Difference: APPXAuditLog (21 vs. 22)

Revision 222016-01-20 - JeanNeron

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature

Changed:
<
<		This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature.
>
>		This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature on either Linux or Windows.
 

Overview

The APPX Audit Log feature creates an xml log of APPX file I/O activity. The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX. The level of activity detail logged can be configured to optionally include read, write, rewrite, delete, create, and restructure events.

Changed:
<
<		To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file.
>
>		To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file. The audit log service does not have to run on the same server as APPX.
 

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

Changed:
<
<		The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. So, there is nothing additional that you need to do to install the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.
>
>		The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.
 
Changed:
<
<		The appxAuditMgr command is installed into the "services" subdirectory of the directory where you installed APPX. So, if you installed APPX in "/usr/local/appx", the full pathname of the appxAuditMgr command will be "/usr/local/appx/services/appxAuditMgr".
>
>		The appxAuditMgr command is installed into the "services" subdirectory of the directory where you installed APPX.
 
Changed:
<
<		The appxAuditMgr command must run with the permissions of the root user. Therefore, the owner of the appxAuditMgr command should be the root user and the SUID bit should be set so that the appxAuditMgr command can be run by users other than root but still be run with the permissions of the root user.
>
>		On Linux and Unix systems the appxAuditMgr command must run with the permissions of the root user. Therefore, the owner of the appxAuditMgr command should be the root user and the SUID bit should be set so that the appxAuditMgr command can be run by users other than root but still be run with the permissions of the root user.
  In the event that it is necessary to reset the permissions of the appxAuditMgr command, the following commands can be run by the root user to set the necessary owner and group permissions for the appxAuditMgr command.
Changed:
<
<
cd /usr/local/appx/services
chown root appxAuditMgr
chgrp appxgrp appxAuditMgr
chmod 4775 appxAuditMgr
>
>

cd /usr/local/appx/services chown root appxAuditMgr chgrp appxgrp appxAuditMgr chmod 4775 appxAuditMgr

  You can check the permissions of the appxAuditMgr command by running the following command:
Line: 38 to 37
 

Creating and Configuring an Audit Log Service

Changed:
<
<		On Unix/Linux systems, an instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port. Each instance of the Audit Log Service will log file I/O activity to a separate xml file. By creating more than one instance of the APPX Audit Log Service, you can separate the file I/O activity that is logged into separate files by assigning different Log Profiles to FMS groups or individual files.
>
>		An instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port. Each instance of the Audit Log Service will log file I/O activity to a separate xml file. By creating more than one instance of the APPX Audit Log Service, you can separate the file I/O activity that is logged into separate files by assigning different Log Profiles to FMS groups or individual files.
 

Creating an Audit Log Service

Before file I/O activity can be logged, at least one instance of an APPX Audit Log Service must be configured and started.

The -install option of the appxAuditMgr command is used to initially create, configure, and start an instance of the APPX Audit Log Service. The following steps are performed:

Changed:
<
<
  1. A configuration file (ini) is created
  2. An environment file (env) is created
  3. A service is created, including required init files and links. ( On Red Hat, /etc/init.d/ )
>
>
  1. A configuration file (ini) is created or the Windows registry is updated
  2. An environment file (env) is created or the Windows registry is updated
  3. A service is created, including required init files and links.
 
  1. The service is started
When creating an instance of the APPX Audit Log Service, you must provide the Service Name, Service Type, and TCP/IP Port Number. For compete information on using the -install option of the appxAuditMgr command, please refer to the usage section of this page.
Changed:
<
<
>
>
 

Service Name

Line: 62 to 61
 

Changing the Configuration of an Audit Log Service

Two methods are available for modifying an existing instance of an APPX Audit Log Service.

Changed:
<
<
>
>
 

Method 1 - The APPX Audit Log Manager Command (appxAuditMgr)

Changed:
<
<		The -modify command and the -replace command of the appxAuditMgr tool can be used to modify or replace a previously configured instance of the APPX Audit Log Service. These options update the existing APPX Audit Log Service configuration files (ini and env) with the options specified. If you use this technique, the service will be automatically restarted for you, using the new settings. Note that when specifying options on the command line, you must prefix them with a dash.

