Protecting the Audit Log

How can Oracle be set up to protect against tampering with the audit log from a user with DBA privileges?

If in your env. DBAs also have access to OS files (note Oracle does not require that), maybe you need to consider writing a cron job to keep polling from the OS/DB audit trail and send it over to some remote archive.
Technically, the separation of duty is not fully in place because a DBA could easily turn off auditing. You have to trust somebody to do the auditing. Eventually the UNIX root user owns the machine and can even install a rogue Oracle executable if the person is determined.
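
The cron-driven polling suggested in the answer above, as an added example that is not part of the original thread: one pass forwards only the bytes appended since the previous pass and reports audit files that shrank, were rewritten or disappeared. `send` is a hypothetical callback standing in for the transport to the remote archive; the directory layout, the `.aud` suffix filter and the state-file location are assumptions, and the state file should live where the Oracle OS account cannot write.

```python
import hashlib
import json
import os


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def ship_new_audit_data(audit_dir, state_path, send):
    """Run one polling pass (what the cron job would execute).

    send(name, offset, data) is a hypothetical callback that delivers bytes
    to the remote archive. Returns a list of (file name, problem) alerts.
    """
    try:
        with open(state_path) as fh:
            state = json.load(fh)
    except FileNotFoundError:
        state = {}  # first run: nothing shipped yet

    alerts = []
    present = sorted(n for n in os.listdir(audit_dir) if n.endswith(".aud"))
    for name in present:
        with open(os.path.join(audit_dir, name), "rb") as fh:
            data = fh.read()
        seen = state.get(name, {"offset": 0, "sha256": _digest(b"")})
        offset = seen["offset"]
        if len(data) < offset:
            # Audit files are append-only; a shorter file means lost records.
            alerts.append((name, "truncated"))
            offset = 0
        elif _digest(data[:offset]) != seen["sha256"]:
            # The part already archived no longer matches what is on disk.
            alerts.append((name, "rewritten"))
            offset = 0
        if len(data) > offset:
            send(name, offset, data[offset:])
        state[name] = {"offset": len(data), "sha256": _digest(data)}

    # Files shipped earlier that are no longer in the directory: alert once.
    for name in sorted(set(state) - set(present)):
        if not state[name].get("missing"):
            alerts.append((name, "missing"))
            state[name]["missing"] = True

    # Write the state atomically so an interrupted run cannot corrupt it.
    tmp = state_path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, state_path)
    return alerts
```

The remote archive keeps the original bytes even when a later pass reports `rewritten` or `truncated`, so the two copies can be compared during an investigation.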

Similar Messages

  • Attribute Encryption in the Audit log

    All,
    I am encrypting attributes so sensitive data is encrypted at rest. Found out that the audit log doesn't encrypt these attributes. It encrypts userpassword, but not these. Is there a setting or configuration I can extend that will encrypt these attributes in the audit file?
    And if there is, what happens if I need to expand the list of encrypted attributes?
    I am currently running v 6.3.x, and in process of upgrading to ODSEE 11g.x
    Frank

    Hello,
    as far as I can understand, I'm afraid that what you're trying to accomplish is not possible, since attribute encryption is something that happens 'within the Directory Server instance, between the protocol and the DB'... so the information is sent in clear over the protocol, and this is what the audit log captures. According to the official product documentation:
    http://docs.oracle.com/cd/E19261-01/820-2763/bcaeg/index.html
    "Attribute encryption protects sensitive data while it is stored in the directory. Attribute encryption allows you to specify that certain attributes of an entry are stored in an encrypted format. This prevents data from being readable while stored in database files, backup files, and exported LDIF files.
    With this feature, attribute values are encrypted before they are stored in the Directory Server database, and decrypted back to their original value before being returned to the client. You must use access controls to prevent clients from accessing such attributes without permission, and SSL to encrypt the attribute values when in transit between the client and Directory Server."
    HTH,
    Marco

  • Same Application Error - while checking the auditing log report in site settings

    dear all,
    I am getting application error - when I am checking the audit log report from
    Site Settings ->Audit log->Run a custom report ->In the save location - when I click browse button.
    Any inputs to solve the issue will be helpful?
    Cheers
    Sathya

    Hi,
    Try to configure audit settings for a site collection as the link below:
    https://support.office.com/en-us/article/Configure-audit-settings-for-a-site-collection-f5a346d0-ee0f-4412-a5e6-d9b5abaa1012
    Or check the blogs below:
    http://sharepointthomas.blogspot.com/2011/07/how-to-enable-audit-functionality-in.html
    http://www.codeproject.com/Articles/431342/Auditing-A-Built-in-Feature-of-SharePoint
    Did you check the ULS log?
    Best Regards,
    Dennis Guo
    TechNet Community Support

  • An error occurred while trying to access the audit log

    Hi I have run Set-Mailbox ian.shapton -AuditOwner Update, Move, MoveToDeletedItems, SoftDelete, HardDelete
    I then created and deleted an email and ran Search-MailboxAuditLog -Identity "ian shapton" -LogonTypes Owner -StartDate "12/21/2014 12:00" -EndDate "12/21/2014 13:00" -ShowDetails
    I see An error occurred while trying to access the audit log. For more details, see the inner exception.
        + CategoryInfo          : NotSpecified: (:) [Search-MailboxAuditLog], AuditLogException
        + FullyQualifiedErrorId : [Server=Mailbox01,RequestId=07f17915-f25d-4fd5-b23e-f07a2482f4a4,TimeStamp=21/12/2014 16:45:39] [FailureCategory=Cmdlet-AuditLogException] 255D6156,Microsoft.Exchange.Management.SystemConfigurationTasks.SearchMailboxAuditLog
    MSExchange CmdletLogs shows Microsoft.Exchange.Data.ApplicationLogic.AuditLogServiceException: The Exchange Web Service returned an error while trying to access the audit log. Reason: 'Error','ErrorTimeoutExpired','The search operation could not be completed within the allotted time limit. Please try to narrow down your scope to reduce the result set.'.
    I am a Recipient Admin and Org Admin and can search other mailboxes using -LogonTypes Delegate
    Any idea what I am missing here?
    shapi

    Hi,
    I have the same problem when I run the Search-MailboxAuditLog command. It has been working for 2 weeks but suddenly after moving databases from one datacenter to another and back again it stopped working. The account running the command is in all necessary roles needed.
    This is what I have tested after it stopped working:
    - Search-MailboxAuditLog -Identity "xxxxxxx" -LogonTypes Delegate -StartDate (Get-Date).Adddays(-1) = Works
    - Search-MailboxAuditLog -Identity "xxxxxxx" -LogonTypes Delegate -StartDate (Get-Date).Adddays(-1) -showdetails = does not work and comes with an error.
    "The Exchange Web Service returned an error while trying to access the audit log. Reason: 'Error','ErrorTimeoutExpired',
    'The search operation could not be completed within the allotted time limit. 
    Please try to narrow down your scope to reduce the result set.'."
    This is very bad for us because we use a lot of shared mailboxes with delegates and want to report delegate action on these mailboxes.
    Environment:
    - 3 datacenters
    - Exchange 2013 CU7
    Thorir
    thorir

  • SQLException in the audit log for the Message Display Tool

    Hi
    I'm a newbie in PI technology, and I have some issues when I try to do the following.
    This is the scenario:
    I need to connect two systems: on one side I have SAP, and on the other side I have ADI (legal system), so I use PI for the communication. PI receives the data from SAP by means of an ABAP proxy; up to this point everything is correct. Then I do the mapping of the data and I send a message to ADI (with the SAP XI Runtime Workbench) by means of the JDBC adapter. If I check the sent message with the "Message Display Tool", it shows that the message was sent (status "Delivered"), but if I check the received messages option, the audit log displays the following five errors:
    Error: Could not execute statement for table/stored proc. "FADIA4" (structure "StatementFADIA4") due to java.sql.SQLException: FADIA4 in FILEMET not valid for operation.
    Error: JDBC Message processing failed, due to Error processing request in sax parser: Error when executing statement for table/stored proc. 'FADIA4' (structure 'StatementFADIA4'): java.sql.SQLException: FADIA4 in FILEMET not valid for operation.
    Error: MP: exception caught with cause com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error processing request in sax parser: Error when executing statement for table/stored proc. 'FADIA4' (structure 'StatementFADIA4'): java.sql.SQLException: FADIA4 in FILEMET not valid for operation.
    Error: Adapter Framework caught exception: null
    Error: Delivering the message to the application using connection JDBC_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error processing request in sax parser: Error when executing statement for table/stored proc. 'FADIA4' (structure 'StatementFADIA4'): java.sql.SQLException: FADIA4 in FILEMET not valid for operation..
    Does anybody know what the problem might be? Could the problem be on the side of the legal system? Inside PI, when I do the Test Configuration in the Integration Directory, the test ends successfully.
    Any comment is well received!!
    Thanks,
    Vicman
    P.D. Sometimes the error is: java.sql.SQLException: Token ) was not valid. Valid tokens: DAY PATH YEAR LABEL MONTH OPTION RESULT CONNECTION TRANSACTION.
    What does it mean?

    Hi Pooja,
    thanks for your quick response!
    XML sent:
    <?xml version="1.0" encoding="UTF-8"?>
    <ns0:MT_PgDocVentaECC_req xmlns:ns0="http://gmodelo.com/ECC/enviarCobranza">
       <DT_DatosDeControl>
          <MIDDLEWARE_ID/>
          <QUICK_ID/>
          <INTERFACE_NAME/>
          <MESSAGE_ID/>
          <LOG_ID/>
          <USER_ID/>
          <SOURCE_SYSTEM/>
          <TARGET_SYSTEM/>
       </DT_DatosDeControl>
       <DT_PagoDocVentaECC>
          <VKORG>TVKO</VKORG>
          <VKBUR>TVBUR</VKBUR>
          <VKBUR1>TVBUR</VKBUR1>
          <ROUTE>TVRO</ROUTE>
          <ROUTE1>TVRO</ROUTE1>
          <BLART>Q</BLART>
          <BELNR>100</BELNR>
          <WRBTR>200</WRBTR>
          <LFART>100</LFART>
          <VBELN>100</VBELN>
       </DT_PagoDocVentaECC>
    </ns0:MT_PgDocVentaECC_req>
    this is the XML received:
    <?xml version="1.0" encoding="UTF-8"?>
    <ns1:MT_PgDocVentaADI_req xmlns:ns1="http://gmodelo.com/ADI/recibirCobranza">
    <StatementFADIA7>
    <FADIA7action="INSERT">
    <Table>FADIA7</Table>
    <Access>
    <NUMCIA>123</NUMCIA>
    <NUMALM>234</NUMALM>
    <SUBALM>300</SUBALM>
    <CVETOP>16</CVETOP>
    <FOLOPV>22</FOLOPV>
    <SECOVA></SECOVA>
    <IMPOVA>200</IMPOVA>
    <ALMOVA>5678</ALMOVA>
    <SUBOVA>21</SUBOVA>
    <TOPOVA>21</TOPOVA>
    <FOPOVA>41</FOPOVA>
    <FECOVA>100</FECOVA>
    <STSOVA> </STSOVA>
    </Access>
    </FADIA7></StatementFADIA7>
    </ns1:MT_PgDocVentaADI_req>
    What do you think about it? Anything wrong?

  • How to change Start and End Date and time in the Audit log ???

    Install C2S BM39SP1. Work.
    Go to the: https://bmserver:8009
    Open : VPN Monitor | Audit log information.
    Problem - cannot change Date and time in the Audit Log Start(End)
    How can I do this?
    How can I get an every-day stat log:
    login ; date_time_login ; date_time_logout ; bite_in ; bite_out
    Serg

  • Content of the Audit Log

    Hello,
    It seems that the text of the audit log is contained in table xi_af_msg_audit in the J2EE schema under field text_key.
    If I access this key directly from the database it seems to be unnecessarily long, with a lot of blank space padding.
    Is it possible to control what is recorded in this field and hence what is displayed in the Audit Log?
    Kind regards,
    Peter

    You can simply use the AuditMessageKey class to write your own audit log entries. A similar code would be
    AuditMessageKey auditMKey = new AuditMessageKey(message.getMessageId(), AuditDirection.INBOUND);
    Audit.addAuditLogEntry(
        auditMKey,
        AuditLogStatus.SUCCESS,
        "Custom Message");
    Regards,
    Prateek

  • Extending the Audit Log

    Hi folks!
    I'm setting up a workflow that grants a role to a user that includes a basic approval.
    The audit log for the workflow only seems to include the reason given when approving or declining the role. For my client's purposes, both the reason for wanting the role and the final decision need to be recorded.
    My thought is that I can prepend the initial request reason (Which we have already transferred to a temporary attribute) to the final Reason (MX_REASON I believe) however I'm not sure when I can slip this into the workflow.
    Has anyone done something similar to this before or have any ideas about another methodology? 
    For various reasons we need to keep with the basic approval.
    Thanks,
    Matt

  • How to check the audit logs

    Hi,
    I would like to know the "lastsucessfullogindate" for portal users.
    I came across that this is present in the UME APIs
    but this method is deprecated.
    Does this information also come in the security audit logs?
    If yes, then how should auditing be done?
    Regards
    Manoj

    Hi Manoj,
    well sort of, you can look up, when a certain person did log in. The last log in then is the date you are looking for. There is however no log saying User X last successful log in at ....
    The info what is getting logged can be found in the docs: http://help.sap.com/saphelp_nw2004s/helpdata/en/03/37dc4c25e4344db2935f0d502af295/frameset.htm
    The location of the log files is also described in the docs: http://help.sap.com/saphelp_nw2004s/helpdata/en/a0/58db515b95b64181ef0552dc1f5c50/frameset.htm
    regards,
    Patrick

  • Getting From unity the audit log configurations

    Hi,
    I am trying to get from unity the configurations regarding audit log
    if it enabled or purge enabled, number of files or file sizes ....
    Anybody have an idea?
    thanks

  • While fetching the Audit Log programmatically, the last downloaded document is not fetched from the Auditing Log. To update the events it is taking 5 to 10 mins. After that I can fetch the data. Is there any way to refresh the log to be reflected immediately?

    SPAuditQuery wssQuery = new SPAuditQuery(SPContext.Current.Web.Site);
    wssQuery.RestrictToUser(SPContext.Current.Web.CurrentUser.ID);
    wssQuery.AddEventRestriction(SPAuditEventType.View);
    wssQuery.RestrictToList(list);
    // Set the query date range
    wssQuery.SetRangeEnd(DateTime.Now);
    wssQuery.SetRangeStart(DateTime.Now.AddMinutes(-30)); // To get the last 30 mins of data
    SPContext.Current.Web.Site.Audit.Update();
    SPContext.Current.Web.Update();
    SPAuditEntryCollection auditCol = SPContext.Current.Web.Site.Audit.GetEntries(wssQuery);

    From your response, I understood that the coding is okay, so no need to change the code.
    I am not sure what/how to validate the lag. Can you please suggest in more detail?
    One more thing observed based on the below steps
    1. Downloaded 3 documents sequentially
    2. Gave pause for 15 seconds
    3. Downloaded next 2  documents sequentially
    4. Executed my above mentioned program
    Result : Fetched only first 3 documents, documents which are downloaded after pause is not retrieved
    5. Generated the custom report (or ) Do new Download
    Result : I can See 5 Documents (In case of 5th step is new download, I can See 5 Documents instead of 6 documents)
    6:  Executed my above mentioned program
    Result : I can See 5 Documents (In case of 5th step is new download, I can See 5 Documents instead of 6 documents)
    Conclusion: Most recent download event is pushed by other relevant(Custom Report Generation or Download or Page Refresh) event
    Am I missing anything to obtain the proper result?

  • Problem with the XI-Audit log entries in the table "XI_AF_MSG_AUDIT"

    Hi,
    I have an async scenario for PO:
    We send IDocs from SAP ERP to a web service via SOAP, and we receive Acks. We use an integration process with a deadline block to catch the errors after the retries (three times) and to send them via e-mail.
    Our problem is the number of audit logs in the table "XI_AF_MSG_AUDIT":
    In the RTW we see only one audit log (with three retries) in an error case. But in the table XI_AF_MSG_AUDIT there are about 76 entries for the same audit log in the error case and about 20 entries in the case of successful processing.
    This number of entries in the table causes problems with the size of the redo log file and with the delete job, of course because of the large size of the table, and therefore problems on the database. The table cannot be controlled. The delete job cannot run and cancels every time due to these redo log problems.
    What can cause that?
    How can it be prevented that so many entries are made in the table "XI_AF_MSG_AUDIT"?
    Best regards
    Gueltekin

    Hi Gueltekin,
    I am only aware of the general property auditLogEnabled of J2EE Engine Service SAP XI AF Core, which controls in general (default = true) that entries in the AF Message Audit log are written at all.
    (see http://help.sap.com/saphelp_nw70/helpdata/en/5c/22ee41c334c717e10000000a155106/frameset.htm)
    I assume that your scenario in the error case is sending up to three messages and for each message the number of audit log infos are created. You might want to check the detailed entries in the log and see where they are coming from; you might use customer modules etc. as well.
    Best regards,
    Silvia

  • Trying to configure syslog process,to write the database audit logs

    Folks,
    Running Oracle 10g R2 on Sun Solaris v 10.
    I am trying to configure my database environment, so it will write all the database audit logs to a location, where Oracle userid on unix cannot modify/delete it.
    To accomplish my goal, so far I have done the following:
    I have set the following parameter with these values
    audit_file_dest /flood/u01/app/oracle/product/10.2.0/db_1/rdbms/audit
    audit_sys_operations TRUE
    audit_trail OS
    Also I asked my system administrator , to make an entry in the syslog.conf file at location /etc
    He made the following entry
    local3.notice /var/log/oraaudit.log
    and restarted the syslog process
    I also made the following entry
    alter system set audit_syslog_level='LOCAL3.NOTICE' scope=spfile and bounced the database.
    But after starting the database, I still don't see any oraaudit.log file at the location /var/log
    Any help will be much appreciated.
    Regards
    Ashish

    Hello Srini,
    I mentioned in my posting , that I already set AUDIT_SYSLOG_LEVEL=LEVEL3.NOTICE value.
    Also the permission on /var/log is such that the Oracle unix userid cannot write to it and that is what I want. Since if Oracle userid can write, it can modify/delete the audit log also, which we are trying to prevent.
    Thanks
    Ashish

  • Need details of people logged on when the Security audit log was deactivated

    Respected Gurus,
    Security audit log was deactivated; I have activated it recently in sm19.
    Now, I should get the details of people logged on when the audit log was deactivated.
    What are the possibilities of Security audit being deactivated?
    Regards,
    Daya.

    Dear Alex,
    Please let me know how to check in ST03N.
    Further, how to retrieve user logon data which is not recorded in the audit files.
    Edited by: Dayananadan Anandan on Nov 12, 2009 10:03 AM

  • The format of Audit log file

    We have a perl script to extract data from Audit log files (Oracle Database 10g Release 10.2.0.1.0) which have the format below.
    Audit file /u03/oracle/admin/NIKKOU/adump/ora_5037.aud
    Oracle Database 10g Release 10.2.0.1.0 - Production
    ORACLE_HOME = /u01/app/oracle/product/10.2.0
    System name:     Linux
    Node name:     TOYDBSV01
    Release:     2.6.9-34.ELsmp
    Version:     #1 SMP Fri Feb 24 16:54:53 EST 2006
    Machine:     i686
    Instance name: NIKKOU
    Redo thread mounted by this instance: 1
    Oracle process number: 22
    Unix process pid: 5037, image: oracleNIKKOU@TOYDBSV01
    Sun Jul 27 03:06:34 2008
    ACTION : 'CONNECT'
    DATABASE USER: 'sys'
    PRIVILEGE : SYSDBA
    CLIENT USER: oracle
    CLIENT TERMINAL:
    STATUS: 0
    After we updated the db from Release 10.2.0.1.0 to Release 10.2.0.4.0, the format of the Audit log file was changed to something like below.
    Audit file /u03/oracle/admin/NIKKOU/adump/ora_1897.aud
    Oracle Database 10g Release 10.2.0.4.0 - Production
    ORACLE_HOME = /u01/app/oracle/product/10.2.0
    System name:     Linux
    Node name:     TOYDBSV01
    Release:     2.6.9-34.ELsmp
    Version:     #1 SMP Fri Feb 24 16:54:53 EST 2006
    Machine:     i686
    Instance name: NIKKOU
    Redo thread mounted by this instance: 1
    Oracle process number: 21
    Unix process pid: 1897, image: oracle@TOYDBSV01
    Tue Oct 14 10:30:29 2008
    LENGTH : '135'
    ACTION :[7] 'CONNECT'
    DATABASE USER:[3] 'SYS'
    PRIVILEGE :[6] 'SYSDBA'
    CLIENT USER:[0] ''
    CLIENT TERMINAL:[7] 'unknown'
    STATUS:[1] '0'
    Because we have to rewrite the perl script, could anyone tell us where we can find the manual to describe the format of the Audit log file.

    Oracle publishes views of the audit trail data. You can find a list of the views for the 11.1 database here:
    http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#BCGIICFE
    The audit trail does not really change between patchsets as that would constitute underlying structure changes and right now, the developers are not allowed to change the underlying structure of tables in patchsets. But, we can change what may be displayed in a column from patchset to patchset. For example, we are getting ready to update the comment$text field to display more information like dblinks and program names.
    I personally don't like overloading the comment$text field like that, but sometimes when you need the information, that is the only choice except to wait for the next major release :)
    As for the output of the audit log files, those can change between patchsets because of bugs that were found and some changes to support Audit Vault. My apologies out there for anyone that is reading the audit files written to the OS directly, I would recommend using the views.
    Hope that helps. Tammy
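
A parser that reads both record layouts quoted in the question above (plain `KEY : value` from 10.2.0.1.0 and `KEY :[len] 'value'` from 10.2.0.4.0), given here as an added example that is not part of the original thread and in Python rather than the poster's Perl. The sample text is copied from the two excerpts in the post; the function names and the length check are this example's own assumptions, and since the file layout can change between patchsets the parser ignores any line it does not recognise.

```python
import re
from datetime import datetime

# Record copied from the 10.2.0.1.0 excerpt in the post above.
OLD_SAMPLE = """\
Unix process pid: 5037, image: oracleNIKKOU@TOYDBSV01
Sun Jul 27 03:06:34 2008
ACTION : 'CONNECT'
DATABASE USER: 'sys'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL:
STATUS: 0
"""

# Record copied from the 10.2.0.4.0 excerpt in the post above.
NEW_SAMPLE = """\
Version:     #1 SMP Fri Feb 24 16:54:53 EST 2006
Unix process pid: 1897, image: oracle@TOYDBSV01
Tue Oct 14 10:30:29 2008
LENGTH : '135'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'SYS'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[0] ''
CLIENT TERMINAL:[7] 'unknown'
STATUS:[1] '0'
"""

# A line holding only a timestamp starts a new audit record.
TS_RE = re.compile(
    r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}$")
# Upper-case key, optional [declared length], then the value.
FIELD_RE = re.compile(r"^([A-Z][A-Z ]*?)\s*:\s*(?:\[(\d+)\])?\s*(.*)$")


def parse_audit_text(text):
    """Return one dict per record: timestamp, fields, length_mismatch."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if TS_RE.match(line):
            current = {"timestamp": datetime.strptime(line, "%a %b %d %H:%M:%S %Y"),
                       "fields": {}, "length_mismatch": []}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or not m:
            continue  # file header or a line in an unknown layout
        key, declared, value = m.group(1), m.group(2), m.group(3).strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        # The newer layout declares the value length; a mismatch means the
        # value was cut off, spans several lines, or was edited afterwards.
        if declared is not None and int(declared) != len(value):
            current["length_mismatch"].append(key)
        current["fields"][key] = value
    return records


def privileged_connects(records):
    """(ISO timestamp, upper-cased user) for each SYSDBA/SYSOPER CONNECT."""
    return [(r["timestamp"].isoformat(), r["fields"].get("DATABASE USER", "").upper())
            for r in records
            if r["fields"].get("ACTION") == "CONNECT"
            and r["fields"].get("PRIVILEGE") in ("SYSDBA", "SYSOPER")]
```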
