Audit Log Management

I cannot get my Audit Log Management job to run. It fails because "Invalid audit archive path. Please check your setting." Where do I check the setting? I am running 5.0.3 with Collab 4.0. Thanks.

Just an FYI, with ZDM 6.5 HP3 the file name changed from AuditLog.txt to
ZRMAudit.txt still located under system32 on Windows XP.
Jim Webb
>>> On 5/22/2006 at 3:27 PM, in message
<[email protected]>,
Jim Webb<[email protected]> wrote:
> Well I found out the ZDM 6.5 HP2 fixes the problem of the log file not
> being
> created.
>
> Jim Webb
>
>>>> On 5/19/2006 at 8:37 AM, in message
> <[email protected]>,
> Jim Webb<[email protected]> wrote:
>> Well, it does show up in the event log but not in the inventory. If I
>> disable inventory the log file won't be deleted, correct?
>>
>> Jim Webb
>>
>>>>> On 5/18/2006 at 10:03 AM, in message
>> <[email protected]>, Marcus
>> Breiden<[email protected]> wrote:
>>> Jim Webb wrote:
>>>
>>>> I did a search on a machine I am remote controlling, no log file. What
>>>> next?
>>> good question... does the session show up in the eventlog?

Similar Messages

Audit Log Fails Access Denied

Hi all,
We just recently installed SP1 for AQ6.0 and it has helped out alot. Fixed alot of our small issues, but seems to have brougt up a new one. Our Audit Log Management job is now failing every run. It is getting an Access denied error. Actually the error line is JobShell: Exception occurred when processing operation operation 0:103: \\ntapmd01\Plumtree5\PtAudit\audit 9-8-06 2.log (Access is denied). Running verbose dosen't help. I see that the job is running as owner Administrator and I am trying to copy the audit log to a shared network location, but this worked before. Nothing changed except for installing the SP. Any ideas?
Berney

First off, it seems like installing the patch reset the user account that ran the plumtree automation service. All I had to do was change the user who runs the automation service and that fixed it.
As far as service patch 1 goes we had alot of issues when we went to 6.0 with remote users opening documents. SSO redirect kept sending them back to the home page. We had issues with the Intrinsic Community Links portlet, protected excel files, along with some others I can't think of right now. Everything looked fine from the admin point of view, but users were going crazy. All of that went away with the service patch.
Thanks,
Berney

Security Audit Log SM19 and Log Management external tool

Hi all,
we are connecting a SAP ECC system with a third part product for log management.
Our SAP system is composed by many application servers.
We have connected the external tool with the SAP central system.
The external product gathers data from SAP Security Audit Log (SM19/SM20).
The problem is that we see, in the external tool, only the data available in the central system.
The mandatory parameters have been activated and the system has been restarted.
The strategy of SAP Security Audit Log is to create many audit log file for each application server. Probably, only when SM20 is started, all audit files from all application servers are read and collected.
In our scenario, we do not use SM20 since we want read the collected data in the external tool.
Is there a job to be scheduled (or something else) in order to have all Security Audit Log available (from all application servers) in the central instance ?
Thanks in advance.
Andrea Cavalleri

I am always amazed at these questions...
For one, SAP provides an example report ( RSAU_READ_AUDITLOG_EXTERNAL ) to use BAPIs for alerts from the audit log yet 3rd party solutions seem to be alergic to using APIs for some reason.
However, mainly I do not understand why people don't use the CCMS (tcode RZ20) security templates and monitor the log centrally from SolMan. You can do a million cool things in SolMan... but no...
Cheers,
Julius

Monitoring audit logs from solution manager

Hi All,
Is it possible to moniotor the audit logs of other systems from Solution manager system..?
If it can be done,please throw some light on that ..thanks

Can you please put some more info to the kind of monitoring you are looking for?. Is it on Security Audit log oor general Application Audit log?.
Regards,
Jagan

