Tags:
create new tag
view all tags

APPX Audit Log Feature

This page describes the APPX Audit Log feature and provides instructions for enabling the APPX Audit Log feature on either Linux or Windows.


Overview

The APPX Audit Log feature creates an xml log of APPX file I/O activity. The feature can be enabled for individual files or for groups of files using the FMS group feature of APPX. The level of activity detail logged can be configured to optionally include read, write, rewrite, delete, create, and restructure events.

To enable the APPX Audit Log feature, you must configure and start an instance of the APPX Audit Log Service, you must define a Log Profile in APPX System Administration, and you must assign the Log Profile to an FMS Group or to individual files. The APPX Audit Log Service receives logging requests from the various APPX sessions and writes the audit data to the log file. The audit log service does not have to run on the same server as APPX.

The Audit Log is emitted as an xml document. Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:

type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Read Yes Yes Yes Yes Indexed Files Yes No
Update Yes Yes Yes Yes Indexed Files Yes No
Insert Yes Yes Yes Yes Indexed Files Yes No
Delete Yes Yes Yes Yes Indexed Files Yes No
Scratch Yes Yes Yes Yes No
FileCreate Yes Yes Yes Yes No Yes
Restructure Yes Yes Yes Yes No

node node/element value
<eventID>
  <type/> see above table
  <timeStamp/> ccyymmddhhmmsstt
</eventID>
<sessionID>
  <processID/> 9(6)
  <userID/> X(3)
</sessionID>
<fileID>
  <application/>
  <database/>
  <structureDate/>
  <filename/>
</fileID>
<appxProcessID>
  <type/>
  <name/>
  <applica

Installing the APPX Audit Log Manager Command ( appxAuditMgr)

The APPX Audit Log Manager ( appxAuditMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxAuditMgr command. However, after you install APPX, you will need to run the appxAuditMgr command to configure and start an instance of the APPX Audit Log Service to enable logging of file audit information for APPX sessions.

The appxAuditMgr command is installed into the "services" subdirectory of the directory where you installed APPX.

On Linux and Unix systems the appxAuditMgr command must run with the permissions of the root user. Therefore, the owner of the appxAuditMgr command should be the root user and the SUID bit should be set so that the appxAuditMgr command can be run by users other than root but still be run with the permissions of the root user.

In the event that it is necessary to reset the permissions of the appxAuditMgr command, the following commands can be run by the root user to set the necessary owner and group permissions for the appxAuditMgr command.

cd /usr/local/appx/services

chown root appxAuditMgr

chgrp appxgrp appxAuditMgr

chmod 4775 appxAuditMgr

You can check the permissions of the appxAuditMgr command by running the following command:

ls -l appxAuditMgr

The recommended permissions should be as follows:

-rwsrwxr-x 1 root appxgrp    636843 Jul 11 07:31 appxAuditMgr

Creating and Configuring an Audit Log Service

An instance of the APPX Audit Log Service is initially created, configured, and started by running the appxAuditMgr command with the -install option. At least one appropriately configured instance of the APPX Audit Log Service must be created, configured, and started before running an APPX session for which file I/O activity is to be logged. You may create, configure, and start as many different instances of the APPX Audit Log Service as you desire. However, each concurrently running instance must be configured to receive file I/O audit data on a different TCP/IP port. Each instance of the Audit Log Service will log file I/O activity to a separate xml file. By creating more than one instance of the APPX Audit Log Service, you can separate the file I/O activity that is logged into separate files by assigning different Log Profiles to FMS groups or individual files.

Creating an Audit Log Service

Before file I/O activity can be logged, at least one instance of an APPX Audit Log Service must be configured and started.

The -install option of the appxAuditMgr command is used to initially create, configure, and start an instance of the APPX Audit Log Service. The following steps are performed:

  1. A configuration file (ini) is created or the Windows registry is updated
  2. An environment file (env) is created or the Windows registry is updated
  3. A service is created, including required init files and links.
  4. The service is started
When creating an instance of the APPX Audit Log Service, you must provide the Service Name, Service Type, and TCP/IP Port Number. For compete information on using the -install option of the appxAuditMgr command, please refer to the usage section of this page.