Method 2 - Text Editor

A text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above. When you edit the configuration files for an instance of the APPX Audit Log Service with a text editor, you must restart the service before the changes take effect.
>
>		The -modify command and the -replace command of the appxAuditMgr tool can be used to modify or replace a previously configured instance of the APPX Audit Log Service. These options update the existing APPX Audit Log Service configuration files or registry settings with the options specified. If you use this technique, the service will be automatically restarted for you, using the new settings. Note that when specifying options on the command line, you must prefix them with a dash.

Method 2 - Text Editor/Regedit

On Linux/Unix systems a text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above. When you edit the configuration files for an instance of the APPX Audit Log Service with a text editor, you must restart the service before the changes take effect.

On Windows systems you can use 'regedit' to directly edit the registry. The service is created under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name>. Note that you will have to manually restart the service for the changes to take affect. Due to the risk inherent in directly changing the registry we recommend using method 1 above.

 

Managing an Audit Log Service

Two methods are available for managing an existing instance of the APPX Audit Log Service.

Line: 76 to 79
 

Method 1 - appxAuditMgr command

The appxAuditMgr command can be used to manage an instance of the APPX Audit Log Service. The appxAuditMgr command can be used to start, stop, restart, or display the status of an instance of an APPX Audit Log Service. The following example shows how to use the appxAuditMgr command to check on the status of an APPX Audit Log Service (must be logged in as root to execute).

Changed:
<
<
[root@500test services]# ./appxAuditMgr -status appxLog8070 
up and running (process 2390 servicing port 8070)
>
>

[root@500test services]# ./appxAuditMgr -status appxLog8070 up and running (process 2390 servicing port 8070)

 

Method 2 - O/S Services

Your operating system includes commands or programs that can be used to manage services. APPX Audit Log Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the service command. The following example shows how to use the Red hat service command to check on the status of an APPX Audit Log Service.

Changed:
<
<
[root@500test services]# service appxLog8070 status 
up and running (process 2390 servicing port 8070)
>
>
 
Added:
>
>		[root@500test services]# service appxLog8070 status up and running (process 2390 servicing port 8070)

On Windows, you can manage the audit service the same as any Windows service.

 

Usage (appxAuditMgr)

Changed:
<
<
>
>
 

Synopsis - Service Configuration

Changed:
<
<
The appxAuditMgr service configuration commands are used to create, configure, and remove an instance of an APPX Audit Log Service.
>
>
The appxAuditMgr service configuration commands are used to create, configure, and remove an instance of an APPX Audit Log Service.
  appxAuditMgr -install -serviceName=SERVICENAME -ServiceType=logmonitor -SockPort=[TCP-Port] [options]... [VARIABLE=VALUE]...
Line: 100 to 108
  appxAuditMgr -remove -serviceName=SERVICENAME

Configuration - Commands

Changed:
<
<
>
>
  -install -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

-install -port=PORT -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

Changed:
<
<
The -install command is used to configure a new instance of an APPX Audit Log Service. Either form of the install command may be used.
>
>
The -install command is used to configure a new instance of an APPX Audit Log Service. Either form of the install command may be used.
  The first form of the -install command requires only that a service name and service type be specified. All other options are optional including the TCP/IP port. Any option not specified will be configured with an appropriate default value.
Line: 118 to 126
 In addition to creating the service configuration file and the environment configuration file, the -install command also creates an operating system service that will be automatically started when the computer system is started.

After creating the configuration files and the operating system service, the -install command starts the service.

Changed:
<
<		 -modify -name=SERVICENAME [options]... [VARIABLE=VALUE]...
>
>

-modify -name=SERVICENAME [options]... [VARIABLE=VALUE]...

  The -modify command is used to modify the configuration of an existing Audit Log Service. The specified options will be updated in the service configuration files. Any options not specified will not be changed. After updating the configuration files, the -modify command restarts the service.
Line: 128 to 139
 

-replace -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

Changed:
<
<
The -replace command is used to replace an existing Audit Log Service with a new Audit Log Service with the same name. The -replace command is effectively the same as a -remove command followed by an -install command. After updating the configuration files, the -replace command restarts the service. Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.
>
>
The -replace command is used to replace an existing Audit Log Service with a new Audit Log Service with the same name. The -replace command is effectively the same as a -remove command followed by an -install command. After updating the configuration files, the -replace command restarts the service. Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.
  -remove -name=SERVICENAME
Changed:
<
<
The -remove command is used to remove an existing Audit Log Service. The -remove command will remove the configuration files (ini and env) and the corresponding operating system service. If the service is running when the -remove command is executed, the -remove command will first stop the service and then remove the service.
>
>
The -remove command is used to remove an existing Audit Log Service. The -remove command will remove the configuration files (ini and env) and the corresponding operating system service. If the service is running when the -remove command is executed, the -remove command will first stop the service and then remove the service.
 