SharePoint 2013 audit log unexpected error

In one of my SharePoint 2013 site collection, when i try to save a audit log, i get unexpected error. It worked fine before last week and no any special setting has been applied before the issue appeared. The issue doesn't appear in other site collection.
i have tried to reproduce the issue with farm admin account and site collection admin, no success for all these accounts. However, i can see access denied error in the ULS log although i think the permission is not the problem. You may check the ULS log below.
06/19/2014 10:48:09.41 w3wp.exe (0x77C0)
0x2918 0xC33B005
2jtj Assert
ShipAssert location: (0) condition: StackTrace: at onetnative.dll: (sig=7b7c0170-6822-4da2-8b1b-70510b777a4a|2|onetnative.pdb, offset=12700) at onetnative.dll: (offset=125F1)
ea429c9c-4288-00dd-4f6f-d2bb079f3d44
06/19/2014 10:48:09.41 w3wp.exe (0x77C0)
0x2918 SharePoint Foundation
Unified Logging Service c91s
Monitorable Watson bucket parameters: Microsoft SharePoint Foundation 4, ULSShipAssert12, 2jtj, 15.0.4481.0
ea429c9c-4288-00dd-4f6f-d2bb079f3d44
06/19/2014 10:48:09.41 w3wp.exe (0x77C0)
0x2918 0xEB2D00B
2jtk High
Metro library failure (0x80070005): ea429c9c-4288-00dd-4f6f-d2bb079f3d44
06/19/2014 10:48:09.41 w3wp.exe (0x77C0)
0x2918 0xEB2D00B
2jtq High
Metro library failure (0x80070005): ea429c9c-4288-00dd-4f6f-d2bb079f3d44
06/19/2014 10:48:09.41 w3wp.exe (0x77C0)
0x2918 0xEB2D005
2jx8 High
Metro library failure (0x80070005): ea429c9c-4288-00dd-4f6f-d2bb079f3d44
06/19/2014 10:48:09.41 w3wp.exe (0x77C0)
0x2918 0xEB2D005
5s03 High
Metro library failure (0x80070005): ea429c9c-4288-00dd-4f6f-d2bb079f3d44
06/19/2014 10:48:09.41 w3wp.exe (0x77C0)
0x2918 0xEB2D005
5s02 High
Metro library failure (0x80070005): ea429c9c-4288-00dd-4f6f-d2bb079f3d44
06/19/2014 10:48:09.41 w3wp.exe (0x77C0)
0x2918 0xEB2D005
2jw0 High
Metro library failure (0x80070005): ea429c9c-4288-00dd-4f6f-d2bb079f3d44
06/19/2014 10:48:09.43 w3wp.exe (0x77C0)
0x2918 SharePoint Foundation
Database ahjqp
High [Forced due to logging gap, cached @ 06/19/2014 10:48:07.68, Original Level: Verbose] SQL connection time: 0.064296296654057
ea429c9c-4288-00dd-4f6f-d2bb079f3d44
06/19/2014 10:48:09.43 w3wp.exe (0x77C0)
0x2918 SharePoint Foundation
General 8nca
Medium Application error when access /_layouts/15/CustomizeReport.aspx, Error=拒绝访问。 (异常来自 HRESULT:0x80030005 (STG_E_ACCESSDENIED)) 在 System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32
errorCode, IntPtr errorInfo) 在 Microsoft.Office.Server.OpenXml.Internal.ByteStream.Write(Byte[] rgb, Int32 offset, Int32 cb) 在 System.IO.BufferedStream.FlushWrite() 在 System.IO.StreamWriter.Dispose(Boolean disposing)
在 System.IO.StreamWriter.Close() 在 System.Xml.XmlTextWriter.Close() 在 Microsoft.Office.RecordsManagement.Reporting.AuditReportGenerator.Dispose() 在 Microsoft.Office.RecordsManagement.Reporting.ReportData.Dispose()