Service Name

Each instance of an APPX Audit Log Service must have a unique name. When creating an instance of a service, the -name option may be used to specify the name that you want the service to have. If you do not specify a name, a name will be assigned for you for example, appxd-8070.

Service Type

When creating an instance of an APPX Audit Log Service, the -ServiceType option must be specified. The value of this option must be "logmonitor".

TCP/IP Port Number

When creating an instance of an APPX Audit Log Service, the -SockPort option must be used to specify the TCP/IP port number on which the service is to listen for audit logging requests. Any available TCP/IP port number may be specified when installing an instance of the APPX Audit Log Service. However, as a matter of convention, most APPX administrators configure the APPX Audit Log Service to listen for audit log requests on port 8070. If additional instances of the APPX Audit Log Service are configured, each instance is typically assigned the next available port number after 8070.

Changing the Configuration of an Audit Log Service

Two methods are available for modifying an existing instance of an APPX Audit Log Service.

Method 1 - The APPX Audit Log Manager Command (appxAuditMgr)

The -modify command and the -replace command of the appxAuditMgr tool can be used to modify or replace a previously configured instance of the APPX Audit Log Service. These options update the existing APPX Audit Log Service configuration files or registry settings with the options specified. If you use this technique, the service will be automatically restarted for you, using the new settings. Note that when specifying options on the command line, you must prefix them with a dash.

Method 2 - Text Editor/Regedit

On Linux/Unix systems a text editor can be used to directly edit the APPX Audit Log Service configuration files (ini and env). The configuration files include comments to help you make the desired changes. If you use this method to modify an existing configuration, you should exercise care to ensure that the syntax is correct. The preferred method for modifying an APPX Audit Log Service configuration is with Method 1 above. When you edit the configuration files for an instance of the APPX Audit Log Service with a text editor, you must restart the service before the changes take effect.

On Windows systems you can use 'regedit' to directly edit the registry. The service is created under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name>. Note that you will have to manually restart the service for the changes to take affect. Due to the risk inherent in directly changing the registry we recommend using method 1 above.

Managing an Audit Log Service

Two methods are available for managing an existing instance of the APPX Audit Log Service.

Method 1 - appxAuditMgr command

The appxAuditMgr command can be used to manage an instance of the APPX Audit Log Service. The appxAuditMgr command can be used to start, stop, restart, or display the status of an instance of an APPX Audit Log Service. The following example shows how to use the appxAuditMgr command to check on the status of an APPX Audit Log Service (must be logged in as root to execute).

[root@500test services]# ./appxAuditMgr -status appxLog8070 up and running (process 2390 servicing port 8070)

Method 2 - O/S Services

Your operating system includes commands or programs that can be used to manage services. APPX Audit Log Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the service command. The following example shows how to use the Red hat service command to check on the status of an APPX Audit Log Service.

[root@500test services]# service appxLog8070 status up and running (process 2390 servicing port 8070)

On Windows, you can manage the audit service the same as any Windows service.

Usage (appxAuditMgr)

Synopsis - Service Configuration

The appxAuditMgr service configuration commands are used to create, configure, and remove an instance of an APPX Audit Log Service.

appxAuditMgr -install -serviceName=SERVICENAME -ServiceType=logmonitor -SockPort=[TCP-Port] [options]... [VARIABLE=VALUE]...

appxAuditMgr -modify -serviceName=SERVICENAME [options]... [VARIABLE=VALUE]...

appxAuditMgr -replace -serviceName=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

appxAuditMgr -remove -serviceName=SERVICENAME

Configuration - Commands

-install -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

-install -port=PORT -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

The -install command is used to configure a new instance of an APPX Audit Log Service. Either form of the install command may be used.

The first form of the -install command requires only that a service name and service type be specified. All other options are optional including the TCP/IP port. Any option not specified will be configured with an appropriate default value.

The second form of the -install command requires only that a TCP/IP port and service type be specified. All other options are optional including the <nop>ServiceName. Any option not specified will be configured with an appropriate default value.

