A.10 Outputting audit logs
Audit logs in JP1/IT Desktop Management 2 indicate who executed what operations, as well as when and from where those operations were executed. You can use audit logs to evaluate and assess internal controls. Note that the information necessary for running JP1/IT Desktop Management 2 is stored in the audit logs. This topic explains audit logs that are output from management servers. For details about audit logs of the distribution function using Remote Install Manager, see the JP1/IT Desktop Management 2 Distribution Function Administration Guide.
- Tip
-
Audit logs are output not only from JP1/IT Desktop Management 2, but also from other JP1 products and OS (Windows event log). By using JP1/Audit Management - Manager#1 to collect and manage audit logs, you can use audit logs for evaluation and audit of the internal control. You can link with JP1/Audit Management - Manager only when the OS language for the management server is Japanese or English#2.
#1: JP1/Audit Management - Manager is a program that collects and manages audit logs to support evaluation and audit of the internal control for the whole system. In version 9 or earlier, this product was called JP1/NETM/Audit - Manager.
#2: If the language set in the OS of the management server is English, audit logs are output in UTF-8. Therefore, characters in audit logs might not be displayed properly in JP1/Audit Management - Manager.
- Organization of this subsection
(1) Types of events output to audit logs
The following table describes the types of events that are output to audit logs and when JP1/IT Desktop Management 2 outputs audit logs. Events to be output to audit logs are classified by an event type identifier.
|
Event type |
Description |
When JP1/IT Desktop Management 2 outputs audit logs |
|---|---|---|
|
StartStop |
This event type indicates that this is an audit log related to the start and end of software. |
|
|
Authentication |
This event type indicates that this is an audit log related to the authentication results of a JP1/IT Desktop Management 2 - Manager user. |
|
|
ConfigurationAccess |
This event type indicates that this is an audit log related to operations performed by an administrator, such as a user account registration or agent setup. |
|
|
ExternalService |
This event type indicates that this is an audit log related to the results of communication with external services such as Active Directory, mail sending, and the support service site. |
|
|
ContentAccess |
This event type indicates that this is an audit log related to operations such as changing the security policy, exporting device information, or collecting information from the support service. |
|
|
Maintenance |
This event type indicates that this is an audit log related to database operation. |
|
|
ManagementAction |
This event type indicates that this is an audit log related to the following: the results of judgment and of executing action items for security status, and the results of executing action items for smart devices. |
|
(2) Audit log output format
The items of an audit log are output in the following order: "CALFHM", which indicates the output is in the audit log format, the revision number of the audit logs, and related output items. The following table describes the values and details of items output to audit logs.
|
Output item |
Value |
Description |
|
|---|---|---|---|
|
Item name |
Output attribute name |
||
|
Common specification identifier |
-- |
CALFHM |
This identifier indicates that the output is in audit log format. |
|
Common specification revision number |
-- |
1.0 |
The revision number is used to manage audit logs. |
|
Sequence number |
seqnum |
Sequence number |
Sequence number for audit logs |
|
Message ID |
msgid |
An ID of a message that has been made public |
A message ID for each product |
|
Date and time |
date |
Log output date and time |
YYYY-MM-DDThh:mm:ss.sssTZD
|
|
Program name |
progid |
JP1/ITDM2 |
The name of the product in which an event occurred |
|
Component name |
compid |
One of the following is output:
|
The name of the component in which an event occurred |
|
Process ID |
pid |
An ID of a process |
The process ID that detected the occurrence of an event |
|
Location |
ocp:ipv4 or ocp:host |
The IP address or computer name of a management server |
An IP address or host computer name of the server on which an event occurred |
|
Audit event type |
ctgry |
One of the following is output:
|
This identifier classifies events to be output to audit logs. |
|
Audit event results |
result |
One of the following is output:
|
Results of events that occurred |
|
Subject identifier |
subj:uid or subj:euid |
A user account or Administrator |
Information about the user who caused an event to occur |
|
Object information |
obj |
One of the following is output:
|
Information about the object that caused an event to occur |
|
Action information |
op |
One of the following is output:
|
Action information about the user who caused an event to occur |
|
Permissions information |
auth |
Either of the following is output:
|
Permissions information is not output if permissions have not been obtained. |
|
Request source |
from:ipv4 |
An IP address of a computer that performs operations in an operation window |
The IP address of the server on which an event occurred |
|
Message text |
msg |
Any message |
A message that describes an event in detail |
Legend: --: Not applicable
(3) Audit log save format
This section describes the save format for audit logs. Audit logs are output to JDNAUDTn.LOG (where n is a number in the range from 1 through 9).
When the size of a given log file (JDNAUDTn.LOG) reaches a certain level, audit logs are output to a different output file. For example, when the size of JDNAUDT1.LOG reaches a certain level, audit logs are then output to JDNAUDT2.LOG. In this way, output files for audit logs change sequentially. When the size of JDNAUDT9.LOG reaches a certain level, the existing audit logs stored in JDNAUDT1.LOG are deleted, and new audit logs are output to JDNAUDT1.LOG, restarting the sequence.