr -install -port=8070 -name=appxLog8070 -displayName="Appx-Audit-Log(8070)" -ServiceType=logmonitor
>
>		appxAuditMgr -install -port=8070 -name=appxLog8070 -displayName="Appx-Audit-Log(8070)" -ServiceType=logmonitor
  Example 2 - Display the status of an instance of the Audit Log Service:
Line: 249 to 240
  Once created, the name of the configuration file and the location of the configuration file should not be changed. The service that is created will not work correctly if the name or the location of the configuration file is changed.
Changed:
<
<		Note: The Configuration file for an APPX Audit Log service (as shown below) looks very much like the configuration file for an APPX Login Manager service.  You should ignore the configuration options that do not apply to an APPX Audit Log service.  Note that the extraneous options are all preceded by a "#" which causes them to be treated as comments.  Although these extraneous options are of no consequence, they will be removed in a future release.  
# Appx connection manager configuration file
>
>		Note: The Configuration file for an APPX Audit Log service (as shown below) looks very much like the configuration file for an APPX Login Manager service. You should ignore the configuration options that do not apply to an APPX Audit Log service. Note that the extraneous options are all preceded by a "#" which causes them to be treated as comments. Although these extraneous options are of no consequence, they will be removed in a future release. 
# Appx connection manager configuration file
 #
Changed:
<
<		#   You can change this file by hand, or #   use the uappxd program for better results
>
>		# You can change this file by hand, or # use the uappxd program for better results
 #
Changed:
<
<		#   blank lines are ignored
>
>		# blank lines are ignored
 #
Changed:
<
<		#   anything following a '#' is treated as a comment
>
>		# anything following a '#' is treated as a comment
 #
Changed:
<
<		#   case is not important on the left-hand side #   properties whose descriptions end in a '?' are #   boolean and should be set to true or false # --------------------------------------------------

# AppxApplication            =                     #startup application for spawned engines # AppxDatabase               =                     #startup database for spawned engines AppxExecutable               = /usr/local/appx500/appx#pathname to Appx engine # AppxProcessName            =                     #startup process name for spawned engines # AppxProcessType            =                     #startup process type for spawned engines # AuthenticationMethod       = OS-User             #authentication method (OS-User, Appx-User, HT-User(filename)) DisplayName                  = appxLog8070         #descriptive name # ImpersonateGID             = true                #change effective grouo ID for spawned engines? # ImpersonateGroup           = User                #[LogonUser, NamedGroup(groupname), ServiceOwner] # ImpersonateUID             = true                #change effective user ID for spawned engines? # ImpersonateUser            = LogonUser           #[LogonUser, NamedUser(username), ServiceOwner] # LoadSystemEnvironment      = true                #load default system-defined environment variables into spawned engines? # LogDirectory               = /tmp                #directory where log file should reside # LogNamePattern             = /tmp/appxlog%N.xml  #audit log filename pattern (see man strftime for details # LogRotationInterval        = 86400               #number of seconds between audit log rotations # LogRotationSize            = 1G                  #maximum audit log file size # RequireSSL                 = false               #Require SSL-secured connections? # RequireSSLClientCertificates = false               #require SSL-client certificates? # ServerCertificateFile      =                     #pathname of server's X509 certificate (leave blank for anonymous connections # ServerPrivateKeyFile       =                     #pathname of server's private key file (unlocks the ServerCertificateFile) # ServerPrivateKeyPassphrase =                     #passphrase that unlocks ServerPrivateKeyFile # ServiceDisable             = false               #disable this service? # ServiceDisableAppxKeys     = false               #disable keyboard mapping? # ServiceDisableFMS          = false               #disable AppxNET connections? # ServiceDisableLogins       = false               #disable interactive logins? # ServiceEnableCmds          = true                #allow client-side startup options? ServiceName                  = appxLog8070         #name of service ServiceType                  = logmonitor          #service type (login or logmonitor) SockPort                     = 8070                #port number to service # SSLMode                    = Optional            #SSL connection type (optional, required, disabled) # TCPEnableKeepAlive         = true                #Enable TCP dead-connection detection # TCPKeepCount               = 8                   #Maximum number of keep-alive pings # TCPKeepIdle                = 300                 #Idle time before ping sent to client (in seconds) # TCPKeepInterval            = 60                  #Interval between keep-alive pings # TCPNoDelay                 = true                #disable TCP packet filling delay? # TrustedCAFile              =                     #determines which client certificates to trust # Umask                      =                     #umask (file creation mask) given to spawned engines

>
>		# case is not important on the left-hand side # properties whose descriptions end in a '?' are # boolean and should be set to true or false # --------------------------------------------------

# AppxApplication = #startup application for spawned engines # AppxDatabase = #startup database for spawned engines AppxExecutable = /usr/local/appx500/appx#pathname to Appx engine # AppxProcessName = #startup process name for spawned engines # AppxProcessType = #startup process type for spawned engines # AuthenticationMethod = OS-User #authentication method (OS-User, Appx-User, HT-User(filename)) DisplayName = appxLog8070 #descriptive name # ImpersonateGID = true #change effective grouo ID for spawned engines? # ImpersonateGroup = User #[LogonUser, NamedGroup(groupname), ServiceOwner] # ImpersonateUID = true #change effective user ID for spawned engines? # ImpersonateUser = LogonUser #[LogonUser, NamedUser(username), ServiceOwner] # LoadSystemEnvironment = true #load default system-defined environment variables into spawned engines? # LogDirectory = /tmp #directory where log file should reside # LogNamePattern = /tmp/appxlog%N.xml #audit log filename pattern (see man strftime for details # LogRotationInterval = 86400 #number of seconds between audit log rotations # LogRotationSize = 1G #maximum audit log file size # RequireSSL = false #Require SSL-secured connections? # RequireSSLClientCertificates = false #require SSL-client certificates? # ServerCertificateFile = #pathname of server's X509 certificate (leave blank for anonymous connections # ServerPrivateKeyFile = #pathname of server's private key file (unlocks the ServerCertificateFile) # ServerPrivateKeyPassphrase = #passphrase that unlocks ServerPrivateKeyFile # ServiceDisable = false #disable this service? # ServiceDisableAppxKeys = false #disable keyboard mapping? # ServiceDisableFMS = false #disable AppxNET connections? # ServiceDisableLogins = false #disable interactive logins? # ServiceEnableCmds = true #allow client-side startup options? ServiceName = appxLog8070 #name of service ServiceType = logmonitor #service type (login or logmonitor) SockPort = 8070 #port number to service # SSLMode = Optional #SSL connection type (optional, required, disabled) # TCPEnableKeepAlive = true #Enable TCP dead-connection detection # TCPKeepCount = 8 #Maximum number of keep-alive pings # TCPKeepIdle = 300 #Idle time before ping sent to client (in seconds) # TCPKeepInterval = 60 #Interval between keep-alive pings # TCPNoDelay = true #disable TCP packet filling delay? # TrustedCAFile = #determines which client certificates to trust # Umask = #umask (file creation mask) given to spawned engines

 

The Environment File (env)

Each instance of an APPX Audit Log Service has an environment file that is used to store the environment variables relating to that specific instance of the Audit Log Service. However, there is currently no requirement to set any environment variables when configuring an APPX Audit Log service.

Line: 314 to 303
 The environment file is created in whichever directory is your current directory at the time that the appxAuditMgr command is run to create the service. Therefore, before you run the appxAuditMgr command to create a service, you must first change to the directory where you want the environment file to reside. For example, if you want the environment file to be created in the APPX services directory, you should change to the services directory before you run the appxAuditMgr command.

Once created, the name of the environment file and the location of the environment file should not be changed. The service that is created will not work correctly if the name or the location of the environment file is changed.

Changed:
<
<
# Appx connection manager environment variables
>
>
# Appx connection manager environment variables
 # # The entries in this file will become # environment variables in the engines
Line: 328 to 315
 # # letter case IS important in this file # --------------------------------------------------
Changed:
<
<
>
>
 

The Status File (stat)

Changed:
<
<		When an APPX Audit Log Service is started, a status file is created in the specified LogDirectory. If a LogDirectory was not specified, then the status file is created in the /tmp directory.
>
>		When an APPX Audit Log Service is started, a status file is created in the specified LogDirectory. If a LogDirectory was not specified, then the status file is created in the /tmp directory.
  The name of the status file is the concatenation of the service name and ".stat". For example, if the service name is "appxLog8070", the name of the status file will be "appxLog8070.stat".

The status file can be viewed to see the actual context within which the service is running.

Changed:
<
<
appxLog8070 running as process 8665
>
>
appxLog8070 running as process 8665
 Effective User ID 0
Changed:
<
<		Real User ID      0
>
>		Real User ID 0
 Configuration values follow *Daemonize = true *DontForkEngine = false
Line: 387 to 372
 Umask = Environment variables follow Logging to /tmp/appxlog3.xml
Changed:
<
<
>
>
 

The Log File (log)

When an APPX Audit Log Service is started, a log file is created in the specified LogDirectory. If a LogDirectory was not specified, then the log file is created in the /tmp directory.

The name of the log file is the concatenation of the service name and ".log". For example, if the service name is "appxLog8070", the name of the log file will be "appxLog8070.log".

Changed:
<
<		When the Audit Log service is started, the log file is initialized with the configuration of the Audit Log service. The configuration information is followed by a dialog of messages relating to actions performed by the Audit Log service. Each time the Audit Log service processes a logging request, messages relating to the logging request are appended to the log file. 
*Daemonize = true
>
>		When the Audit Log service is started, the log file is initialized with the configuration of the Audit Log service. The configuration information is followed by a dialog of messages relating to actions performed by the Audit Log service. Each time the Audit Log service processes a logging request, messages relating to the logging request are appended to the log file. 
*Daemonize = true
 *DontForkEngine = false *InitScriptStyle = *SleepAfterFork =
Line: 443 to 426
 createListener complete - listening on port 8070 CAppxD::Run starting monitorLog - starting
Changed:
<
<
>
>
 

Red Hat service command.

Line: 453 to 435
 

Synopsis - service Command

Changed:
<
<		service [serviceName] [start|stop|restart|status]
>
>		service [serviceName] [start|stop|restart|status]
 

Examples:

Warnings:

Issues:

Changed:
<
<
  1. When executing the appxAuditMgr command with the -install option, you must include the -name option.
  2. When executing the the appxAuditMgr command with the -install option, you must include the - DisplayName option.  If you do not, the ps command will not display a meaningful name for the running service.
>
>

  1. When executing the appxAuditMgr command with the -install option, you must include the -name option.

  2. When executing the the appxAuditMgr command with the -install option, you must include the - DisplayName option. If you do not, the ps command will not display a meaningful name for the running service.

 

Enhancement Suggestions

Notes

More About Log Profiles

Line: 467 to 451
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Changed:
<
<		@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
>
>		servername:8064
  Then click on Log File Parameters and make sure you check parameters that you wish to log:
Line: 479 to 463
  You can now assign this FMS group to the file(s) that you wish to monitor.

More About the xml Audit Log file

Changed:
<
<

Using a Pattern in a Log File Name

>
>

Using a Pattern in a Log File Name

  Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory. You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.
Line: 488 to 472
  /tmp/appx_2007-01-31.xml
Changed:
<
<		/tmp/appx_2007-02-28.xml
>
>		/tmp/appx_2007-02-28.xml
  The default pattern (as reflected in the serviceName. ini file) is:
LogNamePattern = /tmp/appxlog%N.xml
Line: 498 to 483
  /tmp/appx-12-Jun-08
Changed:
<
<		...
>
>		...
  If you restart the log monitor on 11-Jun-08 (and your LogNamePattern specifies %D-%B-%Y), any existing log file with that name would be replaced. Of course, you can include time components in the LogNamePattern to avoid that problem (or add %N to the pattern to include a sequence number). Here's the complete list of valid specifiers (from the strftime man page):
Changed:
<
<
%a The abbreviated weekday name according to the current locale.
>
>
%a The abbreviated weekday name according to the current locale.
 %A The full weekday name according to the current locale. %b The abbreviated month name according to the current locale. %B The full month name according to the current locale.
Line: 553 to 539
 To close existent log file and rotate the log, you need issue the following command:
Changed:
<
<		kill -s SIGUSR1 <PID>
>
>		kill -s SIGUSR1 <PID>
  where PID is a process ID of the audit log listener. Existent log will be closed and rotated to the next one.

How to View Audit Log Events

Line: 573 to 560
 
type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Changed:
<
<
Read
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Update
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Insert
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Delete
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Scratch
Yes
Yes
Yes
Yes
 No
File Create
Yes
Yes
Yes
Yes
 No Yes
Restructure
Yes
Yes
Yes
Yes
 No
>
>
Read Yes Yes Yes Yes Indexed Files Yes No
Update Yes Yes Yes Yes Indexed Files Yes No
Insert Yes Yes Yes Yes Indexed Files Yes No
Delete Yes Yes Yes Yes Indexed Files Yes No
Scratch Yes Yes Yes Yes No
File Create Yes Yes Yes Yes No Yes
Restructure Yes Yes Yes Yes No
 
node node/element value
<eventID>
Line: 678 to 665
  In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.
Changed:
<
<		How to close and rotate the log in Windows?
>
>		How to close and rotate the log in Windows?
 

Comments:

Read what other users have said about this page or add your own comments.

Line: 687 to 674
  
<--/commentPlugin-->
Deleted:
<
<		-- SteveFrizzell - 20 Jun 2008 %META:FILEATTACHMENT{name="subrs.xslt" attachment="subrs.xslt" attr="" comment="xslt program to extract subroutine calls" date="1219770177" path="subrs.xslt" size="1866" stream="subrs.xslt" user="Main.JeanNeron" version="1"}% %META:FILEATTACHMENT{name="structure.xslt" attachment="structure.xslt" attr="" comment="xslt program to extract file create events" date="1219770121" path="structure.xslt" size="1629" stream="structure.xslt" user="Main.JeanNeron" version="1"}%
 \ No newline at end of file
Added:
>
>		-- SteveFrizzell - 20 Jun 2008
  • subrs.xslt: subrs.xslt extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name.

  • structure.xslt: structure.xslt will extract any FileCreate events from a log and produces an HTML table that shows the structure of each file that you create.

META FILEATTACHMENT attachment="subrs.xslt" attr="" comment="subrs.xslt extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name." date="1289520846" name="subrs.xslt" path="subrs.xslt" size="1908" stream="subrs.xslt" tmpFilename="/tmp/TOiLGVKvXf" user="JeanNeron" version="2"
META FILEATTACHMENT attachment="structure.xslt" attr="" comment="structure.xslt will extract any FileCreate events from a log and produces an HTML table that shows the structure of each file that you create." date="1289520985" name="structure.xslt" path="structure.xslt" size="1682" stream="structure.xslt" tmpFilename="/tmp/EWSFPUuB8E" user="JeanNeron" version="2"

Revision 182009-05-28 - AlKalter

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature 

Line: 168 to 168
 The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service.  The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.

-LogRotationInterval={86400, MAXSECONDS}

Changed:
<
<
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created.  The default value of 86000 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
>
>
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created.  The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
  -LogRotationSize={1G, MAXSIZE}
The LogRotationSize is the maximum size that an Audit Log file is allowed to be.  When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
Line: 467 to 467
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Changed:
<
<		@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
>
>		@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
  Then click on Log File Parameters and make sure you check parameters that you wish to log:

Revision 172009-01-27 - AlKalter

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"
Changed:
<
<

APPX Audit Log Feature 

>
>

APPX Audit Log Feature 

 
Changed:
<
<		This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature.
>
>		This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature.
 

Overview

Changed:
<
<		The APPX Audit Log feature creates an xml log of APPX file I/O activity.  The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX.  The level of activity detail logged can be configured to optionally include read, write, rewrite, delete, create, and restructure events.
>
>		The APPX Audit Log feature creates an xml log of APPX file I/O activity.  The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX.  The level of activity detail logged can be configured to optionally include read, write, rewrite, delete, create, and restructure events.
 
Changed:
<
<		To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file.

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

>
>		To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file.

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

  The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. So, there is nothing additional that you need to do to install the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.
Line: 45 to 45
 -rwsrwxr-x 1 root appxgrp 636843 Jul 11 07:31 appxAuditMgr
Changed:
<
<

Creating and Configuring an Audit Log Service

>
>

Creating and Configuring an Audit Log Service

 
Changed:
<
<		On Unix/Linux systems, an instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port.   Each instance of the Audit Log Service will log file I/O activity to a separate xml file.  By creating more than one instance of the APPX Audit Log Service, you can separate the file I/O activity that is logged into separate files by assigning different Log Profiles to FMS groups or individual files.
>
>		On Unix/Linux systems, an instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port.   Each instance of the Audit Log Service will log file I/O activity to a separate xml file.  By creating more than one instance of the APPX Audit Log Service, you can separate the file I/O activity that is logged into separate files by assigning different Log Profiles to FMS groups or individual files.
 

Creating an Audit Log Service

Changed:
<
<		Before file I/O activity can be logged, at least one instance of an APPX Audit Log Service must be configured and started.
>
>		Before file I/O activity can be logged, at least one instance of an APPX Audit Log Service must be configured and started.
  The -install option of the appxAuditMgr command is used to initially create, configure, and start an instance of the APPX Audit Log Service. The following steps are performed:
  1. A configuration file (ini) is created
Line: 58 to 58
 
  1. A service is created, including required init files and links. ( On Red Hat, /etc/init.d/ )
  2. The service is started
Changed:
<
<		When creating an instance of the APPX Audit Log Service, you must provide the Service Name, Service Type, and TCP/IP Port Number.  For compete information on using the -install option of the appxAuditMgr command, please refer to the usage section of this page.

Service Name 

>
>		When creating an instance of the APPX Audit Log Service, you must provide the Service Name, Service Type, and TCP/IP Port Number.  For compete information on using the -install option of the appxAuditMgr command, please refer to the usage section of this page.

Service Name 

  Each instance of an APPX Audit Log Service must have a unique name. When creating an instance of a service, the -name option may be used to specify the name that you want the service to have. If you do not specify a name, a name will be assigned for you for example, appxd-8070.

Service Type

Changed:
<
<		When creating an instance of an APPX Audit Log Service, the -ServiceType option must be specified.  The value of this option must be "logmonitor".
>
>		When creating an instance of an APPX Audit Log Service, the -ServiceType option must be specified.  The value of this option must be "logmonitor".
 

TCP/IP Port Number

Changed:
<
<		When creating an instance of an APPX Audit Log Service, the -SockPort option must be used to specify the TCP/IP port number on which the service is to listen for audit logging requests. Any available TCP/IP port number may be specified when installing an instance of the APPX Audit Log Service. However, as a matter of convention, most APPX administrators configure the APPX Audit Log Service to listen for audit log requests on port 8070. If additional instances of the APPX Audit Log Service are configured, each instance is typically assigned the next available port number after 8070.
>
>		When creating an instance of an APPX Audit Log Service, the -SockPort option must be used to specify the TCP/IP port number on which the service is to listen for audit logging requests. Any available TCP/IP port number may be specified when installing an instance of the APPX Audit Log Service. However, as a matter of convention, most APPX administrators configure the APPX Audit Log Service to listen for audit log requests on port 8070. If additional instances of the APPX Audit Log Service are configured, each instance is typically assigned the next available port number after 8070.
 