在 Microsoft.Office.RecordsManagement.Reporting.ReportBase.AggregateReports(Hashtable query, SPFolder folder, ReportNameGenerator reportNameGenerator) 在 Microsoft.Office.RecordsManagement.Reporting.ApplicationPages.CustomizeReport.OKBtn_Click(Object
sender, EventArgs e) 在 System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) 在 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
ea429c9c-4288-00dd-4f6f-d2bb079f3d44
06/19/2014 10:48:09.44 w3wp.exe (0x77C0)
0x2918 SharePoint Foundation
Runtime tkau
Unexpected System.Runtime.InteropServices.COMException: 拒绝访问。 (异常来自 HRESULT:0x80030005 (STG_E_ACCESSDENIED)) 在 System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr
errorInfo) 在 Microsoft.Office.Server.OpenXml.Internal.ByteStream.Write(Byte[] rgb, Int32 offset, Int32 cb) 在 System.IO.BufferedStream.FlushWrite() 在 System.IO.StreamWriter.Dispose(Boolean disposing) 在
System.IO.StreamWriter.Close() 在 System.Xml.XmlTextWriter.Close() 在 Microsoft.Office.RecordsManagement.Reporting.AuditReportGenerator.Dispose() 在 Microsoft.Office.RecordsManagement.Reporting.ReportData.Dispose()
在 Microsoft.Office.RecordsManagement.Reporting.ReportBase.AggregateReports(Hashtable query, SPFolder folder, ReportNameGenerator reportNameGenerator) 在 Microsoft.Office.RecordsManagement.Reporting.ApplicationPages.CustomizeReport.OKBtn_Click(Object
sender, EventArgs e) 在 System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) 在 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
ea429c9c-4288-00dd-4f6f-d2bb079f3d44
06/19/2014 10:48:09.44 w3wp.exe (0x77C0)
0x2918 SharePoint Foundation
General ajlz0
High Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): 引发类型为“System.Web.HttpUnhandledException”的异常。 ---> System.Runtime.InteropServices.COMException (0x80030005): 拒绝访问。 (异常来自 HRESULT:0x80030005
(STG_E_ACCESSDENIED)) 在 System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo) 在 Microsoft.Office.Server.OpenXml.Internal.ByteStream.Write(Byte[] rgb, Int32 offset, Int32 cb)
在 System.IO.BufferedStream.FlushWrite() 在 System.IO.StreamWriter.Dispose(Boolean disposing) 在 System.IO.StreamWriter.Close() 在 System.Xml.XmlTextWriter.Close() 在 Microsoft.Office.RecordsManagement.Reporting.AuditReportGenerator.Dispose()
在 Microsoft.Office.RecordsManagement.Reporting.ReportData.Dispose() 在 Microsoft.Office.RecordsManagement.Reporting.ReportBase.AggregateReports(Hashtable query, SPFolder folder, ReportNameGenerator reportNameGenerator)
在 Microsoft.Office.RecordsManagement.Reporting.ApplicationPages.CustomizeReport.OKBtn_Click(Object sender, EventArgs e) 在 System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) 在 System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) 在 System.Web.UI.Page.HandleError(Exception e) 在 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
在 System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) 在 System.Web.UI.Page.ProcessRequest() 在 System.Web.UI.Page.ProcessRequest(HttpContext context)
在 System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() 在 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
ea429c9c-4288-00dd-4f6f-d2bb079f3d44