Both forms of the -install command allow additional configuration options to be specified. The configuration options specified are stored in the service configuration file (ini).

Both forms of the -install command optionally allow values to be specified for environment variables. If specified, the environment variables and their values are stored in the environment configuration file (env). There is currently no need to set any environment variables.

In addition to creating the service configuration file and the environment configuration file, the -install command also creates an operating system service that will be automatically started when the computer system is started.

After creating the configuration files and the operating system service, the -install command starts the service.

-modify -name=SERVICENAME [options]... [VARIABLE=VALUE]...

The -modify command is used to modify the configuration of an existing Audit Log Service. The specified options will be updated in the service configuration files. Any options not specified will not be changed. After updating the configuration files, the -modify command restarts the service.

Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.

Note that the -modify command updates the service configuration file and the environment configuration file by removing the old files and creating new files with the updated options and environment variables. Any comments that may have been manually added to these configuration files are not preserved.

-replace -name=SERVICENAME -ServiceType=logmonitor [options]... [VARIABLE=VALUE]...

The -replace command is used to replace an existing Audit Log Service with a new Audit Log Service with the same name. The -replace command is effectively the same as a -remove command followed by an -install command. After updating the configuration files, the -replace command restarts the service. Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as DisplayName, or without a dash if you are referring to environment variables.

-remove -name=SERVICENAME

The -remove command is used to remove an existing Audit Log Service. The -remove command will remove the configuration files (ini and env) and the corresponding operating system service. If the service is running when the -remove command is executed, the -remove command will first stop the service and then remove the service.

Configuration - Options

Options - General
-name, -ServiceName=SERVICENAME
The <nop>ServiceName uniquely identifies an APPX Audit Log Service. When creating (installing) an Audit Log Service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when an Audit Log Service is being created, the Audit Log Service will be created with a default <nop>ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".

-DisplayName=DISPLAYNAME

The <nop>DisplayName is a "user-friendly" descriptive name for an Audit Log Service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when an Audit Log Service is being created, the Audit Log Service will be created with a DISPLAYNAME based on the SERVICENAME.

-LogDirectory={/tmp, LOGDIR}

On Linux and Unix systems when the service is started, two log files are created in the LOGDIR directory - an Audit Log Service log file (.log) and a status file (.stat). Both log files have the same name as the <nop>ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the <nop>LogDirectory option is not specified, the log files are created in the /tmp directory.

On Windows systems, a status file is not created, and a log file is only created if -CreateLogFile is set to 'true'.

-ServiceType=logmonitor

The only valid value when configuring an Audit Log Service is "logmonitor". Note: This option must be specified.

-ServiceDisable={true, false}

This option can be used to temporarily disable or "turn off" the Audit Log Service. If set to true, the Audit Log Service will still run but it will not accept requests to log data from APPX sessions.

-initScript={lsb, <nop>RedHat}

Used with -install option to specify the type of Linux operating system that the service script is to be created for. If this option is not specified, appxAuditMgr will determine which type of service script to install.

Options - Audit Log

-LogNamePattern={/tmp/logmon%N.xml C:\APPXLOG%N.xml, AUDITLOGPATHNAME}

The <nop>LogNamePattern identifies the path and the file name for the audit log files that will be created by the Audit Log Service. The value of AUDITLOGPATHNAME can include a pattern to ensure that the name of each file created by the Audit Log Service will be unique.

-LogRotationInterval={86400, MAXSECONDS}

The <nop>LogRotationInterval identifies the maximum time in seconds that an Audit Log file should be used before being closed and a new audit log file is created. The default value of 86400 is the number of seconds in one day so, by default, the Audit Log Service will create a new audit log file each day

-LogRotationSize={1G, MAXSIZE}

The <nop>LogRotationSize is the maximum size that an Audit Log file is allowed to be. When an audit log file reaches the specified MAXSIZE, it will be closed and a new audit log file will be created.

Options - TCP/IP

-port, -SockPort={8060, PORT}

Configure the service to listen for audit log requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.

