AccAD Audit events - explained

Here is a list of messages:
"DEVICE_ACTIVATED" - generated during startup of the AccAD device
"DEVICE_UNACTIVATED" - generated during shutdown of the AccAD device
"LINK_ESTABLISHED" - generated every time one AccAD device connects to another. Example: Wed Dec 7 07:23:33 0 INFO LINK_ESTABLISHED INFO_LOGS Link [1001,1002] is operational
"LINK_CANCELED" - generated every time the connection between AccAD devices is broken. Example: Wed Dec 7 07:23:33 0 INFO LINK_CANCELED INFO_LOGS Link [1001,1002] failed
"POLICY_DOWNLOAD_FAILURE" - the AccAD device failed to download part of a policy from the repository
"POLICY_EXECUTION_FAILURE" - the AccAD device failed to execute part of a policy
"SERVICEONHOST_NOT_FUNCTIONING" - the backend is not available for communication (the reason for the communication failure is provided). Example: Tue Dec 6 13:12:32 WARNING SERVICEONHOST_NOT_FUNCTIONING INFO_LOGS Connection timed out 172.16.60.21:80
"SERVICEONHOST_ACTIVATION_DETECTED" - communication problems with the backend were fixed, i.e. the backend is available again. Example: Tue Dec 6 13:12:40 2011 WARNING SERVICEONHOST_ACTIVATION_DETECTED INFO_LOGS  Restored connection to server 172.16.60.21:80
"SRM_CONNECTOR_NOT_FOUND_ERROR" - reported each time a connector is not found for a particular service (a connector is the part of AccAD that creates sockets for communication with the backend)
"SRM_HTTP_AGGREGATION_TIMEOUT_ERROR" - generated if the aggregation process in a socket fails with a timeout, e.g. the client or backend stops sending the HTTP header
"SRM_HTTP_HEADER_PROCESSING_ERROR" - the received HTTP header is too long or in the wrong format
"SUSPECTED_FLOOD" - currently unused, reserved for cases when the download rate of sockets was adjusted
"VLM_SSL_VERIFICATION_FAIL" - generated when the certificates of another AccAD device are incorrect; could be a DoS attack or an attempt to hack
"VLM_DEVICE_ID_VERIFICATION_FAIL" - generated when the device id in the certificate is different from the actual device id
"VLM_VERSION_VERIFICATION_FAIL" - generated when the versions of the AccAD devices are different
"VLM_INCORRECT_CONFIGURATION" - currently unused, reserved for cases of VMlink Manager misconfiguration, for example when the number of streams requested by the user is unsupported
"VLM_ACCEPT_FAIL" - the AccAD link / tunnel could not accept incoming connections, or an incoming connection is problematic. For example, two AccAD devices with the same device id try to connect to this device. The most popular reason for this audit event is an incorrect link IP or port.
"VLM_CONNECT_FAIL" - the AccAD device fails to connect to the specified AccAD device for various reasons; e.g. check the audit events generated by the other device, or check the link IP / port
"COMPRESSION_ERROR" - compression / decompression / online and offline analysis errors are reported under this category
"NODE_IN_CLUSTER_NOT_FUNCTIONING" - one of the nodes in the backend cluster is not available
"NODE_IN_CLUSTER_ACTIVATION_DETECTED" - a node in the backend cluster became available

Kenneth,
By default, the events are generated in GMT-0 timezone to allow distributed environment with machines in different timezones to record a coherent time.
You can add a formula in your reports to adjust to your timezone.
Regards,
Julian
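
An added example, not part of the original posts and not AccAD's own tooling: a Python script that parses audit lines like the samples in the list above, pairs each SERVICEONHOST_NOT_FUNCTIONING with the matching SERVICEONHOST_ACTIVATION_DETECTED to measure backend outages, sets aside the certificate and device-id verification failures for review, and shifts the GMT timestamps to a reporting offset as Julian's reply suggests. The line layout is an assumption inferred from the three sample lines (the year field is optional, so the caller supplies a default year), and the function names and the fixed UTC offset parameter are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed layout, inferred from the sample lines in the post:
# <dow> <mon> <day> <hh:mm:ss> [<year>] <LEVEL> <EVENT> <CATEGORY> <detail>
LINE_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)"
    r"(?: (?P<year>\d+))? (?P<level>[A-Z]+) (?P<event>[A-Z_]+) "
    r"(?P<category>[A-Z_]+) +(?P<detail>.*)$"
)
ENDPOINT_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:\d+")
# Events the list ties to certificate / device-id checks between devices.
REVIEW_EVENTS = {"VLM_SSL_VERIFICATION_FAIL", "VLM_DEVICE_ID_VERIFICATION_FAIL"}

# The first three lines are the samples quoted in the post; the rest are constructed.
SAMPLE = """\
Wed Dec 7 07:23:33 0 INFO LINK_ESTABLISHED INFO_LOGS Link [1001,1002] is operational
Tue Dec 6 13:12:32 WARNING SERVICEONHOST_NOT_FUNCTIONING INFO_LOGS Connection timed out 172.16.60.21:80
Tue Dec 6 13:12:40 2011 WARNING SERVICEONHOST_ACTIVATION_DETECTED INFO_LOGS  Restored connection to server 172.16.60.21:80
Wed Dec 7 07:25:01 2011 WARNING VLM_SSL_VERIFICATION_FAIL INFO_LOGS constructed detail text
Wed Dec 7 07:30:00 2011 WARNING SERVICEONHOST_NOT_FUNCTIONING INFO_LOGS Connection timed out 172.16.60.22:80
not an audit line
"""


def parse_line(line, default_year):
    """Return a dict for one audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Only a four-digit value is treated as a year; "0" or nothing falls back.
    year = m["year"] if m["year"] and len(m["year"]) == 4 else str(default_year)
    stamp = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    # Events are recorded in GMT, so attach UTC explicitly.
    return {"utc": stamp.replace(tzinfo=timezone.utc), "level": m["level"],
            "event": m["event"], "detail": m["detail"]}


def backend_outages(events):
    """Pair each backend failure with the next recovery for the same endpoint."""
    down, outages = {}, []
    for ev in sorted(events, key=lambda e: e["utc"]):
        ep = ENDPOINT_RE.search(ev["detail"])
        if ep is None:
            continue
        ep = ep.group()
        if ev["event"] == "SERVICEONHOST_NOT_FUNCTIONING":
            down.setdefault(ep, ev["utc"])  # keep the first failure time
        elif ev["event"] == "SERVICEONHOST_ACTIVATION_DETECTED" and ep in down:
            outages.append((ep, down.pop(ep), ev["utc"]))
    return outages, sorted(down)  # second value: endpoints with no recovery yet


def triage(text, default_year, utc_offset_hours=0):
    """Summarise a log: outage durations (local start time) and review events."""
    events = [e for e in (parse_line(l, default_year) for l in text.splitlines()) if e]
    outages, still_down = backend_outages(events)
    local = timezone(timedelta(hours=utc_offset_hours))
    return {
        "parsed": len(events),
        "outages": [(ep, (up - dn).total_seconds(), dn.astimezone(local).isoformat())
                    for ep, dn, up in outages],
        "still_down": still_down,
        "review": [e for e in events if e["event"] in REVIEW_EVENTS],
    }


if __name__ == "__main__":
    print(triage(SAMPLE, 2011, utc_offset_hours=2))
```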

Similar Messages

  • Audit Event Logging - attributes automatically converted to uppercase?

    Hi,
    we have the issue of registering auditing events; when we register a new audit event having our set of attributes, for some unknown reason all these attributes are changed to all capital letters, we can see it directly in the waveset database.
    How can we avoid this behaviour? Our customer requires us to avoid this, since some attributes are user input comments.
    Please advise.
    <Action id='1' name='Audit_the_Approval' application='com.waveset.session.WorkflowServices'>
    <ReportTitle>
    <s>Audit_the_Approval</s>
    </ReportTitle>
    <Argument name='op' value='audit'/>
    <Argument name='type' value='User'/>
    <Argument name='name' value='custom description'/>
    <Argument name='status' value='Success'/>
    <Argument name='action' value='approve'/>
    <Argument name='subject' value='config'/>
    <Argument name='resource' value='MySupplierPortal'/>
    <Argument name='accountId' value='501130222'/>
    <Argument name='attributes'>
    <Map>
    <MapEntry key='fullname' value='Edgar Alejandro'/>
    </Map>
    </Argument>
    <Argument name='logResultErrors' value='true'/>
    <Argument name='approver' value='configurator'/>
    <Argument name='originalAttributes'>
    <Map>
    <MapEntry key='fullname' value='Edgar'/>
    </Map>
    </Argument>
    <Return from='WF_ACTION_ERROR' to='bol_hasError'/>
    <Return from='WF_ACTION_RESULT' to='str_errMessage'/>
    </Action>

    When will SUN explain why they do this?
    This behaviour, the audit log converting and storing data in upper case, has been in IDM since version 5.0 at least.
    Maybe SUN can comment why they see an "audit" as not quite the same thing as a record that shows what events happened.
    GF

  • Unable to capture Exchange Mailbox Auditing events for email creation

    We are looking to capture Owner mailbox auditing events using the native Exchange 2013 auditing tools (Search-MailboxAuditLog). I have auditing enabled with all actions for Owner, and capture items performed via Outlook, except for new emails created.
    If I create new emails via OWA, I am able to capture the event, but as soon as I go back to Outlook and create a new message, I don't see anything audited. I also tried this in our Dev environment and am seeing the same behavior. Has anyone else experienced this behavior?

    Hi,
    I have a test in my environment. If I create a message in Outlook as an owner, the mailbox audit logging can't record it.
    If I create a message on Outlook as a delegate, when using the Search-MailboxAuditLog cmdlet to search the audit log, it will be displayed as follows:
    The operation is "SendAs", not "Create".
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Variant "_$$audit-event-count" has not been declared in the current scope.

    I migrated my bpel process manager from Version 2.1.2 [oc4j linux] to 10.1.2.0.0 [using jboss as application server].
    The orabpel schema for 10.1.2.0.0 seems to be a bit different.
    I installed the new schema and then dumped all the data from my previous schema. I also successfully deployed the 2.1.2 processes onto 10.1.2 version.
    I can initiate a new instance of the process; however, the previously completed instances and the not completed instances fail with the following error:
    16:28:06,061 INFO [STDOUT] <2006-01-31 16:28:06,061> <ERROR> <default.collaxa.cube> <BaseCubeSessionBean::logError> Error while invoking bean "instance manager": Variant not found.
    The variant "_$$audit-event-count" has not been declared in the current scope. All variants must be declared in the scope before being accessed.
    Any advice is greatly appreciated. Thanks.

    JScript is JavaScript.
    Ah, now there's part of the confusion :)
    If you're asking about a Windows Script Host (WSH) script, you don't have to declare stdin because it's part of the host.
    Ok... So if I understand you correctly, I'm actually programming in J(ava)Script on windows for WSH. Simply trying to call ReadLine fails as well, as it is not defined according to the compiler.
    Be specific: What are you trying to do? Tell what you want to do, not
    how you think it needs to be done.
    which brings me to my current issue: attempting to ReadLine() (in order to get the program to pause for a moment, from
    this example)
    I know I put up a pretty big wall of text back there, sorry about that.
    EDIT: Well, I think I've learned
    about J*script. It sounds like JScript and Javascript are more just versions of ECMAScript.

  • Solaris 10 with Trusted Extensions - Security Audit Events [short] Descript

    I know that the security audit events and classes in Solaris 10 have changed when viewing these files: audit_class, audit_event, and audit_control with that of the same files for TSOL8. In order to perform an accurate and acceptable review of the audit events, I need to find either a file or document that provides a short description for each of the audit events within each audit class. Can anyone point me in the right direction or a URL? I have tried to search through the Sun docs and have not yielded any results.

    been there, done that
    The problem is a function of your network definitions. The non-global zones do not have an IP address to match for your global zonename. The error message results from the system established default of the DISPLAY variable failing (DISPLAY=globalzonename:0.0).
    To confirm this, login to the global zone as root and "zlogin -S" to the non-global zone. Once there, the command "netstat -r" should show the IP address of the global zone instead of the expected global zonename. (combine this with a look at your output for "ifconfig -a" within the same non-global zones) Another command you should fail with will be the "getent hosts galaxy". Anyway, if you manually set your DISPLAY variable to the "IP Address" of the globalzonename and execute a "dtterm" ... it should work fine.
    If it does not violate a security policy, I suggest you add the IP address of the global zone to either the /etc/inet/hosts or /etc/inet/ipnodes file within each non-global zone.

  • Reporting on ADFS Audit Events

    I haven't had much luck researching potential solutions for how to report on ADFS activity. Most articles describe how to enable debugging for troubleshooting purposes, but haven't found anything to build a report off of that info.
    Basically I am looking for a way to aggregate the ADFS auditing events into a format consumable by a person. There is the instance ID for a session that is consistent amongst the 299, 500, 501 events, but how to organize the claim values that are shown is the part I struggle with.
    Ideally I am just looking to build a report to show the Date/time, Relying Party Name, Username, source IP, Device and/or client application in a sortable format to view by application or by user, etc. It's just a matter of parsing the claim values that span multiple events and putting it into a readable format.
    Or Are there any other solutions out there that do something comparable?

    Hi,
    Thank you for your posting!
    Since Active Directory Federation Service is not an extension of Active Directory schema, I suggest you refer to the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    In addition, you may also need to consult experts from scripting forum due to your request.
    The Official Scripting Guys Forum
    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
    Best Regards,
    Amy

  • Looking for different audit events in Oracle Linux

    Hi,
    I am looking for different audit events in Oracle Linux. I did a lot of googling but could not find anything relevant. Can you please share some doc/info if you have any?
    Thanks,
    Ravi

    You can probably spend all day searching in https://linux.oracle.com/documentation/ or http://docs.redhat.com/docs/en-US/index.html for information about this topic. Finding relevant information appears to be difficult.
    The information you are looking for is about configuring the Linux Audit subsystem. There are some rules examples in /usr/share/doc/audit*
    I found the following link in Google that seems to provide a reasonable overview:
    http://dgz.dyndns.org/mediawiki/index.php/%28RHEL%29_HOWTO_configure_the_auditing_of_the_system_%28auditd%29

  • Controlling #views/#prints and getting audit event notifications

    We have an evaluation of LiveCycle up and running, and we are in negotiations for purchase. In doing some quick proof-of-concept work, we ran across a couple of issues we are looking to get help with.
    Background: We are working in .Net using LiveCycle web services. We can successfully apply a policy to a PDF using web services, and we can successfully manipulate a PDF using reader extensions using web services.
    1. We see where we can apply validity dates in the Policy, but where can we limit the number of views or prints allowed on the document? Is this even controlled by the policy, or somewhere else? We see where we can assign permissions to principals, but this is more of "Can print" or "Can view offline" but not a control on the quantity of prints or views. Is this something we can set up via the web interface, or is it something we need to supply custom Java extensions for? And if we need to supply extensions, is there any way to point us in the proper direction? (this seems like it would be fairly typical usage)
    2. How do we setup livecycle so we can get notified of audit events like "# allowed views reached" or "# allowed prints reached" or just "someone viewed this PDF". We are a .net house, so is there any way to get notifications of this externally? Or do we have to supply some sort of extensions to LiveCycle? And if we have to supply an extension, can you point us in the proper direction?
    Many thanks for any insights we can get on these issues.
    Michael

    Rob
    If you want to revoke or expire a document based on user action (i.e. printing or viewing the document) then you can do this by capturing the print or view event in your process and then have your process perform the desired steps (i.e. revoke the document).
    If you simply want to have the document revoked after a certain date or for it to only be valid for a specific period, you can do this as part of the policy definition itself.  When you create a policy, you can specify one of the following:
    1)  Document will not be valid after x days
    2)  Document will not be valid after this date: x
    3)  Valid from "date 1" to "date 2"
    or
    4)  Document is always valid  (which means you would need to revoke\expire the document manually or via a process)
    This functionality has always been a part of Rights management.
    Regards
    Steve

  • CSA 6 Continuing Audit Events on Hosts with Non-Audit Policies

    I have two groups for desktop PCs, with the same policies. In the group I'm using for auditing, most policies are set to audit mode -- at policy level, not rule module level. In the other group, those same policies are not in audit mode.
    The original agent kit included membership in both groups, but hosts now belong to one group or the other. The hosts are all polling frequently and are up to date, as is rule generation.
    But in the event log, certain events on hosts that are not in the audit group are reporting as "Audit:" events. Why am I getting audit events on hosts in the group where policies are not in audit mode?

    Thank you, Tom, for your reply. Looking at the group details screen in CSA 6, and referencing the Policy Audit Mode documentation, attached policies can be set to audit mode for a group, on a per-policy basis.
    I'm seeing logged Audit: events on hosts belonging solely to a group that is not in audit mode, its policies are not in audit mode and the underlying rule modules are not in audit mode. Yet audit events continue in the log for those hosts.
    Carole

  • Data Access Service is unable to log audit events to the security event log

    Hi,
    Scenario: SCOM 2012 R2 UR4. (Windows 2012 R2)
    Today SCOM has generated 4 alerts: "Data Access Service is unable to log audit events to the security event log".
    The service account for "System Center Data Access Service" service is "Local System".
    The users at "Generate security audits" are: LOCAL SERVICE and NETWORK SERVICE.
    The question is:
    How do I resolve this alert? (Where should I look to obtain more information to resolve this problem?)
    Thanks in advance!

    The Local System account is different from the Local Service account. For a detailed description of these accounts, please refer to:
    LocalService Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684188(v=vs.85).aspx
    LocalSystem Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
    Generate security audits, which is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment of Group Policy, determines which accounts can be used by a process to add entries to the security log. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, only the LocalSystem account has the privilege to be used by processes to generate security audits.
    To identify the SDK account:
    1) Open services.msc
    2) From the System Center Data Access Service, you can see the SDK "log on as" account
    Roger

  • How to post audit event from my application ?

    Hi All,
    I'm a newbie in the WebLogic (server) field. I'm working on an audit trail for my application. We are using WebLogic Server 8.1 SP4.
    I read thru the documentation in weblogic site and understood the default and custom auditing providers/auditing events and how to configure them from the admin console.
    I would like to know how to programmatically invoke/trigger/post that audit from wherever I want in the application.
    Hope I'm clear.
    Any help in this regard is highly appreciated.
    Thanks
    Viji

    If you find out.... I'm curious too.

  • Auditd Failed to parse/match audit event

    I am seeing many auditd errors in our syslog that look like this:
    Mar  4 10:25:18 xm4000gz-01 auditd[7458]: [ID 702911 local0.info] Audit: Failed to parse/match audit event: Unable To parse Event:header,116,2,seteuid(2),,xm4000gz-01,2015-03-04 10:25:18.776 -08:00   argument,1,0x193f,euid  subject,joeuser,joeuser,ops,joeuser,ops,3702,218603507,12598 131094 172.20.0.173       return,success,0        zone,xadm01     sequence,547113737      trailer,116
    Want to know what "Failed to parse/match audit event" means.  If the audit daemon is saying it doesn't understand what's going on, it does not inspire confidence.  I'd like to know what is not being understood by auditd.
    Thanks in advance.

    First, you have not correctly annotated your SEI and implementation class. If you want to use an SEI to define your web service, then your implementation class should not have any JAX-WS / JSR 181 annotations except the following.
    import java.util.Date;
    import javax.jws.WebService;

    // Implementation class: only @WebService, pointing at the SEI
    @WebService(endpointInterface="whateverpackage.HelloWorld", portName="HelloWorldPort", serviceName="HelloWorld")
    public class HelloWorldImpl implements HelloWorld {
        public Greeting createGreeting(Person per) {
            Greeting grt = new Greeting();
            grt.setMessage("Welcome back " + per.getFirstName() + "," +
                    per.getLastName());
            grt.setDateTime(new Date());
            return grt;
        }
    }
    and the SEI should be:
    import javax.jws.WebMethod;
    import javax.jws.WebParam;
    import javax.jws.WebResult;
    import javax.jws.WebService;
    import javax.jws.soap.SOAPBinding;

    // Service endpoint interface: carries the abstract (PortType) annotations
    @WebService(name="HelloWorldPort")
    @SOAPBinding(style=SOAPBinding.Style.DOCUMENT,
            use=SOAPBinding.Use.LITERAL)
    public interface HelloWorld {
        @WebMethod(operationName="greet", action="urn:greet")
        @WebResult(name="greeting")
        Greeting createGreeting(@WebParam(name="person") Person per);
    }
    This is because the SEI defines the abstract description of the web service in the WSDL which is the PortType definition. Therefore no serviceName should be specified on the SEI. The implementation class defines the concrete portion of the WSDL so it will only specify the portName, serviceName and then reference the SEI via the endpointInterface element of the @WebService annotation.
    As for helping out with Eclipse I can't be of any help. You might want to give NetBeans 5.5.1 or later a try.
    Edited by: dkohlert on Sep 13, 2007 9:19 PM

  • Auditing Event Type problem

    Hi Experts,
    We are on BO 4.1 SP2 (Windows) and are using version 4.0 of the Auditing universe (UNX).
    I need to create an Audit report that lists the reports our Professional Licence Holders have created in Web Intelligence (By clicking 'New' in Webi). This is part of our attempt to make sure that people who have been given these licences are actually using them to create content for their users!
    My problem is that I don't know how to ensure that I am only listing reports that are manually created by the business user. I don't want to list reports that are created by system users or processes, such as the backup files created in a user's temporary storage folder, .../~WebIntelligence/.
    I don't know how to exclude those automatically generated ones. Can someone explain how to do it? I tried excluding the /~WebIntelligence/ folder on the OBJECT FOLDER PATH object, but it didn't work. Here is my current query below. I would also appreciate it if someone could explain what is covered in each event type. I couldn't find anything on this.
    Thanks,
    Andrew

    Hi Andrew,
    I think you must change the operator in condition with "Object Folder path"
    Instead of "Not equal to" you have to use "Not like"
    Regards,
    Carlos

  • Determining Oracle Auditing events/objects

    I am testing some software using an Oracle database and I have confirmed that auditing has been enabled (and I can find the logs ok). I have not been able to figure out what events/objects are being audited however.
    Does anyone know which table contains this information??
    Thanks,
    dirby.

    DBA_OBJ_AUDIT_OPTS lists auditing options for all objects.
    DBA_PRIVS_AUDIT_OPTS lists system privileges being audited.

  • How to audit events from RAS Unmanaged API.

    Hi, I use unmanaged RAS API to open a report. I enabled the audit and all events from CMC for the ReportApplicationServer. I can open a report successfully, but I do not see audit info under the default audit dir, which is C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\Auditing. The version I am running is Crystal Report Server 2008 V1.
    The code to open up the report using RAS unmanaged API is listed as follows. The code works. But no audit logs.
              ReportClientDocument lo_ReportClientDoc = new ReportClientDocument();
              ReportAppSession reportAppSession = new ReportAppSession();
              reportAppSession.createService("com.crystaldecisions.sdk.occa.report.application.ReportClientDocument");
              reportAppSession.setReportAppServer(servername);
              reportAppSession.initialize();
              lo_ReportClientDoc.setReportAppServer(reportAppSession.getReportAppServer());
              lo_ReportClientDoc.open(asReportName,OpenReportOptions._openAsReadOnly); //4194304
              ReportServerControl control = new ReportServerControl();
              control.setReportSource(lo_ReportClientDoc.getReportSource());
    Please help. Thank you!

    I wouldn't expect you to have anything in the auditing since you are using unmanaged ras.   Auditing is for the managed Enterprise environment.
