COSmanager/User Guide/Audit Trails

From Documentation

COSmanager provides comprehensive facilities to manage audit trails and log files produced by COSmanager applications. COSmanager audit trails show:

• what operations were performed through COSmanager, and by whom
• what configuration changes were made to COSmanager applications, and by whom.

You can also use COSmanager to manage log files produced by other applications or the operating system.

Auditing COSmanager Duties, Menus and Jobs

Audit trails provide a historical log of activity in COSmanager applications. For example, attempts to perform a task from the Duty Schedule are logged in the duty_log audit trail, along with:

• the user ID of the person initiating the duty
• the exit status (whether or not the duty succeeded)
• a time-stamp.

Many COSmanager options are logged, in particular those involving adding users, changing privileges, and killing processes. This is done by the audit keyword in the menu description file.

There is also an audit command, which writes a time-stamped message to an audit trail. You can use audit in your own shell scripts to audit various activities outside COSmanager.

Audit Methods

The management of an audit trail is based on an audit method. An audit method describes the commands used to display, archive, compress and expire a family of audit trails. For example, when you view an archived audit trail, COSmanager looks up the archive method for that audit trail to find the Display compress command to use.

Audit methods are generally based on the format of the log file. COSmanager comes with several predefined audit methods, for manipulating text files, Oracle logs, Functional Database files, etc. You can add new audit methods for new formats if necessary.

The audcycle command uses information in the audit method table to determine how to archive each audit trail, and what action to take to expire an archive copy.

Audit Trail Life-cycle

Audit trails are basically files that grow in size, some of them quickly. To help you manage these files COSmanager has facilities to display, archive, compress and remove audit trails. Here is a description of the life cycle of a typical audit trail.

1. At the start of each cycle, the audit trail is empty of records. Over time, new records are appended to the file.
2. Each day, usually overnight, the audcycle command is run from the duty schedule. audcycle scans the table of audit trails to find files that are due to be cycled. Cycling involves copying the file to an archive directory and emptying or resetting the current file.
3. audcycle also checks for archive copies of audit trails that have expired. Archives expire either after a set time period, or when a certain number of copies exist.
4. From time to time an auditor or administrator displays the contents of an audit trail, either the current version or an archived copy. Compressed archives use a different display method than current audit trails. COSmanager looks up the correct display method for the chosen audit trail in the audit method table.
5. New records are written to the current log file as the cycle begins again.

How to Manage Audit Trails

Audit trails are a cumulative record of system activity. COSmanager has facilities to display, archive, compress and expire audit trails.

Audit trails should be set up automatically when you install COSmanager applications. However you can change the details of existing audit trails, or add new ones to manage log files produced by the operating system or applications.

The routine management of audit trails can be done by running the audcycle command each day, either through duty3g or from cron. audcycle detects audit trails that are due to be cycled, copies them to an archive directory and resets the original, then searches for expired archive copies. If there is an expiry action defined in the audit method for these audit trails, audcycle runs the expiry command.

To display the contents of an audit trail

1. Select View audit trails from the COSmanager configuration menu.
2. Choose an audit trail.
3. COSmanager lists all the versions of the audit trail, including the current file and any archive copies. Choose a version.

COSmanager displays the contents of this version of the audit trail, using one of the display commands defined in the audit method.

To define a new audit trail

1. Select Maintain tables from the COSmanager configuration menu.
2. Select the ‘Audit Trail Details’ table.
3. Select Maintain > Add.
4. Enter a name and a description, then fill in the following fields:

File

Enter the name of the file that contains the active audit trail.

In some cases there is no single file containing the current audit trail. For example, each backup3g job writes a separate log file. If this so then leave File blank and specify the location of the log files in Archive directory.

Archive frequency

Choose a schedule for when the file should be archived. ‘Daily’ is suitable for most audit trails, especially those that grow quickly.

Archive directory

Enter the name of the directory where archive copies of this audit trail will be stored. The default is to use the same directory as the original file.

Archive file; Enter a template that will generate unique file names for the archive copies. One common method is to generate a time-stamp via the date command. For example

file.`date %y%m%d` generates file names in the form file.YYMMDD

If File is blank, then it’s not necessary to specify Archive file, as the original logs themselves will be stored in the archive

directory until they expire.

Archive pattern

Enter a pattern that will match all the archive copies in the archive directory and no other files. If the archive directory contains only archive copies, use * as the pattern.

Retention period/No. of archive copies

When audcycle detects that either the retention period has passed or the maximum number of archive copies already exists, it runs the Expire command defined in the audit method for this audit trail.

Note that Retention period and No. of archive copies are mutually exclusive. To enter a value in either field you must first clear the contents of the other.

If File is blank you must specify a retention period.

Compress archives?

Compression is usually a good idea as it saves disk space. If you select yes, make sure that there is a Display compress command in the audit method, otherwise you won’t be able to view archived copies of this audit trail.

Audit method

If none of the existing methods is suitable you will need to define a new audit method for this file format.

Press Accept to save the new audit trail.