Reporting on ADFS Audit Events

Similar Messages

• OpsMgr EventId 26007 on Domain Controllers "The EventLog service reported that the Security event log on computer ' ' is corrupt."

  Hi,
  We are receiving several eventids '26007' from the OpsMgr log on our Domain Controllers, also eventids '26008' with similar description are logged
  The EventLog service reported that the Security event log on computer '<Domain Controller Computer>' is corrupt. The Windows Event Log Provider will attempt to recover by re-opening log.
  I'll appreciate any suggestion in order to solve this issue.
  Regards.

  I guess this issue is caused by event ID 4661 is corrupted in security event log.
  Please check if you have many 4661 events in security event log and XML view cannot be viewed.
  Running the below command on DC will disable the auditing of the SAM Object access. This should stop the Event ID 4661 from being logged which should stop the Alert regarding corrupt Event log:
  auditpol /set /subcategory:"SAM" /success:disable /failure:disable
  Regards,

• AccAD Audit events - explained

  Here is a list of messages
  "DEVICE_ACTIVATED" generated during startup of AccAD device
  "DEVICE_UNACTIVATED" generated during shutdown of AccAD device
  "LINK_ESTABLISHED" every time one AccAD device connected to other - Wed Dec 7 07:23:33 0 INFO LINK_ESTABLISHED INFO_LOGS Link [1001,1002] is operational
  "LINK_CANCELED"  - every time connection between AccAD devices broken - Wed Dec 7 07:23:33 0 INFO LINK_CANCELED INFO_LOGS Link [1001,1002] failed
  "POLICY_DOWNLOAD_FAILURE" AccAD device failed to download policy part from repository
  "POLICY_EXECUTION_FAILURE" AccAD device failed to execute part of policy
  "SERVICEONHOST_NOT_FUNCTIONING" Backend is not available for communication ( communication failure reason is provided ) Tue Dec 6 13:12:32 WARNING SERVICEONHOST_NOT_FUNCTIONING INFO_LOGS Connection timed out 172.16.60.21:80
  "SERVICEONHOST_ACTIVATION_DETECTED" Communication problems with backend was fixed e.g. backend is available again - Tue Dec 6 13:12:40 2011 WARNING SERVICEONHOST_ACTIVATION_DETECTED INFO_LOGS  Restored connection to server 172.16.60.21:80
  "SRM_CONNECTOR_NOT_FOUND_ERROR" Reported each time when for particular service connector not found ( connector is a part of AccAD that creates sockets for communication with backend
  "SRM_HTTP_AGGREGATION_TIMEOUT_ERROR" Generated in case if aggregation process in socket is failed with timeout e.g. client or backend stops to send HTTP header for example
  "SRM_HTTP_HEADER_PROCESSING_ERROR" Received HTTP header is too long or in wrong format
  "SUSPECTED_FLOOD" Currently unused, reserved for cases when download rate of sockets was adjusted
  "VLM_SSL_VERIFICATION_FAIL" Generated when other AccAD device certificates are incorrect, could be DoS attack or attempt to hack
  "VLM_DEVICE_ID_VERIFICATION_FAIL" Generated when device id in certificate is different from actual device id
  "VLM_VERSION_VERIFICATION_FAIL" Generated when versions of AccAD devices are different
  "VLM_INCORRECT_CONFIGURATION" Currently unused, reserved for cases of VMlink Manager misconfiguration, for example number of streams requested by user are unsupported
  "VLM_ACCEPT_FAIL" AccAD Link / tunnel could not accept incoming connections or incoming connection is problematic. For example, two AccAD devices with same device id tries to connect to this device. Most popular reason for this audit event is incorrect link ip or port.
  "VLM_CONNECT_FAIL" AccAD device fails to connect to specified AccAD device due various reasons e.g. check audit events generated by other device or check link ip / port
  "COMPRESSION_ERROR" Compression / Decompression / Online Offline analysis errors reported under this category
  "NODE_IN_CLUSTER_NOT_FUNCTIONING" One of nodes in backend cluster are not available
  "NODE_IN_CLUSTER_ACTIVATION_DETECTED" node in backend cluster become available

  Kenneth,
  By default, the events are generated in GMT-0 timezone to allow distributed environment with machines in different timezones to record a coherent time.
  You can add a formula in your reports to adjust to your timezone.
  Regards,
  Julian

• CSA 6 Continuing Audit Events on Hosts with Non-Audit Policies

  I have two groups for desktop PCs, with the same policies. In the group I'm using for auditing, most policies are set to audit mode -- at policy level, not rule module level. In the other group, those same policies are not in audit mode.
  The original agent kit included membership in both groups, but hosts now belong to one group or the other. The hosts are all polling frequently and are up to date, as is rule generation.
  But in the event log, certain events on hosts that are not in the audit group are reporting as "Audit:" events. Why am I getting audit events on hosts in the group where policies are not in audit mode?

