Bad date recorded by AccessServer in Audit Log File
Hi all,
I have installed OAM and configure Audit Log File to AccessServer:
Access System Configuration >> Access Server Configuration >> and put ON "Audit to File"
The log is recorded OK, but when compare the date writed in log file with SO date, there are 6hs of diference
LOG FILE
01\/28\/2009 *00:18:07* \-0500 - AUTHZ_SUCCESS - GET - AccessServer - 192.168.3.105 - sec.biosnettcs.com\/access\/oblix\/lang\/en\-us\/msgctlg.js - cn=orcladmin\,cn=Users\,dc=biosnettcs\,dc=com - 00:18:07 - http - AccessGate - - 2
SO date
# date
mar ene 27 *18:18:15 CST* 2009
# date -u
mié ene 28 *00:18:23 UTC* 2009
How we can see in this lines the audit log is recording date in UTC, but a need this in the timezone setted in SO.
How can do this (print date in audit log file with the same timezone setted by SO)??
Thaks in advance,
Julio
I response myself.
There is no way to set the Date/Time format to any other than UTC for the OAM component logs
See note 742777.1 for deeph information.
Julio.
Similar Messages
-
How change sStart and End Date and time in the Audit log ???
Install C2S BM39SP1. Work.
Go to the: https://bmserver:8009
Open : VPN Monitor | Audit log information.
Problem - can not cahnge Date and time in the Audit Log Start(End)
How i vcan do this ?
How i can get every day stat log:
login ; date_time_login ; dtae_timie_logout ; bite_in ; bite_out
SergSerg,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://support.novell.com/forums)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
Oblix v7 audit log file missing
Hi,
I'm using oblix v7.
I have enabled audit logs and specified the file name as: C:\audit33.txt
But on the machine there is no such file. It is somehow missing.
The same configuration works on another machine.
Any idea why the audit log file is missing?
Thanks.
Sash.I response myself.
There is no way to set the Date/Time format to any other than UTC for the OAM component logs
See note 742777.1 for deeph information.
Julio. -
We have a perl script to extract data from Audit log files(Oracle Database 10g Release 10.2.0.1.0) which have format as bellow.
Audit file /u03/oracle/admin/NIKKOU/adump/ora_5037.aud
Oracle Database 10g Release 10.2.0.1.0 - Production
ORACLE_HOME = /u01/app/oracle/product/10.2.0
System name: Linux
Node name: TOYDBSV01
Release: 2.6.9-34.ELsmp
Version: #1 SMP Fri Feb 24 16:54:53 EST 2006
Machine: i686
Instance name: NIKKOU
Redo thread mounted by this instance: 1
Oracle process number: 22
Unix process pid: 5037, image: oracleNIKKOU@TOYDBSV01
Sun Jul 27 03:06:34 2008
ACTION : 'CONNECT'
DATABASE USER: 'sys'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0
After we update the db from Release 10.2.0.1.0 to Release 10.2.0.4.0, the format of Audit log file had been changed to something likes below.
Audit file /u03/oracle/admin/NIKKOU/adump/ora_1897.aud
Oracle Database 10g Release 10.2.0.4.0 - Production
ORACLE_HOME = /u01/app/oracle/product/10.2.0
System name: Linux
Node name: TOYDBSV01
Release: 2.6.9-34.ELsmp
Version: #1 SMP Fri Feb 24 16:54:53 EST 2006
Machine: i686
Instance name: NIKKOU
Redo thread mounted by this instance: 1
Oracle process number: 21
Unix process pid: 1897, image: oracle@TOYDBSV01
Tue Oct 14 10:30:29 2008
LENGTH : '135'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'SYS'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[0] ''
CLIENT TERMINAL:[7] 'unknown'
STATUS:[1] '0'
Because we have to rewrite the perl script, could anyone tell us where we can find the manual to describe the format of the Audit log file.Oracle publishes views of the audit trail data. You can find a list of the views for the 11.1 database here:
http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#BCGIICFE
The audit trail does not really change between patchsets as that would constitute underlying structure changes and right now, the developers are not allowed to change the underlying structure of tables in patchsets. But, we can change what may be displayed in a column from patchset to patchset. For example, we are getting ready to update the comment$text field to display more information like dblinks and program names.
