topic Re: Advanced Server V7.3A audit log files in Operating System - OpenVMS

Advanced Server V7.3A audit log files

L.P. de Lange — Fri, 23 Jun 2006 07:55:36 GMT

Hello All,

Since our PC user community is transferring form Windows NT to Windows XP and in the course of this transfer having their domains and usernames changed (we systems managers have to keep ourselves busy), the access to some Advanced server shares fails.
Now I have changed the permission for the user but he still cannot gain access. I have given myself full control and can access the share.
In order to do trouble shooting, I have enabled auditing (set audit policy /success=access /failure=access), done some successful and not successful access, but
show events /type=security /server=... gives "Security event log has no records".

Am I looking in the right place for the audit logs? Have I enabled the right audit trail?

With kind regards,
Leo de Lange

Re: Advanced Server V7.3A audit log files

John Abbott_2 — Fri, 23 Jun 2006 08:17:13 GMT

Hi Leo, firstly welcome to the OpenVMS forum!

> domains and usernames changed

Are the WNT and WXP in different domains ? What about AS, another domain ? Have you a trust relationship set-up between these domains ? (ADMIN SHOW TRUST)

What AS 7.3 ECO kit are you running ? ($ PROD SHO PROD)

Do you get any events at all ? e.g. AMIN SHOW EVENT/SINCE=start_of_pathworks

Kind Regards
John.

Re: Advanced Server V7.3A audit log files

Karl Rohwedder — Fri, 23 Jun 2006 08:18:26 GMT

Leo,

did you also set a spec. file or directory for auditing (set file /audit)?

What version are you using (actual is V7.3A-Eco4)?

Are some shares working or are only spec. shares/users encounter problems?

regards Kalle

Re: Advanced Server V7.3A audit log files

L.P. de Lange — Fri, 23 Jun 2006 08:27:06 GMT

Hello,

Thanks for all the quick replies and I will try to give you some answers, marked with LL:

Are the WNT and WXP in different domains ? What about AS, another domain ? Have you a trust relationship set-up between these domains ?
LL: WNT and WXP are in different domains. However, I changed the permission to the new domain and username.

What version are you using (actual is V7.3A-Eco4)?
LL: We are running this version.

Are some shares working or are only spec. shares/users encounter problems?
LL: I have given myself (with my WXP username) permission for this specific share and can access it. So the user is entountering problems.

Do you get any events at all ?
LL: Yes, I do see some events, the last from june 6th. (system events that is)

With kind regards,
Leo de Lange

Re: Advanced Server V7.3A audit log files

John Abbott_2 — Sat, 24 Jun 2006 07:20:50 GMT

Hi Leo,

You need to also enable audit monitoring on the directories and files in question by using;

ADMIN SET FILE \dir\foo.bar AUDIT=(SUCCESS=ALL, FAILURE=ALL)

For more information, see section 2.2.2 & 6.1.3.6 in the AS admin guide, link below;

http://h71000.www7.hp.com/doc/73final/6556/6556pro.pdf

Kind Regards
John.

Re: Advanced Server V7.3A audit log files

Paul Nunez — Sat, 24 Jun 2006 07:20:52 GMT

Hi Leo,

This one always gets folks - you need to _enable_ auditing as well. If you do $ ADMIN SHOW AUDIT POLICY the 2nd line output will indicate if auditing is enabled or disabled.

You simply forgot the /ENABLE qualifier when you did the ADMIN SET AUDIT POLICY ... command; so now just do:

$ ADMIN SET AUDIT POLICY/ENABLE

Regards,

Paul

Re: Advanced Server V7.3A audit log files

L.P. de Lange — Mon, 26 Jun 2006 02:36:51 GMT

Hello All,

I did have to give the command
set file "sharename" "username" /audit=...
to enable auditing, but have come no further. To give you the current status, I have included some commands and their output:

\\DHCLX3\\DHAX25> show file CKMKA122 /audit

Files in: \\DHAX25\CKMKA122

.
Audit Events: Success Failure
MOD\u00b816 RWXDPO RWXDPO
MOD\u00l0p8 RWXDPO RWXDPO

Total of 1 file

\\DHCLX3\\DHAX25> show audit policy

Audit Policy for domain "\\DHCLX3":

Auditing is currently Enabled.

Audit Event states:

Audit Event Success Failure
------------------ -------- --------
ACCESS Enabled Enabled
ACCOUNT_MANAGEMENT Disabled Disabled
LOGONOFF Disabled Disabled
POLICY_CHANGE Disabled Disabled
PROCESS Disabled Disabled
SYSTEM Disabled Disabled
USER_RIGHTS Disabled Disabled

\\DHCLX3\\DHAX25> show events /type=security
%PWRK-I-EVTNOREC, Security Event Log on server "DHAX25" has no records

\\DHCLX3\\DHAX25> show events /type=security /server=dhax22
%PWRK-I-EVTNOREC, Security Event Log on server "DHAX22" has no records

---------------------
dhclx3 is our cluster alias, dhax22 & dhax25 the nodes. ckmka122 the sharename, mod\u00l0p8 is my account.
I have accessed the share, before giving the show events commands.

With kind regards,
Leo de Lange

Re: Advanced Server V7.3A audit log files

Petr Spisek — Mon, 26 Jun 2006 05:27:45 GMT

Hi,
does your Advanced server configured as PDC? If not, try to find security log on PDC in this domain.
Petr

Re: Advanced Server V7.3A audit log files

John Abbott_2 — Mon, 26 Jun 2006 05:52:50 GMT

Hi Leo, tested this out here, without any problems using... from AS admin

set file path\file everyone /AUDIT=(SUC=ALL,FAIL=ALL)

accessed and updated the 'file' from my PC (PC on another domaim, with a trust relationship)

show event/full/since=nn:nn/type=sec

I can see in the security event log for the AS domain the event for the file I updated from my PC, it shows the trusted domain, my username, file updated etc.

Can you change/view the audit setting from the file | properties | security | advanced | audit pain from windows file explorer ? do they look right ?

Are you accessing the right event log.. Have you tied the 'eventvwr' from windows ? Right Click on Event viewer (local) and click on 'connect to another computer' - enter the PDC of the pathworks as domain.

J.
PS. My PDC is a Windows box.