Configuring Audit Logs with Registry Parameters
The audit log is designed for auditors who need to take a detailed look at what occurs in the system. By activating the audit log, you keep a record of the activities you consider relevant for auditing. You can access this information later for evaluation.
The audit logs’ main objective is to record:
- Security-related changes to the system environment
- Information that provides a higher level of transparency
- Information that enables the reconstruction of a series of events
Specifically, you can record the following information in the audit log:
- Successful and unsuccessful logon attempts
- Successful and unsuccessful attempts to change user information or access rights
- Successful and unsuccessful access to protected user information
- Changes to the audit configuration
- Changes to the system configuration
- Start and stop of a server process (for example, when AS starts or stops) *
- Start of a user session *
- Opening and closing of a communication channel between a client and a server *
- Rejection of a communication channel request from a client *

* Added in SP06. User session and channel-related events are not applicable in Online Monitoring or Reporting; only CDT, Convergence and SC are covered.
Securing the Audit Log Directory
The audit log contains personal information that may be protected by data protection regulations. System administrators should therefore protect the audit log directory with appropriate operating system user rights to prevent unauthorized access. It is recommended to give only read access to the allowed users. In addition, the directory itself can be audited using operating system auditing tools. Before using the audit log, make sure that you adhere to the data protection laws that apply to your area of application.
By default, audit logs are written into the same directory as trace log files (defined during installation with the virtual unit variable Log Path). To write audit logs into a different directory than the trace logs, set the path in the AuditLogPath registry parameter at the module level.
Audit Events
Each audit event has a type as listed in the table below.
Event Type | Number | Description |
---|---|---|
presence | 1 | Event implies event in presence of a user or device |
config | 2 | Event is related to configuration data or process |
rights | 4 | Event relates to user rights and access control |
modify | 8 | Event implies modifying the indicated information |
read | 16 | Event implies reading the indicated information |
failure | 32 | Event implies that something has failed |
system | 64 | Events relating to server system state, such as starting and stopping a server module. Added in SP06. |
Configuring Audit Logs
Audit logs have their own versions of the formatters, but they use the same technical names as normal logs: bcm, list and glf. Unlike in normal log files, the detailed settings of the audit log formatters cannot be changed; this ensures that audit logs always contain the required information. Audit logs are configured using the registry settings below. They all start with the prefix Audit.
Setting | Description |
---|---|
AuditEventMask | Sets the event mask of the audit log either as a number or a string. In string-formatted mask values, multiple event type names are separated with + or − signs. For example, string value mask for producing only presence, failure and configuration related audit events would be presence+failure+config. |
AuditLogFormatter | For changing the default format of the audit log. |
AuditLogPath | For changing the default path and name of the audit log. |
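
When reviewing a configured AuditEventMask, it helps to convert between the string and numeric forms and to see which event types the mask leaves unaudited. The following is an added example, not code from the product or its documentation. It assumes that a numeric mask is the sum of the type numbers in the Audit Events table and that a − sign removes the named type from the mask. The function names and the review baseline are hypothetical.

```python
import re

# Event type numbers copied from the Audit Events table on this page.
EVENT_TYPES = {
    "presence": 1, "config": 2, "rights": 4, "modify": 8,
    "read": 16, "failure": 32, "system": 64,
}
ALL_TYPES = sum(EVENT_TYPES.values())  # every documented bit set

_MASK_RE = re.compile(r"\s*[+-]?\s*[a-z]+(\s*[+-]\s*[a-z]+)*\s*")


def parse_mask(value):
    """Convert an AuditEventMask value (number or name string) to an int."""
    text = str(value).strip().replace("\u2212", "-")  # typographic minus
    if text.isdigit():
        mask = int(text)
        if mask & ~ALL_TYPES:
            raise ValueError(f"mask {mask} sets bits with no documented type")
        return mask
    if not _MASK_RE.fullmatch(text):
        raise ValueError(f"malformed mask string: {value!r}")
    mask = 0
    for sign, name in re.findall(r"([+-]?)\s*([a-z]+)", text):
        bit = EVENT_TYPES.get(name)
        if bit is None:
            raise ValueError(f"unknown event type: {name!r}")
        # Assumption: '-' removes the named type from the mask built so far.
        mask = mask & ~bit if sign == "-" else mask | bit
    return mask


def decode_mask(mask):
    """List the event type names enabled in a numeric mask."""
    return [name for name, bit in EVENT_TYPES.items() if mask & bit]


def missing_types(configured, required):
    """Event types a review baseline requires but the configured mask omits."""
    return decode_mask(parse_mask(required) & ~parse_mask(configured))


if __name__ == "__main__":
    configured = "presence+failure+config"          # example from this page
    baseline = "presence+rights+failure+system"     # constructed baseline
    print(parse_mask(configured), decode_mask(parse_mask(configured)))
    print("not audited:", missing_types(configured, baseline))
```

With the page's example mask, changes to user rights and server start and stop events are not recorded, which is the kind of gap this check surfaces before an audit depends on the log.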