Configuration - Options

Changed:
<
<
>
>
 
Options - General
Changed:
<
<		-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
>
>		-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
  -DisplayName=DISPLAYNAME
Changed:
<
<
>
>
  The DisplayName is a "user-friendly" descriptive name for an Audit Log Service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when an Audit Log Service is being created, the Audit Log Service will be created with a DISPLAYNAME based on the SERVICENAME.

-LogDirectory={/tmp, LOGDIR}

Changed:
<
<
When the service is started, two log files are created in the LOGDIR directory - an Audit Log Service log file (.log) and a status file (.stat). Both log files have the same name as the ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the LogDirectory option is not specified, the log files are created in the /tmp directory.
>
>
On Linux and Unix systems when the service is started, two log files are created in the LOGDIR directory - an Audit Log Service log file (.log) and a status file (.stat). Both log files have the same name as the <nop>ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the <nop>LogDirectory option is not specified, the log files are created in the /tmp directory.

On Windows systems, a status file is not created, and a log file is only created if -CreateLogFile is set to 'true'.

  -ServiceType=logmonitor
Changed:
<
<
The only valid value when configuring an Audit Log Service is "logmonitor". Note: This option must be specified.
>
>
The only valid value when configuring an Audit Log Service is "logmonitor". Note: This option must be specified.
  -ServiceDisable={true, false}
Changed:
<
<
This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.
>
>
This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.
  -initScript={lsb, RedHat}
Changed:
<
<
Used with -install option to specify the type of operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.
>
>
Used with -install option to specify the type of Linux operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.
 
Options - Audit Log
Changed:
<
<		-LogNamePattern={/tmp/logmon%N.xml, AUDITLOGPATHNAME}
>
>		 -LogNamePattern={/tmp/logmon%N.xml C:\APPXLOG%N.xml, AUDITLOGPATHNAME}
  The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service. The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.

-LogRotationInterval={86400, MAXSECONDS}

Changed:
<
<
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created. The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
>
>
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created. The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
  -LogRotationSize={1G, MAXSIZE}
Changed:
<
<
The LogRotationSize is the maximum size that an Audit Log file is allowed to be. When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
>
>
The LogRotationSize is the maximum size that an Audit Log file is allowed to be. When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
 
Options - TCP/IP
Changed:
<
<		-port, -SockPort={8060, PORT}
Configure the service to listen for audit log requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
>
>		 -port, -SockPort={8060, PORT}
Configure the service to listen for audit log requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
 

Configuration - Environment Variables

Changed:
<
<
VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created. There is currently no reason to use this feature.
>
>
VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created or written to the registry. There is currently no reason to use this feature.
 

Synopsis - Service Management

Changed:
<
<
appxAuditMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}
>
>
appxAuditMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}
  MANAGEMENT OPTIONS
Changed:
<
<
-start | < blank >
Start an instance of the Audit Log Service using the configuration information in the SERVICENAME.ini and the SERVICENAME.env files.
>
>
-start | < blank >
Start an instance of the Audit Log Service.
  -stop
Changed:
<
<
Stop the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Stop the instance of the Audit Log Service.
  -restart
Changed:
<
<
Restart (stop and then start) the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Restart (stop and then start) the instance of the Audit Log Service.
  -status
Changed:
<
<
Report the status of the instance of the Audit Log Service that was started with the SERVICENAME.ini file.
>
>
Report the status of the instance of the Audit Log Service.
 
Changed:
<
<		EXAMPLES
>
>		Note on Windows the -status command does not take a SERVICENAME arguement, it will display the status of all defined login and audit services.