i have added the account to the local admin group of SQL Server and SharePoint Server. the issue remains. it is the system admin of the SQL server.
Logging Correlation Data
Medium
Name=Request (POST:https://xxx/_layouts/15/CustomizeReport.aspx?ReportId=df9e0f20-f356-4115-9286-ac6eecbc03ce&Category=Auditing)
Authentication Authorization
Medium
Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|tlw\farmadmin, ClaimsCount=28
Logging Correlation Data
Medium
Site=/
Information Rights Management
Medium
Information Rights Management (IRM): Requesting user is System account.
Files
High
UserAgent not available, file operations may not be optimized.    在 Microsoft.SharePoint.SPFileStreamManager.CreateCobaltStreamContainer(SPFileStreamStore spfs, ILockBytes ilb, Boolean copyOnFirstWrite, Boolean
disposeIlb)     在 Microsoft.SharePoint.SPFileStreamManager.SetInputLockBytes(SPFileInfo& fileInfo, SqlSession session, PrefetchResult prefetchResult)     在 Microsoft.SharePoint.CoordinatedStreamBuffer.SPCoordinatedStreamBufferFactory.CreateFromDocumentRowset(Guid
databaseId, SqlSession session, SPFileStreamManager spfstm, Object[] metadataRow, SPRowset contentRowset, SPDocumentBindRequest& dbreq, SPDocumentBindResults& dbres)     在 Microsoft.SharePoint.SPSqlClient.GetDocumentContentRow(Int32
rowOrd, Object ospFileStmMgr, SPDocumentBindRequest& dbreq, SPDocumentBindResults& dbres)     在 Microsoft.SharePoint.Library.SPRequestInternalClass.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet,
String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages, Boolean& pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean&
pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String& pbstrTimeLastModified, String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String&
pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64& pllListFlags, Boolean& pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies,
Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder, Guid& pgDocScopeId)     在 Microsoft.SharePoint.Library.SPRequestInternalClass.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte
bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages, Boolean& pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument,
Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String& pbstrTimeLastModified, String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object&
pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64& pllListFlags, Boolean& pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object&
pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder, Guid& pgDocScopeId)     在 Microsoft.SharePoint.Library.SPRequest.GetFileAndMetaInfo(String
bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages, Boolean& pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean&
pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String& pbstrTimeLastModified, String& pbstrContent, UInt32& pdwPartCount, Object&
pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64& pllListFlags, Boolean& pbAccessDenied, Guid& pgDocid, Byte& piLevel,
UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder, Guid& pgDocScopeId)     在 Microsoft.SharePoint.SPWeb.GetWebPartPageContent(Uri
pageUrl, Int32 pageVersion, PageView requestedView, HttpContext context, Boolean forRender, Boolean includeHidden, Boolean mainFileRequest, Boolean fetchDependencyInformation, Boolean& ghostedPage, String& siteRoot, Guid& siteId, Int64& bytes,
Guid& docId, UInt32& docVersion, String& timeLastModified, Byte& level, Object& buildDependencySetData, UInt32& dependencyCount, Object& buildDependencies, SPWebPartCollectionInitialState& initialState, Object& oMultipleMeetingDoclibRootFolders,
String& redirectUrl, Boolean& ObjectIsList, Guid& listId)     在 Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData.FetchWebPartPageInformationForInit(HttpContext context, SPWeb spweb, Boolean mainFileRequest, String
path, Boolean impersonate, Boolean& isAppWeb, Boolean& fGhostedPage, Guid& docId, UInt32& docVersion, String& timeLastModified, SPFileLevel& spLevel, String& masterPageUrl, String& customMasterPageUrl, String& webUrl, String&
siteUrl, Guid& siteId, Object& buildDependencySetData, SPWebPartCollectionInitialState& initialState, String& siteRoot, String& redirectUrl, Object& oMultipleMeetingDoclibRootFolders, Boolean& objectIsList, Guid& listId, Int64&
bytes)     在 Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData.GetWebPartPageData(HttpContext context, String path, Boolean throwIfFileNotFound)     在 Microsoft.SharePoint.ApplicationRuntime.SPVirtualPathProvider.GetCacheKey(String
virtualPath)     在 System.Web.Compilation.BuildManager.GetVPathBuildResultFromCacheInternal(VirtualPath virtualPath, Boolean ensureIsUpToDate)     在 System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath
virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)     在 System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath
virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)     在 System.Web.Compilation.BuildManager.GetVPathBuildResult(HttpContext context, VirtualPath virtualPath,
Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean ensureIsUpToDate)     在 System.Web.UI.MasterPage.CreateMaster(TemplateControl owner, HttpContext context, VirtualPath masterPageFile, IDictionary contentTemplateCollection)
在 System.Web.UI.Page.ApplyMasterPage()     在 System.Web.UI.Page.PerformPreInit()     在 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
在 System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)     在 System.Web.UI.Page.ProcessRequest()     在 System.Web.UI.Page.ProcessRequest(HttpContext context)
在 System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()     在 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)     在 System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception
error)     在 System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)     在 System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
在 System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)     在 System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer,
IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)     在 System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)     在 System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr
pHandler, RequestNotificationStatus& notificationStatus)     在 System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
在 System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
Files
Medium
Spent 0 ms to bind 29783 byte file stream
Monitoring
High
Leaving Monitored Scope (GetFileAndMetaInfo). 执行时间=17.6751425083646
Monitoring
High
Leaving Monitored Scope (GetWebPartPageContent). 执行时间=17.8435806939653
OpenXml
Medium
OfficePackageLibrary::OpenPackage(app=3, path=C:\Users\FarmAdmin\AppData\Local\Temp\tmpBFE2.tmp, fcm=3)
Database
High
[Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
Database
High
[Forced due to logging gap, cached @ 06/20/2014 14:36:33.08, Original Level: Verbose] SQL connection time: 0.0727483919888626
Database
High
[Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
Database
High
[Forced due to logging gap, cached @ 06/20/2014 14:36:35.00, Original Level: Verbose] SQL connection time: 0.07969118458531
Database
High
[Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
0xC33B005
Assert
ShipAssert location: (0) condition:   StackTrace: at onetnative.dll: (sig=7b7c0170-6822-4da2-8b1b-70510b777a4a|2|onetnative.pdb, offset=12700) at onetnative.dll: (offset=125F1)
Unified Logging Service
Monitorable
Watson bucket parameters: Microsoft SharePoint Foundation 4, ULSShipAssert12, 2jtj, 15.0.4481.0
0xEB2D00B
High
Metro library failure (0x80070005):
0xEB2D00B
High
Metro library failure (0x80070005):
0xEB2D005
High
Metro library failure (0x80070005):
0xEB2D005
High
Metro library failure (0x80070005):
0xEB2D005
High
Metro library failure (0x80070005):
0xEB2D005
High
Metro library failure (0x80070005):
0xC33B005
Assert
ShipAssert location: (0) condition:   StackTrace: at onetnative.dll: (sig=7b7c0170-6822-4da2-8b1b-70510b777a4a|2|onetnative.pdb, offset=12700) at onetnative.dll: (offset=125F1)
Unified Logging Service
Monitorable
Watson bucket parameters: Microsoft SharePoint Foundation 4, ULSShipAssert12, 2jtj, 15.0.4481.0
0xEB2D00B
High
Metro library failure (0x80070005):
0xEB2D00B
High
Metro library failure (0x80070005):
0xEB2D005
High
Metro library failure (0x80070005):
0xEB2D005
High
Metro library failure (0x80070005):
0xEB2D005
High
Metro library failure (0x80070005):
0xEB2D005
High
Metro library failure (0x80070005):
Database
High
[Forced due to logging gap, cached @ 06/20/2014 14:36:36.86, Original Level: Verbose] SQL connection time: 0.0706353681551612
General
Medium
Application error when access /_layouts/15/CustomizeReport.aspx, Error=拒绝访问。 (异常来自 HRESULT:0x80030005 (STG_E_ACCESSDENIED))   在 System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode,
IntPtr errorInfo)     在 Microsoft.Office.Server.OpenXml.Internal.ByteStream.Write(Byte[] rgb, Int32 offset, Int32 cb)     在 System.IO.BufferedStream.FlushWrite()     在 System.IO.StreamWriter.Dispose(Boolean
disposing)     在 System.IO.StreamWriter.Close()     在 System.Xml.XmlTextWriter.Close()     在 Microsoft.Office.RecordsManagement.Reporting.AuditReportGenerator.Dispose()     在 Microsoft.Office.RecordsManagement.Reporting.ReportData.Dispose()
在 Microsoft.Office.RecordsManagement.Reporting.ReportBase.AggregateReports(Hashtable query, SPFolder folder, ReportNameGenerator reportNameGenerator)     在 Microsoft.Office.RecordsManagement.Reporting.ApplicationPages.CustomizeReport.OKBtn_Click(Object
sender, EventArgs e)     在 System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)     在 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Runtime
Unexpected
System.Runtime.InteropServices.COMException: 拒绝访问。 (异常来自 HRESULT:0x80030005 (STG_E_ACCESSDENIED))    在 System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
在 Microsoft.Office.Server.OpenXml.Internal.ByteStream.Write(Byte[] rgb, Int32 offset, Int32 cb)     在 System.IO.BufferedStream.FlushWrite()     在 System.IO.StreamWriter.Dispose(Boolean disposing)
在 System.IO.StreamWriter.Close()     在 System.Xml.XmlTextWriter.Close()     在 Microsoft.Office.RecordsManagement.Reporting.AuditReportGenerator.Dispose()     在 Microsoft.Office.RecordsManagement.Reporting.ReportData.Dispose()
在 Microsoft.Office.RecordsManagement.Reporting.ReportBase.AggregateReports(Hashtable query, SPFolder folder, ReportNameGenerator reportNameGenerator)     在 Microsoft.Office.RecordsManagement.Reporting.ApplicationPages.CustomizeReport.OKBtn_Click(Object
sender, EventArgs e)     在 System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)     在 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
General
High
Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): 引发类型为“System.Web.HttpUnhandledException”的异常。 ---> System.Runtime.InteropServices.COMException (0x80030005): 拒绝访问。 (异常来自 HRESULT:0x80030005
(STG_E_ACCESSDENIED))     在 System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)     在 Microsoft.Office.Server.OpenXml.Internal.ByteStream.Write(Byte[] rgb, Int32 offset,
Int32 cb)     在 System.IO.BufferedStream.FlushWrite()     在 System.IO.StreamWriter.Dispose(Boolean disposing)     在 System.IO.StreamWriter.Close()     在 System.Xml.XmlTextWriter.Close()
在 Microsoft.Office.RecordsManagement.Reporting.AuditReportGenerator.Dispose()     在 Microsoft.Office.RecordsManagement.Reporting.ReportData.Dispose()     在 Microsoft.Office.RecordsManagement.Reporting.ReportBase.AggregateReports(Hashtable
query, SPFolder folder, ReportNameGenerator reportNameGenerator)     在 Microsoft.Office.RecordsManagement.Reporting.ApplicationPages.CustomizeReport.OKBtn_Click(Object sender, EventArgs e)     在 System.Web.UI.WebControls.Button.RaisePostBackEvent(String
eventArgument)     在 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)     在 System.Web.UI.Page.HandleError(Exception e)     在 System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)     在 System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)     在 System.Web.UI.Page.ProcessRequest()
在 System.Web.UI.Page.ProcessRequest(HttpContext context)     在 System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()     在 System.Web.HttpApplication.ExecuteStep(IExecutionStep
step, Boolean& completedSynchronously)