Configuration - Environment Variables

VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created or written to the registry. There is currently no reason to use this feature.

Synopsis - Service Management

appxAuditMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}

MANAGEMENT OPTIONS

-start | < blank >
Start an instance of the Audit Log Service.

-stop

Stop the instance of the Audit Log Service.

-restart

Restart (stop and then start) the instance of the Audit Log Service.

-status

Report the status of the instance of the Audit Log Service.

Note on Windows the -status command does not take a SERVICENAME arguement, it will display the status of all defined login and audit services.

EXAMPLES

Example 1 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070:

appxAuditMgr -install -name=appxLog8070 -port=8070 -ServiceType=logmonitor

Example 2 - Configure and start a new instance of the Audit Log Service that will listen for audit log requests on port 8070. The service name and descriptive name are also specified.

appxAuditMgr -install -port=8070 -name=appxLog8070 -displayName="Appx-Audit-Log(8070)" -ServiceType=logmonitor

Example 2 - Display the status of an instance of the Audit Log Service:

appxAuditMgr -status appxLog8070

Example 3 - Shutdown a running instance of the Audit Log Service:

appxAuditMgr -stop appxLog8070

Example 4 - Start a previously configured instance of the Audit Log Service:

appxAuditMgr -start appxLog8070

Example 5 - Modify the Display Name and the maximum size of the log of an existing service:

appxAuditMgr -modify -name=appxLog8070 -displayName="Big Audit Log" -LogRotationSize=10G

The Configuration File (ini) or Registry

Each instance of an APPX Audit Log Service has a configuration file that is used to store the various parameters relating to that specific instance of the Audit Log Service. On Windows, this is kept in the registry but the keywords and values are the same.

The -install option of the appxAuditMgr command creates the configuration file when the service is created.

The name of the configuration file is the concatenation of the service name and ".ini". For example, if the service name is "appxLog8070", the name of the configuration file will be "appxLog8070.ini".

The configuration file is created in whichever directory is your current directory at the time that the appxAuditMgr command is run to create the service. Therefore, before you run the appxAuditMgr command to create a service, you must first change to the directory where you want the configuration file to reside. For example, if you want the configuration file to be created in the APPX services directory, you should change to the services directory before you run the appxAuditMgr command.

Once created, the name of the configuration file and the location of the configuration file should not be changed. The service that is created will not work correctly if the name or the location of the configuration file is changed.

Note: The Configuration file for an APPX Audit Log service (as shown below) looks very much like the configuration file for an APPX Login Manager service. You should ignore the configuration options that do not apply to an APPX Audit Log service. Note that the extraneous options are all preceded by a "#" which causes them to be treated as comments. Although these extraneous options are of no consequence, they will be removed in a future release.

# Appx connection manager configuration file # # You can change this file by hand, or # use the uappxd program for better results # # blank lines are ignored # # anything following a '#' is treated as a comment # # case is not important on the left-hand side # properties whose descriptions end in a '?' are # boolean and should be set to true or false # --------------------------------------------------