EXAMPLES

  Example 1 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070:

appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor

Deleted:
<
<
[root@localhost services]# ./appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor
Configuration written to:  appxLog8070.ini
Environment written to:    appxLog8070.env
Service script written to: /etc/init.d/appxLog8070
Configuration complete
Registering service
Starting appxLog8070: serviceName: appxLog8070
servicePath: /usr/local/appx500/services/
Looking for config file in appxLog8070.ini
Writing process ID to /var/run/appxLog8070.pid
running as process 12859 servicing port 8070
up and running (process 12859 servicing port 8070)
Installation Complete
  Example 2 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070. The service name and descriptive name are also specified.
Line: 227 to 236
  appxAuditMgr -modify -name=appxLog8070 -displayName="Big Audit Log" -LogRotationSize=10G
Changed:
<
<

The Configuration File (ini)

>
>

The Configuration File (ini) or Registry

 
Changed:
<
<		Each instance of an APPX Audit Log Service has a configuration file that is used to store the various parameters relating to that specific instance of the Audit Log Service.
>
>		Each instance of an APPX Audit Log Service has a configuration file that is used to store the various parameters relating to that specific instance of the Audit Log Service. On Windows, this is kept in the registry but the keywords and values are the same.
  The -install option of the appxAuditMgr command creates the configuration file when the service is created.
Line: 240 to 249
 Once created, the name of the configuration file and the location of the configuration file should not be changed. The service that is created will not work correctly if the name or the location of the configuration file is changed.

Note: The Configuration file for an APPX Audit Log service (as shown below) looks very much like the configuration file for an APPX Login Manager service. You should ignore the configuration options that do not apply to an APPX Audit Log service. Note that the extraneous options are all preceded by a "#" which causes them to be treated as comments. Although these extraneous options are of no consequence, they will be removed in a future release.

Changed:
<
<
# Appx connection manager configuration file
#
#  You can change this file by hand, or
#  use the uappxd program for better results
#
#  blank lines are ignored
#
#  anything following a '#' is treated as a comment
#
#  case is not important on the left-hand side
#  properties whose descriptions end in a '?' are
#  boolean and should be set to true or false
# --------------------------------------------------
# AppxApplication           =                    #startup application for spawned engines
# AppxDatabase              =                    #startup database for spawned engines
AppxExecutable              = /usr/local/appx500/appx#pathname to Appx engine
# AppxProcessName           =                    #startup process name for spawned engines
# AppxProcessType           =                    #startup process type for spawned engines
# AuthenticationMethod      = OS-User            #authentication method (OS-User, Appx-User, HT-User(filename))
DisplayName                 = appxLog8070        #descriptive name
# ImpersonateGID            = true               #change effective grouo ID for spawned engines?
# ImpersonateGroup          = User               #[LogonUser, NamedGroup(groupname), ServiceOwner]
# ImpersonateUID            = true               #change effective user ID for spawned engines?
# ImpersonateUser           = LogonUser          #[LogonUser, NamedUser(username), ServiceOwner]
# LoadSystemEnvironment     = true               #load default system-defined environment variables into spawned engines?
# LogDirectory              = /tmp               #directory where log file should reside
# LogNamePattern            = /tmp/appxlog%N.xml #audit log filename pattern (see man strftime for details
# LogRotationInterval       = 86400              #number of seconds between audit log rotations
# LogRotationSize           = 1G                 #maximum audit log file size
# RequireSSL                = false              #Require SSL-secured connections?
# RequireSSLClientCertificates = false              #require SSL-client certificates?
# ServerCertificateFile     =                    #pathname of server's X509 certificate (leave blank for anonymous connections
# ServerPrivateKeyFile      =                    #pathname of server's private key file (unlocks the ServerCertificateFile)
# ServerPrivateKeyPassphrase =                    #passphrase that unlocks ServerPrivateKeyFile
# ServiceDisable            = false              #disable this service?
# ServiceDisableAppxKeys    = false              #disable keyboard mapping?
# ServiceDisableFMS         = false              #disable AppxNET connections?
# ServiceDisableLogins      = false              #disable interactive logins?
# ServiceEnableCmds         = true               #allow client-side startup options?
ServiceName                 = appxLog8070        #name of service
ServiceType                 = logmonitor         #service type (login or logmonitor)
SockPort                    = 8070               #port number to service
# SSLMode                   = Optional           #SSL connection type (optional, required, disabled)
# TCPEnableKeepAlive        = true               #Enable TCP dead-connection detection
# TCPKeepCount              = 8                  #Maximum number of keep-alive pings
# TCPKeepIdle               = 300                #Idle time before ping sent to client (in seconds)
# TCPKeepInterval           = 60                 #Interval between keep-alive pings
# TCPNoDelay                = true               #disable TCP packet filling delay?
# TrustedCAFile             =                    #determines which client certificates to trust
# Umask                     =                    #umask (file creation mask) given to spawned engines
>
>