Changing the Configuration of an Audit Log Service

Two methods are available for modifying an existing instance of an APPX Audit Log Service.

Changed:
<
<
>
>
 

Method 1 - The APPX Audit Log Manager Command (appxAuditMgr)

Changed:
<
<		The -modify command and the -replace command of the appxAuditMgr tool can be used to modify or replace a previously configured instance of the APPX Audit Log Service. These options update the existing APPX Audit Log Service configuration files (ini and env) with the options specified. If you use this technique, the service will be automatically restarted for you, using the new settings. Note that when specifying options on the command line, you must prefix them with a dash.
>
>		The -modify command and the -replace command of the appxAuditMgr tool can be used to modify or replace a previously configured instance of the APPX Audit Log Service. These options update the existing APPX Audit Log Service configuration files (ini and env) with the options specified. If you use this technique, the service will be automatically restarted for you, using the new settings. Note that when specifying options on the command line, you must prefix them with a dash.
 

Method 2 - Text Editor

Changed:
<
<		A text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above.  When you edit the configuration files for an instance of the APPX Audit Log Service with a text editor, you must restart the service before the changes take effect.

Managing an Audit Log Service

>
>		A text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above.  When you edit the configuration files for an instance of the APPX Audit Log Service with a text editor, you must restart the service before the changes take effect.

Managing an Audit Log Service

  Two methods are available for managing an existing instance of the APPX Audit Log Service.

Method 1 - appxAuditMgr command

Changed:
<
<		The appxAuditMgr command can be used to manage an instance of the APPX Audit Log Service. The appxAuditMgr command can be used to start, stop, restart, or display the status of an instance of an APPX Audit Log Service. The following example shows how to use the appxLogMgr command to check on the status of an APPX Audit Log Service.
>
>		The appxAuditMgr command can be used to manage an instance of the APPX Audit Log Service. The appxAuditMgr command can be used to start, stop, restart, or display the status of an instance of an APPX Audit Log Service. The following example shows how to use the appxAuditMgr command to check on the status of an APPX Audit Log Service (must be logged in as root to execute).
 
Changed:
<
<

[root@500test services]# appxLogMgr -status appxLog8070

>
>

[root@500test services]# ./appxAuditMgr -status appxLog8070

 up and running (process 2390 servicing port 8070)
Changed:
<
<

Method 2 - O/S Services 

>
>

Method 2 - O/S Services 

 
Changed:
<
<		Your operating system includes commands or programs that can be used to manage services. APPX Audit Log Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the service command. The following example shows how to use the Red hat service command to check on the status of an APPX Audit Log Service.
>
>		Your operating system includes commands or programs that can be used to manage services. APPX Audit Log Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the service command. The following example shows how to use the Red hat service command to check on the status of an APPX Audit Log Service.
 
Changed:
<
<

[root@500test services]# service appxLog8070 status

>
>

[root@500test services]# service appxLog8070 status

 up and running (process 2390 servicing port 8070)

Usage (appxAuditMgr)

Changed:
<
<
>
>
 

Synopsis - Service Configuration

Changed:
<
<
The appxAuditMgr service configuration commands are used to create, configure, and remove an instance of an APPX Audit Log Service.
>
>
The appxAuditMgr service configuration commands are used to create, configure, and remove an instance of an APPX Audit Log Service.
  appxAuditMgr -install -serviceName=SERVICENAME -ServiceType=logmonitor -SockPort=[TCP-Port] [options]... [VARIABLE=VALUE]...
Line: 108 to 108
  appxAuditMgr -remove -serviceName=SERVICENAME

Configuration - Commands

Changed:
<
<
>
>
 
Changed:
<
<		-install -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
>
>		-install -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
  -install -port=PORT -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
Changed:
<
<
The -install command is used to configure a new instance of an APPX Audit Log Service. Either form of the install command may be used.
>
>
The -install command is used to configure a new instance of an APPX Audit Log Service. Either form of the install command may be used.
 
Changed:
<
<		The first form of the -install command requires only that a service name and service type be specified. All other options are optional including the TCP/IP port. Any option not specified will be configured with an appropriate default value.
>
>		The first form of the -install command requires only that a service name and service type be specified. All other options are optional including the TCP/IP port. Any option not specified will be configured with an appropriate default value.
 
Changed:
<
<		The second form of the -install command requires only that a TCP/IP port and service type be specified. All other options are optional including the ServiceName. Any option not specified will be configured with an appropriate default value.
>
>		The second form of the -install command requires only that a TCP/IP port and service type be specified. All other options are optional including the ServiceName. Any option not specified will be configured with an appropriate default value.
 
Changed:
<
<		Both forms of the -install command allow additional configuration options to be specified. The configuration options specified are stored in the service configuration file (ini).
>
>		Both forms of the -install command allow additional configuration options to be specified. The configuration options specified are stored in the service configuration file (ini).
  Both forms of the -install command optionally allow values to be specified for environment variables. If specified, the environment variables and their values are stored in the environment configuration file (env). There is currently no need to set any environment variables.

In addition to creating the service configuration file and the environment configuration file, the -install command also creates an operating system service that will be automatically started when the computer system is started.

After creating the configuration files and the operating system service, the -install command starts the service. -modify -name=SERVICENAME [options]... [VARIABLE=VALUE]...

Changed:
<
<
>
>
  The -modify command is used to modify the configuration of an existing Audit Log Service. The specified options will be updated in the service configuration files. Any options not specified will not be changed. After updating the configuration files, the -modify command restarts the service.

Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.

Changed:
<
<		Note that the -modify command updates the service configuration file and the environment configuration file by removing the old files and creating new files with the updated options and environment variables.  Any comments that may have been manually added to these configuration files are not preserved.
>
>		Note that the -modify command updates the service configuration file and the environment configuration file by removing the old files and creating new files with the updated options and environment variables.  Any comments that may have been manually added to these configuration files are not preserved.
 
Changed:
<
<		-replace -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
The -replace command is used to replace an existing Audit Log Service with a new Audit Log Service with the same name. The -replace command is effectively the same as a -remove command followed by an -install command. After updating the configuration files, the -replace command restarts the service. Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.
>
>		-replace -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
The -replace command is used to replace an existing Audit Log Service with a new Audit Log Service with the same name. The -replace command is effectively the same as a -remove command followed by an -install command. After updating the configuration files, the -replace command restarts the service. Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.
  -remove -name=SERVICENAME
Changed:
<
<
The -remove command is used to remove an existing Audit Log Service. The -remove command will remove the configuration files (ini and env) and the corresponding operating system service. If the service is running when the -remove command is executed, the -remove command will first stop the service and then remove the service.
>
>
The -remove command is used to remove an existing Audit Log Service. The -remove command will remove the configuration files (ini and env) and the corresponding operating system service. If the service is running when the -remove command is executed, the -remove command will first stop the service and then remove the service.
 

Configuration - Options

Changed:
<
<
>
>
 
Options - General
-name, -ServiceName=SERVICENAME
Changed:
<
<
The ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
>
>
The ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
  -DisplayName=DISPLAYNAME
Changed:
<
<
>
>
  The DisplayName is a "user-friendly" descriptive name for an Audit Log Service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when an Audit Log Service is being created, the Audit Log Service will be created with a DISPLAYNAME based on the SERVICENAME.

-LogDirectory={/tmp, LOGDIR}

Changed:
<
<
When the service is started, two log files are created in the LOGDIR directory - an Audit Log Service log file (.log) and a status file (.stat). Both log files have the same name as the ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the LogDirectory option is not specified, the log files are created in the /tmp directory.
>
>
When the service is started, two log files are created in the LOGDIR directory - an Audit Log Service log file (.log) and a status file (.stat). Both log files have the same name as the ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the LogDirectory option is not specified, the log files are created in the /tmp directory.
  -ServiceType=logmonitor
Changed:
<
<
The only valid value when configuring an Audit Log Service is "logmonitor". Note: This option must be specified.
>
>
The only valid value when configuring an Audit Log Service is "logmonitor". Note: This option must be specified.
  -ServiceDisable={true, false}
Changed:
<
<
This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.
>
>
This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.
  -initScript={lsb, RedHat}
Changed:
<
<
Used with -install option to specify the type of operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.
>
>
Used with -install option to specify the type of operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.
 
Options - Audit Log
-LogNamePattern={/tmp/logmon%N.xml, AUDITLOGPATHNAME}
Changed:
<
<
>
>
 
Changed:
<
<		The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service.  The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.
>
>		The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service.  The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.
  -LogRotationInterval={86400, MAXSECONDS}
Changed:
<
<
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created.  The default value of 86000 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
>
>
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created.  The default value of 86000 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
  -LogRotationSize={1G, MAXSIZE}
Changed:
<
<
The LogRotationSize is the maximum size that an Audit Log file is allowed to be.  When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
>
>
The LogRotationSize is the maximum size that an Audit Log file is allowed to be.  When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
 
Options - TCP/IP
-port, -SockPort={8060, PORT}
Changed:
<
<
Configure the service to listen for audit log requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
>
>
Configure the service to listen for audit log requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
 

Configuration - Environment Variables

Changed:
<
<
VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created.  There is currently no reason to use this feature.
>
>
VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created.  There is currently no reason to use this feature.
 

Synopsis - Service Management

Changed:
<
<
appxAuditMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}
>
>
appxAuditMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}
  MANAGEMENT OPTIONS
Changed:
<
<
-start | < blank >
Start an instance of the Audit Log Service using the configuration information in the SERVICENAME.ini and the SERVICENAME.env files.
>
>
-start | < blank >
Start an instance of the Audit Log Service using the configuration information in the SERVICENAME.ini and the SERVICENAME.env files.
  -stop
Changed:
<
<
Stop the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Stop the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
  -restart
Changed:
<
<
Restart (stop and then start) the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Restart (stop and then start) the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
  -status
Changed:
<
<
Report the status of the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Report the status of the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
  EXAMPLES
Changed:
<
<		Example 1 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070:
>
>		Example 1 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070:
 
Changed:
<
<		appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor   
>
>		appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor   
 
[root@localhost services]# ./appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor
Line: 217 to 217
 
Changed:
<
<		Example 2 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070.  The service name and descriptive name are also specified.
>
>		Example 2 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070.  The service name and descriptive name are also specified.
 
Changed:
<
<		appxAuditMgr -install -port=8070 -name=appxLog8070 -displayName="Appx-Audit-Log(8070)" -ServiceType=logmonitor
>
>		appxAuditMgr -install -port=8070 -name=appxLog8070 -displayName="Appx-Audit-Log(8070)" -ServiceType=logmonitor
  Example 2 - Display the status of an instance of the Audit Log Service:
Line: 249 to 249
  Once created, the name of the configuration file and the location of the configuration file should not be changed. The service that is created will not work correctly if the name or the location of the configuration file is changed.
Changed:
<
<		Note: The Configuration file for an APPX Audit Log service (as shown below) looks very much like the configuration file for an APPX Login Manager service.  You should ignore the configuration options that do not apply to an APPX Audit Log service.  Note that the extraneous options are all preceded by a "#" which causes them to be treated as comments.  Although these extraneous options are of no consequence, they will be removed in a future release. 
>
>		Note: The Configuration file for an APPX Audit Log service (as shown below) looks very much like the configuration file for an APPX Login Manager service.  You should ignore the configuration options that do not apply to an APPX Audit Log service.  Note that the extraneous options are all preceded by a "#" which causes them to be treated as comments.  Although these extraneous options are of no consequence, they will be removed in a future release. 
 
# Appx connection manager configuration file
#
Changed:
<
<		#   You can change this file by hand, or #   use the uappxd program for better results
>
>		#   You can change this file by hand, or #   use the uappxd program for better results
 #
Changed:
<
<		#   blank lines are ignored
>
>		#   blank lines are ignored
 #
Changed:
<
<		#   anything following a '#' is treated as a comment
>
>		#   anything following a '#' is treated as a comment
 #
Changed:
<
<		#   case is not important on the left-hand side #   properties whose descriptions end in a '?' are #   boolean and should be set to true or false # --------------------------------------------------

# AppxApplication            =                     #startup application for spawned engines # AppxDatabase               =                     #startup database for spawned engines AppxExecutable               = /usr/local/appx500/appx#pathname to Appx engine # AppxProcessName            =                     #startup process name for spawned engines # AppxProcessType            =                     #startup process type for spawned engines # AuthenticationMethod       = OS-User             #authentication method (OS-User, Appx-User, HT-User(filename)) DisplayName                  = appxLog8070         #descriptive name # ImpersonateGID             = true                #change effective grouo ID for spawned engines? # ImpersonateGroup           = User                #[LogonUser, NamedGroup(groupname), ServiceOwner] # ImpersonateUID             = true                #change effective user ID for spawned engines? # ImpersonateUser            = LogonUser           #[LogonUser, NamedUser(username), ServiceOwner] # LoadSystemEnvironment      = true                #load default system-defined environment variables into spawned engines? # LogDirectory               = /tmp                #directory where log file should reside # LogNamePattern             = /tmp/appxlog%N.xml  #audit log filename pattern (see man strftime for details # LogRotationInterval        = 86400               #number of seconds between audit log rotations # LogRotationSize            = 1G                  #maximum audit log file size # RequireSSL                 = false               #Require SSL-secured connections? # RequireSSLClientCertificates = false               #require SSL-client certificates? # ServerCertificateFile      =                     #pathname of server's X509 certificate (leave blank for anonymous connections # ServerPrivateKeyFile       =                     #pathname of server's private key file (unlocks the ServerCertificateFile) # ServerPrivateKeyPassphrase =                     #passphrase that unlocks ServerPrivateKeyFile # ServiceDisable             = false               #disable this service? # ServiceDisableAppxKeys     = false               #disable keyboard mapping? # ServiceDisableFMS          = false               #disable AppxNET connections? # ServiceDisableLogins       = false               #disable interactive logins? # ServiceEnableCmds          = true                #allow client-side startup options? ServiceName                  = appxLog8070         #name of service ServiceType                  = logmonitor          #service type (login or logmonitor) SockPort                     = 8070                #port number to service # SSLMode                    = Optional            #SSL connection type (optional, required, disabled) # TCPEnableKeepAlive         = true                #Enable TCP dead-connection detection # TCPKeepCount               = 8                   #Maximum number of keep-alive pings # TCPKeepIdle                = 300                 #Idle time before ping sent to client (in seconds) # TCPKeepInterval            = 60                  #Interval between keep-alive pings # TCPNoDelay                 = true                #disable TCP packet filling delay? # TrustedCAFile              =                     #determines which client certificates to trust # Umask                      =                     #umask (file creation mask) given to spawned engines

>
>		#   case is not important on the left-hand side #   properties whose descriptions end in a '?' are #   boolean and should be set to true or false # --------------------------------------------------

# AppxApplication            =                     #startup application for spawned engines # AppxDatabase               =                     #startup database for spawned engines AppxExecutable               = /usr/local/appx500/appx#pathname to Appx engine # AppxProcessName            =                     #startup process name for spawned engines # AppxProcessType            =                     #startup process type for spawned engines # AuthenticationMethod       = OS-User             #authentication method (OS-User, Appx-User, HT-User(filename)) DisplayName                  = appxLog8070         #descriptive name # ImpersonateGID             = true                #change effective grouo ID for spawned engines? # ImpersonateGroup           = User                #[LogonUser, NamedGroup(groupname), ServiceOwner] # ImpersonateUID             = true                #change effective user ID for spawned engines? # ImpersonateUser            = LogonUser           #[LogonUser, NamedUser(username), ServiceOwner] # LoadSystemEnvironment      = true                #load default system-defined environment variables into spawned engines? # LogDirectory               = /tmp                #directory where log file should reside # LogNamePattern             = /tmp/appxlog%N.xml  #audit log filename pattern (see man strftime for details # LogRotationInterval        = 86400               #number of seconds between audit log rotations # LogRotationSize            = 1G                  #maximum audit log file size # RequireSSL                 = false               #Require SSL-secured connections? # RequireSSLClientCertificates = false               #require SSL-client certificates? # ServerCertificateFile      =                     #pathname of server's X509 certificate (leave blank for anonymous connections # ServerPrivateKeyFile       =                     #pathname of server's private key file (unlocks the ServerCertificateFile) # ServerPrivateKeyPassphrase =                     #passphrase that unlocks ServerPrivateKeyFile # ServiceDisable             = false               #disable this service? # ServiceDisableAppxKeys     = false               #disable keyboard mapping? # ServiceDisableFMS          = false               #disable AppxNET connections? # ServiceDisableLogins       = false               #disable interactive logins? # ServiceEnableCmds          = true                #allow client-side startup options? ServiceName                  = appxLog8070         #name of service ServiceType                  = logmonitor          #service type (login or logmonitor) SockPort                     = 8070                #port number to service # SSLMode                    = Optional            #SSL connection type (optional, required, disabled) # TCPEnableKeepAlive         = true                #Enable TCP dead-connection detection # TCPKeepCount               = 8                   #Maximum number of keep-alive pings # TCPKeepIdle                = 300                 #Idle time before ping sent to client (in seconds) # TCPKeepInterval            = 60                  #Interval between keep-alive pings # TCPNoDelay                 = true                #disable TCP packet filling delay? # TrustedCAFile              =                     #determines which client certificates to trust # Umask                      =                     #umask (file creation mask) given to spawned engines

 

The Environment File (env)

Line: 314 to 314
 The environment file is created in whichever directory is your current directory at the time that the appxAuditMgr command is run to create the service. Therefore, before you run the appxAuditMgr command to create a service, you must first change to the directory where you want the environment file to reside. For example, if you want the environment file to be created in the APPX services directory, you should change to the services directory before you run the appxAuditMgr command.

Once created, the name of the environment file and the location of the environment file should not be changed. The service that is created will not work correctly if the name or the location of the environment file is changed.

Changed:
<
<
>
>
 
# Appx connection manager environment variables
#
Line: 332 to 332
 

The Status File (stat)

Changed:
<
<		When an APPX Audit Log Service is started, a status file is created in the specified LogDirectory. If a LogDirectory was not specified, then the status file is created in the /tmp directory.
>
>		When an APPX Audit Log Service is started, a status file is created in the specified LogDirectory. If a LogDirectory was not specified, then the status file is created in the /tmp directory.
  The name of the status file is the concatenation of the service name and ".stat". For example, if the service name is "appxLog8070", the name of the status file will be "appxLog8070.stat".

The status file can be viewed to see the actual context within which the service is running.

Changed:
<
<
>
>
 
appxLog8070 running as process 8665
Effective User ID 0
Changed:
<
<		Real User ID      0
>
>		Real User ID      0
 Configuration values follow *Daemonize = true *DontForkEngine = false
Line: 395 to 395
  The name of the log file is the concatenation of the service name and ".log". For example, if the service name is "appxLog8070", the name of the log file will be "appxLog8070.log".
Changed:
<
<		When the Audit Log service is started, the log file is initialized with the configuration of the Audit Log service. The configuration information is followed by a dialog of messages relating to actions performed by the Audit Log service. Each time the Audit Log service processes a logging request, messages relating to the logging request are appended to the log file.
>
>		When the Audit Log service is started, the log file is initialized with the configuration of the Audit Log service. The configuration information is followed by a dialog of messages relating to actions performed by the Audit Log service. Each time the Audit Log service processes a logging request, messages relating to the logging request are appended to the log file.
 