# AppxApplication = #startup application for spawned engines # AppxDatabase = #startup database for spawned engines AppxExecutable = /usr/local/appx500/appx#pathname to Appx engine # AppxProcessName = #startup process name for spawned engines # AppxProcessType = #startup process type for spawned engines # AuthenticationMethod = OS-User #authentication method (OS-User, Appx-User, HT-User(filename)) DisplayName = appxLog8070 #descriptive name # ImpersonateGID = true #change effective grouo ID for spawned engines? # ImpersonateGroup = User #[LogonUser, NamedGroup (groupname), ServiceOwner ] # ImpersonateUID = true #change effective user ID for spawned engines? # ImpersonateUser = LogonUser #[LogonUser, NamedUser (username), ServiceOwner ] # LoadSystemEnvironment = true #load default system-defined environment variables into spawned engines? # LogDirectory = /tmp #directory where log file should reside # LogNamePattern = /tmp/appxlog%N.xml #audit log filename pattern (see man strftime for details # LogRotationInterval = 86400 #number of seconds between audit log rotations # LogRotationSize = 1G #maximum audit log file size # RequireSSL = false #Require SSL-secured connections? # RequireSSLClientCertificates = false #require SSL-client certificates? # ServerCertificateFile = #pathname of server's X509 certificate (leave blank for anonymous connections # ServerPrivateKeyFile = #pathname of server's private key file (unlocks the ServerCertificateFile) # ServerPrivateKeyPassphrase = #passphrase that unlocks ServerPrivateKeyFile # ServiceDisable = false #disable this service? # ServiceDisableAppxKeys = false #disable keyboard mapping? # ServiceDisableFMS = false #disable AppxNET connections? # ServiceDisableLogins = false #disable interactive logins? # ServiceEnableCmds = true #allow client-side startup options? ServiceName = appxLog8070 #name of service ServiceType = logmonitor #service type (login or logmonitor) SockPort = 8070 #port number to service # SSLMode = Optional #SSL connection type (optional, required, disabled) # TCPEnableKeepAlive = true #Enable TCP dead-connection detection # TCPKeepCount = 8 #Maximum number of keep-alive pings # TCPKeepIdle = 300 #Idle time before ping sent to client (in seconds) # TCPKeepInterval = 60 #Interval between keep-alive pings # TCPNoDelay = true #disable TCP packet filling delay? # TrustedCAFile = #determines which client certificates to trust # Umask = #umask (file creation mask) given to spawned engines

The Environment File (env) or Registry

Each instance of an APPX Audit Log Service has an environment file that is used to store the environment variables relating to that specific instance of the Audit Log Service. On Windows, this is kept in the registry. However, there is currently no requirement to set any environment variables when configuring an APPX Audit Log service.

The -install option of the appxAuditMgr command creates the environment file when the service is created.

The name of the environment file is the concatenation of the service name and ".env". For example, if the service name is "appxLog8070", the name of the environment file will be "appxLog8070.env".

The environment file is created in whichever directory is your current directory at the time that the appxAuditMgr command is run to create the service. Therefore, before you run the appxAuditMgr command to create a service, you must first change to the directory where you want the environment file to reside. For example, if you want the environment file to be created in the APPX services directory, you should change to the services directory before you run the appxAuditMgr command.

Once created, the name of the environment file and the location of the environment file should not be changed. The service that is created will not work correctly if the name or the location of the environment file is changed.

# Appx connection manager environment variables
#
#   The entries in this file will become
#   environment variables in the engines
#   spawned by this service
#
#   blank lines are ignored
#
#   anything following a '#' is treated as a comment
#
#   letter case IS important in this file
# --------------------------------------------------

The Status File (stat) (Linux only)

On Linux and Unix systems when an APPX Audit Log Service is started, a status file is created in the specified <nop>LogDirectory. If a <nop>LogDirectory was not specified, then the status file is created in the /tmp directory.

The name of the status file is the concatenation of the service name and ".stat". For example, if the service name is "appxLog8070", the name of the status file will be "appxLog8070.stat".

The status file can be viewed to see the actual context within which the service is running.

appxLog8070 running as process 8665
Effective User ID 0
Real User ID     0
Configuration values follow
*Daemonize = true
*DontForkEngine = false
*InitScriptStyle = 
*SleepAfterFork = 
AppxApplication = 
AppxDatabase = 
AppxExecutable = /usr/local/appx500/appx
AppxProcessName = 
AppxProcessType = 
AuthenticationMethod = OS-User
DisplayName = AppxLog8070
ImpersonateGID = true
ImpersonateGroup = User
ImpersonateUID = true
ImpersonateUser = LogonUser
LoadSystemEnvironment = true
LogDirectory = /tmp
LogNamePattern = /tmp/appxlog%N.xml
LogRotationInterval = 86400
LogRotationSize = 1G
RequireSSL = false
RequireSSLClientCertificates = false
ServerCertificateFile = 
ServerPrivateKeyFile = 
ServerPrivateKeyPassphrase = 
ServiceDisable = false
ServiceDisableAppxKeys = false
ServiceDisableFMS = false
ServiceDisableLogins = false
ServiceDisableODBC = 
ServiceEnableCmds = true
ServiceName = AppxLog8070
ServiceType = logmonitor
SockPort = 8070
SSLMode = Optional
TCPEnableKeepAlive = true
TCPKeepCount = 8
TCPKeepIdle = 300
TCPKeepInterval = 60
TCPNoDelay = true
TrustedCAFile = 
Umask = 
Environment variables follow
Logging to /tmp/appxlog3.xml