I personally don't like overloading the comment$text field like that, but sometimes when you need the information, that is the only choice except to wait for the next major release :)
As for the output of the audit log files, those can change between patchsets because of bugs that were found and some changes to support Audit Vault. My apologies out there for anyone that is reading the audit files written to the OS directly, I would recommend using the views.
Hope that helps. Tammy -
BOE XI 3.1 Removing Audit log files
Hi there experts,
we have an issue with our production BOE install (3.1 SP7) whereby we have over 39,000 audit log files awaiting processing in the BOE_HOME/auditing folder. These audit files were generated a few months back when we had an issue with the system whereby thousands of scheduled events were created, we are not sure how. The removal of these events has had a knock on effect in that we have too many audit files to process, ie the system just cant process them all quickly enough.
So my question is can we just remove these audit files from the auditing directory with no knock on effects as we dont need them loading into the audit database anyways as they are all multiples of the same event.
As an aside when we upgraded from SP3 to SP7 the problem went away, ie no new audit files for these delete events being generated. We are still to establish how/why these audit events were created but for the time being we just want to be able to remove them. Unfortunately as its a production system we don't want to just take a chance and remove them without some advice first.
thanks in advance
ScottIs your auditing running now? Or still pending? Can you check in Audit DB, what is the max(audit_timestamp? This will tell you when was the recent actvitiy happened.
Deleting the audit files, will not harm to your BO system. You will not be able to see auditing details for that period.
Is the new auditing files are processed? or you still see the files created in auditing folder without processing?
If the auditing file size shows 0 okb, than it means they were processed. -
Maximum number of events per audit log file must be greater than 0.
BOE-XI (R2)
Windows Server 2003
Running AUDIT features on all services.
Report Application Server (RAS) keeps giving the following error in the Windows Application Event Log.
Maximum number of events per audit log file must be greater than 0. Defaulting to 500.
I am assuming that this is because the RAS is not being used by anyone at this time - and there is nothing in the local-audit-log to be copied to the AUDIT database.
Is there any way to suppress this error...?
Thanks in advance for the advice!A couple more reboots after applying service pack 3 seemed to fix the issue.
Also had to go to IIS and set the BusinessObjects and CrystalEnterprise11 web sites to use ASP .NET 1.1 instead of 2. -
Any software/program that can read audit log files
Hi,
Currently i am searching for a program/tools that can read audit log files and format it into a readable format. Anyone know is there any in the market or any open source program?
Thank You.Not sure what you mean by "audit log".
Anyway. Pete Finnigan's tools page has only one thing that might be what you're looking for - LMON, which runs on BSD, Solaris, Linux. As he's the go-to guy for Oracle security the chances of there being a good free log analyzer tool that he hasn't heard of is slight.
Cheers, APC -
Remote management audit log file
I've read the documentation @
http://www.novell.com/documentation/...a/ad4zt4x.html
which indicates that the audit file is auditlog.txt and is located in the
system directory of the managed workstation. The problem is I can't find the
log file in that location or anywhere else on the computer. I even looked in
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent but I can't find
anything. Any ideas? Can someone point me in the right direction.
BTW, I'm using ZDM 6.5 SP2 for both the server and the workstations.
Jim WebbJust an FYI, with ZDM 6.5 HP3 the file name changed from AuditLog.txt to
ZRMAudit.txt still located under system32 on Windows XP.
Jim Webb
>>> On 5/22/2006 at 3:27 PM, in message
<[email protected]>,
Jim Webb<[email protected]> wrote:
> Well I found out the ZDM 6.5 HP2 fixes the problem of the log file not
> being
> created.