*Daemonize = true
*DontForkEngine = false
Line: 448 to 448
 

Red Hat service command.

Changed:
<
<
>
>
 

Usage (service)

Changed:
<
<
>
>
 

Synopsis - service Command

Changed:
<
<		service [serviceName] [start|stop|restart|status]
>
>		service [serviceName] [start|stop|restart|status]
 

Examples:

Warnings:

Issues:

  1. When executing the appxAuditMgr command with the -install option, you must include the -name option.
Changed:
<
<
  1. When executing the the appxAuditMgr command with the -install option, you must include the - DisplayName option.  If you do not, the ps command will not display a meaningful name for the running service.
>
>
  1. When executing the the appxAuditMgr command with the -install option, you must include the - DisplayName option.  If you do not, the ps command will not display a meaningful name for the running service.
 

Enhancement Suggestions

Notes

More About Log Profiles

Line: 467 to 467
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Changed:
<
<		<?XML:NAMESPACE PREFIX = V />@0 1 0">@1">@2 1 2">@3 21600 pixelWidth">@3 21600 pixelHeight">@0 0 1">servername:8064

Then click on Log File Parameters and make sure you check parameters that you wish to log:

Now you are ready to define a new FMS group for the monitor.

To add a new FMS group you need to go to System Administration, Configuration, File System Groups and press F9 to add a new one for the monitor.

Give it an FMS group of 1 and click on 'FMS group attributes' button. On that screen enter the name of your Log Profile in the 'Log Profile' field. Note that if you already have an FMS group that is used by the file(s) you wish to monitor, you can simply add the Log Profile name to the existing FMS group. If the FMS group refers to a RDBMS (such as Oracle, SQL Server, etc), then only changes made by Appx will be logged.

You can now assign this FMS group to the file(s) that you wish to monitor.

More About the xml Audit Log file

Using a Pattern in a Log File Name

Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory. You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.

Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:

/tmp/appx_2007-01-31.xml

/tmp/appx_2007-02-28.xml

The default pattern (as reflected in the serviceName. ini file) is:

LogNamePattern = /tmp/appxlog%N.xml

Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:

/tmp/appx-11-Jun-08

/tmp/appx-12-Jun-08

...

If you restart the log monitor on 11-Jun-08 (and your LogNamePattern specifies %D-%B-%Y), any existing log file with that name would be replaced. Of course, you can include time components in the LogNamePattern to avoid that problem (or add %N to the pattern to include a sequence number). Here's the complete list of valid specifiers (from the strftime man page): 

%a The abbreviated weekday name according to the current locale.
>
>		@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064

Then click on Log File Parameters and make sure you check parameters that you wish to log:

Now you are ready to define a new FMS group for the monitor.

To add a new FMS group you need to go to System Administration, Configuration, File System Groups and press F9 to add a new one for the monitor.

Give it an FMS group of 1 and click on 'FMS group attributes' button. On that screen enter the name of your Log Profile in the 'Log Profile' field. Note that if you already have an FMS group that is used by the file(s) you wish to monitor, you can simply add the Log Profile name to the existing FMS group. If the FMS group refers to a RDBMS (such as Oracle, SQL Server, etc), then only changes made by Appx will be logged.

You can now assign this FMS group to the file(s) that you wish to monitor.

More About the xml Audit Log file

Using a Pattern in a Log File Name

Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory. You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.

Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:

/tmp/appx_2007-01-31.xml

/tmp/appx_2007-02-28.xml

The default pattern (as reflected in the serviceName. ini file) is:

LogNamePattern = /tmp/appxlog%N.xml

Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:

/tmp/appx-11-Jun-08

/tmp/appx-12-Jun-08

...

If you restart the log monitor on 11-Jun-08 (and your LogNamePattern specifies %D-%B-%Y), any existing log file with that name would be replaced. Of course, you can include time components in the LogNamePattern to avoid that problem (or add %N to the pattern to include a sequence number). Here's the complete list of valid specifiers (from the strftime man page): 

%a The abbreviated weekday name according to the current locale.
 %A The full weekday name according to the current locale. %b The abbreviated month name according to the current locale. %B The full month name according to the current locale.
Line: 531 to 547
 %Z The time zone or name or abbreviation. %+ The date and time in date(1) format. (TZ) (Not supported in glibc2.) %% A literal '%' character.
Changed:
<
<

How to Rotate the Audit Log File

To close existent log file and rotate the log, you need issue the following command:

kill -s SIGUSR1 <PID>

where PID is a process ID of the audit log listener. Existent log will be closed and rotated to the next one.

How to View Audit Log Events

The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size.

You can view the log file with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file. You can also use the various xlst processing programs to create queries (such as xsltproc or xalan from Apache).

Microsoft XML Notepad

Web Browser

xslt

Databases

XML files can easily be imported into a RDBMS, which does not have the same file size limitation.

Audit Log Events

Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:

type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Read
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Update
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Insert
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Delete
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Scratch
Yes
Yes
Yes
Yes
 No %SPAN% %SPAN%
File Create
Yes
Yes
Yes
Yes
 No %SPAN% Yes
Restructure
Yes
Yes
Yes
Yes
 No %SPAN% %SPAN%

node node/element value
<eventID> %SPAN% %SPAN%
%SPAN% <type/> see above table
%SPAN% <timeStamp/> ccyymmddhhmmsstt
</eventID> %SPAN% %SPAN%
<sessionID> %SPAN% %SPAN%
%SPAN% <processID/> 9(6)
%SPAN% <userID/> X(3)
</sessionID> %SPAN% %SPAN%
<fileID> %SPAN% %SPAN%
%SPAN% <application/> %SPAN%
%SPAN% <database/> %SPAN%
%SPAN% <structureDate/> %SPAN%
%SPAN% <filename/> %SPAN%
</fileID> %SPAN% %SPAN%
<appxProcessID> %SPAN% %SPAN%
%SPAN% <type/> %SPAN%
%SPAN% <name/> %SPAN%
%SPAN% <application/> %SPAN%
%SPAN% <version/> %SPAN%
%SPAN% <database/> %SPAN%
%SPAN% <lastChange/> %SPAN%
</appxProcessID> %SPAN% %SPAN%
<eventRecordID> %SPAN% %SPAN%
%SPAN% <keySegment> 0-16 instances
</eventRecordID> %SPAN% %SPAN%
<keySegment> %SPAN% %SPAN%
%SPAN% <fieldName> %SPAN%
%SPAN% <fieldValue> %SPAN%
</keySegment> %SPAN% %SPAN%
<eventData> %SPAN% %SPAN%
%SPAN% <field> 0-n instances
</eventData> %SPAN% %SPAN%
<field> %SPAN% read, insert, delete
%SPAN% <fieldName> %SPAN%
%SPAN% <occurrence> %SPAN%
%SPAN% <fieldValue> %SPAN%
</fieldData> %SPAN% %SPAN%
<fieldData> %SPAN% update
%SPAN% <fieldName> %SPAN%
%SPAN% <oldValue> %SPAN%
%SPAN% <newValue> %SPAN%
</fieldData %SPAN% %SPAN%
<Structure> %SPAN% %SPAN%
%SPAN% <Field> 1-n instances
</Structure> %SPAN% %SPAN%
<Field> %SPAN% %SPAN%
%SPAN% <fieldName> %SPAN%
%SPAN% <fieldType> %SPAN%
%SPAN% <occurrences> %SPAN%
%SPAN% <rawLength> %SPAN%
%SPAN% <offset> %SPAN%
</Field> %SPAN% %SPAN%
<eventData> %SPAN% %SPAN%
%SPAN% <RecordSizeChange> %SPAN%
%SPAN% <DeletedElement> %SPAN%
</eventData> %SPAN% %SPAN%
<RecordSizeChange> %SPAN% %SPAN%
%SPAN% <old> %SPAN%
%SPAN% <new> %SPAN%
</RecordSizeChange> %SPAN% %SPAN%
<DeletedElement/> %SPAN% %SPAN%
%SPAN% <fieldName/> %SPAN%
</DeletedElement> %SPAN% %SPAN%

Sample scripts

Here are some sample xslt processing commands that you can use to do inquiries against the raw XML data.

The attached file 'structure.xslt' will extract any file create events from a log and produces an HTML table that shows the structure of each file that you create.

The attached file 'subrs.xslt' extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name.

To use a stylesheet with xsltproc (the XSLT processor from libxml/xmlsoft):

$ xslt stylesheetFileName logFileName >output.html

for example:

$ xslt /stylesheets/structure.xslt /tmp/appxlog0.xml > /tmp/fileCreates.html

To use a stylesheet with xalan (the XSLT processor from Apache):

$ xalan -xsl stylesheetFileName <logFileName >output.html

for example:

$ xalan -xsl /stylesheets/structure.xslt < /tmp/appxlog0.xml > /tmp/fileCreates.html

Need examples of loading XML Data into an RDBMS

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.

How to close and rotate the log in Windows?

Comments:

Read what other users have said about this page or add your own comments. 

<--/commentPlugin-->

-- SteveFrizzell - 20 Jun 2008

%META:FILEATTACHMENT{name="subrs.xslt" attachment="subrs.xslt" attr="" comment="xslt program to extract subroutine calls" date="1219770177" path="subrs.xslt" size="1866" stream="subrs.xslt" user="Main.JeanNeron" version="1"}% %META:FILEATTACHMENT{name="structure.xslt" attachment="structure.xslt" attr="" comment="xslt program to extract file create events" date="1219770121" path="structure.xslt" size="1629" stream="structure.xslt" user="Main.JeanNeron" version="1"}%
>
>

How to Rotate the Audit Log File

To close existent log file and rotate the log, you need issue the following command:

kill -s SIGUSR1 <PID>

where PID is a process ID of the audit log listener. Existent log will be closed and rotated to the next one.

How to View Audit Log Events

The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size.

You can view the log file with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file. You can also use the various xlst processing programs to create queries (such as xsltproc or xalan from Apache).

Microsoft XML Notepad

Web Browser

xslt

Databases

XML files can easily be imported into a RDBMS, which does not have the same file size limitation.

Audit Log Events

Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:

type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Read
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Update
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Insert
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Delete
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Scratch
Yes
Yes
Yes
Yes
 No
File Create
Yes
Yes
Yes
Yes
 No Yes
Restructure
Yes
Yes
Yes
Yes
 No

node node/element value
<eventID>
<type/> see above table
<timeStamp/> ccyymmddhhmmsstt
</eventID>
<sessionID>
<processID/> 9(6)
<userID/> X(3)
</sessionID>
<fileID>
<application/>
<database/>
<structureDate/>
<filename/>
</fileID>
<appxProcessID>
<type/>
<name/>
<application/>
<version/>
<database/>
<lastChange/>
</appxProcessID>
<eventRecordID>
<keySegment> 0-16 instances
</eventRecordID>
<keySegment>
<fieldName>
<fieldValue>
</keySegment>
<eventData>
<field> 0-n instances
</eventData>
<field> read, insert, delete
<fieldName>
<occurrence>
<fieldValue>
</fieldData>
<fieldData> update
<fieldName>
<oldValue>
<newValue>
</fieldData
<Structure>
<Field> 1-n instances
</Structure>
<Field>
<fieldName>
<fieldType>
<occurrences>
<rawLength>
<offset>
</Field>
<eventData>
<RecordSizeChange>
<DeletedElement>
</eventData>
<RecordSizeChange>
<old>
<new>
</RecordSizeChange>
<DeletedElement/>
<fieldName/>
</DeletedElement>

Sample scripts

Here are some sample xslt processing commands that you can use to do inquiries against the raw XML data.

The attached file 'structure.xslt' will extract any file create events from a log and produces an HTML table that shows the structure of each file that you create.

The attached file 'subrs.xslt' extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name.

To use a stylesheet with xsltproc (the XSLT processor from libxml/xmlsoft):

$ xslt stylesheetFileName logFileName >output.html

for example:

$ xslt /stylesheets/structure.xslt /tmp/appxlog0.xml > /tmp/fileCreates.html

To use a stylesheet with xalan (the XSLT processor from Apache):

$ xalan -xsl stylesheetFileName <logFileName >output.html

for example:

$ xalan -xsl /stylesheets/structure.xslt < /tmp/appxlog0.xml > /tmp/fileCreates.html

Need examples of loading XML Data into an RDBMS

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.

How to close and rotate the log in Windows?

Comments:

Read what other users have said about this page or add your own comments. 

<--/commentPlugin-->

-- SteveFrizzell - 20 Jun 2008 %META:FILEATTACHMENT{name="subrs.xslt" attachment="subrs.xslt" attr="" comment="xslt program to extract subroutine calls" date="1219770177" path="subrs.xslt" size="1866" stream="subrs.xslt" user="Main.JeanNeron" version="1"}% %META:FILEATTACHMENT{name="structure.xslt" attachment="structure.xslt" attr="" comment="xslt program to extract file create events" date="1219770121" path="structure.xslt" size="1629" stream="structure.xslt" user="Main.JeanNeron" version="1"}%

 \ No newline at end of file

Revision 162008-10-29 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature 

Line: 100 to 100
 

Synopsis - Service Configuration

The appxAuditMgr service configuration commands are used to create, configure, and remove an instance of an APPX Audit Log Service.
Changed:
<
<		appxAuditMgr -install -ServiceType=logmonitor -SockPort=[TCP-Port] [options]... [VARIABLE=VALUE]...
>
>		appxAuditMgr -install -serviceName=SERVICENAME -ServiceType=logmonitor -SockPort=[TCP-Port] [options]... [VARIABLE=VALUE]...
  appxAuditMgr -modify -serviceName=SERVICENAME [options]... [VARIABLE=VALUE]...
Line: 198 to 198
  Example 1 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070:
Changed:
<
<		appxAuditMgr -install -port=8070 -ServiceType=logmonitor  
>
>		appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor    
[root@localhost services]# ./appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor
Configuration written to:  appxLog8070.ini
Environment written to:    appxLog8070.env
Service script written to: /etc/init.d/appxLog8070
Configuration complete
Registering service
Starting appxLog8070: serviceName: appxLog8070
servicePath: /usr/local/appx500/services/
Looking for config file in appxLog8070.ini
Writing process ID to /var/run/appxLog8070.pid
running as process 12859 servicing port 8070
up and running (process 12859 servicing port 8070)
Installation Complete
  Example 2 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070.  The service name and descriptive name are also specified.
Line: 440 to 457
 

Examples:

Warnings:

Issues:

Added:
>
>
  1. When executing the appxAuditMgr command with the -install option, you must include the -name option.
  2. When executing the the appxAuditMgr command with the -install option, you must include the - DisplayName option.  If you do not, the ps command will not display a meaningful name for the running service.
 

Enhancement Suggestions

Notes

More About Log Profiles

Line: 468 to 487
 

/tmp/appx-12-Jun-08

...

If you restart the log monitor on 11-Jun-08 (and your LogNamePattern specifies %D-%B-%Y), any existing log file with that name would be replaced. Of course, you can include time components in the LogNamePattern to avoid that problem (or add %N to the pattern to include a sequence number). Here's the complete list of valid specifiers (from the strftime man page):

Changed:
<
<

%a The abbreviated weekday name according to the current locale.
>
>

%a The abbreviated weekday name according to the current locale.
 %A The full weekday name according to the current locale. %b The abbreviated month name according to the current locale. %B The full month name according to the current locale.
Line: 914 to 933
 

<--/commentPlugin-->
Changed:
<
<

-- SteveFrizzell - 20 Jun 2008

%META:FILEATTACHMENT{name="subrs.xslt" attachment="subrs.xslt" attr="" comment="xslt program to extract subroutine calls" date="1219770177" path="subrs.xslt" size="1866" stream="subrs.xslt" user="Main.JeanNeron" version="1"}%

META FILEATTACHMENT attachment="structure.xslt" attr="" comment="xslt program to extract file create events" date="1219770121" name="structure.xslt" path="structure.xslt" size="1629" stream="structure.xslt" user="Main.JeanNeron" version="1"
>
>

-- SteveFrizzell - 20 Jun 2008

%META:FILEATTACHMENT{name="subrs.xslt" attachment="subrs.xslt" attr="" comment="xslt program to extract subroutine calls" date="1219770177" path="subrs.xslt" size="1866" stream="subrs.xslt" user="Main.JeanNeron" version="1"}% %META:FILEATTACHMENT{name="structure.xslt" attachment="structure.xslt" attr="" comment="xslt program to extract file create events" date="1219770121" path="structure.xslt" size="1629" stream="structure.xslt" user="Main.JeanNeron" version="1"}%

Revision 152008-10-29 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature 

Line: 67 to 67
  When creating an instance of an APPX Audit Log Service, the -ServiceType option must be specified.  The value of this option must be "logmonitor".

TCP/IP Port Number

Changed:
<
<		When creating an instance of an APPX Audit Log Service, the -SockPort option must be used to specify the TCP/IP port number on which the service is to listen for audit logging requests. Any available TCP/IP port number may be specified when installing an instance of the APPX Audit Log Service. However, as a matter of convention, most APPX administrators configure the APPX Audit Log Service to listen for connections on port 8070. If additional instances of the APPX Audit Log Service are configured, each instance is typically assigned the next available port number after 8070.
>
>		When creating an instance of an APPX Audit Log Service, the -SockPort option must be used to specify the TCP/IP port number on which the service is to listen for audit logging requests. Any available TCP/IP port number may be specified when installing an instance of the APPX Audit Log Service. However, as a matter of convention, most APPX administrators configure the APPX Audit Log Service to listen for audit log requests on port 8070. If additional instances of the APPX Audit Log Service are configured, each instance is typically assigned the next available port number after 8070.
 

Changing the Configuration of an Audit Log Service

Two methods are available for modifying an existing instance of an APPX Audit Log Service.

Line: 102 to 102
  appxAuditMgr -install -ServiceType=logmonitor -SockPort=[TCP-Port] [options]... [VARIABLE=VALUE]...
Changed:
<
<		appxLoginMgr -modify -serviceName=SERVICENAME [options]... [VARIABLE=VALUE]...
>
>		appxAuditMgr -modify -serviceName=SERVICENAME [options]... [VARIABLE=VALUE]...
 
Changed:
<
<		appxLoginMgr -replace -serviceName=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
>
>		appxAuditMgr -replace -serviceName=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...
 
Changed:
<
<		appxLoginMgr -remove -serviceName=SERVICENAME
>
>		appxAuditMgr -remove -serviceName=SERVICENAME
 

Configuration - Commands

Line: 218 to 218
  Example 5 - Modify the Display Name and the maximum size of the log of an existing service:
Changed:
<
<		appxLoginMgr -modify -name=appxLog8070 -displayName="Big Audit Log" -LogRotationSize=10G
>
>		appxAuditMgr -modify -name=appxLog8070 -displayName="Big Audit Log" -LogRotationSize=10G
 

The Configuration File (ini)

Changed:
<
<		Each instance of an APPX Audit Log Service has a configuration file that is used to store the various parameters relating to that specific instance of the connection service.
>
>		Each instance of an APPX Audit Log Service has a configuration file that is used to store the various parameters relating to that specific instance of the Audit Log Service.
 
