OpenVMS Audit logs

jpd252 — Wed, 06 Apr 2022 19:31:29 GMT

how does everyone open a new Security audit journal ? do you have a batch job do it? I'd like to close out on a weekly basis. also has anyone had any luck moving the old audit journals to a splunk server?

Query: OpenVMS Audit logs

support_s — Wed, 06 Apr 2022 20:32:06 GMT

System recommended content:

1. HPE SSMC 3.8.x User Guide | File access audit logs

Please click on "Thumbs Up/Kudo" icon to give a "Kudo".

Thank you for being a HPE valuable community member.

Re: OpenVMS Audit logs

Steven Schweda — Wed, 06 Apr 2022 21:40:00 GMT

> how does everyone open a new Security audit journal ? [...]

I can't speak for everyone. I have a DCL script which I try to
remember to use annually.

> [...] do you have a batch job do it? [...]

I do it manually, in case my (not-well-tested) procedure does
something unexpected.

Use/examine at your own risk:

$! 2014-01-02 SMS. $! $! Annual security audit file management. $! $! Note: $! If you omit the file-spec parameter, the Audit Analysis utility $! (ANALYZE /AUDIT) searches for the default audit log file $! SECURITY.AUDIT$JOURNAL. $! $! The default audit log file is created in the SYS$COMMON:[SYSMGR] $! directory. To use the file, specify SYS$MANAGER on the ANALYZE $! /AUDIT command line. If you do not specify a directory, the $! utility searches for the file in the current directory. $! $ year = f$cvtime( f$time(), , "year") ! This year. $ pyear = year- 1 ! Previous year. $! $! Disable auditing. $! $ SET AUDIT /SERVER = EXIT $! $! Save previous year's audit journal data in SECURITY_pyear.AUDIT$JOURNAL. $! $ ANALYZE /AUDIT /BINARY /SINCE = 1-JAN-'pyear' /BEFORE = 1-JAN-'year' - /OUTPUT = SYS$COMMON:[SYSMGR]SECURITY_'pyear'.AUDIT$JOURNAL - SYS$MANAGER:SECURITY.AUDIT$JOURNAL $! $! Extract current year's SECURITY.AUDIT$JOURNAL data into new $! SECURITY.AUDIT$JOURNAL. $! $ ANALYZE /AUDIT /BINARY /SINCE = 1-JAN-'year' - /OUTPUT = SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL_new - SYS$MANAGER:SECURITY.AUDIT$JOURNAL $! $ RENAME SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL_new - SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL; $! $! Restart audit server. $! $ @ SYS$SYSTEM:STARTUP.COM AUDIT_SERVER $! $ write sys$output " Delete SYS$MANAGER:SECURITY.AUDIT$JOURNAL;-1 ?" $ write sys$output " Compress SYS$MANAGER:SECURITY_''pyear'.AUDIT$JOURNAL ?" $!

topic OpenVMS Audit logs in Operating System - OpenVMS

OpenVMS Audit logs

Query: OpenVMS Audit logs

Re: OpenVMS Audit logs