>
> Jim Webb
>
>>>> On 5/19/2006 at 8:37 AM, in message
> <[email protected]>,
> Jim Webb<[email protected]> wrote:
>> Well, it does show up in the event log but not in the inventory. If I
>> disable inventory the log file won't be deleted, correct?
>>
>> Jim Webb
>>
>>>>> On 5/18/2006 at 10:03 AM, in message
>> <[email protected]>, Marcus
>> Breiden<[email protected]> wrote:
>>> Jim Webb wrote:
>>>
>>>> I did a search on a machine I am remote controlling, no log file. What
>>>> next?
>>> good question... does the session show up in the eventlog? -
Growing nsure audit log file in sys\etc\logcache
I have a Netware 6.5 OES2 server that suddenly had a quickly growing file in the \sys\etc\logcache folder. The file has just recently stabilized, but I would like to shrink the file. I am aware that this is part of NSure auditing and would like to leave that running. Can the files in this directory be deleted, or how to I go about shrinking or truncating them?
Thanks.That would be OES, as OES2 only exists on Linux.
TID 10089097 seems to cover this in a general sense:
configuring the PA on NetWare, is to configure the eDirectory, Filesystem, and Netware OS instrumentation. This is done at the NCP server object in iManager. From the eDirectory Administration task list, select Modify Object. Browse for server object. This is the NCP server object, in the tree, not the Secure Logging Server object in the Logging Services container. Click on the Nsure Audit tab. Below the tab, there will links to the individual components, eDirectory, NetWare, and Filesystem.
Without having it installed myself, I would expect that you could reset log files and suchlike in there. -
Hello,
I started binary audit some of my servers. It works fine.
Generated files has 600 mask and root:root group:user. This makes my backup routines sick. Backup scripts work as another user and permission denied errors arises.
How can i change audit files mask?
Thanks,
OsmanAlthough I'm not sure I don't think you can since audit data will always need solid protection due to the included information. The only liable option I see is to use syslog as your logging daemon.
-
Date and time stamp on dump & log file using EXPDP in HP-UX
Hi All,
Can someone help me with the below issue
O.S Version HP-UX B.11.31 U ia64
Oracle DB Version 11.2.0.3.0 , Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
#!/usr/local/bin/bash
ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_2; export ORACLE_HOME
PATH=/u01/app/oracle/product/11.2.0/dbhome_2/bin; export PATH
mydate=`date +%Y_%m_%d_%H_%M_%S`; export mydate
ORACLE_SID=PD; export ORACLE_SID
expdp system/0@PD DIRECTORY=prod_exports DUMPFILE=FULL_EXP_PD_${mydate}.
dmp LOGFILE=FULL_EXP_PD_${mydate}.log compression=all schemas=SYSADM991805 wrote:
Hi
Thank you very much for your reply. The problem is the time stamp is not coming on my dumpfile
So what are you getting?
Works for me:
#!/bin/bash
export ORAENV_ASK=NO
export ORACLE_SID=orcl
. oraenv
mydate=`date +%Y_%m_%d_%H_%M_%S`; export mydate
echo mydate is $mydate
expdp system/halftrack directory=data_pump_dir dumpfile=full_exp_${mydate}.dmp logfile=full_exp_${mydate}.log schemas=scott
ls -l /u01/app/oracle/admin/orcl/dpdump
2014-01-03 15:28:36
oracle:orcl$ ll
total 260
-rwx------ 1 oracle oinstall 300 Jan 3 15:27 doit
-rw-r----- 1 oracle asmadmin 116 Jan 31 2013 dp.log
-rw-r----- 1 oracle asmadmin 249856 Jan 3 15:28 full_exp_2014_01_03_15_27_34.dmp
-rw-r--r-- 1 oracle asmadmin 1974 Jan 3 15:28 full_exp_2014_01_03_15_27_34.log -
Does anyone know of any tools (SAP or third-party) to protect SAP log files (system logs, security audit logs, etc.) from alteration by an authorized user (e.g., someone with SAP_ALL)? We are looking for an audit-friendly method to protect log files such that someone with SAP_ALL privileges (via Firefighter or special SAP userid (DDIC, SAP*)) can't perform actions and then cover up their tracks by deleting log entries etc. For example, we're wondering if any tools exist that enable the automatic export of the log files to a protected area (that's inaccessible to users with SAP privileges)? We'd certainly appreciate any advice or insight as to how to resolve this issue.