Changed:
<
<		The -install option of the appxLoginMgr command creates the configuration file when the service is created.
>
>		The -install option of the appxAuditMgr command creates the configuration file when the service is created.
  The name of the configuration file is the concatenation of the service name and ".ini". For example, if the service name is "appxLog8070", the name of the configuration file will be "appxLog8070.ini".
Changed:
<
<		The configuration file is created in whichever directory is your current directory at the time that the appxLoginMgr command is run to create the service. Therefore, before you run the appxLoginMgr command to create a service, you must first change to the directory where you want the configuration file to reside. For example, if you want the configuration file to be created in the APPX services directory, you should change to the services directory before you run the appxLoginMgr command.
>
>		The configuration file is created in whichever directory is your current directory at the time that the appxAuditMgr command is run to create the service. Therefore, before you run the appxAuditMgr command to create a service, you must first change to the directory where you want the configuration file to reside. For example, if you want the configuration file to be created in the APPX services directory, you should change to the services directory before you run the appxAuditMgr command.
  Once created, the name of the configuration file and the location of the configuration file should not be changed. The service that is created will not work correctly if the name or the location of the configuration file is changed.
Changed:
<
<		Note: The Configuration file for an APPX Audit Log service (as shown below) looks very much like the configuration file for an APPX Login Manager service.  You should ignore the configuration options that do not apply to an APPX Audit Log service.  These irrelevant options are of no consequence and will be removed in a future release. 
>
>		Note: The Configuration file for an APPX Audit Log service (as shown below) looks very much like the configuration file for an APPX Login Manager service.  You should ignore the configuration options that do not apply to an APPX Audit Log service.  Note that the extraneous options are all preceded by a "#" which causes them to be treated as comments.  Although these extraneous options are of no consequence, they will be removed in a future release. 
 
# Appx connection manager configuration file
Line: 253 to 253
 # AppxProcessName            =                     #startup process name for spawned engines # AppxProcessType            =                     #startup process type for spawned engines # AuthenticationMethod       = OS-User             #authentication method (OS-User, Appx-User, HT-User(filename))
Changed:
<
<		DisplayName                  = AppxLog8070         #descriptive name
>
>		DisplayName                  = appxLog8070         #descriptive name
 # ImpersonateGID             = true                #change effective grouo ID for spawned engines? # ImpersonateGroup           = User                #[LogonUser, NamedGroup(groupname), ServiceOwner] # ImpersonateUID             = true                #change effective user ID for spawned engines?
Line: 273 to 273
 # ServiceDisableFMS          = false               #disable AppxNET connections? # ServiceDisableLogins       = false               #disable interactive logins? # ServiceEnableCmds          = true                #allow client-side startup options?
Changed:
<
<		ServiceName                  = AppxLog8070         #name of service
>
>		ServiceName                  = appxLog8070         #name of service
 ServiceType                  = logmonitor          #service type (login or logmonitor) SockPort                     = 8070                #port number to service # SSLMode                    = Optional            #SSL connection type (optional, required, disabled)
Line: 288 to 288
 

The Environment File (env)

Changed:
<
<		Each instance of an APPX Audit Log Service has an environment file that is used to store the environment variables relating to that specific instance of the connection service. However, there is currently no requirement to set any environment variables when configuring an APPX Audit Log service.
>
>		Each instance of an APPX Audit Log Service has an environment file that is used to store the environment variables relating to that specific instance of the Audit Log Service. However, there is currently no requirement to set any environment variables when configuring an APPX Audit Log service.
  The -install option of the appxAuditMgr command creates the environment file when the service is created.
Line: 322 to 322
 The status file can be viewed to see the actual context within which the service is running.
Changed:
<
<		appxd-8430 running as process 28192
>
>		appxLog8070 running as process 8665
 Effective User ID 0
Changed:
<
<		Real User ID 0
>
>		Real User ID      0
 Configuration values follow *Daemonize = true *DontForkEngine = false
Line: 332 to 332
 *SleepAfterFork = AppxApplication = AppxDatabase =
Changed:
<
<		AppxExecutable = ../appx
>
>		AppxExecutable = /usr/local/appx500/appx
 AppxProcessName = AppxProcessType = AuthenticationMethod = OS-User
Changed:
<
<		DisplayName = appxd-8430
>
>		DisplayName = AppxLog8070
 ImpersonateGID = true ImpersonateGroup = User ImpersonateUID = true ImpersonateUser = LogonUser
Changed:
<
<		IncludeSystemEnv = true
>
>		LoadSystemEnvironment = true
 LogDirectory = /tmp LogNamePattern = /tmp/appxlog%N.xml LogRotationInterval = 86400
Line: 357 to 357
 ServiceDisableLogins = false ServiceDisableODBC = ServiceEnableCmds = true
Changed:
<
<		ServiceName = appxd-8430 ServiceType = login SockPort = 8430
>
>		ServiceName = AppxLog8070 ServiceType = logmonitor SockPort = 8070
 SSLMode = Optional TCPEnableKeepAlive = true TCPKeepCount = 8
Line: 369 to 369
 TrustedCAFile = Umask = Environment variables follow
Changed:
<
<		APPX_KEYMAP = WINDOWS
>
>		Logging to /tmp/appxlog3.xml
 

The Log File (log)

Line: 387 to 387
 *SleepAfterFork = AppxApplication = AppxDatabase =
Changed:
<
<		AppxExecutable = ../appx
>
>		AppxExecutable = /usr/local/appx500/appx
 AppxProcessName = AppxProcessType = AuthenticationMethod = OS-User
Changed:
<
<		DisplayName = appxd-8430
>
>		DisplayName = appxLog8070
 ImpersonateGID = true ImpersonateGroup = User ImpersonateUID = true ImpersonateUser = LogonUser
Changed:
<
<		IncludeSystemEnv = true
>
>		LoadSystemEnvironment = true
 LogDirectory = /tmp LogNamePattern = /tmp/appxlog%N.xml LogRotationInterval = 86400
Line: 412 to 412
 ServiceDisableLogins = false ServiceDisableODBC = ServiceEnableCmds = true
Changed:
<
<		ServiceName = appxd-8430 ServiceType = login SockPort = 8430
>
>		ServiceName = appxLog8070 ServiceType = logmonitor SockPort = 8070
 SSLMode = Optional TCPEnableKeepAlive = true TCPKeepCount = 8
Line: 423 to 423
 TCPNoDelay = true TrustedCAFile = Umask =
Changed:
<
<		createListener complete - listening on port 8430
>
>		createListener complete - listening on port 8070
 CAppxD::Run starting
Changed:
<
<		handleClients - starting handleClients - waiting
>
>		monitorLog - starting
 
Line: 438 to 437
 

Synopsis - service Command

service [serviceName] [start|stop|restart|status]

Added:
>
>

Examples:

Warnings:

Issues:

Enhancement Suggestions

 

Notes

Added:
>
>

More About Log Profiles

 
Changed:
<
<		For example, here is a command to create a log monitor:

./appxAuditMgr -install -serviceType=logmonitor -name=myLogMonitor -port=8064

Port number has to be different from the port number you are using for your users to login.

This port is not a listener, so you can not login directly to that port.

Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory. You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.

Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:

/tmp/appx_2007-01-31.xml

/tmp/appx_2007-02-28.xml

The default pattern (as reflected in the serviceName. ini file) is:

LogNamePattern = /tmp/appxlog%N.xml

Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:

/tmp/appx-11-Jun-08

/tmp/appx-12-Jun-08

...

>
>		Before data can be written to the log file in XML format, you need to define a Log Profile for the monitor.
 
Changed:
<
<		If you restart the log monitor on 11-Jun-08 (and your LogNamePattern specifies %D-%B-%Y), any existing log file with that name would be replaced. Of course, you can include time components in the LogNamePattern to avoid that problem (or add %N to the pattern to include a sequence number). Here's the complete list of valid specifiers (from the strftime man page):
>
>		To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
 
Changed:
<
<
%a The abbreviated weekday name according to the current locale.
>
>		<?XML:NAMESPACE PREFIX = V />@0 1 0">@1">@2 1 2">@3 21600 pixelWidth">@3 21600 pixelHeight">@0 0 1">servername:8064

Then click on Log File Parameters and make sure you check parameters that you wish to log:

Now you are ready to define a new FMS group for the monitor.

To add a new FMS group you need to go to System Administration, Configuration, File System Groups and press F9 to add a new one for the monitor.

Give it an FMS group of 1 and click on 'FMS group attributes' button. On that screen enter the name of your Log Profile in the 'Log Profile' field. Note that if you already have an FMS group that is used by the file(s) you wish to monitor, you can simply add the Log Profile name to the existing FMS group. If the FMS group refers to a RDBMS (such as Oracle, SQL Server, etc), then only changes made by Appx will be logged.

You can now assign this FMS group to the file(s) that you wish to monitor.

More About the xml Audit Log file

Using a Pattern in a Log File Name

Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory. You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.

Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:

/tmp/appx_2007-01-31.xml

/tmp/appx_2007-02-28.xml

The default pattern (as reflected in the serviceName. ini file) is:

LogNamePattern = /tmp/appxlog%N.xml

Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:

/tmp/appx-11-Jun-08

/tmp/appx-12-Jun-08

...

If you restart the log monitor on 11-Jun-08 (and your LogNamePattern specifies %D-%B-%Y), any existing log file with that name would be replaced. Of course, you can include time components in the LogNamePattern to avoid that problem (or add %N to the pattern to include a sequence number). Here's the complete list of valid specifiers (from the strftime man page): 

%a The abbreviated weekday name according to the current locale.
 %A The full weekday name according to the current locale. %b The abbreviated month name according to the current locale. %B The full month name according to the current locale.
Line: 515 to 512
 %Z The time zone or name or abbreviation. %+ The date and time in date(1) format. (TZ) (Not supported in glibc2.) %% A literal '%' character.
Changed:
<
<

After you have modified .ini file, you need to stop and re-start that service. To stop service, assuming you are in ./services directory of your Appx installation simply type:

./appxAuditMgr -stop -name=myLogMonitor

./appxAuditMgr -start -name=myLogMonitor

If you stop/start service as a root, make sure you give it a fully qualified path.

./appxAuditMgr -stop -name=/usr/local/appx/services/myLogMonitor

./appxAuditMgr -start -name=/usr/local/appx/services/myLogMonitor

Please note that -name parameter is required.

Before data can be written to the log file in XML format, you need to define a Log Profile for the monitor.

To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:

@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064

Then click on Log File Parameters and make sure you check parameters that you wish to log:

Now you are ready to define a new FMS group for the monitor.

To add a new FMS group you need to go to System Administration, Configuration, File System Groups and press F9 to add a new one for the monitor.

Give it an FMS group of 1 and click on 'FMS group attributes' button. On that screen enter the name of your Log Profile in the 'Log Profile' field. Note that if you already have an FMS group that is used by the file(s) you wish to monitor, you can simply add the Log Profile name to the existing FMS group. If the FMS group refers to a RDBMS (such as Oracle, SQL Server, etc), then only changes made by Appx will be logged.

You can now assign this FMS group to the file(s) that you wish to monitor.

To close existent log file and rotate the log, you need issue the following command:

kill -s SIGUSR1 <PID>

where PID is a process ID of the audit log listener. Existent log will be closed and rotated to the next one.

The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size. XML files can easily be imported into a RDBMS, which does not have the same file size limitation.

You can view the log file with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file. You can also use the various xlst processing programs to create queries (such as xsltproc or xalan from Apache).

Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:

type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Read
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Update
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Insert
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Delete
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Scratch
Yes
Yes
Yes
Yes
 No
FileCreate
Yes
Yes
Yes
Yes
 No Yes
Restructure
Yes
Yes
Yes
Yes
 No

node node/element value
<eventID>
<type/> see above table
<timeStamp/> ccyymmddhhmmsstt
</eventID>
<sessionID>
<processID/> 9(6)
<userID/> X(3)
</sessionID>
<fileID>
<application/>
<database/>
<structureDate/>
<filename/>
</fileID>
<appxProcessID>
<type/>
<name/>
<application/>
<version/>
<database/>
<lastChange/>
</appxProcessID>
<eventRecordID>
<keySegment> 0-16 instances
</eventRecordID>
<keySegment>
<fieldName>
<fieldValue>
</keySegment>
<eventData>
<field> 0-n instances
</eventData>
<field> read, insert, delete
<fieldName>
<occurrence>
<fieldValue>
</fieldData>
<fieldData> update
<fieldName>
<oldValue>
<newValue>
</fieldData
<Structure>
<Field> 1-n instances
</Structure>
<Field>
<fieldName>
<fieldType>
<occurrences>
<rawLength>
<offset>
</Field>
<eventData>
<RecordSizeChange>
<DeletedElement>
</eventData>
<RecordSizeChange>
<old>
<new>
</RecordSizeChange>
<DeletedElement/>
<fieldName/>
</DeletedElement>

Sample scripts

Here are some sample xslt processing commands that you can use to do inquiries against the raw XML data.

The attached file 'structure.xslt' will extract any file create events from a log and produces an HTML table that shows the structure of each file that you create.

The attached file 'subrs.xslt' extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name.

To use a stylesheet with xsltproc (the XSLT processor from libxml/xmlsoft):

$ xslt stylesheetFileName logFileName >output.html

for example:

$ xslt /stylesheets/structure.xslt /tmp/appxlog0.xml > /tmp/fileCreates.html

To use a stylesheet with xalan (the XSLT processor from Apache):

$ xalan -xsl stylesheetFileName <logFileName >output.html

for example:

$ xalan -xsl /stylesheets/structure.xslt < /tmp/appxlog0.xml > /tmp/fileCreates.html

Need examples of loading XML Data into an RDBMS

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.

How to close and rotate the log in Windows?

Comments:

Read what other users have said about this page or add your own comments. 

<--/commentPlugin-->
>
>

How to Rotate the Audit Log File

To close existent log file and rotate the log, you need issue the following command:

kill -s SIGUSR1 <PID>

where PID is a process ID of the audit log listener. Existent log will be closed and rotated to the next one.

How to View Audit Log Events

The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size.

You can view the log file with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file. You can also use the various xlst processing programs to create queries (such as xsltproc or xalan from Apache).

Microsoft XML Notepad

Web Browser

xslt

Databases

XML files can easily be imported into a RDBMS, which does not have the same file size limitation.

Audit Log Events

Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:

type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Read
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Update
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Insert
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Delete
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Scratch
Yes
Yes
Yes
Yes
 No %SPAN% %SPAN%
File Create
Yes
Yes
Yes
Yes
 No %SPAN% Yes
Restructure
Yes
Yes
Yes
Yes
 No %SPAN% %SPAN%

node node/element value
<eventID> %SPAN% %SPAN%
%SPAN% <type/> see above table
%SPAN% <timeStamp/> ccyymmddhhmmsstt
</eventID> %SPAN% %SPAN%
<sessionID> %SPAN% %SPAN%
%SPAN% <processID/> 9(6)
%SPAN% <userID/> X(3)
</sessionID> %SPAN% %SPAN%
<fileID> %SPAN% %SPAN%
%SPAN% <application/> %SPAN%
%SPAN% <database/> %SPAN%
%SPAN% <structureDate/> %SPAN%
%SPAN% <filename/> %SPAN%
</fileID> %SPAN% %SPAN%
<appxProcessID> %SPAN% %SPAN%
%SPAN% <type/> %SPAN%
%SPAN% <name/> %SPAN%
%SPAN% <application/> %SPAN%
%SPAN% <version/> %SPAN%
%SPAN% <database/> %SPAN%
%SPAN% <lastChange/> %SPAN%
</appxProcessID> %SPAN% %SPAN%
<eventRecordID> %SPAN% %SPAN%
%SPAN% <keySegment> 0-16 instances
</eventRecordID> %SPAN% %SPAN%
<keySegment> %SPAN% %SPAN%
%SPAN% <fieldName> %SPAN%
%SPAN% <fieldValue> %SPAN%
</keySegment> %SPAN% %SPAN%
<eventData> %SPAN% %SPAN%
%SPAN% <field> 0-n instances
</eventData> %SPAN% %SPAN%
<field> %SPAN% read, insert, delete
%SPAN% <fieldName> %SPAN%
%SPAN% <occurrence> %SPAN%
%SPAN% <fieldValue> %SPAN%
</fieldData> %SPAN% %SPAN%
<fieldData> %SPAN% update
%SPAN% <fieldName> %SPAN%
%SPAN% <oldValue> %SPAN%
%SPAN% <newValue> %SPAN%
</fieldData %SPAN% %SPAN%
<Structure> %SPAN% %SPAN%
%SPAN% <Field> 1-n instances
</Structure> %SPAN% %SPAN%
<Field> %SPAN% %SPAN%
%SPAN% <fieldName> %SPAN%
%SPAN% <fieldType> %SPAN%
%SPAN% <occurrences> %SPAN%
%SPAN% <rawLength> %SPAN%
%SPAN% <offset> %SPAN%
</Field> %SPAN% %SPAN%
<eventData> %SPAN% %SPAN%
%SPAN% <RecordSizeChange> %SPAN%
%SPAN% <DeletedElement> %SPAN%
</eventData> %SPAN% %SPAN%
<RecordSizeChange> %SPAN% %SPAN%
%SPAN% <old> %SPAN%
%SPAN% <new> %SPAN%
</RecordSizeChange> %SPAN% %SPAN%
<DeletedElement/> %SPAN% %SPAN%
%SPAN% <fieldName/> %SPAN%
</DeletedElement> %SPAN% %SPAN%

Sample scripts

Here are some sample xslt processing commands that you can use to do inquiries against the raw XML data.

The attached file 'structure.xslt' will extract any file create events from a log and produces an HTML table that shows the structure of each file that you create.

The attached file 'subrs.xslt' extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name.

To use a stylesheet with xsltproc (the XSLT processor from libxml/xmlsoft):

$ xslt stylesheetFileName logFileName >output.html

for example:

$ xslt /stylesheets/structure.xslt /tmp/appxlog0.xml > /tmp/fileCreates.html

To use a stylesheet with xalan (the XSLT processor from Apache):

$ xalan -xsl stylesheetFileName <logFileName >output.html

for example:

$ xalan -xsl /stylesheets/structure.xslt < /tmp/appxlog0.xml > /tmp/fileCreates.html

Need examples of loading XML Data into an RDBMS

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.

How to close and rotate the log in Windows?

Comments:

Read what other users have said about this page or add your own comments. 

<--/commentPlugin-->

-- SteveFrizzell - 20 Jun 2008

%META:FILEATTACHMENT{name="subrs.xslt" attachment="subrs.xslt" attr="" comment="xslt program to extract subroutine calls" date="1219770177" path="subrs.xslt" size="1866" stream="subrs.xslt" user="Main.JeanNeron" version="1"}%
 
Deleted:
<
<		-- SteveFrizzell - 20 Jun 2008
 
META FILEATTACHMENT attachment="structure.xslt" attr="" comment="xslt program to extract file create events" date="1219770121" name="structure.xslt" path="structure.xslt" size="1629" stream="structure.xslt" user="Main.JeanNeron" version="1"
Deleted:
<
<
META FILEATTACHMENT attachment="subrs.xslt" attr="" comment="xslt program to extract subroutine calls" date="1219770177" name="subrs.xslt" path="subrs.xslt" size="1866" stream="subrs.xslt" user="Main.JeanNeron" version="1"

Revision 142008-10-28 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature 

Line: 288 to 288
 

The Environment File (env)

Changed:
<
<		Each instance of an APPX Connection Service has an environment file that is used to store the environment variables relating to that specific instance of the connection service. The environment variables in the environment file are inherited by each APPX session that is started by the APPX Connection Service.
>
>		Each instance of an APPX Audit Log Service has an environment file that is used to store the environment variables relating to that specific instance of the connection service. However, there is currently no requirement to set any environment variables when configuring an APPX Audit Log service.
 