Not able to generate "Audit Log Tampering report"

Hi,
I am not able to generate the Audit Log tampering report in version 8.0 of Sun Identity Manager. I am encountering the following message when I am trying to generate the report.
"Tamper-resistant logging is disabled. Unable to verify the integrity of the audit logs." I did not find any option to set the tamper-resistant logging feature in version 8.0 of Sun Idm.
In version 6 there is an option to set the tamper resistant audit log box by "Enabling tamper-resistant audit logs box" ( Please refer: http://docs.sun.com/source/819-4483/auditing.html)
The generated report (in version 6) did not show any data inspite of me deleting a row in the audit log.
I hope you can help me with this problem. Thanks in advance
Regards,
Sharon

1) It shouldnt matter, but try
destype=file (FILE small case)
2) In builder, in property pallette see if you have given any "initial value" for these parameters (especially desname, destype etc) ?
3) Do not give "batch=yes" in command line and try
Thanks
Ratheesh

An error occurred while trying to access the audit log

Hi I have run Set-Mailbox ian.shapton -AuditOwner Update, Move, MoveToDeletedItems, SoftDelete, HardDelete
I then created and deleted an email and ran Search-MailboxAuditLog -Identity "ian shapton" -LogonTypes Owner -StartDate "12/21/2014 12:00" -EndDate "12/21/2014 13:00" -ShowDetails
I see An error occurred while trying to access the audit log. For more details, see the inner exception.
+ CategoryInfo : NotSpecified: (:) [Search-MailboxAuditLog], AuditLogException
+ FullyQualifiedErrorId : [Server=Mailbox01,RequestId=07f17915-f25d-4fd5-b23e-f07a2482f4a4,TimeStamp=21/12/2014 16:45:39] [FailureCategory=Cmdlet-AuditLogException] 255D6156,Microsoft.Exchange.Management.SystemConfigurationTasks.SearchMailboxAuditLog
MSExchange CmdletLogs shows Microsoft.Exchange.Data.ApplicationLogic.AuditLogServiceException: The Exchange Web Service returned an error while trying to access the audit log. Reason: 'Error','ErrorTimeoutExpired','The search operation could
not be completed within the allotted time limit. Please try to narrow down your scope to reduce the result set.'.
I am a Recipient Admin and Org Admin and can search other mailboxes using -LogonTypes Delegate
Any idea what I am missing here?
shapi

Hi,
I have the same problem when I run the Search-MailboxAuditLog command. It has been working for 2 weeks but suddenly after moving databases from one datacenter to another and back again it stopped working. The account running the command
is in all necessary roles needed.
This is what I have tested after it stopped working:
- Search-MailboxAuditLog -Identity "xxxxxxx" -LogonTypes Delegate -StartDate (Get-Date).Adddays(-1) = Works
- Search-MailboxAuditLog -Identity "xxxxxxx" -LogonTypes Delegate -StartDate (Get-Date).Adddays(-1) -showdetails = does not work and comes with an error.
"The Exchange Web Service returned an error while trying to access the audit log. Reason: 'Error','ErrorTimeoutExpired',
'The search operation could not be completed within the allotted time limit.
Please try to narrow down your scope to reduce the result set.'."
This is very bad for us because we use a lot of shared mailboxes with delegates and want to report delegate action on these mailboxes.
Environment:
- 3 datacenters
- Exchange 2013 CU7
Thorir
thorir

Ms-exchange 2013 audit logs retrieving in csv format not working?

I need help regarding pulling specific information from exchange 2013. The information pertains to mail-exchange audit logs. The exchange in my environment is ms-exchange 2013. Steps performed so far are:-
**step#1**
Create test Environment on Exchange Server 2010 and Active Directory:
Two Mailboxes for testing (with dummy email messages) (i.e., test-mailbox-1, test-mailbox-2)
Two Active Directory Accounts for testing (testAcct01, testAcct02)
Assign Permission to Test Mailboxes: Owner of Email Box test-mailbox-1: testAcct01, Owner of Email Box test-mailbox-2: testAcct02
**step 2**
Enable Mailbox Auditing on the test-mailbox-1:
Use EMS to enable mailbox auditing on mailbox: test-mailbox-1
Commands:
o Set-Mailbox -Identity "test-mailbox-1" -AuditDelegate Copy,Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
o Set-Mailbox -Identity "test-mailbox-1" -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
Note: You must have permission for Organization Management and Record Management if you want to enable mailbox auditing.
**step#3**
Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
 Use EMS to verify the settings of mailbox auditing
Command:
o Get-Mailbox "test-mailbox-1" | Format-List *audit*
**step#4**
Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
Use EMS to verify the settings of mailbox auditing
Command:
o Get-Mailbox "test-mailbox-1" | Format-List *audit*
**step#5**
Perform test activities on mailbox “test-mailbox-1” using account id: testAcct02
For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc.
**step#6**
Perform test activities on mailbox “test-mailbox-1” using “Administrator” Account.
For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc.
**step#7**
Use EMS Cmdlet to retrieve Mailbox audit logs for mailbox “test-mailbox-1”
Command:
o Search-MailboxAuditLog -Identity test-mailbox-1 -LogonTypes Admin,Delegate –ShowDetails -StartDate mm/dd/2014 -EndDate mm/dd/2014 | Export-Csv “c:\test-Audit-Results.csv”
o New-MailboxAuditLogSearch "Admin and Delegate Access" -Mailboxes " test-mailbox-1" -LogonTypes Admin,Delegate -StartDate mm/dd/2014 -EndDate mm/dd/2014 -StatusMailRecipients [email protected]
I'm unable to go past step#7, as I see nothing in csv file. I don't know why is this? any help.