The Log File (log)

When an APPX Audit Log Service is started on a Linux/Unix system, a log file is created in the specified <nop>LogDirectory. If a <nop>LogDirectory was not specified, then the log file is created in the /tmp directory. On Windows servers, the log file will not be created unless you set CreateLogFile = true when defining the service. The default location for the file is C:\ for Windows.

The name of the log file is the concatenation of the service name and ".log". For example, if the service name is "appxLog8070", the name of the log file will be "appxLog8070.log".

When the Audit Log service is started, the log file is initialized with the configuration of the Audit Log service. The configuration information is followed by a dialog of messages relating to actions performed by the Audit Log service. Each time the Audit Log service processes a logging request, messages relating to the logging request are appended to the log file.

*Daemonize = true
*DontForkEngine = false
*InitScriptStyle = 
*SleepAfterFork = 
AppxApplication = 
AppxDatabase = 
AppxExecutable = /usr/local/appx500/appx
AppxProcessName = 
AppxProcessType = 
AuthenticationMethod = OS-User
DisplayName = appxLog8070
ImpersonateGID = true
ImpersonateGroup = User
ImpersonateUID = true
ImpersonateUser = LogonUser
LoadSystemEnvironment = true
LogDirectory = /tmp
LogNamePattern = /tmp/appxlog%N.xml
LogRotationInterval = 86400
LogRotationSize = 1G
RequireSSL = false
RequireSSLClientCertificates = false
ServerCertificateFile = 
ServerPrivateKeyFile = 
ServerPrivateKeyPassphrase = 
ServiceDisable = false
ServiceDisableAppxKeys = false
ServiceDisableFMS = false
ServiceDisableLogins = false
ServiceDisableODBC = 
ServiceEnableCmds = true
ServiceName = appxLog8070
ServiceType = logmonitor
SockPort = 8070
SSLMode = Optional
TCPEnableKeepAlive = true
TCPKeepCount = 8
TCPKeepIdle = 300
TCPKeepInterval = 60
TCPNoDelay = true
TrustedCAFile = 
Umask = 
createListener complete - listening on port 8070
CAppxD::Run starting
monitorLog - starting


#RedHatServiceCommand

Issues:

  1. When executing the appxAuditMgr command with the -install option, you must include the -name option.

  2. When executing the the appxAuditMgr command with the -install option, you must include the - DisplayName option. If you do not, the ps command will not display a meaningful name for the running service.

Notes

More About Log Profiles

Before data can be written to the log file you need to define a Log Profile for the monitor.

To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:

servername:8064

Then click on Log File Parameters and make sure you check parameters that you wish to log:

Now you are ready to define a new FMS group for the monitor.

To add a new FMS group you need to go to System Administration, Configuration, File System Groups and press F9 to add a new one for the monitor.

Give it an FMS group of 1 and click on 'FMS group attributes' button. On that screen enter the name of your Log Profile in the 'Log Profile' field. Note that if you already have an FMS group that is used by the file(s) you wish to monitor, you can simply add the Log Profile name to the existing FMS group. If the FMS group refers to a RDBMS (such as Oracle, SQL Server, etc), then only changes made by Appx will be logged.

You can now assign this FMS group to the file(s) that you wish to monitor.

More About the xml Audit Log file

Using a Pattern in a Log File Name

You can change the name of the log file by setting the LogNamePattern in for your service. You can also change the LogRotationInterval and LogRotationSize.

Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:

/tmp/appx_2007-01-31.xml

/tmp/appx_2007-02-28.xml

Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:

/tmp/appx-11-Jun-08

/tmp/appx-12-Jun-08

...