Changed:
<
<		The -install option of the appxLoginMgr command creates the environment file when the service is created.
>
>		The -install option of the appxAuditMgr command creates the environment file when the service is created.
 
Changed:
<
<		The name of the environment file is the concatenation of the service name and ".env". For example, if the service name is "appxd-8430", the name of the environment file will be "appxd-8430.env".
>
>		The name of the environment file is the concatenation of the service name and ".env". For example, if the service name is "appxLog8070", the name of the environment file will be "appxLog8070.env".
 
Changed:
<
<		The environment file is created in whichever directory is your current directory at the time that the appxLoginMgr command is run to create the service. Therefore, before you run the appxLoginMgr command to create a service, you must first change to the directory where you want the environment file to reside. For example, if you want the environment file to be created in the APPX tools directory, you should change to the tools directory before you run the appxLoginMgr command.
>
>		The environment file is created in whichever directory is your current directory at the time that the appxAuditMgr command is run to create the service. Therefore, before you run the appxAuditMgr command to create a service, you must first change to the directory where you want the environment file to reside. For example, if you want the environment file to be created in the APPX services directory, you should change to the services directory before you run the appxAuditMgr command.
 
Changed:
<
<		The name of the environment file and the location of the environment file should not be changed. The service that is created will not work correctly if the name or the location of the environment file is changed.
>
>		Once created, the name of the environment file and the location of the environment file should not be changed. The service that is created will not work correctly if the name or the location of the environment file is changed.
 
# Appx connection manager environment variables
Line: 311 to 311
 # # letter case IS important in this file # --------------------------------------------------
Deleted:
<
<		APPX_KEYMAP=WINDOWS
 

The Status File (stat)

Changed:
<
<		When an APPX Connection Service is started, a status file is created in the specified LogDirectory. If a LogDirectory was not specified, then the status file is created in the /tmp directory.
>
>		When an APPX Audit Log Service is started, a status file is created in the specified LogDirectory. If a LogDirectory was not specified, then the status file is created in the /tmp directory.
 
Changed:
<
<		The name of the status file is the concatenation of the service name and ".stat". For example, if the service name is "appxd-8430", the name of the status file will be "appxd-8430.stat".
>
>		The name of the status file is the concatenation of the service name and ".stat". For example, if the service name is "appxLog8070", the name of the status file will be "appxLog8070.stat".
  The status file can be viewed to see the actual context within which the service is running.
Line: 375 to 374
 

The Log File (log)

Changed:
<
<		When an APPX Connection Service is started, a log file is created in the specified LogDirectory. If a LogDirectory was not specified, then the log file is created in the /tmp directory.
>
>		When an APPX Audit Log Service is started, a log file is created in the specified LogDirectory. If a LogDirectory was not specified, then the log file is created in the /tmp directory.
 
Changed:
<
<		The name of the log file is the concatenation of the service name and ".log". For example, if the service name is "appxd-8430", the name of the log file will be "appxd-8430.log".
>
>		The name of the log file is the concatenation of the service name and ".log". For example, if the service name is "appxLog8070", the name of the log file will be "appxLog8070.log".
 
Changed:
<
<		When the connection service is started, the log file is initialized with the configuration of the connection service. The configuration information is followed by a dialog of messages relating to actions performed by the connection service. Each time the connection service processes a connection request, messages relating to the connection request are appended to the log file.
>
>		When the Audit Log service is started, the log file is initialized with the configuration of the Audit Log service. The configuration information is followed by a dialog of messages relating to actions performed by the Audit Log service. Each time the Audit Log service processes a logging request, messages relating to the logging request are appended to the log file.
 
*Daemonize = true
Line: 538 to 537
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Changed:
<
<		@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
>
>		@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
  Then click on Log File Parameters and make sure you check parameters that you wish to log:

Revision 132008-10-28 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature 

Line: 15 to 15
  The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. So, there is nothing additional that you need to do to install the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.
Changed:
<
<		The appxAuditMgr command is installed into the "tools" subdirectory of the directory where you installed APPX. So, if you installed APPX in "/usr/local/appx", the full pathname of the appxAuditMgr command will be "/usr/local/appx/tools/appxAuditMgr".
>
>		The appxAuditMgr command is installed into the "services" subdirectory of the directory where you installed APPX. So, if you installed APPX in "/usr/local/appx", the full pathname of the appxAuditMgr command will be "/usr/local/appx/services/appxAuditMgr".
  The appxAuditMgr command must run with the permissions of the root user. Therefore, the owner of the appxAuditMgr command should be the root user and the SUID bit should be set so that the appxAuditMgr command can be run by users other than root but still be run with the permissions of the root user.
Line: 23 to 23
 
Changed:
<
<

cd /usr/local/appx/tools

>
>

cd /usr/local/appx/services

 chown root appxAuditMgr chgrp appxgrp appxAuditMgr chmod 4775 appxAuditMgr
Line: 62 to 62
 

Service Name 

Changed:
<
<		Each instance of an APPX Audit Log Service must have a unique name. When creating an instance of a service, the -name option may be used to specify the name that you want the service to have. If you do not specify a name, a name will be assigned for you for example, appxd-8060.
>
>		Each instance of an APPX Audit Log Service must have a unique name. When creating an instance of a service, the -name option may be used to specify the name that you want the service to have. If you do not specify a name, a name will be assigned for you for example, appxd-8070.
 

Service Type

When creating an instance of an APPX Audit Log Service, the -ServiceType option must be specified.  The value of this option must be "logmonitor".

Line: 84 to 84
  The appxAuditMgr command can be used to manage an instance of the APPX Audit Log Service. The appxAuditMgr command can be used to start, stop, restart, or display the status of an instance of an APPX Audit Log Service. The following example shows how to use the appxLogMgr command to check on the status of an APPX Audit Log Service.
Changed:
<
<

[root@500test tools]# appxLogMgr -status logmon-8436 up and running (process 2390 servicing port 8436)

>
>

[root@500test services]# appxLogMgr -status appxLog8070 up and running (process 2390 servicing port 8070)

 

Method 2 - O/S Services 

Your operating system includes commands or programs that can be used to manage services. APPX Audit Log Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the service command. The following example shows how to use the Red hat service command to check on the status of an APPX Audit Log Service.
Changed:
<
<

[root@500test tools]# service logmon-8436 status up and running (process 2390 servicing port 8436)

>
>

[root@500test services]# service appxLog8070 status up and running (process 2390 servicing port 8070)

 

Usage (appxAuditMgr)

Line: 202 to 202
  Example 2 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070.  The service name and descriptive name are also specified.
Changed:
<
<		appxAuditMgr -install -port=8070 -name=appx8070 -displayName="Appx-Audit-Log(8070)" -ServiceType=logmonitor
>
>		appxAuditMgr -install -port=8070 -name=appxLog8070 -displayName="Appx-Audit-Log(8070)" -ServiceType=logmonitor
  Example 2 - Display the status of an instance of the Audit Log Service:
Changed:
<
<		appxAuditMgr -status appx8070
>
>		appxAuditMgr -status appxLog8070
  Example 3 - Shutdown a running instance of the Audit Log Service:
Changed:
<
<		appxAuditMgr -stop appx8070
>
>		appxAuditMgr -stop appxLog8070
  Example 4 - Start a previously configured instance of the Audit Log Service:
Changed:
<
<		appxAuditMgr -start appx8070
>
>		appxAuditMgr -start appxLog8070
  Example 5 - Modify the Display Name and the maximum size of the log of an existing service:
Changed:
<
<		appxLoginMgr -modify -name=appx8070 -displayName="Big Audit Log" -LogRotationSize=10G
>
>		appxLoginMgr -modify -name=appxLog8070 -displayName="Big Audit Log" -LogRotationSize=10G
 

The Configuration File (ini)

Changed:
<
<		Each instance of an APPX Connection Service has a configuration file that is used to store the various parameters relating to that specific instance of the connection service.
>
>		Each instance of an APPX Audit Log Service has a configuration file that is used to store the various parameters relating to that specific instance of the connection service.
  The -install option of the appxLoginMgr command creates the configuration file when the service is created.
Changed:
<
<		The name of the configuration file is the concatenation of the service name and ".ini". For example, if the service name is "appxd-8430", the name of the configuration file will be "appxd-8430.ini".
>
>		The name of the configuration file is the concatenation of the service name and ".ini". For example, if the service name is "appxLog8070", the name of the configuration file will be "appxLog8070.ini".
 
Changed:
<
<		The configuration file is created in whichever directory is your current directory at the time that the appxLoginMgr command is run to create the service. Therefore, before you run the appxLoginMgr command to create a service, you must first change to the directory where you want the configuration file to reside. For example, if you want the configuration file to be created in the APPX tools directory, you should change to the tools directory before you run the appxLoginMgr command.
>
>		The configuration file is created in whichever directory is your current directory at the time that the appxLoginMgr command is run to create the service. Therefore, before you run the appxLoginMgr command to create a service, you must first change to the directory where you want the configuration file to reside. For example, if you want the configuration file to be created in the APPX services directory, you should change to the services directory before you run the appxLoginMgr command.
 
Changed:
<
<		The name of the configuration file and the location of the configuration file should not be changed. The service that is created will not work correctly if the name or the location of the configuration file is changed.
>
>		Once created, the name of the configuration file and the location of the configuration file should not be changed. The service that is created will not work correctly if the name or the location of the configuration file is changed.

Note: The Configuration file for an APPX Audit Log service (as shown below) looks very much like the configuration file for an APPX Login Manager service.  You should ignore the configuration options that do not apply to an APPX Audit Log service.  These irrelevant options are of no consequence and will be removed in a future release. 

 
Changed:
<
<		# Appx connection manager configuration file
>
>

# Appx connection manager configuration file

 #
Changed:
<
<		# You can change this file by hand, or # use the uappxd program for better results
>
>		#   You can change this file by hand, or #   use the uappxd program for better results
 #
Changed:
<
<		# blank lines are ignored
>
>		#   blank lines are ignored
 #
Changed:
<
<		# anything following a '#' is treated as a comment
>
>		#   anything following a '#' is treated as a comment
 #
Changed:
<
<		# case is not important on the left-hand side # properties whose descriptions end in a '?' are # boolean and should be set to true or false # -------------------------------------------------- # AppxApplication = #startup application for spawned engines # AppxDatabase = #startup database for spawned engines AppxExecutable = /usr/local/appx/appx #pathname to Appx engine # AppxProcessName = #startup process name for spawned engines # AppxProcessType = #startup process type for spawned engines AuthenticationMethod = OS-User #authentication method (OS-User, Appx-User, HT-User(filename)) DisplayName = Login-8430 #descriptive name ImpersonateGID = true #change effective grouo ID for spawned engines? ImpersonateGroup = NamedGroup(appxgrp) #[LogonUser, NamedGroup(groupname), ServiceOwner] ImpersonateUID = true #change effective user ID for spawned engines? ImpersonateUser = NamedUser(appx) #[LogonUser, NamedUser(username), ServiceOwner] # IncludeSystemEnv = true #include service environment variables in spawned engines? # LogDirectory = /tmp #directory where log file should reside # LogNamePattern = /tmp/appxlog%N.xml #audit log filename pattern (see man strftime for details # LogRotationInterval = 86400 #number of seconds between audit log rotations # LogRotationSize = 1G #maximum audit log file size # RequireSSL = false #Require SSL-secured connections? # RequireSSLClientCertificates = false #require SSL-client certificates? # ServerCertificateFile = #pathname of server's X509 certificate (leave blank for anonymous connections # ServerPrivateKeyFile = #pathname of server's private key file (unlocks the ServerCertificateFile) # ServerPrivateKeyPassphrase = #passphrase that unlocks ServerPrivateKeyFile # ServiceDisable = false #disable this service? # ServiceDisableAppxKeys = false #disable keyboard mapping? # ServiceDisableFMS = false #disable AppxNET connections? # ServiceDisableLogins = false #disable interactive logins? # ServiceEnableCmds = true #allow client-side startup options? ServiceName = appxd-8430 #name of service ServiceType = login #service type (login or logmonitor) SockPort = 8430 #port number to service # SSLMode = optional #SSL connection type (optional, required, disabled) # TCPEnableKeepAlive = true #Enable TCP dead-connection detection # TCPKeepCount = 8 #Maximum number of keep-alive pings # TCPKeepIdle = 300 #Idle time before ping sent to client (in seconds) # TCPKeepInterval = 60 #Interval between keep-alive pings # TCPNoDelay = true #disable TCP packet filling delay? # TrustedCAFile = #determines which client certificates to trust # Umask = #umask (file creation mask) given to spawned engines
>
>		#   case is not important on the left-hand side #   properties whose descriptions end in a '?' are #   boolean and should be set to true or false # --------------------------------------------------

# AppxApplication            =                     #startup application for spawned engines # AppxDatabase               =                     #startup database for spawned engines AppxExecutable               = /usr/local/appx500/appx#pathname to Appx engine # AppxProcessName            =                     #startup process name for spawned engines # AppxProcessType            =                     #startup process type for spawned engines # AuthenticationMethod       = OS-User             #authentication method (OS-User, Appx-User, HT-User(filename)) DisplayName                  = AppxLog8070         #descriptive name # ImpersonateGID             = true                #change effective grouo ID for spawned engines? # ImpersonateGroup           = User                #[LogonUser, NamedGroup(groupname), ServiceOwner] # ImpersonateUID             = true                #change effective user ID for spawned engines? # ImpersonateUser            = LogonUser           #[LogonUser, NamedUser(username), ServiceOwner] # LoadSystemEnvironment      = true                #load default system-defined environment variables into spawned engines? # LogDirectory               = /tmp                #directory where log file should reside # LogNamePattern             = /tmp/appxlog%N.xml  #audit log filename pattern (see man strftime for details # LogRotationInterval        = 86400               #number of seconds between audit log rotations # LogRotationSize            = 1G                  #maximum audit log file size # RequireSSL                 = false               #Require SSL-secured connections? # RequireSSLClientCertificates = false               #require SSL-client certificates? # ServerCertificateFile      =                     #pathname of server's X509 certificate (leave blank for anonymous connections # ServerPrivateKeyFile       =                     #pathname of server's private key file (unlocks the ServerCertificateFile) # ServerPrivateKeyPassphrase =                     #passphrase that unlocks ServerPrivateKeyFile # ServiceDisable             = false               #disable this service? # ServiceDisableAppxKeys     = false               #disable keyboard mapping? # ServiceDisableFMS          = false               #disable AppxNET connections? # ServiceDisableLogins       = false               #disable interactive logins? # ServiceEnableCmds          = true                #allow client-side startup options? ServiceName                  = AppxLog8070         #name of service ServiceType                  = logmonitor          #service type (login or logmonitor) SockPort                     = 8070                #port number to service # SSLMode                    = Optional            #SSL connection type (optional, required, disabled) # TCPEnableKeepAlive         = true                #Enable TCP dead-connection detection # TCPKeepCount               = 8                   #Maximum number of keep-alive pings # TCPKeepIdle                = 300                 #Idle time before ping sent to client (in seconds) # TCPKeepInterval            = 60                  #Interval between keep-alive pings # TCPNoDelay                 = true                #disable TCP packet filling delay? # TrustedCAFile              =                     #determines which client certificates to trust # Umask                      =                     #umask (file creation mask) given to spawned engines

 

The Environment File (env)

Revision 122008-10-15 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature 

Line: 174 to 174
 
The LogRotationSize is the maximum size that an Audit Log file is allowed to be.  When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
Options - TCP/IP
-port, -SockPort={8060, PORT}
Changed:
<
<
Configure the service to listen for connection requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
>
>
Configure the service to listen for audit log requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
 

Configuration - Environment Variables

VARIABLE=VALUE
Changed:
<
<
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created and will be given to the environment of the appx sessions that are started by the Login Manager. Note that when specifying variables on the command line, you do not prefix them with a dash if you are referring to environment variables.
>
>
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created.  There is currently no reason to use this feature.
 

Synopsis - Service Management

Changed:
<
<
appxLoginMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}
>
>
appxAuditMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}
  MANAGEMENT OPTIONS
-start | < blank >
Changed:
<
<
Start an instance of the Login Manager service using the configuration information in the SERVICENAME.ini and the SERVICENAME.env files.
>
>
Start an instance of the Audit Log Service using the configuration information in the SERVICENAME.ini and the SERVICENAME.env files.
  -stop
Changed:
<
<
Stop the instance of the Login Manager service that was started with the SERVICENAME.ini file.
>
>
Stop the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
  -restart
Changed:
<
<
Restart (stop and then start) the instance of the Login Manager that was started with the SERVICENAME.ini file.
>
>
Restart (stop and then start) the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
  -status
Changed:
<
<
Report the status of the instance of the Login Manager that was started with the SERVICENAME.ini file.
>
>
Report the status of the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
  EXAMPLES
Changed:
<
<		Example 1: Configure and start a new instance of the Connection Service that will listen for connection requests on port 8060:
>
>		Example 1 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070:
 
Changed:
<
<		appxLoginMgr -install -port=8060 
Warning - the engine that you named has the setuid bit enabled
you may not want that bit set for the authentication method that you have chosen (OS-User)
To turn off the setuid bit, chmod u-s
../appx Configuration written to: appxd-8060.ini
Environment written to: appxd-8060.envtten to: /etc/rc.d/init.d/appxd-8060
>
>		appxAuditMgr -install -port=8070 -ServiceType=logmonitor  
 
Changed:
<
<		appxLoginMgr -install -port=8060 -name=appx8060 -displayName="Appx-Production(8060)" -engine=/usr/local/appx/appx APPXPATH=c:\appx\data APPX_KEYMAP=WINDOWS
>
>		Example 2 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070.  The service name and descriptive name are also specified.
 
Changed:
<
<		Display the status of an instance of the Connection Service:
>
>		appxAuditMgr -install -port=8070 -name=appx8070 -displayName="Appx-Audit-Log(8070)" -ServiceType=logmonitor
 
Changed:
<
<		appxLoginMgr -status appx8060
>
>		Example 2 - Display the status of an instance of the Audit Log Service:
 
Changed:
<
<		Shutdown a running instance of the Connection Service:
>
>		appxAuditMgr -status appx8070
 
Changed:
<
<		appxLoginMgr -stop appx8060
>
>		Example 3 - Shutdown a running instance of the Audit Log Service:
 
Changed:
<
<		Start a previously configured instance of the Connection Service:
>
>		appxAuditMgr -stop appx8070
 
Changed:
<
<		appxLoginMgr -start appx8060
>
>		Example 4 - Start a previously configured instance of the Audit Log Service:
 
Changed:
<
<		Modify a setting and an environment variable of an existing service
>
>		appxAuditMgr -start appx8070
 
Changed:
<
<		appxLoginMgr -modify -name=appx8060 -SSLMode=required APPX_KEYMAP=Windows
>
>		Example 5 - Modify the Display Name and the maximum size of the log of an existing service:

appxLoginMgr -modify -name=appx8070 -displayName="Big Audit Log" -LogRotationSize=10G

 
Deleted:
<
<
 

The Configuration File (ini)

Each instance of an APPX Connection Service has a configuration file that is used to store the various parameters relating to that specific instance of the connection service.