Regards,
GailFor anyone who is interested, I wanted to pass along what we did (this was in response to an audit finding):
First, SAP_ALL access is restricted to monitored Firefighter accounts (we already had that in place). Recognizing that users with SAP_ALL and super-user access at the UNIX level (i.e., our Basis Team) can still circumvent pretty much any measure we take (e.g., can disable alerts in CCMS, delete batch jobs, deactivate Security Audit Log filters, delete Security Audit Log files, etc.), at least the actions would be captured via FF (although they could disable that as well) or other utilities at the UNIX level. And the more things the person has to disable/deactivate, the more likely it becomes that someone would notice that something was amiss.
Our company was already using SPLUNK to capture logs from other (non-SAP) systems so we decided to leverage that to capture and retain certain SAP Security Audit Log entries. We created a batch job on SAP that runs a custom program at 5 minute intervals to extract records from the Security Audit Log files into a UNIX file (the program includes some logic that uses timestamps in the UNIX file to determine which records to extract). The UNIX file is monitored by the UNIX tail-f command which is spawned by a Perl script. The output from the tail-f command is then piped to a file on a central syslog server via the logger command in the script. Finally, a SPLUNK process, which monitors syslog entries, extracts the information into SPLUNK real-time.
This process is not bulletproof as our Basis Team (with SU privileges at the UNIX level) could disable the Perl script or delete/change entries within the UNIX file. All we can really do is make it difficult for them to cover their tracksu2026
Gail -
I am new at the SQL auditing feature. I have played around with it, and I have one problem that I hope someone can help me with. When I first turn on the SQL audit and the audit file is small I can view the log on my local machine with the log viewer in
SSMS. However, as the log files continue to be created and grow, the log file viewer no longer works. It sits there for several minutes saying "initializing log file #1", then just comes back 0 records processed. Sometimes it comes back with an OutOfMemoryException.
I have the SQL audit set to go to files, and the files are set to be 250 MB each.
Is there some better way to look at the SQL audit log files generated, or is there some way to make the log file viewer actually work once the log files begin to grow? I know I can use Transact-SQL statements, but I was hoping to use the log file viewer
or some other GUI viewer. Another issue I'm concerned about is being able to archive the log files to another location and having the ability to look at them.
Thank you.Its looks like bug.
http://connect.microsoft.com/SQLServer/feedback/details/709364/sql-server-audit-logs-do-not-display
http://thomaslarock.com/2012/10/viewing-sql-server-2008-r2-audit-logs-using-ssms-2012/
Use sys.fn_get_audit_file() system function to see the data that you already doing.
http://msdn.microsoft.com/en-us/library/cc280765.aspx
-Prashanth -
Does Identity Manager keep a record of all events like adds/deletes/modifies to entries it manages?
Are all attributes and values added recorded?
Are all attributes and values (before and after modification) recorded on updates?
Are all delete entry events recorded?
If so, how would I extract this information out of IdM to a log FILE?
Also, about how much effort is involved in creating the desired audit log FILE.
(Potential) Customers of Identity manager here have asked, after being shown a quick demo of IdM where is the ability to get statistical info e.g. how many entries added in past 24 hours/week/month? how many email accounts were created in past 24 hours/week/month etc etc...