If you restart the log monitor on 11-Jun-08 (and your LogNamePattern specifies %D-%B-%Y), any existing log file with that name would be replaced. Of course, you can include time components in the LogNamePattern to avoid that problem (or add %N to the pattern to include a sequence number). Here's the complete list of valid specifiers (from the strftime man page):

%a The abbreviated weekday name according to the current locale.
%A The full weekday name according to the current locale.
%b The abbreviated month name according to the current locale.
%B The full month name according to the current locale.
%c The preferred date and time representation for the current locale.
%C The century number (year/100) as a 2-digit integer. (SU)
%d The day of the month as a decimal number (range 01 to 31).
%D Equivalent to %m/%d/%y. (Yecch -- for Americans only. Americans should note that in other coun-
tries %d/%m/%y is rather common. This means that in international context this format is ambiguous and should not be used.) (SU)
%e Like %d, the day of the month as a decimal number, but a leading zero is replaced by a space. (SU)
%E Modifier: use alternative format, see below. (SU)
%F Equivalent to %Y-%m-%d (the ISO 8601 date format). (C99)
%G The ISO 8601 year with century as a decimal number. The 4-digit year corresponding to the ISO week number (see %V). This has the same format and value as %y, except that if the ISO week number belongs to the previous or next year, that year is used instead. (TZ)
%g Like %G, but without century, that is, with a 2-digit year (00-99). (TZ)
%h Equivalent to %b. (SU)
%H The hour as a decimal number using a 24-hour clock (range 00 to 23).
%I The hour as a decimal number using a 12-hour clock (range 01 to 12).
%j The day of the year as a decimal number (range 001 to 366).
%k The hour (24-hour clock) as a decimal number (range 0 to 23); single digits are preceded by a blank. (See also %H.) (TZ)
%l The hour (12-hour clock) as a decimal number (range 1 to 12); single digits are preceded by a blank. (See also %I.) (TZ)
%m The month as a decimal number (range 01 to 12).
%M The minute as a decimal number (range 00 to 59).
%n A newline character. (SU)
%O Modifier: use alternative format, see below. (SU)
%p Either `AM' or `PM' according to the given time value, or the corresponding strings for the current locale. Noon is treated as `pm' and midnight as `am'.
%P Like %p but in lowercase: `am' or `pm' or a corresponding string for the current locale. (GNU)
%r The time in a.m. or p.m. notation. In the POSIX locale this is equivalent to `%I:%M:%S %p'. (SU)
%R The time in 24-hour notation (%H:%M). (SU) For a version including the seconds, see %T below.
%s The number of seconds since the Epoch, that is, since 1970-01-01 00:00:00 UTC. (TZ)
%S The second as a decimal number (range 00 to 60). (The range is up to 60 to allow for occasional leap seconds.)
%t A tab character. (SU) %T The time in 24-hour notation (%H:%M:%S). (SU)
%u The day of the week as a decimal, range 1 to 7, Monday being 1. See also %w. (SU)
%U The week number of the current year as a decimal number, range 00 to 53, starting with the first Sunday as the first day of week 01. See also %V and %W.
%V The ISO 8601:1988 week number of the current year as a decimal number, range 01 to 53, where week 1 is the first week that has at least 4 days in the current year, and with Monday as the first day of the week. See also %U and %W. (SU)
%w The day of the week as a decimal, range 0 to 6, Sunday being 0. See also %u.
%W The week number of the current year as a decimal number, range 00 to 53, starting with the first Monday as the first day of week 01.
%x The preferred date representation for the current locale without the time.
%X The preferred time representation for the current locale without the date.
%y The year as a decimal number without a century (range 00 to 99).
%Y The year as a decimal number including the century.
%z The time-zone as hour offset from GMT. Required to emit RFC 822-conformant dates (using "%a, %d %b %Y %H:%M:%S %z"). (GNU)
%Z The time zone or name or abbreviation.
%+ The date and time in date(1) format. (TZ) (Not supported in glibc2.)
%% A literal '%' character. 