Revision 112008-10-15 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature 

Line: 165 to 165
 -LogNamePattern={/tmp/logmon%N.xml, AUDITLOGPATHNAME}
Changed:
<
<		The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service.  The file name can include a pattern to ensure that each file created by the Audit Log Service will have a unique name.
>
>		The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service.  The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.
  -LogRotationInterval={86400, MAXSECONDS}
Changed:
<
<
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created.  The default value of 86000 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
>
>
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created.  The default value of 86000 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
  -LogRotationSize={1G, MAXSIZE}
Changed:
<
<
The LogRotationSize is the maximum size that an Audit Log file is allowed to be.  When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
>
>
The LogRotationSize is the maximum size that an Audit Log file is allowed to be.  When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
 
Options - TCP/IP
-port, -SockPort={8060, PORT}
Changed:
<
<
Configure the service to listen for connection requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
>
>
Configure the service to listen for connection requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.

Configuration - Environment Variables

VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created and will be given to the environment of the appx sessions that are started by the Login Manager. Note that when specifying variables on the command line, you do not prefix them with a dash if you are referring to environment variables.

Synopsis - Service Management

appxLoginMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}

MANAGEMENT OPTIONS

-start | < blank >
Start an instance of the Login Manager service using the configuration information in the SERVICENAME.ini and the SERVICENAME.env files.

-stop

Stop the instance of the Login Manager service that was started with the SERVICENAME.ini file.

-restart

Restart (stop and then start) the instance of the Login Manager that was started with the SERVICENAME.ini file.

-status

Report the status of the instance of the Login Manager that was started with the SERVICENAME.ini file.

EXAMPLES

Example 1: Configure and start a new instance of the Connection Service that will listen for connection requests on port 8060:

appxLoginMgr -install -port=8060 

Warning - the engine that you named has the setuid bit enabled
you may not want that bit set for the authentication method that you have chosen (OS-User)
To turn off the setuid bit, chmod u-s
../appx Configuration written to: appxd-8060.ini
Environment written to: appxd-8060.envtten to: /etc/rc.d/init.d/appxd-8060

appxLoginMgr -install -port=8060 -name=appx8060 -displayName="Appx-Production(8060)" -engine=/usr/local/appx/appx APPXPATH=c:\appx\data APPX_KEYMAP=WINDOWS

Display the status of an instance of the Connection Service:

appxLoginMgr -status appx8060

Shutdown a running instance of the Connection Service:

appxLoginMgr -stop appx8060

Start a previously configured instance of the Connection Service:

appxLoginMgr -start appx8060

Modify a setting and an environment variable of an existing service

appxLoginMgr -modify -name=appx8060 -SSLMode=required APPX_KEYMAP=Windows

The Configuration File (ini)

Each instance of an APPX Connection Service has a configuration file that is used to store the various parameters relating to that specific instance of the connection service.

The -install option of the appxLoginMgr command creates the configuration file when the service is created.

The name of the configuration file is the concatenation of the service name and ".ini". For example, if the service name is "appxd-8430", the name of the configuration file will be "appxd-8430.ini".

The configuration file is created in whichever directory is your current directory at the time that the appxLoginMgr command is run to create the service. Therefore, before you run the appxLoginMgr command to create a service, you must first change to the directory where you want the configuration file to reside. For example, if you want the configuration file to be created in the APPX tools directory, you should change to the tools directory before you run the appxLoginMgr command.

The name of the configuration file and the location of the configuration file should not be changed. The service that is created will not work correctly if the name or the location of the configuration file is changed. 

# Appx connection manager configuration file
#
#   You can change this file by hand, or
#   use the uappxd program for better results
#
#   blank lines are ignored
#
#   anything following a '#' is treated as a comment
#
#   case is not important on the left-hand side
#   properties whose descriptions end in a '?' are
#   boolean and should be set to true or false
# --------------------------------------------------
# AppxApplication         =                     #startup application for spawned engines
# AppxDatabase            =                     #startup database for spawned engines
AppxExecutable            = /usr/local/appx/appx    #pathname to Appx engine
# AppxProcessName         =                     #startup process name for spawned engines
# AppxProcessType         =                     #startup process type for spawned engines
AuthenticationMethod      = OS-User             #authentication method (OS-User, Appx-User, HT-User(filename))
DisplayName               = Login-8430          #descriptive name
ImpersonateGID            = true                #change effective grouo ID for spawned engines?
ImpersonateGroup          = NamedGroup(appxgrp) #[LogonUser, NamedGroup(groupname), ServiceOwner]
ImpersonateUID            = true                #change effective user ID for spawned engines?
ImpersonateUser           = NamedUser(appx)     #[LogonUser, NamedUser(username), ServiceOwner]
# IncludeSystemEnv        = true                #include service environment variables in spawned engines?
# LogDirectory            = /tmp                #directory where log file should reside
# LogNamePattern          = /tmp/appxlog%N.xml  #audit log filename pattern (see man strftime for details
# LogRotationInterval     = 86400               #number of seconds between audit log rotations
# LogRotationSize         = 1G                  #maximum audit log file size
# RequireSSL              = false               #Require SSL-secured connections?
# RequireSSLClientCertificates = false          #require SSL-client certificates?
# ServerCertificateFile   =                     #pathname of server's X509 certificate (leave blank for anonymous connections
# ServerPrivateKeyFile    =                     #pathname of server's private key file (unlocks the ServerCertificateFile)
# ServerPrivateKeyPassphrase =                  #passphrase that unlocks ServerPrivateKeyFile
# ServiceDisable          = false               #disable this service?
# ServiceDisableAppxKeys  = false               #disable keyboard mapping?
# ServiceDisableFMS       = false               #disable AppxNET connections?
# ServiceDisableLogins    = false               #disable interactive logins?
# ServiceEnableCmds       = true                #allow client-side startup options?
ServiceName               = appxd-8430          #name of service
ServiceType               = login               #service type (login or logmonitor)
SockPort                  = 8430                #port number to service
# SSLMode                 = optional            #SSL connection type (optional, required, disabled)
# TCPEnableKeepAlive      = true                #Enable TCP dead-connection detection
# TCPKeepCount            = 8                   #Maximum number of keep-alive pings
# TCPKeepIdle             = 300                 #Idle time before ping sent to client (in seconds)
# TCPKeepInterval         = 60                  #Interval between keep-alive pings
# TCPNoDelay              = true                #disable TCP packet filling delay?
# TrustedCAFile           =                     #determines which client certificates to trust
# Umask                   =                     #umask (file creation mask) given to spawned engines

The Environment File (env)

Each instance of an APPX Connection Service has an environment file that is used to store the environment variables relating to that specific instance of the connection service. The environment variables in the environment file are inherited by each APPX session that is started by the APPX Connection Service.

The -install option of the appxLoginMgr command creates the environment file when the service is created.

The name of the environment file is the concatenation of the service name and ".env". For example, if the service name is "appxd-8430", the name of the environment file will be "appxd-8430.env".

The environment file is created in whichever directory is your current directory at the time that the appxLoginMgr command is run to create the service. Therefore, before you run the appxLoginMgr command to create a service, you must first change to the directory where you want the environment file to reside. For example, if you want the environment file to be created in the APPX tools directory, you should change to the tools directory before you run the appxLoginMgr command.

The name of the environment file and the location of the environment file should not be changed. The service that is created will not work correctly if the name or the location of the environment file is changed. 

# Appx connection manager environment variables
#
#   The entries in this file will become
#   environment variables in the engines
#   spawned by this service
#
#   blank lines are ignored
#
#   anything following a '#' is treated as a comment
#
#   letter case IS important in this file
# --------------------------------------------------
APPX_KEYMAP=WINDOWS

The Status File (stat)

When an APPX Connection Service is started, a status file is created in the specified LogDirectory. If a LogDirectory was not specified, then the status file is created in the /tmp directory.

The name of the status file is the concatenation of the service name and ".stat". For example, if the service name is "appxd-8430", the name of the status file will be "appxd-8430.stat".

The status file can be viewed to see the actual context within which the service is running. 

appxd-8430 running as process 28192
Effective User ID 0
Real User ID      0
Configuration values follow
*Daemonize = true
*DontForkEngine = false
*InitScriptStyle = 
*SleepAfterFork = 
AppxApplication = 
AppxDatabase = 
AppxExecutable = ../appx
AppxProcessName = 
AppxProcessType = 
AuthenticationMethod = OS-User
DisplayName = appxd-8430
ImpersonateGID = true
ImpersonateGroup = User
ImpersonateUID = true
ImpersonateUser = LogonUser
IncludeSystemEnv = true
LogDirectory = /tmp
LogNamePattern = /tmp/appxlog%N.xml
LogRotationInterval = 86400
LogRotationSize = 1G
RequireSSL = false
RequireSSLClientCertificates = false
ServerCertificateFile = 
ServerPrivateKeyFile = 
ServerPrivateKeyPassphrase = 
ServiceDisable = false
ServiceDisableAppxKeys = false
ServiceDisableFMS = false
ServiceDisableLogins = false
ServiceDisableODBC = 
ServiceEnableCmds = true
ServiceName = appxd-8430
ServiceType = login
SockPort = 8430
SSLMode = Optional
TCPEnableKeepAlive = true
TCPKeepCount = 8
TCPKeepIdle = 300
TCPKeepInterval = 60
TCPNoDelay = true
TrustedCAFile = 
Umask = 
Environment variables follow
APPX_KEYMAP = WINDOWS

The Log File (log)

When an APPX Connection Service is started, a log file is created in the specified LogDirectory. If a LogDirectory was not specified, then the log file is created in the /tmp directory.

The name of the log file is the concatenation of the service name and ".log". For example, if the service name is "appxd-8430", the name of the log file will be "appxd-8430.log".

When the connection service is started, the log file is initialized with the configuration of the connection service. The configuration information is followed by a dialog of messages relating to actions performed by the connection service. Each time the connection service processes a connection request, messages relating to the connection request are appended to the log file. 

*Daemonize = true
*DontForkEngine = false
*InitScriptStyle = 
*SleepAfterFork = 
AppxApplication = 
AppxDatabase = 
AppxExecutable = ../appx
AppxProcessName = 
AppxProcessType = 
AuthenticationMethod = OS-User
DisplayName = appxd-8430
ImpersonateGID = true
ImpersonateGroup = User
ImpersonateUID = true
ImpersonateUser = LogonUser
IncludeSystemEnv = true
LogDirectory = /tmp
LogNamePattern = /tmp/appxlog%N.xml
LogRotationInterval = 86400
LogRotationSize = 1G
RequireSSL = false
RequireSSLClientCertificates = false
ServerCertificateFile = 
ServerPrivateKeyFile = 
ServerPrivateKeyPassphrase = 
ServiceDisable = false
ServiceDisableAppxKeys = false
ServiceDisableFMS = false
ServiceDisableLogins = false
ServiceDisableODBC = 
ServiceEnableCmds = true
ServiceName = appxd-8430
ServiceType = login
SockPort = 8430
SSLMode = Optional
TCPEnableKeepAlive = true
TCPKeepCount = 8
TCPKeepIdle = 300
TCPKeepInterval = 60
TCPNoDelay = true
TrustedCAFile = 
Umask = 
createListener complete - listening on port 8430
CAppxD::Run starting
handleClients - starting
handleClients - waiting

Red Hat service command.

Usage (service)

Synopsis - service Command

service [serviceName] [start|stop|restart|status]

 

Notes

Added:
>
>
 For example, here is a command to create a log monitor:
Line: 272 to 544
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Changed:
<
<
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
>
>		@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
  Then click on Log File Parameters and make sure you check parameters that you wish to log:
Line: 397 to 670
  Need examples of loading XML Data into an RDBMS
Deleted:
<
<

BUGS

No open bugs.

 

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

Line: 414 to 685
  
<--/commentPlugin-->
Changed:
<
<		-- SteveFrizzell - 20 Jun 2008
>
>		-- SteveFrizzell - 20 Jun 2008
 
META FILEATTACHMENT attachment="structure.xslt" attr="" comment="xslt program to extract file create events" date="1219770121" name="structure.xslt" path="structure.xslt" size="1629" stream="structure.xslt" user="Main.JeanNeron" version="1"
META FILEATTACHMENT attachment="subrs.xslt" attr="" comment="xslt program to extract subroutine calls" date="1219770177" name="subrs.xslt" path="subrs.xslt" size="1866" stream="subrs.xslt" user="Main.JeanNeron" version="1"

Revision 102008-10-15 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature 

Line: 45 to 45
 -rwsrwxr-x 1 root appxgrp 636843 Jul 11 07:31 appxAuditMgr
Changed:
<
<

Creating and Configuring the APPX Audit Log Service

>
>

Creating and Configuring an Audit Log Service

 
Changed:
<
<		On Unix/Linux systems, an instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port.
>
>		On Unix/Linux systems, an instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port.   Each instance of the Audit Log Service will log file I/O activity to a separate xml file.  By creating more than one instance of the APPX Audit Log Service, you can separate the file I/O activity that is logged into separate files by assigning different Log Profiles to FMS groups or individual files.
 

Creating an Audit Log Service

Changed:
<
<		Before file I/O activity can be logged, at least one instance of an APPX Connection Service must be configured and started.
>
>		Before file I/O activity can be logged, at least one instance of an APPX Audit Log Service must be configured and started.
  The -install option of the appxAuditMgr command is used to initially create, configure, and start an instance of the APPX Audit Log Service. The following steps are performed:
  1. A configuration file (ini) is created
Line: 58 to 58
 
  1. A service is created, including required init files and links. ( On Red Hat, /etc/init.d/ )
  2. The service is started
Changed:
<
<		For compete information on using the -install option of the appxAuditMgr command, please refer to the usage section of this page.
>
>		When creating an instance of the APPX Audit Log Service, you must provide the Service Name, Service Type, and TCP/IP Port Number.  For compete information on using the -install option of the appxAuditMgr command, please refer to the usage section of this page.
 

Service Name 

Line: 68 to 68
 When creating an instance of an APPX Audit Log Service, the -ServiceType option must be specified.  The value of this option must be "logmonitor".

TCP/IP Port Number

When creating an instance of an APPX Audit Log Service, the -SockPort option must be used to specify the TCP/IP port number on which the service is to listen for audit logging requests. Any available TCP/IP port number may be specified when installing an instance of the APPX Audit Log Service. However, as a matter of convention, most APPX administrators configure the APPX Audit Log Service to listen for connections on port 8070. If additional instances of the APPX Audit Log Service are configured, each instance is typically assigned the next available port number after 8070.
Changed:
<
<

Changing an Audit Log Service

>
>

Changing the Configuration of an Audit Log Service

  Two methods are available for modifying an existing instance of an APPX Audit Log Service.

Method 1 - The APPX Audit Log Manager Command (appxAuditMgr)

The -modify command and the -replace command of the appxAuditMgr tool can be used to modify or replace a previously configured instance of the APPX Audit Log Service. These options update the existing APPX Audit Log Service configuration files (ini and env) with the options specified. If you use this technique, the service will be automatically restarted for you, using the new settings. Note that when specifying options on the command line, you must prefix them with a dash.

Method 2 - Text Editor

Changed:
<
<		A text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above.
>
>		A text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above.  When you edit the configuration files for an instance of the APPX Audit Log Service with a text editor, you must restart the service before the changes take effect.
 

Managing an Audit Log Service

Two methods are available for managing an existing instance of the APPX Audit Log Service.

Changed:
<
<
>
>
 

Method 1 - appxAuditMgr command

Changed:
<
<		The appxAuditMgr command can be used to manage an instance of the APPX Audit Log Service. The appxAuditMgr command can be used to start, stop, restart, or display the status of an instance of an APPX Audit Log Service.

Method 2 - O/S Services

Your operating system includes commands or programs that can be used to manage services. APPX Audit Log Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the command line tool service

>
>		The appxAuditMgr command can be used to manage an instance of the APPX Audit Log Service. The appxAuditMgr command can be used to start, stop, restart, or display the status of an instance of an APPX Audit Log Service. The following example shows how to use the appxLogMgr command to check on the status of an APPX Audit Log Service. 
[root@500test tools]# appxLogMgr -status logmon-8436 
up and running (process 2390 servicing port 8436)

Method 2 - O/S Services 

 
Changed:
<
<		.
>
>		Your operating system includes commands or programs that can be used to manage services. APPX Audit Log Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the service command. The following example shows how to use the Red hat service command to check on the status of an APPX Audit Log Service.
 
Changed:
<
<		[root@tubes tools]# service appxd-8060 status Warning - the engine that you named has the setuid bit enabled, you may not want that bit set for the authentication method that you have chosen (OS-User) To turn off the setuid bit, chmod u-s ../appx up and running (process 13893 servicing port 8060) [root@tubes tools]#
>
>

[root@500test tools]# service logmon-8436 status up and running (process 2390 servicing port 8436)

 
Changed:
<
<

Notes

>
>

Usage (appxAuditMgr)

Synopsis - Service Configuration

The appxAuditMgr service configuration commands are used to create, configure, and remove an instance of an APPX Audit Log Service.

appxAuditMgr -install -ServiceType=logmonitor -SockPort=[TCP-Port] [options]... [VARIABLE=VALUE]...

appxLoginMgr -modify -serviceName=SERVICENAME [options]... [VARIABLE=VALUE]...

appxLoginMgr -replace -serviceName=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

appxLoginMgr -remove -serviceName=SERVICENAME

Configuration - Commands

-install -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

-install -port=PORT -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

The -install command is used to configure a new instance of an APPX Audit Log Service. Either form of the install command may be used.

The first form of the -install command requires only that a service name and service type be specified. All other options are optional including the TCP/IP port. Any option not specified will be configured with an appropriate default value.

The second form of the -install command requires only that a TCP/IP port and service type be specified. All other options are optional including the ServiceName. Any option not specified will be configured with an appropriate default value.

Both forms of the -install command allow additional configuration options to be specified. The configuration options specified are stored in the service configuration file (ini).

Both forms of the -install command optionally allow values to be specified for environment variables. If specified, the environment variables and their values are stored in the environment configuration file (env). There is currently no need to set any environment variables.

In addition to creating the service configuration file and the environment configuration file, the -install command also creates an operating system service that will be automatically started when the computer system is started.

 
Added:
>
>		After creating the configuration files and the operating system service, the -install command starts the service. -modify -name=SERVICENAME [options]... [VARIABLE=VALUE]...

The -modify command is used to modify the configuration of an existing Audit Log Service. The specified options will be updated in the service configuration files. Any options not specified will not be changed. After updating the configuration files, the -modify command restarts the service.

Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.

Note that the -modify command updates the service configuration file and the environment configuration file by removing the old files and creating new files with the updated options and environment variables.  Any comments that may have been manually added to these configuration files are not preserved.

-replace -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

The -replace command is used to replace an existing Audit Log Service with a new Audit Log Service with the same name. The -replace command is effectively the same as a -remove command followed by an -install command. After updating the configuration files, the -replace command restarts the service. Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.