I/they see a screen audit report as an IdM task but it doesnt seem to be able to dump useful information to a file. A file can be manipulated to produce these statistics, a screen cannot. This file can also be used by other external systems of course.I cannot agree more with Mr greenfan88:
Clients should have a HIGH expectation in a system such as IDM which relates to provisionning, meta-directory and workflow
The main reason beeing that business processes are the core driver of successfull projects. Technical things comes in second place. Thus processes need to be highly traceable and reports customizable
What I think of IDM Reports:
* Nearly half of the standard reports are administrative reports (ex: list the connectors status, list the admins...) => No business value
* Other reports are pure AuditLog reports that correspond to a grep on logs => Low business value
* There are as well resource risk reports that scan inactive accounts... => No business value
* One report type provide statistical information which is good
* Only one report consolidate information (<> from just an audilog grep listing)
All these reports have low business value:
1) the attributes are technical ones
2) the reports types are frozen
3) Consolidation is very low
4) Scoping/Security of reports is based on ORGANIZATIONS. Very limited
5) Inputing parameters such as a date range, people/account status (active/inactive), or departement perimeter is impossible or very difficult to achieve
What I think of IDM AUDITOR:
* Quite the same since lots of reports are administratove
* Auditor introduces the notion of COMPLIANCE rules. This is good BUT it should be extended to business attributes, time ranges, active/inactive status...
Except the COMPLIANCE addition, I don't see much interesting features from Auditor. It is still in V1 or beta ?
=> I hope the product line will improve to include REAL REPORTS like the ones we can make with BUSINESS OBJECTS or CRYSTAL REPORTS...
Rgds, -
Security Audit Log SM19 and Log Management external tool
Hi all,
we are connecting a SAP ECC system with a third part product for log management.
Our SAP system is composed by many application servers.
We have connected the external tool with the SAP central system.
The external product gathers data from SAP Security Audit Log (SM19/SM20).
The problem is that we see, in the external tool, only the data available in the central system.
The mandatory parameters have been activated and the system has been restarted.
The strategy of SAP Security Audit Log is to create many audit log file for each application server. Probably, only when SM20 is started, all audit files from all application servers are read and collected.
In our scenario, we do not use SM20 since we want read the collected data in the external tool.
Is there a job to be scheduled (or something else) in order to have all Security Audit Log available (from all application servers) in the central instance ?
Thanks in advance.
Andrea CavalleriI am always amazed at these questions...
For one, SAP provides an example report ( RSAU_READ_AUDITLOG_EXTERNAL ) to use BAPIs for alerts from the audit log yet 3rd party solutions seem to be alergic to using APIs for some reason.
However, mainly I do not understand why people don't use the CCMS (tcode RZ20) security templates and monitor the log centrally from SolMan. You can do a million cool things in SolMan... but no...
Cheers,
Julius
Maybe you are looking for
-
Absence Quota Accruals from days to hrs
Hi Guys, I need to change the Absence Quota Accruals process in SAP ERP ECC 6.0 system from Accruing time in days to hours. All necessary configuration changes are to be made in the development system (including Time and Payroll Schema changes for ab
-
HELP! My MacBook won't boot an OS X DVD and I can't install from elsewhere
Okay, so my cousin completely erased and installed Windows XP by itself on a MacBook, and now it's mine and I'm trying to install OS X on it. I managed to do FWTD mode and erase the drive and partition it as a guid. When I start it up afterwards, it
-
Macbook pro data transfer to macbook air ????????, macbook pro data transfer to macbook air ????????
How (without using Migration assistant) can I (using an ethernet connection from my Macbook pro on 10.6.8 to a Macbook air on 10.7.3 with a thunderbolt ethernet adaptor) make a connection between the 2 computers and selectively transfer files and app
-
Reusing JAXB generated classes for XSDs included in other XSDs
Hi, I use xsds with jaxb in a number of related projects. To avoid duplication I've factored out commonly used elements into their own xsd in a separate project. I then include these in the xsds that need them. I generate classes with jaxb for each p
-
Has anyone found a solution for attaching video and audio files in mail with Mavericks. It works fine on my macbook pro but does not work on my desktop. I get the spinning wheel of death. It worked fine before I upgraded to Mavericks. 2x2.4 HGz Qu