Auditing / Logging of policy updates/publishing?
Is there such a thing? Is any publishing of the policy logged anywhere?
We've had a couple of issues in the last few weeks where one of our admins has pushed the wrong policy out to groups of people, overwriting their proper policy and causing no end of headaches.
Is there any sort of auditing in place showing who changed policy, or what changes were made, or who pushed out what policy, when, and who to?
This is what I got:
The Management Console will show the last user that edited a particular policy (on the main screen with the list of policies). Details of what changed would have to be done through manual SQL queries.
If this is not enough (which I suspect), please enter an enhancement request in order for PM to prioritize this feature accordingly for a future release.
>>>
From: Daniel Spinatto<[email protected]>
To:novell.support.zenworks.endpoint-security-management
Date: 12/15/2010 3:31 pm
Subject: Re: Auditing / Logging of policy updates/publishing?
Hey Andy,
Good question. There's nothing with 4.1 that I know of.
Let me ask anyway and I'll get back to you.
>>>
From: andystewartSL<[email protected]>
To:novell.support.zenworks.endpoint-security-management
Date: 12/10/2010 6:36 am
Subject: Auditing / Logging of policy updates/publishing?
Is there such a thing? Is any publishing of the policy logged anywhere?
We've had a couple of issues in the last few weeks where one of our admins
has pushed the wrong policy out to groups of people, overwriting their
proper policy and causing no end of headaches.
Is there any sort of auditing in place showing who changed policy, or
what changes were made, or who pushed out what policy, when, and who to?
Andy Stewart - Somewhere In Scotland
zcm 10.2.2, 4 servers in esx vm environment, 2000 users so far...
(i'd still rather be snowboarding)
Similar Messages
-
SPAuditQuery wssQuery = new SPAuditQuery(SPContext.Current.Web.Site);
wssQuery.RestrictToUser(SPContext.Current.Web.CurrentUser.ID);
wssQuery.AddEventRestriction(SPAuditEventType.View);
wssQuery.RestrictToList(list);
//set the query date range
wssQuery.SetRangeEnd(DateTime.Now);
wssQuery.SetRangeStart(DateTime.Now.AddMinutes(-30));// To get the last 30 Mins of data
SPContext.Current.Web.Site.Audit.Update();
SPContext.Current.Web.Update();
SPAuditEntryCollection auditCol = SPContext.Current.Web.Site.Audit.GetEntries(wssQuery);
From your response, I understood that the coding is okay, so there is no need to change the code.
I am not sure what or how to validate for the lag. Can you please suggest in more detail?
One more thing observed based on the below steps
1. Downloaded 3 documents sequentially
2. Gave pause for 15 seconds
3. Downloaded next 2 documents sequentially
4. Executed my above mentioned program
Result: Fetched only the first 3 documents; the documents downloaded after the pause are not retrieved
5. Generated the custom report (or ) Do new Download
Result : I can See 5 Documents (In case of 5th step is new download, I can See 5 Documents instead of 6 documents)
6: Executed my above mentioned program
Result : I can See 5 Documents (In case of 5th step is new download, I can See 5 Documents instead of 6 documents)
Conclusion: The most recent download event is pushed by another relevant (Custom Report Generation or Download or Page Refresh) event
Am I missing anything to obtain the proper result? -
We recently switched hardware and server software Win SBS 2008 to 2012R2 for a small network roughly 40 clients (Win7 Pro / Win 8.1 Pro) about 16 running concurrently at a given time and one network printer with the printer queue residing on the DC as well.
I read that a single server environment might not be ideal in particular no fail-over but that is an accepted risk in this particular network here.
Errors:
Error 1043: Timeout during name resolution request
Error 1129: Group policy updates could not be processed due to DC not available
Error 5719: Could not establish secure connection to DC, DC not available
Occasionally but disappears after a while
Error 134: As a result of a DNS resolution timeout could not reach time server
Symptoms
On Win 7 Clients
Network shares added through Group Policy will not show sometimes
Network shares disconnect (red X) and when accessed return access authorization error after one or two clicks on the share finally grant access again
When the issue with accessing network shares occurs, it usually also affects Internet access meaning a 'server not responding' error appears in the browser windows when trying to open just any web page
nslookup during the incident returns cannot resolve error
ipconfig on client shows correct default router (VDSL Router) and DHCP / DNS Domain Controller
Also, the Win system log shows the above errors during these incidents, however, the number of incidents varies from 20-30
On Win 8.1 Clients
Same as above with the slight variation for network shares apparently due to Server 2012 and Win 8.1 clients managing drive shares differently. However, network share refresh does not work with these clients. In most cases only a gpupdate /force returns drive shares but usually only for the active session. After logoff / logon the shares are gone again.
The issue does appear to be load related since it occurs even if there are only one or two workstations active.
Server Configuration
Dell R320 PowerEdge 16GB / 4TB 7200RPM RAID10 / GBitEthernet
Zyxel 1910-48 Port Switch
VDSL 50Mbps Down / 20Mbps Up
Since the DC is the only local DNS and there are no plans to add another one or move DNS to another server, the DNS server is configured with this own address as preferred DNS with three DNS forwarders 1) VDSL Router 2) ISP DNS1 3) ISP DNS2
Currently only one Network card is active for problem determination reasons.
There appears to be no consensus concerning IPV6 enabled or disabled, I tried both with no apparent effect
I have set all network cards server and client to Full Duplex and the same speed, also disabled Offload functions within the adapter settings. Some but no consistent improvements.
Best Practice Analyzer Results
DNS server scavenging not enabled
Root hint server XYZ must respond to NS queries for the root zone
More than one forwarding server should be configured (although 3 are configured)
NIC1 should be configured to use both a preferred and alternate DNS (there is only one DNS in this network)
I have found some instructions to apply changes to the clients through a host file but I would rather like to understand whether this DNS response time issue can be resolved on the server, for example a timing setting perhaps. Currently the DNS forwarders are set to 3 seconds.
Since a few people have reported issues with DNS but most are working with multi DNS, DC environments, I could not really apply any suggestions made there. Perhaps there is anyone like me who is running a single server who has overcome or experienced the same issues. Any help would be appreciated
Hello Milos thx for your reply.. my comments below
1. What does it "switched"? You may mean migration or new installation. We do not know...
>> Switched is probably the incorrect term, replaced would be the appropriate wording. Before, there was a HP Proliant Server with SBS 2008 with distinct domain and now there is a Dell Server with MS 2012 R2 with a distinct domain. Clients were removed from one (SBS) domain and added to the new Server 2012 domain. Other components did not change for example same Network Switch or VDSL Router, Workstations and Printer
2. Two DCs are better alternative. Or backup very frequently. There are two groups of administrators. Those who have lost DC and those who will experience this disaster in near future.
>> Correct, and I am aware of that
3. NIC settings in W 7 and W 8.1, namely DNS points to DC (...and NOTHING else. No public IP or that of router DNS.))
>> Correct, this is how it's currently implemented. Clients point to DC for DHCP and DNS and Default Router, no public IP or DNS. The only references to ISP DNS exist on the VDSL Router itself as provided through ISP when establishing VDSL Link and the list of Forwarders in the DNS Server configuration. However, I have just recently added the ISPs DNS as forwarders for test purposes and will probably learn tomorrow morning whether this had any effect for better or worse.
4. Do nslookup to RR on clients. RR branch is saying client basic info on LDAP parameters of AD.
>> Will post as soon as available
5. I do not use forwarders and the system works
>> Ok, does this mean it works for you in a similar or the same infrastructure setup or are you saying it is not required at all and I can remove any forwarder in a scenario like mine? If not required can you explain a bit more why it is not required apart from that it does work for you that way?
6. DHCP should sit on DC (DHCP on router is disabled)
>> Correct, no other device is configured to provide DHCP service other than DC and DHCP is currently running on DC
7. NIC settings in DC points to itself (loopback address 127.0.0.1)
>> Are you sure this is still correct and does apply to Server 2012? I am reading articles stating that it should be the servers own IP but local loop or should this be added as alternate DNS in addition to the servers own IP?
8. Use IPCONFIG /FLUSHDNS whenever you change DNS settings.
>> OK, that was not done every time I changed some settings but I can do that next week. Reboot alone would not suffice, correct?
9. Test your system with dcdiag.
>> See result below
10. Share your findings.
Regards
Milos
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = GSERVER2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\GSERVER2
Starting test: Connectivity
......................... GSERVER2 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\GSERVER2
Starting test: Advertising
......................... GSERVER2 passed test Advertising
Starting test: FrsEvent
......................... GSERVER2 passed test FrsEvent
Starting test: DFSREvent
......................... GSERVER2 passed test DFSREvent
Starting test: SysVolCheck
......................... GSERVER2 passed test SysVolCheck
Starting test: KccEvent
......................... GSERVER2 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... GSERVER2 passed test
KnowsOfRoleHolders
Starting test: MachineAccount
......................... GSERVER2 passed test MachineAccount
Starting test: NCSecDesc
......................... GSERVER2 passed test NCSecDesc
Starting test: NetLogons
......................... GSERVER2 passed test NetLogons
Starting test: ObjectsReplicated
......................... GSERVER2 passed test
ObjectsReplicated
Starting test: Replications
......................... GSERVER2 passed test Replications
Starting test: RidManager
......................... GSERVER2 passed test RidManager
Starting test: Services
......................... GSERVER2 passed test Services
Starting test: SystemLog
......................... GSERVER2 passed test SystemLog
Starting test: VerifyReferences
......................... GSERVER2 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : GS2
Starting test: CheckSDRefDom
......................... GS2 passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... GS2 passed test CrossRefValidation
Running enterprise tests on : GS2.intra
Starting test: LocatorCheck
......................... GS2.intra passed test LocatorCheck
Starting test: Intersite
......................... GS2.intra passed test Intersite
Server: gserver2.g2.intra
Address: 192.168.240.6
*** gserver2.g2.intra can't find g2: Non-existent domain
> gserver2
Server: gserver2.g2.intra
Address: 192.168.240.6
g2.intra
primary name server = gserver2.g2.intra
responsible mail addr = hostmaster.g2.intra
serial = 443
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
> wikipedia.org
Server: gserver2.g2.intra
Address: 192.168.240.6
Non-authoritative answer:
wikipedia.org MX preference = 10, mail exchanger = polonium.wikimedia.org
wikipedia.org MX preference = 50, mail exchanger = lead.wikimedia.org
polonium.wikimedia.org internet address = 208.80.154.90
polonium.wikimedia.org AAAA IPv6 address = 2620:0:861:3:208:80:154:90
lead.wikimedia.org internet address = 208.80.154.89
lead.wikimedia.org AAAA IPv6 address = 2620:0:861:3:208:80:154:89
Final benchmark results, sorted by nameserver performance:
(average cached name retrieval speed, fastest to slowest)
192.168.240. 6 | Min | Avg | Max |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
+ Cached Name | 0,001 | 0,002 | 0,003 | 0,001 | 100,0 |
+ Uncached Name | 0,027 | 0,076 | 0,298 | 0,069 | 100,0 |
+ DotCom Lookup | 0,041 | 0,048 | 0,079 | 0,009 | 100,0 |
---<-------->---+-------+-------+-------+-------+-------+
gserver2.g2.intra
Local Network Nameserver
195.186. 4.162 | Min | Avg | Max |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name | 0,022 | 0,023 | 0,025 | 0,000 | 100,0 |
- Uncached Name | 0,025 | 0,071 | 0,274 | 0,065 | 100,0 |
- DotCom Lookup | 0,039 | 0,040 | 0,043 | 0,001 | 100,0 |
---<-------->---+-------+-------+-------+-------+-------+
cns8.bluewin.ch
BLUEWIN-AS Swisscom (Schweiz) AG,CH
195.186. 1.162 | Min | Avg | Max |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name | 0,022 | 0,023 | 0,026 | 0,001 | 100,0 |
- Uncached Name | 0,025 | 0,072 | 0,299 | 0,066 | 100,0 |
- DotCom Lookup | 0,039 | 0,042 | 0,049 | 0,003 | 100,0 |
---<-------->---+-------+-------+-------+-------+-------+
cns7.bluewin.ch
BLUEWIN-AS Swisscom (Schweiz) AG,CH
8. 8. 8. 8 | Min | Avg | Max |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name | 0,033 | 0,040 | 0,079 | 0,011 | 100,0 |
- Uncached Name | 0,042 | 0,113 | 0,482 | 0,097 | 100,0 |
- DotCom Lookup | 0,049 | 0,079 | 0,192 | 0,039 | 100,0 |
---<-------->---+-------+-------+-------+-------+-------+
google-public-dns-a.google.com
GOOGLE - Google Inc.,US
UTC: 2014-11-03, from 14:33:12 to 14:33:29, for 00:17,648
15: 40
192.168.240. 6 | Min | Avg | Max |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
+ Cached Name | 0,001 | 0,002 | 0,004 | 0,000 | 100,0 |
+ Uncached Name | 0,025 | 0,074 | 0,266 | 0,063 | 100,0 |
+ DotCom Lookup | 0,042 | 0,048 | 0,075 | 0,007 | 100,0 |
---<-------->---+-------+-------+-------+-------+-------+
gserver2.g2.intra
Local Network Nameserver
195.186. 1.162 | Min | Avg | Max |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
- Uncached Name | 0,024 | 0,073 | 0,289 | 0,067 | 100,0 |
- DotCom Lookup | 0,039 | 0,041 | 0,043 | 0,001 | 100,0 |
---<-------->---+-------+-------+-------+-------+-------+
cns7.bluewin.ch
BLUEWIN-AS Swisscom (Schweiz) AG,CH
195.186. 4.162 | Min | Avg | Max |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
- Uncached Name | 0,025 | 0,073 | 0,286 | 0,065 | 100,0 |
- DotCom Lookup | 0,041 | 0,066 | 0,180 | 0,037 | 100,0 |
---<-------->---+-------+-------+-------+-------+-------+
cns8.bluewin.ch
BLUEWIN-AS Swisscom (Schweiz) AG,CH
8. 8. 8. 8 | Min | Avg | Max |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name | 0,033 | 0,038 | 0,077 | 0,009 | 100,0 |
- Uncached Name | 0,042 | 0,105 | 0,398 | 0,091 | 100,0 |
- DotCom Lookup | 0,049 | 0,066 | 0,141 | 0,025 | 100,0 |
---<-------->---+-------+-------+-------+-------+-------+
google-public-dns-a.google.com
GOOGLE - Google Inc.,US
UTC: 2014-11-03, from 14:39:59 to 14:40:12, for 00:13,363 -
Audit log + manual update + specify download location
Hi all,
I'm evaluating whether we can use Java Web Start for our new product, for geographically distributed software deployment.
I've the following questions that I could not find answers in the official documentation:
- Can it support manual update? i.e. is there any way I can put a button on the application UI so that instead of checking latest version on every program start, the end-user can manually initiate software update.
- Can I extend it to support audit log? i.e. we need to keep track of which client upgraded to which version in a centralized database (as audit trail), and when such update occurred. Can we do this?
- Some of our end-users have no access to local filesystem, they only have access to dedicated shared network drive, can we customize Web Start so that it downloads and saves the new version to a specific location, instead of C:\temp?
- We have a few jar files for the application. How can we ensure that all jar files are either updated, or not updated at all? i.e. kind of transaction concept.
- One of the jar files contains some configuration files, which need to be expanded in exploded format (to allow runtime change of configuration options). How can we do that?
Thanks a million.
> Hi all,
> I'm evaluating whether we can use Java Web Start for
> our new product, for geographically distributed
> software deployment.
> I've the following questions that I could not find
> answers in the official documentation:
> - Can it support manual update? i.e. is there any
> way I can put a button on the application UI so that
> instead of checking latest version on every program
> start, the end-user can manually initiate software
> update.
Currently, no - this is a requested feature being considered for 6.0.
> - Can I extend it to support audit log? i.e. we need
> to keep track of which client upgraded to which
> version in a centralized database (as audit trail),
> and when such update occurred. Can we do this?
Only by controlling a servlet or JSP page that generates the jnlp file and keeps track of what requests are made for the jnlp file and the resources of the app. Java Web Start itself runs on the client machine.
> - Some of our end-users have no access to local
> filesystem, they only have access to dedicated shared
> network drive, can we customize Web Start so that it
> downloads and saves the new version to a specific
> location, instead of C:\temp?
Web Start itself only downloads into its own cache (by default on Windows XP at c:\Documents and settings\<user name>\Application Data\Sun\java\deployment\cache\javaws).
This cache location can be configured.
In version 6.0 we will have the capability to disable caching, but the current version must have a cache.
> - We have a few jar files for the application. How
> can we ensure that all jar files are either updated,
> or not updated at all? i.e. kind of transaction
> concept.
Java Web Start currently checks timestamps of all downloaded jars before launching the application, and will only update all or none.
> - One of the jar files contains some configuration
> files, which need to be expanded in exploded format
> (to allow runtime change of configuration options).
> How can we do that?
If you must access these resources as files, you will have to extract them using ClassLoader.getResourceAsStream(), and then write them to disk yourself.
> Thanks a million.
/Andy -
Audit Log update using Xchange or Webservice
Hello,
We are looking for the functionality to update Audit logs for Items.
Do we have possibility to update the Audit logs for some Particular Item by using web service or Xchange message?
The idea is to update the Audit log using some external service...
Thanks in Advance,
Regards,
Pushkar
Hi Pushkar,
I think we cannot do this. But can you please tell me in which business scenario you want to modify the audit log? The audit log is meant to record changes of those selected using the audit log feature in SAP ME 5.2.
Any update to an item would anyway (internal or external) get updated in the audit log, I believe.
Thanks
Kishore K V -
DBA Opinion on Audit Logs in Oracle Database
As the title suggests - what is your initial reaction when your auditors come to you and say "why aren't audit logs turned on table a, b, c, d.....z, a1 etc".
Scenario - say the auditor is interested in audit logs and settings as the Database houses PII and bank account data....
The common response from the DBA from what I have seen is "do you realise how much this will cost and what impact it will have on performance" (waving your fists).
So please tell me as a professional Oracle DBA:
What financial (broken down in detail if poss) considerations need to be made when deploying an audit policy to a database housing sensitive data.
What technical (broken down in detail if poss) considerations need to be made when deploying an audit policy to a database housing sensitive data.
I look forward to your replies.
Many, many things to consider.
It will be generally not practical to audit everything down to excruciating detail (as usually requested by well-meaning but technically challenged auditors) without causing significant overhead. Having said that it will be equally irresponsible not to setup auditing on a database that will be used for production. So every DBA needs to find a happy medium that is acceptable to the management, users, auditors, plus compliance with industry/state/federal regulations, etc.
If you wish to use Fine-grained Auditing (FGA), it requires an Enterprise Edition license.
If you need a crash course, Rampant publishes a book that addresses Oracle Auditing:
Oracle Privacy Security Auditing -
Audit logs for read operation on tables
I have a requirement of implementing audit logs for tables on read / select operation in addition to insert,update,delete operations. Is there any way to achieve this since triggers are present only for insert,update and delete ?
thanks in advance
Hi,
Yes, there are many ways you can audit the source database according to your requirements. As you need to audit the select, insert etc., you can audit in many ways:
1) By implementing policies (i.e. FGA), or a statement policy on a given table or a given user.
2) You can also do the required task by implementing alerts on specific conditions, like a select on a specific table etc.
You can use these utilities from the AV console.
Regards. -
We have a perl script to extract data from Audit log files (Oracle Database 10g Release 10.2.0.1.0) which have the format below.
Audit file /u03/oracle/admin/NIKKOU/adump/ora_5037.aud
Oracle Database 10g Release 10.2.0.1.0 - Production
ORACLE_HOME = /u01/app/oracle/product/10.2.0
System name: Linux
Node name: TOYDBSV01
Release: 2.6.9-34.ELsmp
Version: #1 SMP Fri Feb 24 16:54:53 EST 2006
Machine: i686
Instance name: NIKKOU
Redo thread mounted by this instance: 1
Oracle process number: 22
Unix process pid: 5037, image: oracleNIKKOU@TOYDBSV01
Sun Jul 27 03:06:34 2008
ACTION : 'CONNECT'
DATABASE USER: 'sys'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0
After we updated the db from Release 10.2.0.1.0 to Release 10.2.0.4.0, the format of the Audit log file changed to something like below.
Audit file /u03/oracle/admin/NIKKOU/adump/ora_1897.aud
Oracle Database 10g Release 10.2.0.4.0 - Production
ORACLE_HOME = /u01/app/oracle/product/10.2.0
System name: Linux
Node name: TOYDBSV01
Release: 2.6.9-34.ELsmp
Version: #1 SMP Fri Feb 24 16:54:53 EST 2006
Machine: i686
Instance name: NIKKOU
Redo thread mounted by this instance: 1
Oracle process number: 21
Unix process pid: 1897, image: oracle@TOYDBSV01
Tue Oct 14 10:30:29 2008
LENGTH : '135'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'SYS'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[0] ''
CLIENT TERMINAL:[7] 'unknown'
STATUS:[1] '0'
Because we have to rewrite the perl script, could anyone tell us where we can find the manual that describes the format of the Audit log file?
Oracle publishes views of the audit trail data. You can find a list of the views for the 11.1 database here:
http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#BCGIICFE
The audit trail does not really change between patchsets as that would constitute underlying structure changes and right now, the developers are not allowed to change the underlying structure of tables in patchsets. But, we can change what may be displayed in a column from patchset to patchset. For example, we are getting ready to update the comment$text field to display more information like dblinks and program names.
I personally don't like overloading the comment$text field like that, but sometimes when you need the information, that is the only choice except to wait for the next major release :)
As for the output of the audit log files, those can change between patchsets because of bugs that were found and some changes to support Audit Vault. My apologies out there for anyone that is reading the audit files written to the OS directly, I would recommend using the views.
Hope that helps. Tammy -
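For anyone who still has to read the OS audit files directly, as the original poster does, a parser can accept both record layouts quoted in this thread. The following is an added example in Python (not the poster's Perl script and not Oracle code); the sample input is constructed from the records above, and treating the bracketed number as the length of the quoted value is an inference from that sample.

```python
import re
from datetime import datetime

# Constructed sample: the two record layouts quoted in the post above, with
# the file headers shortened. Not real audit data.
SAMPLE = """\
Audit file /u03/oracle/admin/NIKKOU/adump/ora_5037.aud
Oracle Database 10g Release 10.2.0.1.0 - Production
Sun Jul 27 03:06:34 2008
ACTION : 'CONNECT'
DATABASE USER: 'sys'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0
Audit file /u03/oracle/admin/NIKKOU/adump/ora_1897.aud
Oracle Database 10g Release 10.2.0.4.0 - Production
Tue Oct 14 10:30:29 2008
LENGTH : '135'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'SYS'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[0] ''
CLIENT TERMINAL:[7] 'unknown'
STATUS:[1] '0'
"""

# Upper-case key, colon, then an optional "[n]" that only the newer layout has.
FIELD = re.compile(r"([A-Z][A-Z ]*?) *:(?:\[(\d+)\])?")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # assumes English day and month names


def _timestamp(line):
    try:
        return datetime.strptime(line.strip(), TS_FORMAT)
    except ValueError:
        return None


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == "'":
        return value[1:-1]
    return value


def parse_audit_text(text):
    """Return one dict per audit record, whichever layout the record uses."""
    records, current, pos = [], None, 0
    while pos < len(text):
        eol = text.find("\n", pos)
        eol = len(text) if eol == -1 else eol
        line = text[pos:eol]
        ts = _timestamp(line)
        m = FIELD.match(text, pos, eol)
        if ts is not None:
            current = {"timestamp": ts, "layout": "unprefixed",
                       "fields": {}, "length_errors": []}
            records.append(current)
        elif line.startswith("Audit file "):
            current = None  # a new file header closes the previous record
        elif m and current is not None:
            key, declared = m.group(1), m.group(2)
            value = _unquote(text[m.end():eol])
            if declared is not None:
                current["layout"] = "length-prefixed"
                n = int(declared)
                q = text.find("'", m.end(), eol)
                # Assumption: [n] is the length of the quoted value. Slicing
                # by n keeps a value containing a quote intact; a mismatch is
                # recorded in length_errors rather than hidden.
                if q != -1 and text[q + 1 + n:q + 2 + n] == "'":
                    value = text[q + 1:q + 1 + n]
                    eol = text.find("\n", q + 1 + n)
                    eol = len(text) if eol == -1 else eol
                else:
                    current["length_errors"].append(key)
            current["fields"][key] = value
        pos = eol + 1
    return records


def normalise(record):
    """Map either layout onto one shape so downstream reports do not care."""
    f = record["fields"]
    status = f.get("STATUS", "")
    return {
        "time": record["timestamp"].isoformat(sep=" "),
        "action": f.get("ACTION", ""),
        "db_user": f.get("DATABASE USER", "").upper(),
        "privilege": f.get("PRIVILEGE", ""),
        "client_user": f.get("CLIENT USER", ""),
        "terminal": f.get("CLIENT TERMINAL", ""),
        "status": int(status) if status.isdigit() else None,
    }


if __name__ == "__main__":
    for rec in parse_audit_text(SAMPLE):
        print(rec["layout"], rec["length_errors"], normalise(rec))
```

A non-empty `length_errors` list on a record is the signal that the layout has shifted again and the parser needs review before its output is trusted.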
An error occurred while trying to access the audit log
Hi I have run Set-Mailbox ian.shapton -AuditOwner Update, Move, MoveToDeletedItems, SoftDelete, HardDelete
I then created and deleted an email and ran Search-MailboxAuditLog -Identity "ian shapton" -LogonTypes Owner -StartDate "12/21/2014 12:00" -EndDate "12/21/2014 13:00" -ShowDetails
I see An error occurred while trying to access the audit log. For more details, see the inner exception.
+ CategoryInfo : NotSpecified: (:) [Search-MailboxAuditLog], AuditLogException
+ FullyQualifiedErrorId : [Server=Mailbox01,RequestId=07f17915-f25d-4fd5-b23e-f07a2482f4a4,TimeStamp=21/12/2014 16:45:39] [FailureCategory=Cmdlet-AuditLogException] 255D6156,Microsoft.Exchange.Management.SystemConfigurationTasks.SearchMailboxAuditLog
MSExchange CmdletLogs shows Microsoft.Exchange.Data.ApplicationLogic.AuditLogServiceException: The Exchange Web Service returned an error while trying to access the audit log. Reason: 'Error','ErrorTimeoutExpired','The search operation could not be completed within the allotted time limit. Please try to narrow down your scope to reduce the result set.'.
I am a Recipient Admin and Org Admin and can search other mailboxes using -LogonTypes Delegate
Any idea what I am missing here?
shapi
Hi,
I have the same problem when I run the Search-MailboxAuditLog command. It has been working for 2 weeks but suddenly after moving databases from one datacenter to another and back again it stopped working. The account running the command is in all necessary roles needed.
This is what I have tested after it stopped working:
- Search-MailboxAuditLog -Identity "xxxxxxx" -LogonTypes Delegate -StartDate (Get-Date).Adddays(-1) = Works
- Search-MailboxAuditLog -Identity "xxxxxxx" -LogonTypes Delegate -StartDate (Get-Date).Adddays(-1) -showdetails = does not work and comes with an error.
"The Exchange Web Service returned an error while trying to access the audit log. Reason: 'Error','ErrorTimeoutExpired',
'The search operation could not be completed within the allotted time limit.
Please try to narrow down your scope to reduce the result set.'."
This is very bad for us because we use a lot of shared mailboxes with delegates and want to report delegate action on these mailboxes.
Environment:
- 3 datacenters
- Exchange 2013 CU7
Thorir
thorir -
I am trying to figure out why a query of the OID audit logs is taking so long....
the search filter is:
(&(orcleventtime>=20070426)(orcleventtime<=20070427)(orcleventtype=User login))
it takes 97 seconds to return 1622 entries.
when i run a query with this filter....
(&(orcleventtime>=20070426)(orcleventtype=User login))
it takes 0.2 seconds
any ideas?
Purging an AUD$ table is a good idea after taking the export....
Yeah...that could be a better idea, to audit those things that the application skips...
I was just getting calls from the finance and operations departments... complaining that their ERP applications were hanging, taking a long time to execute day end procedures and reports...around 20 to 30 minutes.... As I recalled that my last deployment on live was the enabling of auditing, I executed noaudit all and noaudit select, update, delete, insert on erp. The users got their day end procedures and reports executed in less than 1 minute...
Can anybody explain to me.... Does auditing degrade performance..?
Regards? -
Audit Log is required for Project server
Hi,
Audit Log is required for EPM / Project Server 2010
Following are the requirements.
Project Name, Resource Name and Date of Following Events.
1. Project checked Out By, Date (This is highly important)
2. Project Checked In By, Date
3. Project Published By, Date
4. Project Saved By, Date
Hi Hachishti,
Please refer to a recent similar thread with excellent answer from Paul.
http://social.technet.microsoft.com/Forums/projectserver/en-US/435fbb7a-1c82-419c-b83e-e89419dc66aa/project-server-2010-view-plan-save-history?forum=projectserver2010general
Hope this helps.
Guillaume Rouyre - MBA, MCP, MCTS -
Search-MailboxAuditLog is empty - Mailbox Audit Logging not working in Exchange 2013 CU6 environment
Hello,
I activated Mailbox Audit Logging for Admin, Delegate and Owner with all supported operations (update, delete, etc.)
like mentioned here:
http://exchangeserverpro.com/using-exchange-server-2013-mailbox-audit-logging/
But even two days later (and also one server reboot later) Search-MailboxAuditLog is still empty.
Any ideas how to fix this?
Best,
martin
Hi S.Nithyanandham,
i looked up the mailboxfolderstatistics. There are items in the folder:
[PS] C:\Windows\system32>Get-MailboxFolderStatistics mailboxname |where{$_.Name -like "*audit*"}
RunspaceId : a95e32b8-93c3-4330-8d42-45cade9d64d4
Date : 18.09.2014 16:35:20
Name : Audits
FolderPath : /Audits
FolderId : LgAAAADmBpGVdb8iQp3F89WOcmcHAQBpQNFODkTESLeLj74B887wAAAAAAESAAAB
FolderType : Audits
ItemsInFolder : 147
DeletedItemsInFolder : 0
FolderSize : 434.2 KB (444,649 bytes)
ItemsInFolderAndSubfolders : 147
DeletedItemsInFolderAndSubfolders : 0
FolderAndSubfolderSize : 434.2 KB (444,649 bytes)
OldestItemReceivedDate :
NewestItemReceivedDate :
OldestDeletedItemReceivedDate :
NewestDeletedItemReceivedDate :
OldestItemLastModifiedDate :
NewestItemLastModifiedDate :
OldestDeletedItemLastModifiedDate :
NewestDeletedItemLastModifiedDate :
ManagedFolder :
DeletePolicy :
ArchivePolicy :
TopSubject :
TopSubjectSize : 0 B (0 bytes)
TopSubjectCount : 0
TopSubjectClass :
TopSubjectPath :
TopSubjectReceivedTime :
TopSubjectFrom :
TopClientInfoForSubject :
TopClientInfoCountForSubject : 0
SearchFolders :
Identity : mailboxname\Audits
IsValid : True
ObjectState : New
What do you think?
Why can't I search and find these entries in the audit log?
best,
martin -
Ms-exchange 2013 audit logs retrieving in csv format not working?
I need help regarding pulling specific information from exchange 2013. The information pertains to mail-exchange audit logs. The exchange in my environment is ms-exchange 2013. Steps performed so far are:-
**step#1**
Create test Environment on Exchange Server 2010 and Active Directory:
Two Mailboxes for testing (with dummy email messages) (i.e., test-mailbox-1, test-mailbox-2)
Two Active Directory Accounts for testing (testAcct01, testAcct02)
Assign Permission to Test Mailboxes: Owner of Email Box test-mailbox-1: testAcct01, Owner of Email Box test-mailbox-2: testAcct02
**step 2**
Enable Mailbox Auditing on the test-mailbox-1:
Use EMS to enable mailbox auditing on mailbox: test-mailbox-1
Commands:
o Set-Mailbox -Identity "test-mailbox-1" -AuditDelegate Copy,Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
o Set-Mailbox -Identity "test-mailbox-1" -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
Note: You must have permission for Organization Management and Record Management if you want to enable mailbox auditing.
**step#3**
Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
Use EMS to verify the settings of mailbox auditing
Command:
o Get-Mailbox "test-mailbox-1" | Format-List *audit*
**step#4**
Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
Use EMS to verify the settings of mailbox auditing
Command:
o Get-Mailbox "test-mailbox-1" | Format-List *audit*
**step#5**
Perform test activities on mailbox “test-mailbox-1” using account id: testAcct02
For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc.
**step#6**
Perform test activities on mailbox “test-mailbox-1” using “Administrator” Account.
For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc.
**step#7**
Use EMS Cmdlet to retrieve Mailbox audit logs for mailbox “test-mailbox-1”
Command:
o Search-MailboxAuditLog -Identity test-mailbox-1 -LogonTypes Admin,Delegate -ShowDetails -StartDate mm/dd/2014 -EndDate mm/dd/2014 | Export-Csv "c:\test-Audit-Results.csv"
o New-MailboxAuditLogSearch "Admin and Delegate Access" -Mailboxes " test-mailbox-1" -LogonTypes Admin,Delegate -StartDate mm/dd/2014 -EndDate mm/dd/2014 -StatusMailRecipients [email protected]
I'm unable to get past step#7, as I see nothing in the CSV file. I don't know why this is. Any help?
Hi,
I will perform these steps in my lab and paste the result.
Thank you for your patience while waiting.
Thanks
Mavis
Mavis Huang
TechNet Community Support
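A verification pass over the steps described in the two Exchange threads above, as an added example that is not from either poster. The mailbox name is the test mailbox from the thread; the seven-day window, the result size and the CSV path are assumptions.

```powershell
# Added example: run in the Exchange Management Shell.
# Assumptions: mailbox name from the thread, 7-day window, output path.
$mailbox = 'test-mailbox-1'
$end     = Get-Date
$start   = $end.AddDays(-7)
$csvPath = 'C:\Temp\test-Audit-Results.csv'

# 1. Confirm auditing is enabled and which operations are logged per logon type.
Get-Mailbox -Identity $mailbox |
    Format-List Name, AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate, AuditOwner

# 2. List accounts with audit bypass enabled; their actions are not logged.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Format-Table Name, AuditBypassEnabled

# 3. Confirm entries are actually being written to the Audits folder
#    (same filter as used in the first thread).
Get-MailboxFolderStatistics -Identity $mailbox |
    Where-Object { $_.Name -like '*audit*' } |
    Format-List FolderPath, ItemsInFolder, FolderSize

# 4. Search with DateTime objects instead of date strings, so the window
#    does not depend on how a typed date is parsed.
$entries = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Admin, Delegate `
    -ShowDetails -StartDate $start -EndDate $end -ResultSize 5000

# 5. Export only when something came back, so an empty result is reported
#    explicitly rather than appearing as an empty CSV file.
if ($entries) {
    $entries |
        Select-Object LastAccessed, Operation, OperationResult, LogonType,
                      LogonUserDisplayName, FolderPathName, ItemSubject, ClientInfoString |
        Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
    Write-Output ("Exported {0} audit entries to {1}" -f @($entries).Count, $csvPath)
}
else {
    Write-Warning "No Admin/Delegate audit entries for $mailbox between $start and $end."
}
```

If step 3 shows items in the Audits folder while step 4 returns nothing, the entries exist and the gap is in the search (window, logon types or result size) rather than in the audit configuration.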
Consistency Problem In Audit Logs and Datafile
Hi,
We have audit logs of a transaction in audit files, however we do not see any changes in the table that the transaction affects.
We use point-in-time recovery and flashback feature to figure out the changes in the table . DML Audit Granularity is "ACCESS".
The transaction is java application transaction and we use hibernate.
How can this be possible? Thank you.
Thanks for the reply,
jgarry wrote:
You've flashed or recovered back to a transaction in progress and the transaction was rolled back as part of recovery.
We have duplicated the database (a version from 2 months earlier) from backup. We use Flashback Version Query to figure out the changes in the audited table.
Ex:
SELECT STATE FROM X
VERSIONS BETWEEN TIMESTAMP
TO_TIMESTAMP ('07-09-12 05:15:30','dd-mm-yy hh24:mi:ss')
AND TO_TIMESTAMP ('07-09-12 16:00:30','dd-mm-yy hh24:mi:ss')
where ID=1
We cannot find the update transaction from this query. The "STATE" column is always null. However, in the audit XML file we see the "UPDATE" SQL.
jgarry wrote:
Some code for a report or inquiry incorrectly does a select for update and doesn't actually update anything.
There is no "select for update" statement.
Thank you.
URM Disposition Approval Error - Audit log
Hi there,
We have a URM environment installed and configured.
When attempting to approve a disposition action on an item in a retention schedule, the following error message appears:
"Unable to update DispositionsHistory table. Failed to check in audit log. Please reference '/appl/ucm/ContentServer/data/recordsManagement/log/##########.htm' audit log. You must save default metadata for checked in audit entries."
What is it here that we need to adjust in order to complete the approval?
Hello
You have to give your audit trail default metadata. Under Administration-Configure Records Management-Audit-CheckedIn_Audit Entries you can find the link for "Default Metadata for Checked-in Audit Entries".
Regards