  Thank you, Tom, for your reply. Looking at the group details screen in CSA 6, and referencing the Policy Audit Mode documentation, attached policies can be set to audit mode for a group, on a per-policy basis.
  I'm seeing logged Audit: events on hosts belonging solely to a group that is not in audit mode, its policies are not in audit mode and the underlying rule modules are not in audit mode. Yet audit events continue in the log for those hosts.
  Carole

• Need Report in Training and Event Management

  Dear All,
  I want a report in Training and Event Management consisting of attendee name and training date and venue details, price for training event and would like to know any standard report available.
  Kindly let me know the std report name.
  Thanks and Regards
  Suresh,V

  Hi!
  for all reports try T-code : SAP1 ( Report Selection ) & SAP2 ( Info catalog ) here you will get all the standard reports available for that module .
  Regards
  Sheetal
  Edited by: sheetal Gulati on May 14, 2009 7:51 AM

• Unable to capture Exchange Mailbox Auditing events for email creation

  We are looking to capture Owner mailbox auditing events using the native Exchange 2013 auditing tools (Search-MailboxAuditLog). I have auditing enabled with all actions for Owner, and capture items performed via Outlook, except for new emails created.
  If I create new emails via OWA, I am able to capture the event, but as soon as I go back to Outlook and create a new message, I don’t see anything audited. I also tried this is our Dev environment and seeing the same behavior. Has anyone else experience this
  behavior?

  Hi,
  I have a test in my environment. If I create a message on Outlook as a owner, the mailbox audit logging can't record it.
  If I create a message on Outlook as a delegate, when using the Search-MailboxAuditLog cmdlet to search the audit log, it will be displayed as follows:
  The operation is "SendAs", not "Create".
  Hope this can be helpful to you.
  Best regards,
  If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Amy Wang
  TechNet Community Support

• GENERATING ORACLE REPORT IN ADF

  Hi,
  i need to generate offer letter for student.
  an admin will need to generate offer letter of student bases on their intakeId, branchId, degId, and typeofferletter.
  currently im doing this in adf form. from here how to transfer the information in adf form into offer letter template and print it in pdf?

  Hi,
  actually there are two questions in one:
  1: How to call an Oracle Reports from ADF?
  Answer is to use the Oracle Reports URL to request a report. The data submitted by an ADF form could be passed as URL parameters or - if sensitive information is involved - saved in a temporary table for reports to look it up. Have a look at for an option to download the PDF by referenring the Reports URL http://docs.oracle.com/cd/E23943_01/apirefs.1111/e12419/tagdoc/af_fileDownloadActionListener.html
  2: How to generate PDF from ADF
  Jasper Reports, BI Publisher or POI are the options people use for reporting in ADF. Jasper Reports and BI Publisher allow the creation of PDF documents based on form content submitted from ADF
  Frank

• Report on Opportunity Audit Trail

  We need to write a report on the Audit Trail within opportunities. Has anyone done this? Is it possible in R16 or 17?

  I'm really surprised that this isn't possible. What is the point of the auditing of fields if we can't report on it? How do you handle SOX compliance for customers? Can we get an audit report from Oracle with a special request?
  -Frustrated... :(

• How to trigger a report based on a event/stored proc or sql dts completion

  Post Author: Crystaldev
  CA Forum: Publishing
  I want to run/trigger a crystal report based on file existence or based on a stored proc/sql dts/a value present in a sql table. The way I want to do is schedule a crystal report in crystal enterprise and then run the report based on a event like file existence or based on a sql dts completion or a value existence in a sql table. We are using crystal reports v10.
  I am not sure how we can do this, any help is appreciated. Thanks.

  Hi
  When you click on View Data, at bottom click on Edit button
  It will prompt a connection details tab wherein you can view and modify the connections
  Nik

• How to Show BI report in adf form ?

  How to show bi Report in adf form ?
  (i dont show dashboard in adf form

  Hi,
  check this : http://husaindalal.blogspot.com/2009/11/integrating-bi-publisher-standalone.html
  there are some other helpful links as well:
  http://brendenanstey.blogspot.com/2007/01/adf-faces-and-xml-publisher-success.html
  http://technology.amis.nl/blog/2296/building-a-report-in-xml-publisher
  http://technology.amis.nl/blog/1597/xml-publisher-display-input-parameter-sqllims
  ~Abhijit

• How to generate a PDF report using ADF RichTable?

  Hi,
  I am using JDEVADF_11.1.1.3.PS2_GENERIC_100408.2356.5660. I am displaying my data from db in a JSF Fragment(JSFF) using ADF RichTable component. Actually now I want to generate a PDF report using that data shown in the table on click of a Generate Button. Can anyone please provide me code or sample for that?
  Thanks,
  Vikas

  http://kohlivikram.blogspot.com/2009/04/generate-pdf-report-in-adf.html
  Thanks,
  Navaneeth

• Any way to automatically run discoverer reports based on an event ?

  I am using discoverer 3.1.36. I am trying to automate the
  running of discoverer reports - the objective is to
  automatically run a set of discoverer reports after a particular
  event.
  This is part of a very critical solution for a large bank.
  One of the solution that i am trying is to schedule the set of
  reports for a future date and then after the event has occurred,
  use a trigger to update the scheduled times of these reports.
  But by just updating the 'next run time' field in the
  eul_batch_reports table, there is no effect. The reports still
  run at the initially scheduled time.
  Can any one help me with this? or suggest any alternate
  solutions.
  Thanks in advance
  Sandeep

  you will need a javascript function something like - define in the page header or region header:
  <script type="text/javascript">
  function checkTheBox() {
    document.getElementById('YOURCHECKBOXNAME').checked='checked';
  </script>and then in the form element attributes of your textbox, have an onchange event:
  onChange=checkTheBox();

• Variant "_$$audit-event-count" has not been declared in the current scope.

  I migrated my bpel process manager from Version 2.1.2 [oc4j linux] to 10.1.2.0.0 [using jboss as application server].
  The orabpel schema for 10.1.2.0.0 seems to be a bit different.
  I installed the new schema and then dumped all the data from my previous schema. I also successfully deployed the 2.1.2 processes onto 10.1.2 version.
  I can initiate a new instance of the process, however , the previously completed instances or not completed instances fail with the following error,
  16:28:06,061 INFO [STDOUT] <2006-01-31 16:28:06,061> <ERROR> <default.collaxa.cube> <BaseCubeSessionBean::logError> Error while invoking bean "instance manager": Variant not found.
  The variant "_$$audit-event-count" has not been declared in the current scope. All variants must be declared in the scope before being accessed.
  Any advice is greatly appreciated. Thanks.

  JScript is JavaScript.
  Ah, now there's part of the confusion :)
  If you're asking about a Windows Script Host (WSH) script, you don't have to declare stdin because it's part of the host.
  Ok... So if I understand you correctly, I'm actually programming in J(ava)Script on windows for WSH. Simply trying to call ReadLine fails as well, as it is not defined according to the compiler.
  Be specific: What are you trying to do? Tell what you want to do, not
  how you think it needs to be done.
  which brings me to my current issue: attempting to ReadLine() (in order to get the program to pause for a moment, from
  this example)
  I know I put up a pretty big wall of text back there, sorry about that.
  EDIT: Well, I think I've learned
  about J*script. It sounds like JScript and Javascript are more just versions of ECMAScript.

• In ALV reports how double click event works?

  in ALV reports how double click event works? Explain in detail.....