# Appx connection manager configuration file # # You can change this file by hand, or # use the uappxd program for better results # # blank lines are ignored # # anything following a '#' is treated as a comment # # case is not important on the left-hand side # properties whose descriptions end in a '?' are # boolean and should be set to true or false # --------------------------------------------------

 
Changed:
<
<

The Environment File (env)

>
>		# AppxApplication = #startup application for spawned engines # AppxDatabase = #startup database for spawned engines AppxExecutable = /usr/local/appx500/appx#pathname to Appx engine # AppxProcessName = #startup process name for spawned engines # AppxProcessType = #startup process type for spawned engines # AuthenticationMethod = OS-User #authentication method (OS-User, Appx-User, HT-User(filename)) DisplayName = appxLog8070 #descriptive name # ImpersonateGID = true #change effective grouo ID for spawned engines? # ImpersonateGroup = User #[LogonUser, NamedGroup (groupname), ServiceOwner ] # ImpersonateUID = true #change effective user ID for spawned engines? # ImpersonateUser = LogonUser #[LogonUser, NamedUser (username), ServiceOwner ] # LoadSystemEnvironment = true #load default system-defined environment variables into spawned engines? # LogDirectory = /tmp #directory where log file should reside # LogNamePattern = /tmp/appxlog%N.xml #audit log filename pattern (see man strftime for details # LogRotationInterval = 86400 #number of seconds between audit log rotations # LogRotationSize = 1G #maximum audit log file size # RequireSSL = false #Require SSL-secured connections? # RequireSSLClientCertificates = false #require SSL-client certificates? # ServerCertificateFile = #pathname of server's X509 certificate (leave blank for anonymous connections # ServerPrivateKeyFile = #pathname of server's private key file (unlocks the ServerCertificateFile) # ServerPrivateKeyPassphrase = #passphrase that unlocks ServerPrivateKeyFile # ServiceDisable = false #disable this service? # ServiceDisableAppxKeys = false #disable keyboard mapping? # ServiceDisableFMS = false #disable AppxNET connections? # ServiceDisableLogins = false #disable interactive logins? # ServiceEnableCmds = true #allow client-side startup options? ServiceName = appxLog8070 #name of service ServiceType = logmonitor #service type (login or logmonitor) SockPort = 8070 #port number to service # SSLMode = Optional #SSL connection type (optional, required, disabled) # TCPEnableKeepAlive = true #Enable TCP dead-connection detection # TCPKeepCount = 8 #Maximum number of keep-alive pings # TCPKeepIdle = 300 #Idle time before ping sent to client (in seconds) # TCPKeepInterval = 60 #Interval between keep-alive pings # TCPNoDelay = true #disable TCP packet filling delay? # TrustedCAFile = #determines which client certificates to trust # Umask = #umask (file creation mask) given to spawned engines
 
Changed:
<
<		Each instance of an APPX Audit Log Service has an environment file that is used to store the environment variables relating to that specific instance of the Audit Log Service. However, there is currently no requirement to set any environment variables when configuring an APPX Audit Log service.
>
>

The Environment File (env) or Registry

Each instance of an APPX Audit Log Service has an environment file that is used to store the environment variables relating to that specific instance of the Audit Log Service. On Windows, this is kept in the registry. However, there is currently no requirement to set any environment variables when configuring an APPX Audit Log service.

  The -install option of the appxAuditMgr command creates the environment file when the service is created.
Line: 302 to 267
 The environment file is created in whichever directory is your current directory at the time that the appxAuditMgr command is run to create the service. Therefore, before you run the appxAuditMgr command to create a service, you must first change to the directory where you want the environment file to reside. For example, if you want the environment file to be created in the APPX services directory, you should change to the services directory before you run the appxAuditMgr command.

Once created, the name of the environment file and the location of the environment file should not be changed. The service that is created will not work correctly if the name or the location of the environment file is changed.