Hi,
I will perform these steps in my lab and paste the result.
Beg your patient waiting.
Thanks
Mavis
Mavis Huang
TechNet Community Support

URM Disposition Approval Error - Audit log

Hi there,
We have a URM environment installed and configured.
When attempting to approve a disposition action on an item in a retention schedule, the following error message appears:
"Unable to update DispositionsHistory table. Failed to check in audit log. Please reference '/appl/ucm/ContentServer/data/recordsManagement/log/##########.htm' audit log. You must save default metadata for checked in audit entries."
What is it here that we need to adjust in order to complete the approval?

Hello
You have to give your audit trail default metadatas. Under Administration-Configure Records Management-Audit-CheckedIn_Audit Entries you can find the Link for "Default Metadata for Checked-in Audit Entries".
Regards

Audit log level

Hello there,
When i update an attribute to be multi-value in the schema section of DSCC, i want to see update in audit log. Now with default audit log level, i can see only the following but it does not show what attribute and what value is being modified. Is there audit log level i should set to ?
dn: cn=schema
changetype: modify
replace: modifiersname
modifiersname: cn=admin,cn=administrators,cn=dscc

Hi,
You hit defect 6997464 due to the fact in-memory schema entry is managed differently from the other entries.
Please contact your local Oracle support representative to get a relief if needed.
Regards
Sylvain

Departname in audit log report

Hi,
I am getting user data of viewing the pages within the site from audit log reports.
But our customer is expecting to see the department name of the user that he belongs to.
I dont see this value in the report.
So please let me know to get the department name of the user.
Regards,
Sudheer
Thanks & Regards, Sudheer

Hi,
Use custom code
http://sharepoint.stackexchange.com/questions/62929/get-current-users-department-name-and-manager-from-active-directory
http://sharepoint.stackexchange.com/questions/89703/getting-user-job-title-from-a-sharepoint-list-through-active-directory
Use designer workflows
http://www.sharepointanalysthq.com/2011/04/user-profile-data-in-sharepoint-designer-workflows/
Please remember to click 'Mark as Answer' on the answer if it helps you

DBA Opinion on Audit Logs in Oracle Database

As the title suggests - what are your initial reaction when your auditors come to you and say "why arent audit logs turned on table a, b, c, d.....z, a1 etc".
Scenario - say the auditor is interested in audit logs and settings as the Database houses PII and bank account data....
The common response from the DBA from what I have seen is "do you realise how much this will cost and what impact it will have on performance" (waving your fists).
So please tell me as a profressional Oracle DBA:
What financial (broke down in detail if poss) considerations need to be made when deploying an audit policy to a database housign sensitive data.
What technical (broke down in detail if poss) considerations need to be made when deploying an audit policy to a database housign sensitive data.
I look forward to your replies.

Many, many things to consider.
It will be generally not practical to audit everything down to excruciating detail (as usually requested by well-meaning but technically challenged auditors) without causing significant overhead. Having said that it will be equally irresponsible not to setup auditing on a database that will be used for production. So every DBA needs to find a happy medium that is acceptable to the management, users, auditors, plus compliance with industry/state/federal regulations, etc.
If you wish to use Fine-grained Auditing (FGA), it requires an Enterprise Edition license.
If you need a crash course, Rampant publishes a book that addresses Oracle Auditing:
Oracle Privacy Security Auditing

Regd. Security Audit log

Hi,
We have a requirement from business to activate Security audit log for all Business users. We have around 160 Business users but in SM19 I am able to set filters for only 10 users maximum.
Also I tried creating 16 profiles and maintained 10 users each but still I was able to activate only one profile at a time.
If I put * in the user tab then system starts logging for all users including our ESS users. But we don't want to log for ESS users as there are 1000+ ESS users which will affect the growth of the security log as well the performance.
Please suggest is there any way to enable security log only for around 160 users using SM19.
Regards,
Nalla.

> Thanks for the update. But rsau/user_selection will not help us because our user ids are similar to our employee ids and we cant use wild card option like RFC* or ESS*.
I thought it worth mentioning, to consider for next time...
> Also in detailed selection option in SM19, i tried removing the RFC related options but still when our ESS users login, it is getting logged.
Possibly it is logging the RFC call and not the RFC authentication. Try the other way around and filter out the successfull logins in SM20N.
> Is there any way we can restrict using user group or licensing type?
No, not to my knowledge.
> Will it be a minor development if I ask our ABAPER to create a Z Tcode similar to SU19 by including user group or is there any user exit which can help us to put restriciton on user group wise.
You can make the screen program glow in the dark in a Z-tcode, but the location where the log is written is not accessible to you and that is where the music is.
The best option is to set a carefully chosen and tested filter in SM19 which covers your requirement without stopping the log, and then use SM20N to filter a subset of that.
You can also define the selection methods and reaction methods in transaction RZ21 and then activate them in a monitoring template in RZ20. This way you are faster and will only see what you want.
You can also do the same in Solution Manager for the managed systems and have a central monitoring and reaction from there. Then you are on the right track in my opinion.
Cheers,
Julius

DSEE 6.3.1 audit logging of binary data such as usercertificates

I've noticed on some of my DSEE 6.3.1 boxes that the audit logs do not include the entire value for attributes such as usercertificate and certificaterevocationlist. Instead there is just the first line of the attribute value. Is this normal and does it depend upon whether the attribute was set thru replication or directly to the server instance? In comparison, our DS 5.2 systems include the entire attribute value for binary subtyped attributes in the audit logs.

In the same vein as this, I've noticed that 6.3.1's audit log regarding MODRDN command appears to be incomplete... when calling MODRDN with the same RDN but a new superior, the latter is not logged although the operation is successful:
time: 20100114151549
dn: uid=ab3,ou=staff,o=example.com
changetype: modrdn
newrdn: uid=ab3
deleteoldrdn: 1
replace: modifiersname
modifiersname: cn=directory manager
replace: modifytimestamp
modifytimestamp: 20100114151549Z
time: 20100114151549
dn: uid=ab3,ou=students,o=example.com
changetype: modify
add: examplestatus
examplestatus: id modified 14/01/2010 15:15:49
replace: modifiersname
modifiersname: cn=directory manager
replace: modifytimestamp
modifytimestamp: 20100114151549Z
-The (simplified) Net::LDAP perl fragment which performs this operations is:
                my $en = find_uid_in_ldap( ... );
                my $newrdn = "uid=" . $params->{_login};
                my $newsup =
                    "ou="
                  . $conf->{acctypemap}->{ $params->{acctype} } . ","
                  . $conf->{ds}->{basedn};
                my $res = $ldap->moddn(
                                   $en->dn(),
                                   newrdn       => $newrdn,
                                   newsuperior => $newsup,
                                   deleteoldrdn => 1
                );Is this deliberate? This means that the audit log knows that a MODRDN operation occurred, but hasn't logged the location where the object was moved to.
For completeness:
# /opt/SUNWdsee/ds6/bin/dsadm -V
[dsadm]
dsadm               : 6.3.1                B2008.1121.0156 NAT
[slapd 64-bit]
Sun Microsystems, Inc.
Sun-Java(tm)-System-Directory/6.3.1 B2008.1121.0156 64-bit
ns-slapd            : 6.3.1                B2008.1121.0156 NAT
Slapd Library       : 6.3.1                B2008.1121.0156
Front-End Library   : 6.3.1                B2008.1121.0156

Alert & Audit Log Purging sample script

Hi Experts,
Can somebody point to sample scripts for
1. alert & audit log purging?
2. Listener log rotation?
I am sorry if questions look too naive, I am new to DBA activities; pls let me know if more details are required.
As of now the script is required to be independent of versions/platforms
Regards,

34MCA2K2 wrote:
Thank a lot for your reply!
If auditing is enabled in Oracle, does it generate Audit log or it inserts into a SYS. table?
Well, what do your "audit" initialization parameters show?
For the listener log "rotation", just rename listener.log to something else (there is an OS command for that), then bounce the listener.
You don't want to purge the alert log, you want to "rotate" it as well. Just rename the existing file to something else. (there is an OS command for that)
So this has to be handled at operating system level instead of having a utility. Also if that is the case, all this has to be done when database is shut down right?
No, the database does not have to be shut down to rotate the listener log. The database doesn't give a flying fig about the listener log.
No, the database does not have to be shut down to rotate the alert log. If the alert log isn't there when it needs to write to it, it will just start a new one. BTW, beginning with 11g, there are two alert logs .. the old familiar one, now located at $ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/trace, and the xml file used by adrci. There are adrci commands and configurations to manage the latter.
Again, I leave the details as an exercise for the student to practice his research skills.
Please confirm my understanding.
Thanks in advance!

Audit Log Management

Similar Messages

Maybe you are looking for