-remove -name=SERVICENAME

The -remove command is used to remove an existing Audit Log Service. The -remove command will remove the configuration files (ini and env) and the corresponding operating system service. If the service is running when the -remove command is executed, the -remove command will first stop the service and then remove the service.

Configuration - Options

Options - General
-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".

-DisplayName=DISPLAYNAME

The DisplayName is a "user-friendly" descriptive name for an Audit Log Service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when an Audit Log Service is being created, the Audit Log Service will be created with a DISPLAYNAME based on the SERVICENAME.

-LogDirectory={/tmp, LOGDIR}

When the service is started, two log files are created in the LOGDIR directory - an Audit Log Service log file (.log) and a status file (.stat). Both log files have the same name as the ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the LogDirectory option is not specified, the log files are created in the /tmp directory.

-ServiceType=logmonitor

The only valid value when configuring an Audit Log Service is "logmonitor". Note: This option must be specified.

-ServiceDisable={true, false}

This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.

-initScript={lsb, RedHat}

Used with -install option to specify the type of operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.
Options - Audit Log
-LogNamePattern={/tmp/logmon%N.xml, AUDITLOGPATHNAME}

The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service.  The file name can include a pattern to ensure that each file created by the Audit Log Service will have a unique name.

-LogRotationInterval={86400, MAXSECONDS}

The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created.  The default value of 86000 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day

-LogRotationSize={1G, MAXSIZE}

The LogRotationSize is the maximum size that an Audit Log file is allowed to be.  When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
Options - TCP/IP
-port, -SockPort={8060, PORT}
Configure the service to listen for connection requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.

Notes

 For example, here is a command to create a log monitor:
Line: 195 to 272
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Changed:
<
<
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
>
>
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
  Then click on Log File Parameters and make sure you check parameters that you wish to log:
Line: 337 to 414
  
<--/commentPlugin-->
Changed:
<
<		-- SteveFrizzell - 20 Jun 2008
>
>		-- SteveFrizzell - 20 Jun 2008
 
META FILEATTACHMENT attachment="structure.xslt" attr="" comment="xslt program to extract file create events" date="1219770121" name="structure.xslt" path="structure.xslt" size="1629" stream="structure.xslt" user="Main.JeanNeron" version="1"
META FILEATTACHMENT attachment="subrs.xslt" attr="" comment="xslt program to extract subroutine calls" date="1219770177" name="subrs.xslt" path="subrs.xslt" size="1866" stream="subrs.xslt" user="Main.JeanNeron" version="1"

Revision 92008-10-14 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"
Changed:
<
<

APPX Audit Log

>
>

APPX Audit Log Feature 

 
Changed:
<
<		This page describes how to install the APPX Audit Log Manager and how to use it to install, configure, and manage APPX Audit Log Services on Unix/Linux systems.
>
>		This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature.
 

Overview

Changed:
<
<		The APPX Audit Log feature creates an xml log of APPX file activity.  The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX.  The level of detail can be configured to optionally include read, write, rewrite, delete, create, and restructure events.
>
>		The APPX Audit Log feature creates an xml log of APPX file I/O activity.  The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX.  The level of activity detail logged can be configured to optionally include read, write, rewrite, delete, create, and restructure events.

To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file.

 

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. So, there is nothing additional that you need to do to install the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.

Line: 17 to 19
  The appxAuditMgr command must run with the permissions of the root user. Therefore, the owner of the appxAuditMgr command should be the root user and the SUID bit should be set so that the appxAuditMgr command can be run by users other than root but still be run with the permissions of the root user.
Changed:
<
<		In the event that it is necessary to reset the permissions on the appxAuditMgr command, the following commands can be run by the root user to set the necessary owner and group permissions for the appxLoginMgr command.
>
>		In the event that it is necessary to reset the permissions of the appxAuditMgr command, the following commands can be run by the root user to set the necessary owner and group permissions for the appxAuditMgr command.
 
Line: 43 to 45
 -rwsrwxr-x 1 root appxgrp 636843 Jul 11 07:31 appxAuditMgr
Changed:
<
<

Overview x

>
>

Creating and Configuring the APPX Audit Log Service

On Unix/Linux systems, an instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port.

Creating an Audit Log Service

Before file I/O activity can be logged, at least one instance of an APPX Connection Service must be configured and started.

The -install option of the appxAuditMgr command is used to initially create, configure, and start an instance of the APPX Audit Log Service. The following steps are performed:

  1. A configuration file (ini) is created
  2. An environment file (env) is created
  3. A service is created, including required init files and links. ( On Red Hat, /etc/init.d/ )
  4. The service is started

For compete information on using the -install option of the appxAuditMgr command, please refer to the usage section of this page.

Service Name 

Each instance of an APPX Audit Log Service must have a unique name. When creating an instance of a service, the -name option may be used to specify the name that you want the service to have. If you do not specify a name, a name will be assigned for you for example, appxd-8060.

Service Type

When creating an instance of an APPX Audit Log Service, the -ServiceType option must be specified.  The value of this option must be "logmonitor".

TCP/IP Port Number

When creating an instance of an APPX Audit Log Service, the -SockPort option must be used to specify the TCP/IP port number on which the service is to listen for audit logging requests. Any available TCP/IP port number may be specified when installing an instance of the APPX Audit Log Service. However, as a matter of convention, most APPX administrators configure the APPX Audit Log Service to listen for connections on port 8070. If additional instances of the APPX Audit Log Service are configured, each instance is typically assigned the next available port number after 8070.

Changing an Audit Log Service

Two methods are available for modifying an existing instance of an APPX Audit Log Service.

Method 1 - The APPX Audit Log Manager Command (appxAuditMgr)

The -modify command and the -replace command of the appxAuditMgr tool can be used to modify or replace a previously configured instance of the APPX Audit Log Service. These options update the existing APPX Audit Log Service configuration files (ini and env) with the options specified. If you use this technique, the service will be automatically restarted for you, using the new settings. Note that when specifying options on the command line, you must prefix them with a dash.

Method 2 - Text Editor

A text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above.

Managing an Audit Log Service

 
Changed:
<
<		A new service has been added in Release 5.0 - appxAuditMgr. It accepts the same command parameters as appxLoginMgr, with the addition of the --serviceType=logmonitor flag that indicates it is to run as a log monitor, not a login manager. The appxAuditMgr program is located in the services directory of your Appx installation. For example, here is a command to create a log monitor:
>
>		Two methods are available for managing an existing instance of the APPX Audit Log Service.

Method 1 - appxAuditMgr command

The appxAuditMgr command can be used to manage an instance of the APPX Audit Log Service. The appxAuditMgr command can be used to start, stop, restart, or display the status of an instance of an APPX Audit Log Service.

Method 2 - O/S Services

Your operating system includes commands or programs that can be used to manage services. APPX Audit Log Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the command line tool service

. 

[root@tubes tools]# *service appxd-8060 status*
Warning - the engine that you named has the setuid bit enabled,
          you may not want that bit set for the authentication
          method that you have chosen (OS-User)
     To turn off the setuid bit, chmod u-s ../appx
up and running (process 13893 servicing port 8060)
[root@tubes tools]#

Notes

For example, here is a command to create a log monitor:

 

./appxAuditMgr -install -serviceType=logmonitor -name=myLogMonitor -port=8064

Line: 141 to 195
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Changed:
<
<
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
>
>
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
  Then click on Log File Parameters and make sure you check parameters that you wish to log:

Revision 82008-10-09 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log

Line: 15 to 15
  The appxAuditMgr command is installed into the "tools" subdirectory of the directory where you installed APPX. So, if you installed APPX in "/usr/local/appx", the full pathname of the appxAuditMgr command will be "/usr/local/appx/tools/appxAuditMgr".
Changed:
<
<		The appxAuditMgr command must run with the permissions of the root user. Therefore, the owner of the appxAuditMgr command should be the root user and the SUID bit should be set so that the appxAuditMgr command can be run by users other than root but still be run with the permissions of root.
>
>		The appxAuditMgr command must run with the permissions of the root user. Therefore, the owner of the appxAuditMgr command should be the root user and the SUID bit should be set so that the appxAuditMgr command can be run by users other than root but still be run with the permissions of the root user.
  In the event that it is necessary to reset the permissions on the appxAuditMgr command, the following commands can be run by the root user to set the necessary owner and group permissions for the appxLoginMgr command.
Line: 40 to 40
 
Changed:
<
<		-rwsrwxr-x 1 root root 636843 Jul 11 07:31 appxAuditMgr
>
>		-rwsrwxr-x 1 root appxgrp 636843 Jul 11 07:31 appxAuditMgr
 

Overview x

Revision 72008-10-09 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log

Line: 6 to 6
 This page describes how to install the APPX Audit Log Manager and how to use it to install, configure, and manage APPX Audit Log Services on Unix/Linux systems.

Added:
>
>

Overview

The APPX Audit Log feature creates an xml log of APPX file activity.  The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX.  The level of detail can be configured to optionally include read, write, rewrite, delete, create, and restructure events.

 

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. So, there is nothing additional that you need to do to install the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.

Line: 40 to 43
 -rwsrwxr-x 1 root root 636843 Jul 11 07:31 appxAuditMgr
Changed:
<
<

Overview

>
>

Overview x

  A new service has been added in Release 5.0 - appxAuditMgr. It accepts the same command parameters as appxLoginMgr, with the addition of the --serviceType=logmonitor flag that indicates it is to run as a log monitor, not a login manager. The appxAuditMgr program is located in the services directory of your Appx installation. For example, here is a command to create a log monitor:

Revision 62008-10-09 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log

Changed:
<
<		APPX now includes the ability to log all file I/O for selected data files.
>
>		This page describes how to install the APPX Audit Log Manager and how to use it to install, configure, and manage APPX Audit Log Services on Unix/Linux systems.
 
Added:
>
>

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. So, there is nothing additional that you need to do to install the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.

The appxAuditMgr command is installed into the "tools" subdirectory of the directory where you installed APPX. So, if you installed APPX in "/usr/local/appx", the full pathname of the appxAuditMgr command will be "/usr/local/appx/tools/appxAuditMgr".

The appxAuditMgr command must run with the permissions of the root user. Therefore, the owner of the appxAuditMgr command should be the root user and the SUID bit should be set so that the appxAuditMgr command can be run by users other than root but still be run with the permissions of root.

In the event that it is necessary to reset the permissions on the appxAuditMgr command, the following commands can be run by the root user to set the necessary owner and group permissions for the appxLoginMgr command. 

cd /usr/local/appx/tools
chown root appxAuditMgr
chgrp appxgrp appxAuditMgr
chmod 4775 appxAuditMgr

You can check the permissions of the appxAuditMgr command by running the following command: 

ls -l appxAuditMgr

The recommended permissions should be as follows: 

-rwsrwxr-x 1 root root    636843 Jul 11 07:31 appxAuditMgr
 

Overview

A new service has been added in Release 5.0 - appxAuditMgr. It accepts the same command parameters as appxLoginMgr, with the addition of the --serviceType=logmonitor flag that indicates it is to run as a log monitor, not a login manager. The appxAuditMgr program is located in the services directory of your Appx installation. For example, here is a command to create a log monitor:

Line: 104 to 138
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Changed:
<
<
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
>
>
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
  Then click on Log File Parameters and make sure you check parameters that you wish to log:

Revision 52008-09-15 - SteveFrizzell

Line: 1 to 1
Changed:
<
<
META TOPICPARENT name="APPX43Features"
>
>
META TOPICPARENT name="APPX500Features"
 

APPX Audit Log

Line: 9 to 9
 

Overview

A new service has been added in Release 5.0 - appxAuditMgr. It accepts the same command parameters as appxLoginMgr, with the addition of the --serviceType=logmonitor flag that indicates it is to run as a log monitor, not a login manager. The appxAuditMgr program is located in the services directory of your Appx installation. For example, here is a command to create a log monitor:

Changed:
<
<
>
>
  ./appxAuditMgr -install -serviceType=logmonitor -name=myLogMonitor -port=8064
Line: 17 to 17
  This port is not a listener, so you can not login directly to that port.
Changed:
<
<		Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory. You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.
>
>		Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory. You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.
  Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:
Changed:
<
<
>
>
  /tmp/appx_2007-01-31.xml

/tmp/appx_2007-02-28.xml

The default pattern (as reflected in the serviceName. ini file) is:

Changed:
<
<
LogNamePattern = /tmp/appxlog%N.xml
>
>
LogNamePattern = /tmp/appxlog%N.xml
  Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:
Changed:
<
<
/tmp/appx-11-Jun-08
>
>
/tmp/appx-11-Jun-08
  /tmp/appx-12-Jun-08
Line: 86 to 85
 

After you have modified .ini file, you need to stop and re-start that service. To stop service, assuming you are in ./services directory of your Appx installation simply type:

Changed:
<
<
>
>
  ./appxAuditMgr -stop -name=myLogMonitor

./appxAuditMgr -start -name=myLogMonitor

If you stop/start service as a root, make sure you give it a fully qualified path.

Changed:
<
<
>
>
  ./appxAuditMgr -stop -name=/usr/local/appx/services/myLogMonitor
Line: 105 to 104
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Changed:
<
<
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined=""> servername:8064
>
>
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
  Then click on Log File Parameters and make sure you check parameters that you wish to log:
Line: 118 to 117
 You can now assign this FMS group to the file(s) that you wish to monitor.

To close existent log file and rotate the log, you need issue the following command:

Changed:
<
<
>
>
  kill -s SIGUSR1 <PID>

where PID is a process ID of the audit log listener. Existent log will be closed and rotated to the next one.

Changed:
<
<		The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size. XML files can easily be imported into a RDBMS, which does not have the same file size limitation.
>
>		The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size. XML files can easily be imported into a RDBMS, which does not have the same file size limitation.
  You can view the log file with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file. You can also use the various xlst processing programs to create queries (such as xsltproc or xalan from Apache).
Changed:
<
<		Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:
>
>		Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:
 
type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Line: 226 to 215
  $ xslt stylesheetFileName logFileName >output.html
Changed:
<
<		for example:
>
>		for example:
  $ xslt /stylesheets/structure.xslt /tmp/appxlog0.xml > /tmp/fileCreates.html
Changed:
<
<		To use a stylesheet with xalan (the XSLT processor from Apache):
>
>		To use a stylesheet with xalan (the XSLT processor from Apache):
  $ xalan -xsl stylesheetFileName <logFileName >output.html
Changed:
<
<		for example:
>
>		for example:
  $ xalan -xsl /stylesheets/structure.xslt < /tmp/appxlog0.xml > /tmp/fileCreates.html
Line: 242 to 231
 

BUGS

Changed:
<
<		#2195 - FIXED - System Administration - Configuration - Log Profiles. There is a button at the bottom of the screen that is carried over to the details screen. it looks like it's just a left over and needs to be removed
#2201 - FIXED - --- MOD SCROLL BEHAV subroutine needs to be added to the input process. Also, when in CHANGE MODE, it highlights the Name, but then you press ENTER to go to the next screen - and it takes you tot he next record instead.
#2219 - FIXED -Testing showed the when you issue kill -1 PID command, it kills the listener, but doesn't close the file. Furthermore, when you restart listener - your log file is getting completely wiped out.
Same results were when kill -s sigusr1 PID command was issued - the log file didn't close, Appx session closed and log file was wiped out.

#2220 - FIXED - If you run a process - any process, against the file where FMS group for the listener is assigned to, Appx closes session all together - needs better handling.

#2225 - FIXED - As of 6/13/08 - you can not use IP address in Log Profile. If server name is used - all is well. If IP address is used - nothing is logged

>
>		No open bugs.
 

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.

Changed:
<
<		How to close and rotate the log in Windows?
>
>		How to close and rotate the log in Windows?
 

Comments:

Read what other users have said about this page or add your own comments.

Revision 42008-08-26 - JeanNeron

Line: 1 to 1
 
META TOPICPARENT name="APPX43Features"

APPX Audit Log

Line: 8 to 8
 

Overview

Changed:
<
<		uappxd/appxdsvc have been modified to start as a LogMonitor. For uappxd you can create a log monitor service like this:
>
>		A new service has been added in Release 5.0 - appxAuditMgr. It accepts the same command parameters as appxLoginMgr, with the addition of the --serviceType=logmonitor flag that indicates it is to run as a log monitor, not a login manager. The appxAuditMgr program is located in the services directory of your Appx installation. For example, here is a command to create a log monitor:
 
Changed:
<
<		./uappxd -install -serviceType=logmonitor -name=myLogMonitor -port=8064
>
>		./appxAuditMgr -install -serviceType=logmonitor -name=myLogMonitor -port=8064
  Port number has to be different from the port number you are using for your users to login.

This port is not a listener, so you can not login directly to that port.

Changed:
<
<		Once you have created this new Service Type, it will create .ini and .env files for you. In our example, uappxd will create myLogMonitor.ini and myLogMonitor.env fiels in /tools directory.

Make sure you change permissions on newly created .ini and .env files:

chmod 775 myLogMonitor

chown appx:appxgrp myLogMonitor

>
>		Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory.
 You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.

Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:

Line: 93 to 85
 %% A literal '%' character.
Changed:
<
<		After you have modified .ini file, you need to stop and re-start that service. To stop service, assuming you are in /usr/local/appx/tools directory AND logged in as appx, simply type:
>
>		After you have modified .ini file, you need to stop and re-start that service. To stop service, assuming you are in ./services directory of your Appx installation simply type:
 
Changed:
<
<		./uappxd -stop -name=myLogMonitor
>
>		./appxAuditMgr -stop -name=myLogMonitor
 
Changed:
<
<		./uappxd -start -name=myLogMonitor
>
>		./appxAuditMgr -start -name=myLogMonitor
  If you stop/start service as a root, make sure you give it a fully qualified path.
Changed:
<
<		./uappxd -stop -name=/usr/local/appx/tools/myLogMonitor
>
>		./appxAuditMgr -stop -name=/usr/local/appx/services/myLogMonitor
 
Changed:
<
<		./uappxd -start -name=/usr/local/appx/tools/myLogMonitor
>
>		./appxAuditMgr -start -name=/usr/local/appx/services/myLogMonitor
  Please note that -name parameter is required.
Changed:
<
<		Now Appx is ready to write changes to the log file, client sends XML data to the monitor and the monitor writes to the log file.
>
>		Before data can be written to the log file in XML format, you need to define a Log Profile for the monitor.
 
Changed:
<
<		Before data can be written to the log file in XML format, you need to define FMS group for the monitor.

To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with uappxd:

>
>		To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
 
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined=""> servername:8064
Line: 123 to 113
  To add a new FMS group you need to go to System Administration, Configuration, File System Groups and press F9 to add a new one for the monitor.
Changed:
<
<		Give it an FMS group of 1, then in the FMS group attributes screen pull down Log Profile Names adn choose the name of your Log Profile.
>
>		Give it an FMS group of 1 and click on 'FMS group attributes' button. On that screen enter the name of your Log Profile in the 'Log Profile' field. Note that if you already have an FMS group that is used by the file(s) you wish to monitor, you can simply add the Log Profile name to the existing FMS group. If the FMS group refers to a RDBMS (such as Oracle, SQL Server, etc), then only changes made by Appx will be logged.
  You can now assign this FMS group to the file(s) that you wish to monitor.
Line: 134 to 124
  where PID is a process ID of the audit log listener. Existent log will be closed and rotated tot he next one.
Changed:
<
<		Generated xml log files can be viewed with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file.
>
>		The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size. XML files can easily be imported into a RDBMS, which does not have the same file size limitation.