Changed:
<
<
# Appx connection manager environment variables
>
>
# Appx connection manager environment variables
 # # The entries in this file will become # environment variables in the engines
Line: 316 to 281
 # --------------------------------------------------
Changed:
<
<

The Status File (stat)

>
>

The Status File (stat) (Linux only)

 
Changed:
<
<		When an APPX Audit Log Service is started, a status file is created in the specified LogDirectory. If a LogDirectory was not specified, then the status file is created in the /tmp directory.
>
>		On Linux and Unix systems when an APPX Audit Log Service is started, a status file is created in the specified <nop>LogDirectory. If a <nop>LogDirectory was not specified, then the status file is created in the /tmp directory.
  The name of the status file is the concatenation of the service name and ".stat". For example, if the service name is "appxLog8070", the name of the status file will be "appxLog8070.stat".

The status file can be viewed to see the actual context within which the service is running.

Changed:
<
<
appxLog8070 running as process 8665
>
>
appxLog8070 running as process 8665
 Effective User ID 0 Real User ID 0 Configuration values follow
Line: 375 to 340
 

The Log File (log)

Changed:
<
<		When an APPX Audit Log Service is started, a log file is created in the specified LogDirectory. If a LogDirectory was not specified, then the log file is created in the /tmp directory.
>
>		When an APPX Audit Log Service is started on a Linux/Unix system, a log file is created in the specified <nop>LogDirectory. If a <nop>LogDirectory was not specified, then the log file is created in the /tmp directory. On Windows servers, the log file will not be created unless you set CreateLogFile = true when defining the service. The default location for the file is C:\ for Windows.
  The name of the log file is the concatenation of the service name and ".log". For example, if the service name is "appxLog8070", the name of the log file will be "appxLog8070.log".

When the Audit Log service is started, the log file is initialized with the configuration of the Audit Log service. The configuration information is followed by a dialog of messages relating to actions performed by the Audit Log service. Each time the Audit Log service processes a logging request, messages relating to the logging request are appended to the log file.

Changed:
<
<
*Daemonize = true
>
>
*Daemonize = true
 *DontForkEngine = false *InitScriptStyle = *SleepAfterFork =
Line: 428 to 393
 

Deleted:
<
<

Red Hat service command.

Usage (service)

Synopsis - service Command

service [serviceName] [start|stop|restart|status]

Examples:

Warnings:

 

Issues:

  1. When executing the appxAuditMgr command with the -install option, you must include the -name option.

  2. When executing the the appxAuditMgr command with the -install option, you must include the - DisplayName option. If you do not, the ps command will not display a meaningful name for the running service.

Deleted:
<
<

Enhancement Suggestions

 

Notes

More About Log Profiles

Changed:
<
<		Before data can be written to the log file in XML format, you need to define a Log Profile for the monitor.
>
>		Before data can be written to the log file you need to define a Log Profile for the monitor.
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Line: 464 to 417
 

More About the xml Audit Log file

Using a Pattern in a Log File Name

Changed:
<
<		Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory. You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.
>
>		You can change the name of the log file by setting the LogNamePattern in for your service. You can also change the LogRotationInterval and LogRotationSize.
  Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:
Changed:
<
<
>
>
  /tmp/appx_2007-01-31.xml

/tmp/appx_2007-02-28.xml

Deleted:
<
<		The default pattern (as reflected in the serviceName. ini file) is:
LogNamePattern = /tmp/appxlog%N.xml
 Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:
Changed:
<
<
/tmp/appx-11-Jun-08
>
>
/tmp/appx-11-Jun-08
  /tmp/appx-12-Jun-08
Line: 533 to 482
 %% A literal '%' character.
Deleted:
<
<		In Release 5.0.3, specifying %F when starting the audit service on Windows will cause the service to crash.
 

How to Rotate the Audit Log File

Changed:
<
<		To close existent log file and rotate the log, you need issue the following command:

kill -s SIGUSR1 <PID>

where PID is a process ID of the audit log listener. Existent log will be closed and rotated to the next one.

>
>		To close an existing log file and rotate the log just stop and start the service
 

How to View Audit Log Events

The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size.

You can view the log file with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file. You can also use the various xlst processing programs to create queries (such as xsltproc or xalan from Apache).

Deleted:
<
<

Microsoft XML Notepad

Web Browser

xslt

 

Databases

XML files can easily be imported into a RDBMS, which does not have the same file size limitation.

Line: 662 to 600
  Need examples of loading XML Data into an RDBMS
Deleted:
<
<

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.

How to close and rotate the log in Windows?

 

Comments:

Read what other users have said about this page or add your own comments.

View topic | History: r25 < r24 < r23 < r22 | More topic actions...
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback