OpenTP1 Version 7 Operation


3.7.6 Examples of audit log operation

An auditing policy that utilizes audit logs requires that you retain all the audit logs produced by the system. For this reason, backups must be taken of any audit log files deleted in the course of file rotation, and measures such as stopping the system must be put in place in case audit log acquisition fails. We recommend that these tasks be carried out automatically by using an operation management program such as JP1. By using JP1/NETM/Audit, audit logs located on multiple hosts can be automatically collected and centrally managed.

This section describes examples of working with audit logs by linking with an operation management program such as JP1.

Organization of this subsection
(1) Example of operation in which audit logs are backed up automatically
(2) Example of operation in which the system is stopped when audit log output fails
(3) Example of operation in which audit logs are collected automatically and centrally managed

(1) Example of operation in which audit logs are backed up automatically

When the destination file for audit log output is changed, a message reporting this fact is output to standard output and syslog. An operation management program such as JP1 can monitor for this message and back up files automatically when it appears.

The following figure shows the process of automatic audit log backup using an operation management program.

Figure 3-23 Flow of automatic audit log backup

[Figure]

  1. The file serving as the output destination for audit logs (current file) is swapped out and becomes a backup file.
  2. OpenTP1 outputs a message (KFCA01925-I) reporting that the output destination for audit logs has changed.
  3. JP1 or another operation management program detects that the message has been output.
  4. JP1 or another operation management program acquires the old audit log file.

(2) Example of operation in which the system is stopped when audit log output fails

An operation management program such as JP1 can monitor for messages that report failed attempts to output audit logs, and stop the system automatically if they appear.

The following figure shows the process of shutting down the system automatically when audit log output fails.

Figure 3-24 Flow of automatic system shutdown when audit log output fails

[Figure]

  1. OpenTP1 fails in an attempt to output an audit log entry, due to an error.
  2. OpenTP1 outputs an error message (KFCA01921-E to KFCA01924-E) reporting that audit log output has failed.
  3. JP1 or another operation management program detects that the message has been output.
  4. JP1 or another operation management program shuts down OpenTP1.
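The two monitoring flows above, (1) backing up the rotated file when KFCA01925-I appears and (2) stopping the system when KFCA01921-E to KFCA01924-E appear, share the same detection step, so the following added example (not part of the OpenTP1 manual and not JP1 code) implements both in one small Python monitor. Only the message IDs come from the page; the syslog line layout, the "old=<path>" field carrying the previous audit log file name, and the sample lines are constructed assumptions, and the shutdown action is a caller-supplied callback because the page does not name the stop command.

```python
import re
import shutil
import tempfile
from pathlib import Path
from typing import Callable, List, Optional, Tuple

# Message IDs from the OpenTP1 manual: KFCA01925-I reports that the audit log
# output destination changed (rotation); KFCA01921-E to KFCA01924-E report
# that audit log output failed.
ROTATION_MSG = re.compile(r"\bKFCA01925-I\b")
OUTPUT_FAILED_MSG = re.compile(r"\bKFCA0192[1-4]-E\b")
MSG_ID = re.compile(r"\bKFCA\d{5}-[A-Z]\b")
# Assumption: the rotation message names the file that just became the backup
# as "old=<path>". This field layout is constructed for the example.
OLD_FILE = re.compile(r"old=(\S+)")

# Constructed sample syslog lines (message text after the ID is invented).
SAMPLE_SYSLOG = """\
Jan 10 09:00:01 tp1host OpenTP1: KFCA01925-I Audit log output destination changed. old=/var/opentp1/audit/audit.1
Jan 10 09:00:02 tp1host OpenTP1: KFCA00001-I Unrelated informational message
Jan 10 09:05:00 tp1host OpenTP1: KFCA01923-E Failed to output an audit log entry. errno=28
"""


def classify(line: str) -> Optional[str]:
    """Return 'rotated', 'output_failed', or None for one syslog line."""
    if ROTATION_MSG.search(line):
        return "rotated"
    if OUTPUT_FAILED_MSG.search(line):
        return "output_failed"
    return None


def backup_rotated_file(line: str, backup_dir: Path) -> Optional[Path]:
    """Copy the file named in a rotation message into backup_dir (step 4 of flow 1)."""
    m = OLD_FILE.search(line)
    if not m:
        return None
    src = Path(m.group(1))
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / src.name
    shutil.copy2(src, dest)  # copy2 keeps the original timestamps
    return dest


def monitor(lines, backup_dir: Path,
            shutdown: Callable[[str], None]) -> List[Tuple[str, str]]:
    """Process syslog lines and return the actions taken, in order.

    On a rotation message the old file is backed up; on an output-failure
    message the shutdown callback is invoked and monitoring stops, since the
    retention policy is no longer satisfiable once entries are being lost.
    """
    actions: List[Tuple[str, str]] = []
    for line in lines:
        kind = classify(line)
        if kind == "rotated":
            dest = backup_rotated_file(line, backup_dir)
            actions.append(("backup", dest.name if dest else "missing-path"))
        elif kind == "output_failed":
            shutdown(line)
            actions.append(("shutdown", MSG_ID.search(line).group(0)))
            break
    return actions


def demo() -> Tuple[List[Tuple[str, str]], int]:
    """Run the monitor over the constructed sample inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        old = root / "audit.1"
        old.write_text("constructed audit record\n")
        backup_dir = root / "backup"
        # Point the constructed rotation message at the temporary file.
        lines = [l.replace("/var/opentp1/audit/audit.1", str(old))
                 for l in SAMPLE_SYSLOG.splitlines()]
        shutdown_calls: List[str] = []
        actions = monitor(lines, backup_dir, shutdown_calls.append)
        copied = (backup_dir / "audit.1").read_text() == "constructed audit record\n"
        return actions, len(shutdown_calls) if copied else -1


if __name__ == "__main__":
    print(demo())
```

The monitor stops reading after the first output-failure message because, as the page notes, the system is being shut down at that point; in a real deployment the callback would run the site's OpenTP1 stop procedure, and the rotation handler would copy to storage that is itself protected from deletion.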

(3) Example of operation in which audit logs are collected automatically and centrally managed

By using JP1/NETM/Audit as an operation management program, you can collect audit logs automatically, and manage them from a centralized viewpoint. This provides a simple way to retrieve and summarize audit logs gathered from multiple servers, and output the results. The following figure shows an example of the process of collecting and centrally managing audit logs using JP1/NETM/Audit.

Figure 3-25 Example of collecting and centrally managing audit logs using JP1/NETM/Audit

[Figure]

In this example, the audit logs output by a number of OpenTP1 servers to their respective disks are collected automatically by an audit log management server. The audit logs collected by the audit log management server are managed centrally as an audit log management database.

The following table shows the JP1 series products required to link with JP1/NETM/Audit.

Table 3-29 JP1 series products required for linkage with JP1/NETM/Audit

JP1 series product: JP1/NETM/Audit
  Function: Links with JP1/Base to collect the audit logs output by OpenTP1 servers. Also centrally manages the audit logs it collects as a database on an audit log management server.
  Location: Audit log management server

JP1 series product: JP1/Base
  Function: Sends and receives the output audit logs as JP1 events.
  Location:
    • Audit log management server
    • OpenTP1 servers

The automatic collection of audit logs can take place at the following times:

The setup required on the OpenTP1 servers and the audit log management server is as follows:

Setup required on OpenTP1 servers
Perform the following setup on the OpenTP1 servers:
  1. Set up JP1/Base.
  2. Copy the JP1/Base adapter command file, and the definition files required for command execution, from the audit log management server to each OpenTP1 server where you intend to collect audit logs.
  3. Start the event service.

Setup required on audit log management server
JP1/NETM/Audit support is provided as standard in OpenTP1, allowing you to set OpenTP1 as the target for collection of audit information by JP1/NETM/Audit.
The product definition file and operation definition file which JP1/NETM/Audit uses to collect log information from OpenTP1 are stored in the following locations:
  • Location of product definition file:
    installation-directory/jp1_template/JP1_NETM_Audit/OpenTP1.conf
  • Location of operation definition file:
    installation-directory/jp1_template/JP1_NETM_Audit/admjevlog_OpenTP1.conf

For details about the collection and centralized management of audit logs by JP1/NETM/Audit, see the manual for JP1/NETM/Audit.