You can view the log file with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file. You can also use the various xlst processing programs to create queries (such as xsltproc or xalan from Apache).

  Each Audit Log document contains one primary enclosing <events> node which contains one
Line: 220 to 215
 
<fieldName/>
</DeletedElement>
Added:
>
>

Sample scripts

Here are some sample xslt processing commands that you can use to do inquiries against the raw XML data.

The attached file 'structure.xslt' will extract any file create events from a log and produces an HTML table that shows the structure of each file that you create.

The attached file 'subrs.xslt' extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name.

To use a stylesheet with xsltproc (the XSLT processor from libxml/xmlsoft):

$ xslt stylesheetFileName logFileName >output.html

for example:

$ xslt /stylesheets/structure.xslt /tmp/appxlog0.xml > /tmp/fileCreates.html

To use a stylesheet with xalan (the XSLT processor from Apache):

$ xalan -xsl stylesheetFileName <logFileName >output.html

for example:

$ xalan -xsl /stylesheets/structure.xslt < /tmp/appxlog0.xml > /tmp/fileCreates.html

Need examples of loading XML Data into an RDBMS

 

BUGS

#2195 - FIXED - System Administration - Configuration - Log Profiles. There is a button at the bottom of the screen that is carried over to the details screen. it looks like it's just a left over and needs to be removed
#2201 - FIXED - --- MOD SCROLL BEHAV subroutine needs to be added to the input process. Also, when in CHANGE MODE, it highlights the Name, but then you press ENTER to go to the next screen - and it takes you tot he next record instead.
#2219 - FIXED -Testing showed the when you issue kill -1 PID command, it kills the listener, but doesn't close the file. Furthermore, when you restart listener - your log file is getting completely wiped out.
Same results were when kill -s sigusr1 PID command was issued - the log file didn't close, Appx session closed and log file was wiped out.

Line: 243 to 263
 
<--/commentPlugin-->

-- SteveFrizzell - 20 Jun 2008

Added:
>
>
META FILEATTACHMENT attachment="structure.xslt" attr="" comment="xslt program to extract file create events" date="1219770121" name="structure.xslt" path="structure.xslt" size="1629" stream="structure.xslt" user="Main.JeanNeron" version="1"
META FILEATTACHMENT attachment="subrs.xslt" attr="" comment="xslt program to extract subroutine calls" date="1219770177" name="subrs.xslt" path="subrs.xslt" size="1866" stream="subrs.xslt" user="Main.JeanNeron" version="1"

Revision 32008-07-02 - YanaLorne

Line: 1 to 1
 
META TOPICPARENT name="APPX43Features"

APPX Audit Log

Line: 115 to 115
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with uappxd:
Changed:
<
<		@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">@6 1 2" _moz-userdefined="">@7 21600 pixelWidth" _moz-userdefined="">@8 21600 0" _moz-userdefined="">@7 21600 pixelHeight" _moz-userdefined="">@10 21600 0" _moz-userdefined=""><!--[if vml]--><!--[endif]-->
>
>
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined=""> servername:8064
  Then click on Log File Parameters and make sure you check parameters that you wish to log:
Line: 226 to 226
  #2220 - FIXED - If you run a process - any process, against the file where FMS group for the listener is assigned to, Appx closes session all together - needs better handling.
Changed:
<
<		#2225 - OPEN - As of 6/13/08 - you can not use IP address in Log Profile. If server name is used - all is well. If IP address is used - nothing is logged
>
>		#2225 - FIXED - As of 6/13/08 - you can not use IP address in Log Profile. If server name is used - all is well. If IP address is used - nothing is logged
 

NOTES:

Revision 22008-06-20 - YanaLorne

Line: 1 to 1
 
META TOPICPARENT name="APPX43Features"
Changed:
<
<

APPX Audit Log

>
>

APPX Audit Log

 
Changed:
<
<		APPX now includes the ability to log all file I/O for selected data files.
>
>		APPX now includes the ability to log all file I/O for selected data files.
 

Overview

uappxd/appxdsvc have been modified to start as a LogMonitor. For uappxd you can create a log monitor service like this:

Changed:
<
<
>
>
  ./uappxd -install -serviceType=logmonitor -name=myLogMonitor -port=8064
Line: 20 to 20
 Once you have created this new Service Type, it will create .ini and .env files for you. In our example, uappxd will create myLogMonitor.ini and myLogMonitor.env fiels in /tools directory.

Make sure you change permissions on newly created .ini and .env files:

Changed:
<
<
>
>
  chmod 775 myLogMonitor
Line: 29 to 29
 You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.

Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:

Changed:
<
<
>
>
  /tmp/appx_2007-01-31.xml

/tmp/appx_2007-02-28.xml

The default pattern (as reflected in the serviceName. ini file) is:

Changed:
<
<
LogNamePattern = /tmp/appxlog%N.xml
>
>
LogNamePattern = /tmp/appxlog%N.xml
  Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:
Changed:
<
<
/tmp/appx-11-Jun-08
>
>
/tmp/appx-11-Jun-08
  /tmp/appx-12-Jun-08
Line: 94 to 94
 

After you have modified .ini file, you need to stop and re-start that service. To stop service, assuming you are in /usr/local/appx/tools directory AND logged in as appx, simply type:

Changed:
<
<
>
>
  ./uappxd -stop -name=myLogMonitor

./uappxd -start -name=myLogMonitor

If you stop/start service as a root, make sure you give it a fully qualified path.

Changed:
<
<
>
>
  ./uappxd -stop -name=/usr/local/appx/tools/myLogMonitor
Line: 115 to 115
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with uappxd:
Changed:
<
<		<?XML:NAMESPACE PREFIX = V />@0 1 0">@1">@2 1 2">@3 21600 pixelWidth">@3 21600 pixelHeight">@0 0 1">@6 1 2">@7 21600 pixelWidth">@8 21600 0">@7 21600 pixelHeight">@10 21600 0"><?XML:NAMESPACE PREFIX = O /><!--[if vml]--><!--[endif]-->

Then click on Log File Parameters and make sure you check parameters that you wish to log:

Now you are ready to define a new FMS group for the monitor.

To add a new FMS group you need to go to System Administration, Configuration, File System Groups and press F9 to add a new one for the monitor.

Give it an FMS group of 1, then in the FMS group attributes screen pull down Log Profile Names adn choose the name of your Log Profile.

You can now assign this FMS group to the file(s) that you wish to monitor.

To close existent log file and rotate the log, you need issue the following command:

kill -s SIGUSR1 <PID>

where PID is a process ID of the audit log listener. Existent log will be closed and rotated tot he next one.

Generated xml log files can be viewed with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file.

BUGS

#2195 - FIXED - System Administration - Configuration - Log Profiles. There is a button at the bottom of the screen that is carried over to the details screen. it looks like it's just a left over and needs to be removed
#2201 - FIXED - --- MOD SCROLL BEHAV subroutine needs to be added to the input process. Also, when in CHANGE MODE, it highlights the Name, but then you press ENTER to go to the next screen - and it takes you tot he next record instead.
#2219 - OPEN -Testing showed the when you issue kill -1 PID command, it kills the listener, but doesn't close the file. Furthermore, when you restart listener - your log file is getting completely wiped out.
Same results were when kill -s sigusr1 PID command was issued - the log file didn't close, Appx session closed and log file was wiped out.

#2220 - OPEN - If you run a process - any process, against the file where FMS group for the listener is assigned to, Appx closes session all together - needs better handling.

#2225 - OPEN - As of 6/13/08 - you can not use IP address in Log Profile. If server name is used - all is well. If IP address is used - nothing is logged

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.

How to close and rotate the log in Windows?

Comments:

Read what other users have said about this page or add your own comments. 

<--/commentPlugin-->

--  SteveFrizzell - 20 Jun 2008

>
>		@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">@6 1 2" _moz-userdefined="">@7 21600 pixelWidth" _moz-userdefined="">@8 21600 0" _moz-userdefined="">@7 21600 pixelHeight" _moz-userdefined="">@10 21600 0" _moz-userdefined=""><!--[if vml]--><!--[endif]-->

Then click on Log File Parameters and make sure you check parameters that you wish to log:

Now you are ready to define a new FMS group for the monitor.

To add a new FMS group you need to go to System Administration, Configuration, File System Groups and press F9 to add a new one for the monitor.

Give it an FMS group of 1, then in the FMS group attributes screen pull down Log Profile Names adn choose the name of your Log Profile.

You can now assign this FMS group to the file(s) that you wish to monitor.

To close existent log file and rotate the log, you need issue the following command:

kill -s SIGUSR1 <PID>

where PID is a process ID of the audit log listener. Existent log will be closed and rotated tot he next one.

Generated xml log files can be viewed with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file.

Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:

type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Read
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Update
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Insert
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Delete
Yes
Yes
Yes
Yes
 Indexed Files Yes No
Scratch
Yes
Yes
Yes
Yes
 No
FileCreate
Yes
Yes
Yes
Yes
 No Yes
Restructure
Yes
Yes
Yes
Yes
 No

node node/element value
<eventID>
<type/> see above table
<timeStamp/> ccyymmddhhmmsstt
</eventID>
<sessionID>
<processID/> 9(6)
<userID/> X(3)
</sessionID>
<fileID>
<application/>
<database/>
<structureDate/>
<filename/>
</fileID>
<appxProcessID>
<type/>
<name/>
<application/>
<version/>
<database/>
<lastChange/>
</appxProcessID>
<eventRecordID>
<keySegment> 0-16 instances
</eventRecordID>
<keySegment>
<fieldName>
<fieldValue>
</keySegment>
<eventData>
<field> 0-n instances
</eventData>
<field> read, insert, delete
<fieldName>
<occurrence>
<fieldValue>
</fieldData>
<fieldData> update
<fieldName>
<oldValue>
<newValue>
</fieldData
<Structure>
<Field> 1-n instances
</Structure>
<Field>
<fieldName>
<fieldType>
<occurrences>
<rawLength>
<offset>
</Field>
<eventData>
<RecordSizeChange>
<DeletedElement>
</eventData>
<RecordSizeChange>
<old>
<new>
</RecordSizeChange>
<DeletedElement/>
<fieldName/>
</DeletedElement>

BUGS

#2195 - FIXED - System Administration - Configuration - Log Profiles. There is a button at the bottom of the screen that is carried over to the details screen. it looks like it's just a left over and needs to be removed
#2201 - FIXED - --- MOD SCROLL BEHAV subroutine needs to be added to the input process. Also, when in CHANGE MODE, it highlights the Name, but then you press ENTER to go to the next screen - and it takes you tot he next record instead.
#2219 - FIXED -Testing showed the when you issue kill -1 PID command, it kills the listener, but doesn't close the file. Furthermore, when you restart listener - your log file is getting completely wiped out.
Same results were when kill -s sigusr1 PID command was issued - the log file didn't close, Appx session closed and log file was wiped out.

#2220 - FIXED - If you run a process - any process, against the file where FMS group for the listener is assigned to, Appx closes session all together - needs better handling.

#2225 - OPEN - As of 6/13/08 - you can not use IP address in Log Profile. If server name is used - all is well. If IP address is used - nothing is logged

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.

How to close and rotate the log in Windows?

Comments:

Read what other users have said about this page or add your own comments. 

<--/commentPlugin-->

-- SteveFrizzell - 20 Jun 2008

Revision 12008-06-20 - SteveFrizzell

Line: 1 to 1
Added:
>
>
META TOPICPARENT name="APPX43Features"

APPX Audit Log

APPX now includes the ability to log all file I/O for selected data files.

Overview

uappxd/appxdsvc have been modified to start as a LogMonitor. For uappxd you can create a log monitor service like this:

./uappxd -install -serviceType=logmonitor -name=myLogMonitor -port=8064

Port number has to be different from the port number you are using for your users to login.

This port is not a listener, so you can not login directly to that port.

Once you have created this new Service Type, it will create .ini and .env files for you. In our example, uappxd will create myLogMonitor.ini and myLogMonitor.env fiels in /tools directory.

Make sure you change permissions on newly created .ini and .env files:

chmod 775 myLogMonitor

chown appx:appxgrp myLogMonitor

You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.

Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:

/tmp/appx_2007-01-31.xml

/tmp/appx_2007-02-28.xml

The default pattern (as reflected in the serviceName. ini file) is:

LogNamePattern = /tmp/appxlog%N.xml

Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:

/tmp/appx-11-Jun-08

/tmp/appx-12-Jun-08

...

If you restart the log monitor on 11-Jun-08 (and your LogNamePattern specifies %D-%B-%Y), any existing log file with that name would be replaced. Of course, you can include time components in the LogNamePattern to avoid that problem (or add %N to the pattern to include a sequence number). Here's the complete list of valid specifiers (from the strftime man page): 

%a The abbreviated weekday name according to the current locale.
%A The full weekday name according to the current locale.
%b The abbreviated month name according to the current locale.
%B The full month name according to the current locale.
%c The preferred date and time representation for the current locale.
%C The century number (year/100) as a 2-digit integer. (SU)
%d The day of the month as a decimal number (range 01 to 31).
%D Equivalent to %m/%d/%y. (Yecch -- for Americans only. Americans should note that in other coun-
tries %d/%m/%y is rather common. This means that in international context this format is ambiguous and should not be used.) (SU)
%e Like %d, the day of the month as a decimal number, but a leading zero is replaced by a space. (SU)
%E Modifier: use alternative format, see below. (SU)
%F Equivalent to %Y-%m-%d (the ISO 8601 date format). (C99)
%G The ISO 8601 year with century as a decimal number. The 4-digit year corresponding to the ISO week number (see %V). This has the same format and value as %y, except that if the ISO week number belongs to the previous or next year, that year is used instead. (TZ)
%g Like %G, but without century, that is, with a 2-digit year (00-99). (TZ)
%h Equivalent to %b. (SU)
%H The hour as a decimal number using a 24-hour clock (range 00 to 23).
%I The hour as a decimal number using a 12-hour clock (range 01 to 12).
%j The day of the year as a decimal number (range 001 to 366).
%k The hour (24-hour clock) as a decimal number (range 0 to 23); single digits are preceded by a blank. (See also %H.) (TZ)
%l The hour (12-hour clock) as a decimal number (range 1 to 12); single digits are preceded by a blank. (See also %I.) (TZ)
%m The month as a decimal number (range 01 to 12).
%M The minute as a decimal number (range 00 to 59).
%n A newline character. (SU)
%O Modifier: use alternative format, see below. (SU)
%p Either `AM' or `PM' according to the given time value, or the corresponding strings for the current locale. Noon is treated as `pm' and midnight as `am'.
%P Like %p but in lowercase: `am' or `pm' or a corresponding string for the current locale. (GNU)
%r The time in a.m. or p.m. notation. In the POSIX locale this is equivalent to `%I:%M:%S %p'. (SU)
%R The time in 24-hour notation (%H:%M). (SU) For a version including the seconds, see %T below.
%s The number of seconds since the Epoch, that is, since 1970-01-01 00:00:00 UTC. (TZ)
%S The second as a decimal number (range 00 to 60). (The range is up to 60 to allow for occasional leap seconds.)
%t A tab character. (SU) %T The time in 24-hour notation (%H:%M:%S). (SU)
%u The day of the week as a decimal, range 1 to 7, Monday being 1. See also %w. (SU)
%U The week number of the current year as a decimal number, range 00 to 53, starting with the first Sunday as the first day of week 01. See also %V and %W.
%V The ISO 8601:1988 week number of the current year as a decimal number, range 01 to 53, where week 1 is the first week that has at least 4 days in the current year, and with Monday as the first day of the week. See also %U and %W. (SU)
%w The day of the week as a decimal, range 0 to 6, Sunday being 0. See also %u.
%W The week number of the current year as a decimal number, range 00 to 53, starting with the first Monday as the first day of week 01.
%x The preferred date representation for the current locale without the time.
%X The preferred time representation for the current locale without the date.
%y The year as a decimal number without a century (range 00 to 99).
%Y The year as a decimal number including the century.
%z The time-zone as hour offset from GMT. Required to emit RFC 822-conformant dates (using "%a, %d %b %Y %H:%M:%S %z"). (GNU)
%Z The time zone or name or abbreviation.
%+ The date and time in date(1) format. (TZ) (Not supported in glibc2.)
%% A literal '%' character.

After you have modified .ini file, you need to stop and re-start that service. To stop service, assuming you are in /usr/local/appx/tools directory AND logged in as appx, simply type:

./uappxd -stop -name=myLogMonitor

./uappxd -start -name=myLogMonitor

If you stop/start service as a root, make sure you give it a fully qualified path.

./uappxd -stop -name=/usr/local/appx/tools/myLogMonitor

./uappxd -start -name=/usr/local/appx/tools/myLogMonitor

Please note that -name parameter is required.

Now Appx is ready to write changes to the log file, client sends XML data to the monitor and the monitor writes to the log file.

Before data can be written to the log file in XML format, you need to define FMS group for the monitor.

To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with uappxd:

<?XML:NAMESPACE PREFIX = V />@0 1 0">@1">@2 1 2">@3 21600 pixelWidth">@3 21600 pixelHeight">@0 0 1">@6 1 2">@7 21600 pixelWidth">@8 21600 0">@7 21600 pixelHeight">@10 21600 0"><?XML:NAMESPACE PREFIX = O /><!--[if vml]--><!--[endif]-->

Then click on Log File Parameters and make sure you check parameters that you wish to log:

Now you are ready to define a new FMS group for the monitor.

To add a new FMS group you need to go to System Administration, Configuration, File System Groups and press F9 to add a new one for the monitor.

Give it an FMS group of 1, then in the FMS group attributes screen pull down Log Profile Names adn choose the name of your Log Profile.

You can now assign this FMS group to the file(s) that you wish to monitor.

To close existent log file and rotate the log, you need issue the following command:

kill -s SIGUSR1 <PID>

where PID is a process ID of the audit log listener. Existent log will be closed and rotated tot he next one.

Generated xml log files can be viewed with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file.

BUGS

#2195 - FIXED - System Administration - Configuration - Log Profiles. There is a button at the bottom of the screen that is carried over to the details screen. it looks like it's just a left over and needs to be removed
#2201 - FIXED - --- MOD SCROLL BEHAV subroutine needs to be added to the input process. Also, when in CHANGE MODE, it highlights the Name, but then you press ENTER to go to the next screen - and it takes you tot he next record instead.
#2219 - OPEN -Testing showed the when you issue kill -1 PID command, it kills the listener, but doesn't close the file. Furthermore, when you restart listener - your log file is getting completely wiped out.
Same results were when kill -s sigusr1 PID command was issued - the log file didn't close, Appx session closed and log file was wiped out.

#2220 - OPEN - If you run a process - any process, against the file where FMS group for the listener is assigned to, Appx closes session all together - needs better handling.

#2225 - OPEN - As of 6/13/08 - you can not use IP address in Log Profile. If server name is used - all is well. If IP address is used - nothing is logged

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.

How to close and rotate the log in Windows?

Comments:

Read what other users have said about this page or add your own comments. 

<--/commentPlugin-->

--  SteveFrizzell - 20 Jun 2008

View topic | History: r25 < r24 < r23 < r22 | More topic actions...
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback