Audit log files user rights

Hello,
I started binary auditing on some of my servers. It works fine.
Generated files have a 600 mask and root:root group:user. This makes my backup routines sick. Backup scripts work as another user and permission denied errors arise.
How can I change the audit files' mask?
Thanks,
Osman

Although I'm not sure, I don't think you can, since audit data will always need solid protection due to the included information. The only viable option I see is to use syslog as your logging daemon.

Similar Messages

  • The format of Audit log file

    We have a perl script to extract data from Audit log files (Oracle Database 10g Release 10.2.0.1.0) which have the format shown below.
    Audit file /u03/oracle/admin/NIKKOU/adump/ora_5037.aud
    Oracle Database 10g Release 10.2.0.1.0 - Production
    ORACLE_HOME = /u01/app/oracle/product/10.2.0
    System name:     Linux
    Node name:     TOYDBSV01
    Release:     2.6.9-34.ELsmp
    Version:     #1 SMP Fri Feb 24 16:54:53 EST 2006
    Machine:     i686
    Instance name: NIKKOU
    Redo thread mounted by this instance: 1
    Oracle process number: 22
    Unix process pid: 5037, image: oracleNIKKOU@TOYDBSV01
    Sun Jul 27 03:06:34 2008
    ACTION : 'CONNECT'
    DATABASE USER: 'sys'
    PRIVILEGE : SYSDBA
    CLIENT USER: oracle
    CLIENT TERMINAL:
    STATUS: 0
    After we updated the db from Release 10.2.0.1.0 to Release 10.2.0.4.0, the format of the Audit log file changed to something like the below.
    Audit file /u03/oracle/admin/NIKKOU/adump/ora_1897.aud
    Oracle Database 10g Release 10.2.0.4.0 - Production
    ORACLE_HOME = /u01/app/oracle/product/10.2.0
    System name:     Linux
    Node name:     TOYDBSV01
    Release:     2.6.9-34.ELsmp
    Version:     #1 SMP Fri Feb 24 16:54:53 EST 2006
    Machine:     i686
    Instance name: NIKKOU
    Redo thread mounted by this instance: 1
    Oracle process number: 21
    Unix process pid: 1897, image: oracle@TOYDBSV01
    Tue Oct 14 10:30:29 2008
    LENGTH : '135'
    ACTION :[7] 'CONNECT'
    DATABASE USER:[3] 'SYS'
    PRIVILEGE :[6] 'SYSDBA'
    CLIENT USER:[0] ''
    CLIENT TERMINAL:[7] 'unknown'
    STATUS:[1] '0'
    Because we have to rewrite the perl script, could anyone tell us where we can find the manual that describes the format of the Audit log file?

    Oracle publishes views of the audit trail data. You can find a list of the views for the 11.1 database here:
    http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#BCGIICFE
    The audit trail does not really change between patchsets as that would constitute underlying structure changes and right now, the developers are not allowed to change the underlying structure of tables in patchsets. But, we can change what may be displayed in a column from patchset to patchset. For example, we are getting ready to update the comment$text field to display more information like dblinks and program names.
    I personally don't like overloading the comment$text field like that, but sometimes when you need the information, that is the only choice except to wait for the next major release :)
    As for the output of the audit log files, those can change between patchsets because of bugs that were found and some changes to support Audit Vault. My apologies out there for anyone that is reading the audit files written to the OS directly, I would recommend using the views.
    Hope that helps. Tammy

  • Bad date recorded by AccessServer in Audit Log File

    Hi all,
    I have installed OAM and configured Audit Log File for AccessServer:
    Access System Configuration >> Access Server Configuration >> and put ON "Audit to File"
    The log is recorded OK, but when comparing the date written in the log file with the OS date, there is a difference of 6 hours.
    LOG FILE
    01\/28\/2009 *00:18:07* \-0500 - AUTHZ_SUCCESS - GET - AccessServer - 192.168.3.105 - sec.biosnettcs.com\/access\/oblix\/lang\/en\-us\/msgctlg.js - cn=orcladmin\,cn=Users\,dc=biosnettcs\,dc=com - 00:18:07 - http - AccessGate - - 2
    OS date
    # date
    mar ene 27 *18:18:15 CST* 2009
    # date -u
    mié ene 28 *00:18:23 UTC* 2009
    As we can see in these lines, the audit log is recording the date in UTC, but I need this in the timezone set in the OS.
    How can I do this (print the date in the audit log file with the same timezone set in the OS)?
    Thanks in advance,
    Julio

    I am answering myself.
    There is no way to set the Date/Time format to any other than UTC for the OAM component logs.
    See note 742777.1 for in-depth information.
    Julio.

  • BOE XI 3.1 Removing Audit log files

    Hi there experts,
    we have an issue with our production BOE install (3.1 SP7) whereby we have over 39,000 audit log files awaiting processing in the BOE_HOME/auditing folder. These audit files were generated a few months back when we had an issue with the system whereby thousands of scheduled events were created, we are not sure how. The removal of these events has had a knock-on effect in that we have too many audit files to process, i.e. the system just can't process them all quickly enough.
    So my question is: can we just remove these audit files from the auditing directory with no knock-on effects, as we don't need them loading into the audit database anyway, as they are all multiples of the same event?
    As an aside, when we upgraded from SP3 to SP7 the problem went away, i.e. no new audit files for these delete events are being generated. We are still to establish how/why these audit events were created, but for the time being we just want to be able to remove them. Unfortunately, as it's a production system, we don't want to just take a chance and remove them without some advice first.
    thanks in advance
    Scott

    Is your auditing running now? Or still pending? Can you check in the Audit DB what the max(audit_timestamp) is? This will tell you when the most recent activity happened.
    Deleting the audit files will not harm your BO system. You will not be able to see auditing details for that period.
    Are the new auditing files being processed, or do you still see the files created in the auditing folder without processing?
    If the auditing file size shows 0 KB, then it means they were processed.

  • Maximum number of events per audit log file must be greater than 0.

    BOE-XI (R2)
    Windows Server 2003
    Running AUDIT features on all services.
    Report Application Server (RAS) keeps giving the following error in the Windows Application Event Log.
    Maximum number of events per audit log file must be greater than 0.  Defaulting to 500.
    I am assuming that this is because the RAS is not being used by anyone at this time - and there is nothing in the local-audit-log to be copied to the AUDIT database.
    Is there any way to suppress this error...?
    Thanks in advance for the advice!

    A couple more reboots after applying service pack 3 seemed to fix the issue.
    Also had to go to IIS and set the BusinessObjects and CrystalEnterprise11 web sites to use ASP .NET 1.1 instead of 2.

  • Any software/program that can read audit log files

    Hi,
    Currently I am searching for a program/tool that can read audit log files and format them into a readable format. Does anyone know if there is any on the market, or any open source program?
    Thank You.

    Not sure what you mean by "audit log".
    Anyway. Pete Finnigan's tools page has only one thing that might be what you're looking for - LMON, which runs on BSD, Solaris, Linux. As he's the go-to guy for Oracle security, the chances of there being a good free log analyzer tool that he hasn't heard of are slight.
    Cheers, APC

  • Oblix v7 audit log file missing

    Hi,
    I'm using oblix v7.
    I have enabled audit logs and specified the file name as: C:\audit33.txt
    But on the machine there is no such file. It is somehow missing.
    The same configuration works on another machine.
    Any idea why the audit log file is missing?
    Thanks.
    Sash.

  • Remote management audit log file

    I've read the documentation @
    http://www.novell.com/documentation/...a/ad4zt4x.html
    which indicates that the audit file is auditlog.txt and is located in the
    system directory of the managed workstation. The problem is I can't find the
    log file in that location or anywhere else on the computer. I even looked in
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent but I can't find
    anything. Any ideas? Can someone point me in the right direction.
    BTW, I'm using ZDM 6.5 SP2 for both the server and the workstations.
    Jim Webb

    Just an FYI, with ZDM 6.5 HP3 the file name changed from AuditLog.txt to
    ZRMAudit.txt still located under system32 on Windows XP.
    Jim Webb
    >>> On 5/22/2006 at 3:27 PM, in message
    <[email protected]>,
    Jim Webb<[email protected]> wrote:
    > Well I found out the ZDM 6.5 HP2 fixes the problem of the log file not
    > being
    > created.
    >
    > Jim Webb
    >
    >>>> On 5/19/2006 at 8:37 AM, in message
    > <[email protected]>,
    > Jim Webb<[email protected]> wrote:
    >> Well, it does show up in the event log but not in the inventory. If I
    >> disable inventory the log file won't be deleted, correct?
    >>
    >> Jim Webb
    >>
    >>>>> On 5/18/2006 at 10:03 AM, in message
    >> <[email protected]>, Marcus
    >> Breiden<[email protected]> wrote:
    >>> Jim Webb wrote:
    >>>
    >>>> I did a search on a machine I am remote controlling, no log file. What
    >>>> next?
    >>> good question... does the session show up in the eventlog?

  • Growing nsure audit log file in sys\etc\logcache

    I have a Netware 6.5 OES2 server that suddenly had a quickly growing file in the \sys\etc\logcache folder. The file has just recently stabilized, but I would like to shrink the file. I am aware that this is part of NSure auditing and would like to leave that running. Can the files in this directory be deleted, or how do I go about shrinking or truncating them?
    Thanks.

    That would be OES, as OES2 only exists on Linux.
    TID 10089097 seems to cover this in a general sense:
    configuring the PA on NetWare, is to configure the eDirectory, Filesystem, and Netware OS instrumentation. This is done at the NCP server object in iManager. From the eDirectory Administration task list, select Modify Object. Browse for server object. This is the NCP server object, in the tree, not the Secure Logging Server object in the Logging Services container. Click on the Nsure Audit tab. Below the tab, there will be links to the individual components, eDirectory, NetWare, and Filesystem.
    Without having it installed myself, I would expect that you could reset log files and suchlike in there.

  • Help!! HD is about to crash and I can't get files, user rights issue

    hi guys,
    ok I know my harddrive is about to go byebye it's really slow and makes this really bad noise...
    so the thing I need help with is, I can't log in to my account, it takes forever then it goes back to the start page
    I have another user set up that I can use, it's still responding very very slow but at least I could rescue some files
    BUT some of my folders are locked, is there any way to open them "as a different user"
    I'm the only one using my computer, got all the codes just don't know if there's a way...
    thanks for any help
    (oh and sorry bout my english, I'm german)

    xkimofriend,
    Welcome to the Apple Discussions!
    Do you have another Mac (your own or borrowed from a friend) to which you can connect the affected Mac in FireWire target disk mode? Or an external FireWire hard drive? It doesn't sound as if you'd be able to successfully complete backing up in the Mac's DVD-R/CD-R, if you have one. Once you have a destination to which to save your data, you can try the 'manual backup' steps in Mac OS X: How to back up and restore your files.
    Good luck!

  • Audit Log for user

    Hi,
    Is there a way we can trace the activity or the Transaction Codes accessed by a user? We want to trace on a past date (ie June transactions).
    Thank you and best regards.
    Rachelle

    Hi Rachelle,
    You probably posted on a wrong forum.  Are you using SAP Business One ? If not, please close your thread.
    Thanks,
    Gordon

  • Protection of SAP Log Files

    Does anyone know of any tools (SAP or third-party) to protect SAP log files (system logs, security audit logs, etc.) from alteration by an authorized user (e.g., someone with SAP_ALL)?  We are looking for an audit-friendly method to protect log files such that someone with SAP_ALL privileges (via Firefighter or special SAP userid (DDIC, SAP*)) can't perform actions and then cover up their tracks by deleting log entries etc.  For example, we're wondering if any tools exist that enable the automatic export of the log files to a protected area (that's inaccessible to users with SAP privileges)?  We'd certainly appreciate any advice or insight as to how to resolve this issue.
    Regards,
    Gail

    For anyone who is interested, I wanted to pass along what we did (this was in response to an audit finding):
    First, SAP_ALL access is restricted to monitored Firefighter accounts (we already had that in place).  Recognizing that users with SAP_ALL and super-user access at the UNIX level (i.e., our Basis Team) can still circumvent pretty much any measure we take (e.g., can disable alerts in CCMS, delete batch jobs, deactivate Security Audit Log filters, delete Security Audit Log files, etc.), at least the actions would be captured via FF  (although they could disable that as well) or other utilities at the UNIX level.  And the more things the person has to disable/deactivate, the more likely it becomes that someone would notice that something was amiss. 
    Our company was already using SPLUNK to capture logs from other (non-SAP) systems so we decided to leverage that to capture and retain certain SAP Security Audit Log entries. We created a batch job on SAP that runs a custom program at 5 minute intervals to extract records from the Security Audit Log files into a UNIX file (the program includes some logic that uses timestamps in the UNIX file to determine which records to extract). The UNIX file is monitored by the UNIX tail -f command which is spawned by a Perl script. The output from the tail -f command is then piped to a file on a central syslog server via the logger command in the script. Finally, a SPLUNK process, which monitors syslog entries, extracts the information into SPLUNK real-time.
    This process is not bulletproof as our Basis Team (with SU privileges at the UNIX level) could disable the Perl script or delete/change entries within the UNIX file. All we can really do is make it difficult for them to cover their tracks…
    Gail

  • What is in the PostgreSQL_Server_Services.log File and How do I Shrink it?

    I know OS X Server uses PostgreSQL now instead of MySQL which is fine by me. I am trying to figure out what is in the PostgreSQL_Server_Services.log file in Library/Logs/PostgreSQL/ . It is about 188 GB right now and ideally instead of relocating it along with other services to another drive from the nice 256GB SSD that is in the system I would like to understand what is in the database and how to manage its size better.
    Any pointers for best practice on managing the database or what the heck is in it?
    Thanks!

    Thanks for the response. I mistyped in the question as I understood it was a log file. The DB itself is only about 1-2GB. As for reviewing I am fine with modifying the permissions and examining the file in the console or other app but I am most interested in how to manage it safely. Can I just clear the log contents? If so what is the safe way to do so? I know with many DBs the log file is critical to its function and if things happen to the log file it can render the DB unusable. In addition what is the best way to modify the rotation routine it uses and set the logging level? (I have pasted the .plist contents for Postgresql for Server Services below)
    I have also downloaded and installed pgAdmin but have not gone through the steps of connecting it to the DB and log file (users setup etc.)
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>ProgramArguments</key>
        <array>
            <string>-D</string>
            <string>/Library/Server/PostgreSQL For Server Services/Data</string>
            <string>-c</string>
            <string>unix_socket_directory=/Library/Server/PostgreSQL For Server Services/Socket</string>
            <string>-c</string>
            <string>logging_collector=on</string>
            <string>-c</string>
            <string>log_connections=on</string>
            <string>-c</string>
            <string>log_lock_waits=on</string>
            <string>-c</string>
            <string>log_statement=ddl</string>
            <string>-c</string>
            <string>log_line_prefix=%t </string>
            <string>-c</string>
            <string>listen_addresses=</string>
            <string>-c</string>
            <string>log_directory=/Library/Logs/PostgreSQL</string>
            <string>-c</string>
            <string>log_filename=PostgreSQL_Server_Services.log</string>
            <string>-c</string>
            <string>unix_socket_group=_postgres</string>
            <string>-c</string>
            <string>unix_socket_permissions=0770</string>
        </array>
    </dict>
    </plist>

  • How do you get rsync to output a log file - don't understand the MAN pages sorry

    Hi There,
    Just trying to backup our web hosting server using rsync but can't figure out how to add a log file.
    The MAN pages say to use the following syntax:
    rsync -av --rsync-path="rsync --log-file=/tmp/rlog" src/ dest/
    But when I add that log command into my call like this:
    rsync -avz -e --rsync-path="rsync --log-file=/Users/username/rsync.log" ssh user@server:/home/ /Volumes/ServerVolume/webserver-backups/LIVE/home/
    I get errors and the command won't run - obviously my syntax is wrong somehow.
    Does anyone know how to add a log file to an rsync command?
    Any help would be much appreciated.

    If that second example is your specific entry then the answer is obvious.
    You need to more closely follow your quotes. All quotes have to be balanced (meaning that whenever you open a set of quotes there needs to be a matching close quote).
    In your case you state:
    rsync -avz -e --rsync-path="rsync --log-file=/Users/username/rsync.log"
    Note how your quotes are arranged... you're telling rsync that --rsync-path is "rsync --log-file=/Users/username/rsync.log", and there's no surprise that it fails.
    The correct format for this would be more like:
    rsync -avz -e --rsync-path="rsync" --log-file="/Users/username/rsync.log"
    (although I also question the validity of the --rsync-path command... are you sure that's right? because I'm not.)
    Beyond that, though, the file arguments are incorrect - or, at least, there's a superfluous 'ssh' command that's snuck its way in there somehow...

  • How can I audit specific file??

    I have some important files used by more than one user and I want to audit only these files (removing or renaming events ...).
    Can anybody tell me how to do it on Solaris 8?

    As you know, auditing is usually done on a system basis which is selected when the Basic Security Model (BSM) is initialized (example: /etc/security/bsmconv /). In your case, the solution may be to modify the audit_user files to track the users who may be accessing the files in question. Still, this will not give you exactly the behavior that you want. You could always post-process the audit.log files a priori.
