Difference: APPXAuditLog (22 vs. 23)

Revision 23 2016-02-11 - JeanNeron

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Audit Log Feature

This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature on either Linux or Windows.

Changed:
<
<
>
>

 

Overview

The APPX Audit Log feature creates an xml log of APPX file I/O activity. The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX. The level of activity detail logged can be configured to optionally include read, write, rewrite, delete, create, and restructure events.

To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file. The audit log service does not have to run on the same server as APPX.

Added:
>
>
The Audit Log is emitted as an xml document. Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:

type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Read Yes Yes Yes Yes Indexed Files Yes No
Update Yes Yes Yes Yes Indexed Files Yes No
Insert Yes Yes Yes Yes Indexed Files Yes No
Delete Yes Yes Yes Yes Indexed Files Yes No
Scratch Yes Yes Yes Yes No
FileCreate Yes Yes Yes Yes No Yes
Restructure Yes Yes Yes Yes No

node node/element value
<eventID>
  <type/> see above table
  <timeStamp/> ccyymmddhhmmsstt
</eventID>
<sessionID>
  <processID/> 9(6)
  <userID/> X(3)
</sessionID>
<fileID>
  <application/>
  <database/>
  <structureDate/>
  <filename/>
</fileID>
<appxProcessID>
  <type/>
  <name/>
  <applica
 

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.
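
Review bot: in the added table, the Scratch, FileCreate and Restructure rows carry fewer values than the seven node columns in the header, so a reader cannot tell which of eventRecordID, eventData and Structure are absent for those event types; fill every cell with an explicit Yes or No. The added introductory paragraph and table also repeat the ones already present at lines 497 to 528 of the topic, so one copy should be removed or replaced with a link. The timeStamp format ccyymmddhhmmsstt does not say which time zone it is recorded in, which matters when audit logs from several servers are correlated.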

Line: 117 to 148
  The first form of the -install command requires only that a service name and service type be specified. All other options are optional including the TCP/IP port. Any option not specified will be configured with an appropriate default value.
Changed:
<
<
The second form of the -install command requires only that a TCP/IP port and service type be specified. All other options are optional including the ServiceName. Any option not specified will be configured with an appropriate default value.
>
>
The second form of the -install command requires only that a TCP/IP port and service type be specified. All other options are optional including the <nop>ServiceName. Any option not specified will be configured with an appropriate default value.
  Both forms of the -install command allow additional configuration options to be specified. The configuration options specified are stored in the service configuration file (ini).
Line: 148 to 179
 
Options - General
Changed:
<
<
-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
>
>
-name, -ServiceName=SERVICENAME
The <nop>ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default <nop>ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
  -DisplayName=DISPLAYNAME
Changed:
<
<
The DisplayName is a "user-friendly" descriptive name for an Audit Log Service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when an Audit Log Service is being created, the Audit Log Service will be created with a DISPLAYNAME based on the SERVICENAME.
>
>
The <nop>DisplayName is a "user-friendly" descriptive name for an Audit Log Service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when an Audit Log Service is being created, the Audit Log Service will be created with a DISPLAYNAME based on the SERVICENAME.
 

-LogDirectory={/tmp, LOGDIR}

Line: 168 to 199
 -ServiceDisable={true, false}
This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.
Changed:
<
<
-initScript={lsb, RedHat}
>
>
-initScript={lsb, <nop>RedHat}
 
Used with -install option to specify the type of Linux operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.

Options - Audit Log
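
Review bot: the -ServiceDisable description in the context lines says the service "will not accept requests to log data from APPX sessions" but does not say what happens to those events. For an audit feature the text should state whether APPX sessions keep running with their file I/O unlogged, and whether the disable and re-enable are themselves recorded anywhere, so that a gap in the log can be explained afterwards.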
Line: 176 to 207
 -LogNamePattern={/tmp/logmon%N.xml C:\APPXLOG%N.xml, AUDITLOGPATHNAME}
Changed:
<
<
The LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service. The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.
>
>
The <nop>LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service. The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.
 

-LogRotationInterval={86400, MAXSECONDS}

Changed:
<
<
The LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created. The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
>
>
The <nop>LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created. The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day
  -LogRotationSize={1G, MAXSIZE}
Changed:
<
<
The LogRotationSize is the maximum size that an Audit Log file is allowed to be. When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
>
>
The <nop>LogRotationSize is the maximum size that an Audit Log file is allowed to be. When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.
 
Options - TCP/IP
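
Review bot: the -LogNamePattern line gives /tmp/logmon%N.xml as the Linux default, which places audit logs in a directory that every local user can write to and that many systems clear at boot or on a schedule; the description should recommend a dedicated directory writable only by the service account. The same line runs the Linux and Windows defaults together without a separator ("/tmp/logmon%N.xml C:\APPXLOG%N.xml"), and the -LogRotationInterval sentence still ends without a period after "each day" in the new revision.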
Line: 392 to 423
 monitorLog - starting
Changed:
<
<
>
>

#RedHatServiceCommand
 

Issues:

  1. When executing the appxAuditMgr command with the -install option, you must include the -name option.

  2. When executing the the appxAuditMgr command with the -install option, you must include the - DisplayName option. If you do not, the ps command will not display a meaningful name for the running service.
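
Review bot: Issue 1 says the -name option must be included with -install, which contradicts the -install description earlier in this topic, where the second form requires only a TCP/IP port and service type and the ServiceName defaults to "appxd-" plus the port number. Either drop the issue if it has been fixed or note the limitation next to the -name option. Issue 2 also has a doubled "the the" and a stray space in "- DisplayName".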

Line: 428 to 459
 

Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:

Changed:
<
<
/tmp/appx-11-Jun-08
>
>
/tmp/appx-11-Jun-08
  /tmp/appx-12-Jun-08
Changed:
<
<
...
>
>
...
 

If you restart the log monitor on 11-Jun-08 (and your LogNamePattern specifies %D-%B-%Y), any existing log file with that name would be replaced. Of course, you can include time components in the LogNamePattern to avoid that problem (or add %N to the pattern to include a sequence number). Here's the complete list of valid specifiers (from the strftime man page):
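
Review bot: the sentence "any existing log file with that name would be replaced" describes silent loss of audit data on restart, and the suggested remedy of adding %N sits badly with the parenthetical "(it was always starting at 0)" earlier in the hunk: if the sequence restarts at 0, a pattern containing %N collides after a restart as well. State whether %N now continues from the last number used and recommend a pattern with time components. The example pattern "/tmp/appx-%D-%B-%Y" also does not match the file names shown: in strftime, %D expands to mm/dd/yy, %B to the full month name and %Y to a four-digit year, so names like appx-11-Jun-08 correspond to %d-%b-%y.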

Line: 497 to 528
  Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:
Changed:
<
<
>
>

 
type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Read Yes Yes Yes Yes Indexed Files Yes No
Update Yes Yes Yes Yes Indexed Files Yes No
Line: 606 to 637
 
Changed:
<
<
<--/commentPlugin-->
>
>

<--/commentPlugin-->
  -- SteveFrizzell - 20 Jun 2008
  • subrs.xslt: subrs.xslt extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name.
 