  hi,
  last lines is used for clicking
  *& Report  Z_SWAS_FUNCTIONAL
  report  z_swas_functional.
  tables: qmel,viqmel,iloa,afko.
  -- global data declerations--
  data: ok_code like sy-ucomm,
        gt_itab type table of zfunctional,
        t_output type table of zfunctional,
        g_container type scrfname value 'CUSTOM_CONTROL',
        grid1  type ref to cl_gui_alv_grid,
        g_custom_container type ref to cl_gui_custom_container,
        e_row type lvc_s_row,
        e_column type lvc_s_col,
        es_row_no type lvc_s_roid.
  *CLASS DECLARATION
  class z_functional definition.
  public section.
  class-methods : handle_double_click
                  for event double_click of cl_gui_alv_grid
                       importing e_row  e_column.
  endclass.
  *CLASS IMPLEMENTATION
  class z_functional implementation.
  method handle_double_click.
         perform handle_double_click using e_row e_column es_row_no.
  endmethod.
  endclass.
  *CODE FOR SELECTION SCREEN
  selection-screen begin of block 84433  with frame title text-t01.
  parameters : n_number like viqmel-qmnum,
                  n_type like qmel-qmart,
                  f_loca like iloa-tplnr,
                  name like qmel-qmnam.
  selection-screen end of block 84433.
                      screen validation event                          *
  at selection-screen on n_number.
    select single *
      from viqmel
        where qmnum eq n_number.
  if sy-subrc ne 0.
    MESSAGE 'NOTIFICATION NUMBER DOESNOT EXIST' TYPE 'E'.
  endif.
  select qmart from qmel into qmel where qmart eq N_TYPE.
  endselect.
  if sy-subrc ne 0.
    MESSAGE 'NOTIFICATION TYPE DOES NOT EXIST' TYPE 'E'.
  endif.
  *START OF SELECTION EVENT
  start-of-selection.
      perform fetchdata.
  end-of-selection.
  *Call screen event
  call screen 100.
  *PERFORM DISPLAY.
  *&      Form  FETCHDATA
        text
  -->  p1        text
  <--  p2        text
  form fetchdata .
  *SELECT VIQMEL~QMNUM VIQMEL~QMTXT VIQMEL~QMDAT VIQMEL~LTRMN VIQMEL~PRIOK
        VIQMELBEZDT VIQMELAUFNR VIQMELTPLNR AFKOGLTRP into corresponding fields of table GT_ITAB
           FROM VIQMEL INNER JOIN AFKO ON VIQMELAUFNR = AFKOAUFNR
                 WHERE VIQMELQMNUM IN N_NUMBER and VIQMELQMART IN N_TYPE AND VIQMEL~QMNAM IN NAME.
  call function 'ZSWAS_TEST'
    exporting
      qmnum         = n_number
     qmart         = n_type
     tplnr         = f_loca
     qmnam         = name
    tables
      output        = gt_itab
  if sy-subrc ne 0.
     message e000(z84433_msg_class).
  endif.
  endform.                    " FETCHDATA
  *&      Module  STATUS_0100  OUTPUT
        text
  module status_0100 output.
    set pf-status 'MAIN'.
  SET TITLEBAR 'xxx'.
  *creating custom container and grid instance
  if g_custom_container is initial.
      create object g_custom_container
             exporting container_name = g_container.
      create object grid1
             exporting i_parent = g_custom_container.
      call method grid1->set_table_for_first_display
        exporting
          i_structure_name = 'ZFUNCTIONAL'
        changing
          it_outtab        = gt_itab.
  *set handler events
      set handler z_functional=>handle_double_click for grid1.
    endif.
  endmodule.                 " STATUS_0100  OUTPUT
  *&      Module  USER_COMMAND_0100  INPUT
        text
  module user_command_0100 input.
  case ok_code.
     when 'EXIT'.
      perform exit_program.
  endcase.
    clear ok_code.
  endmodule.                 " USER_COMMAND_0100  INPUT
  *&      Form  EXIT_PROGRAM
        text
  -->  p1        text
  <--  p2        text
  form exit_program .
  leave program.
  endform.                    " EXIT_PROGRAM
  *&      Form  handle_double_click
        text
       -->P_E_ROW  text
       -->P_E_COLUMN  text
       -->P_ES_ROW_NO  text
  form handle_double_click  using   e_row type lvc_s_row
                                    e_column type lvc_s_col
                                    es_row_no type lvc_s_roid.
  data: t_output type  zfunctional.
      read table gt_itab into t_output index e_row-index .
    if sy-subrc = 0 and e_column-fieldname eq 'QMNUM'.
      set parameter id 'K01' field t_output-qmnum.
      call transaction 'ZSMART' and skip first screen .
    endif.
  endform.                    " handle_double_click
  regards,
  swaroop.

• Solaris 10 with Trusted Extensions - Security Audit Events [short] Descript

  {color:#000000}I know that the security audit events and classes in Solaris 10 have changed when viewing these files: audit_class, audit_event, and audit_control with that of the same files for TSOL8. In order to perform an accurate and acceptable review of the audit events, I need to find either a file or document that provides a short description for each of the audit events within each audit class. Can anyone point me in the right direction or a URL? I have tried to search through the Sun docs and have not yielded any results. {color}

  been there, done that
  The problem is a function of your network definitions. The non-global zones do not have an IP address to match for your global zonename. The error message results from the system established default of the DISPLAY variable failing (DISPLAY=globalzonename:0.0).
  To confirm this, login to the global zone as root and "zlogin -S" to the non-global zone. Once there, the command "netstat -r" should show the IP address of the global zone instead of the expected global zonename. (combine this with a look at your output for "ifconfig -a" within the same non-global zones) Another command you should fail with will be the "getent hosts galaxy". Anyway, if you manually set your DISPLAY variable to the "IP Address" of the globalzonename and execute a "dtterm" ... it should work fine.
  If it does not violate a security policy, I suggest you add the IP address of the global zone to either the /etc/inet/hosts or /etc/inet/ipnodes file within each non-global zone.