Hitachi

JP1 Version 11 JP1/Service Level Management Description


7.2.1 Audit log

The audit log is a file to which a history of operations is output. The output data contains information about when operations were performed, who performed them, and what the operations were. SLM obtains information about the operations of users (operation of windows and execution of commands) as an audit log. An audit log that has been output can be utilized as materials for internal control and auditing.

(1) Types of events output in the audit log

The following table shows the types of events output in the audit log and the occasions on which SLM outputs them. The event type is an indicator used within the audit log to categorize the events output to the audit log.

Table 7‒3: Types of events output in the audit log

| Event type | Description | Occurrence of output by SLM |
|---|---|---|
| Authentication | An event indicating successful/failed user authentication. | A user logs in to SLM – Manager; A user logs out from SLM – Manager |
| ConfigurationAccess | An event indicating successful/failed implementation of an administrator or user action such as that for applying changes to settings information. | Start/stop of service monitoring; Start/stop of service detection; Start/stop of web transaction detection; Registration/deletion/reference of service; Update/reference of monitoring settings; Update/reference of configuration information; Registration of monitor item settings for system performance; Registration of availability monitor; Registration/editing/deletion/re-sorting/reference of Web transactions; Addition/editing/deletion of template; Output of CSV file for report |
| ManagementAction | An event indicating the execution of an action or command. | Execution of the following commands: jslmmgrexport; jslmmgrimport; jslmmgrconfig; jslmreport; jslmmgrdbcleanup |

(2) Output format of the audit log

This section explains the output format, output destination, output items, and an output example of the audit log.

Output format

CALFHM x.x, output item 1 = value 1, output item 2 = value 2,..., output item n = value n

Output destination

SLM-Manager-installation-folder\mgr\logs\audit\slmauditN#.log

#: N represents a number from 1 to the number specified for the number of files.

The size and number of audit log files can be changed in the system definition file (jp1itslm.properties or jp1itslmur.properties). For details, see 5.6.1 Editing the system definition files and 5.6.2 Editable definitions.

Output items

The output items fall into the following two categories.

  • Common output items

    Items commonly output by JP1 products that output audit logs.

  • Fixed output items

    Items arbitrarily output by JP1 products that output audit logs.

Common output items

The values output in the common output items and the details of the items are shown in the following table.

Table 7‒4: Common output items of the audit log

| Item number | Output item: item name | Output item: output attribute name | Value | Description |
|---|---|---|---|---|
| 1 | Common specification identifiers | - | CALFHM | Indicator of the audit log format |
| 2 | Common specification revision number | - | x.x | Revision number for managing audit logs |
| 3 | Sequence number | seqnum | Sequence number | Sequence number of the audit log record. In the case of a command, the sequence number will be 1. |
| 4 | Message ID | msgid | Kxxxnnn[n][n]-y | Message ID of the product |
| 5 | Date/time | date | YYYY-MM-DDThh:mm:ss.sssTZD# | Output date/time and time zone of the audit log |
| 6 | Generated program name | progid | JP1SLM | Name of program in which the auditing event has been generated |
| 7 | Generated component name | compid | Manager | Name of component in which the auditing event has been generated |
| 8 | Generated process ID | pid | Process ID | Process ID of process in which the auditing event has been generated |
| 9 | Generated location | ocp:host | Host name | Host identification information of host in which the auditing event has been generated |
| 10 | Event type | ctgry | Authentication; ConfigurationAccess; ManagementAction | Category of auditing event |
| 11 | Result of event | result | Success; Failure | Result of auditing event |
| 12 | Subject identification information | subj:uid | JP1 user name | Information about the user who generated the auditing event |
| 13 | Subject identification information | subj:euid | Windows login user name | Information about the user who generated the auditing event |

(Legend)

-: None.

#: T is a separator for the date and time. TZD is a time zone specifier. One of the following is output.

  • +hh:mm: Indicates being ahead of the UTC by hh:mm.

  • -hh:mm: Indicates being behind the UTC by hh:mm.

  • Z: Indicates being identical to the UTC.

Fixed output items

The values output in the fixed output items and the details of the items are shown in the following table.

Table 7‒5: Fixed output items of the audit log

| Item number | Output item: item name | Output item: output attribute name | Value | Description |
|---|---|---|---|---|
| 1 | Object information | obj | View; Command | Subject of auditing event |
| 2 | Action information | op | Login; Logout; Refer; Re-sort; Add; Delete; Update; Start; Stop; Command | Action information that generated the auditing event |
| 3 | Information about the output source | outp:host | Host name | Host identification information of host that has output the audit log common message |
| 4 | Free description | msg | Text of message corresponding to the message ID | Free description |

Output example

The following shows an output example of an audit log.

CALFHM 1.0, seqnum=1, msgid= KNAS09500-I, date=2015-01-01T15:00:00.000+09:00, 
progid=JP1SLM, compid=Manager, pid=1234, ocp:host=host01, ctgry= Authentication, result=Success, subj:euid=user01, obj= WindowsService, op=Start, outp:host =host01, msg=" Logged in. User name = user01"
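
The following parser for the record format above, with a count of failed Authentication events per user, is an added example and is not taken from the Hitachi manual or from JP1 code. It assumes one record per line and that quoted values contain no embedded double quotes; the function names are hypothetical, and the message ID KNAS00000-E and message text in the two constructed records are placeholders.

```python
import re
from collections import Counter
from datetime import datetime

HEADER = re.compile(r'\s*CALFHM\s+(\d+\.\d+)\s*,')
# name = value; a value is either "quoted" (may hold , and =) or runs to the next comma
ITEM = re.compile(r'\s*([A-Za-z][\w:]*)\s*=\s*(?:"([^"]*)"|([^,]*))\s*(?:,|$)')

def parse_record(line):
    """Parse one CALFHM record into a dict keyed by output attribute name."""
    line = line.strip()
    head = HEADER.match(line)
    if head is None:
        raise ValueError("missing CALFHM header")
    rec, pos = {"revision": head.group(1)}, head.end()
    while pos < len(line):
        item = ITEM.match(line, pos)
        if item is None:
            raise ValueError(f"malformed item at offset {pos}")
        name, quoted, bare = item.groups()
        rec[name] = (quoted if quoted is not None else bare).strip()
        pos = item.end()
    # TZD is +hh:mm, -hh:mm or Z; rewrite Z so fromisoformat() before Python 3.11 accepts it
    rec["date"] = datetime.fromisoformat(re.sub(r"Z$", "+00:00", rec["date"]))
    return rec

def failed_logins(lines):
    """Count Authentication/Failure records per user (subj:uid, else subj:euid)."""
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec["ctgry"] == "Authentication" and rec["result"] == "Failure":
            hits[rec.get("subj:uid") or rec.get("subj:euid", "?")] += 1
    return dict(hits)

# First record: the output example above, joined onto one line. The other two are constructed.
SAMPLE = [
    'CALFHM 1.0, seqnum=1, msgid= KNAS09500-I, date=2015-01-01T15:00:00.000+09:00, '
    'progid=JP1SLM, compid=Manager, pid=1234, ocp:host=host01, ctgry= Authentication, '
    'result=Success, subj:euid=user01, obj= WindowsService, op=Start, outp:host =host01, '
    'msg=" Logged in. User name = user01"',
    'CALFHM 1.0, seqnum=2, msgid=KNAS00000-E, date=2015-01-01T15:02:10.000+09:00, progid=JP1SLM, compid=Manager, pid=1234, '
    'ocp:host=host01, ctgry=Authentication, result=Failure, subj:uid=user02, obj=View, op=Login, outp:host=host01, msg="Login failed, user = user02"',
    'CALFHM 1.0, seqnum=3, msgid=KNAS00000-E, date=2015-01-01T06:02:40.000Z, progid=JP1SLM, compid=Manager, pid=1234, '
    'ocp:host=host01, ctgry=Authentication, result=Failure, subj:uid=user02, obj=View, op=Login, outp:host=host01, msg="Login failed, user = user02"',
]

if __name__ == "__main__":
    print(failed_logins(SAMPLE))
```

The parser tolerates the spaces around the equals sign seen in the output example and keeps commas and equals signs inside the quoted msg value intact.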

(3) Settings for output of the audit log

The settings for output of the audit log are defined with the system definition file (jp1itslm.properties). When not configured, the audit log will not be output. For details on how to edit the system definition file, see 5.6.1 Editing the system definition files.

The items to set with the system definition file are shown in the following table.

Table 7‒6: Items to set with the system definition file

| Item number | Property | Specified content | Permitted range | Default value |
|---|---|---|---|---|
| 1 | loggerAuditEnable | Specifies whether to output the audit log. | true (output), or false (do not output) | false |
| 2 | loggerAuditFileCount | Specifies the maximum number of files for the audit log file. | Integer from 1 to 16 (units: number of files) | 4 |
| 3 | loggerAuditMaxFileSize | Specifies the maximum size of the audit log file. | Integer from 8192 to 4194304 (units: bytes) | 1048576 (1MB) |
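
The following check of the three properties in Table 7‒6 is an added example and is not part of the Hitachi manual or of JP1. It assumes the system definition file uses key=value lines with # or ! comment lines; the function name and both sample file contents are constructed.

```python
# Permitted ranges and default values, taken from Table 7-6
RULES = {
    "loggerAuditFileCount": (1, 16, 4),
    "loggerAuditMaxFileSize": (8192, 4194304, 1048576),
}

def check_audit_settings(text):
    """Return (findings, capacity_bytes) for the text of jp1itslm.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    findings = []
    # The default is false, so an unset property also means no audit log
    if props.get("loggerAuditEnable", "false") != "true":
        findings.append("loggerAuditEnable is not 'true': no audit log is output")
    sizes = []
    for key, (low, high, default) in RULES.items():
        raw = props.get(key, str(default))
        if raw.isdigit() and low <= int(raw) <= high:
            sizes.append(int(raw))
        else:
            findings.append(f"{key}={raw} is outside the permitted range {low}..{high}")
    # File count x maximum file size bounds the audit data kept on disk
    capacity = sizes[0] * sizes[1] if len(sizes) == 2 else None
    return findings, capacity

# Constructed sample: audit properties never set, so the defaults apply
UNSET = "# constructed sample with no audit settings\n"
# Constructed sample: audit log enabled with the largest permitted values
ENABLED = (
    "loggerAuditEnable = true\n"
    "loggerAuditFileCount = 16\n"
    "loggerAuditMaxFileSize = 4194304\n"
)

if __name__ == "__main__":
    for name, text in (("unset", UNSET), ("enabled", ENABLED)):
        print(name, check_audit_settings(text))
```

With the defaults the audit log is off, and even when enabled the default file count and size hold at most 4 MB of records, which matters when the log is kept as audit material.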