How to Rotate the Audit Log File

To close an existing log file and rotate the log just stop and start the service

How to View Audit Log Events

The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size.

You can view the log file with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file. You can also use the various xlst processing programs to create queries (such as xsltproc or xalan from Apache).

Databases

XML files can easily be imported into a RDBMS, which does not have the same file size limitation.

Audit Log Events

Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:


type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
Read Yes Yes Yes Yes Indexed Files Yes No
Update Yes Yes Yes Yes Indexed Files Yes No
Insert Yes Yes Yes Yes Indexed Files Yes No
Delete Yes Yes Yes Yes Indexed Files Yes No
Scratch Yes Yes Yes Yes No
File Create Yes Yes Yes Yes No Yes
Restructure Yes Yes Yes Yes No

node node/element value
<eventID>
  <type/> see above table
  <timeStamp/> ccyymmddhhmmsstt
  <sequenceNumber/> 9(3)
</eventID>
<sessionID>
  <processID/> 9(6)
  <userID/> X(3)
</sessionID>
<fileID>
  <application/>
  <database/>
  <structureDate/>
  <filename/>
</fileID>
<appxProcessID>
  <type/> INPUT, SUBR, etc.
  <name/> X(30) - Proc Name
  <application/>
  <version/>
  <database/>
  <lastChange/>
</appxProcessID>
<eventRecordID>
  <keySegment> 0-16 instances
<keySegment>
  <fieldName>
  <fieldValue>
</keySegment>
</eventRecordID>
<eventData>
  <field> 0-n instances
</eventData>
<field> read, insert, delete
  <fieldName>
  <occurrence>
  <fieldValue>
</field>
<fieldData> update
  <fieldName>
  <occurrence> (optional)
  <oldValue>
  <newValue>
</fieldData
<Structure>
  <Field> 1-n instances
</Structure>
<Field>
  <fieldName>
  <fieldType>
  <occurrences>
  <rawLength>
  <offset>
</Field>
<eventData>
  <RecordSizeChange>
  <DeletedElement>
</eventData>
<RecordSizeChange>
  <old>
  <new>
</RecordSizeChange>
<DeletedElement/>
  <fieldName/>
</DeletedElement>

Sample scripts

Here are some sample xslt processing commands that you can use to do inquiries against the raw XML data.

The attached file 'structure.xslt' will extract any file create events from a log and produces an HTML table that shows the structure of each file that you create.

The attached file 'subrs.xslt' extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name.

To use a stylesheet with xsltproc (the XSLT processor from libxml/xmlsoft):

$ xslt stylesheetFileName logFileName >output.html

for example:

$ xslt /stylesheets/structure.xslt /tmp/appxlog0.xml > /tmp/fileCreates.html

To use a stylesheet with xalan (the XSLT processor from Apache):

$ xalan -xsl stylesheetFileName <logFileName >output.html

for example:

$ xalan -xsl /stylesheets/structure.xslt < /tmp/appxlog0.xml > /tmp/fileCreates.html

Need examples of loading XML Data into an RDBMS

Comments:

Read what other users have said about this page or add your own comments.



-- SteveFrizzell - 20 Jun 2008

  • subrs.xslt: subrs.xslt extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name.

  • structure.xslt: structure.xslt will extract any FileCreate events from a log and produces an HTML table that shows the structure of each file that you create.
Topic attachments
I Attachment History Action Size Date Who Comment
Unknown file formatxslt structure.xslt r2 r1 manage 1.6 K 2010-11-12 - 00:16 JeanNeron structure.xslt will extract any FileCreate events from a log and produces an HTML table that shows the structure of each file that you create.
Unknown file formatxslt subrs.xslt r2 r1 manage 1.9 K 2010-11-12 - 00:14 JeanNeron subrs.xslt extracts all events where the process type is SUBR and produces an HTML summary table that shows the user id, date, time, event ID, application ID, version, and process name.
Edit | Attach | Watch | Print version | History: r24 < r23 < r22 < r21 < r20 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r24 - 2020-11-05 - MisaghKarimi
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback