Operating System - OpenVMS

Re: Advanced Server V7.3A audit log files

 
L.P. de Lange
New Member

Advanced Server V7.3A audit log files

Hello All,

Since our PC user community is transferring from Windows NT to Windows XP and in the course of this transfer having their domains and usernames changed (we systems managers have to keep ourselves busy), the access to some Advanced Server shares fails.
Now I have changed the permission for the user but he still cannot gain access. I have given myself full control and can access the share.
In order to do troubleshooting, I have enabled auditing (set audit policy /success=access /failure=access), done some successful and unsuccessful accesses, but
show events /type=security /server=... gives "Security event log has no records".

Am I looking in the right place for the audit logs? Have I enabled the right audit trail?

With kind regards,
Leo de Lange
John Abbott_2
Esteemed Contributor

Re: Advanced Server V7.3A audit log files

Hi Leo, firstly welcome to the OpenVMS forum!

> domains and usernames changed

Are the WNT and WXP in different domains ? What about AS, another domain ? Have you a trust relationship set-up between these domains ? (ADMIN SHOW TRUST)

What AS 7.3 ECO kit are you running ? ($ PROD SHO PROD)

Do you get any events at all ? e.g. ADMIN SHOW EVENT/SINCE=start_of_pathworks

Kind Regards
John.
Don't do what Donny Dont does
Karl Rohwedder
Honored Contributor

Re: Advanced Server V7.3A audit log files

Leo,

did you also set a spec. file or directory for auditing (set file /audit)?

What version are you using (actual is V7.3A-Eco4)?

Are some shares working or do only spec. shares/users encounter problems?

regards Kalle
L.P. de Lange
New Member

Re: Advanced Server V7.3A audit log files

Hello,

Thanks for all the quick replies and I will try to give you some answers, marked with LL:

Are the WNT and WXP in different domains ? What about AS, another domain ? Have you a trust relationship set-up between these domains ?
LL: WNT and WXP are in different domains. However, I changed the permission to the new domain and username.

What version are you using (actual is V7.3A-Eco4)?
LL: We are running this version.

Are some shares working or do only spec. shares/users encounter problems?
LL: I have given myself (with my WXP username) permission for this specific share and can access it. So the user is encountering problems.


Do you get any events at all ?
LL: Yes, I do see some events, the last from June 6th. (system events that is)

With kind regards,
Leo de Lange
John Abbott_2
Esteemed Contributor

Re: Advanced Server V7.3A audit log files

Hi Leo,

You need to also enable audit monitoring on the directories and files in question by using;

ADMIN SET FILE \dir\foo.bar AUDIT=(SUCCESS=ALL, FAILURE=ALL)

For more information, see section 2.2.2 & 6.1.3.6 in the AS admin guide, link below;

http://h71000.www7.hp.com/doc/73final/6556/6556pro.pdf

Kind Regards
John.
Don't do what Donny Dont does
Paul Nunez
Respected Contributor

Re: Advanced Server V7.3A audit log files

Hi Leo,

This one always gets folks - you need to _enable_ auditing as well. If you do $ ADMIN SHOW AUDIT POLICY the 2nd line output will indicate if auditing is enabled or disabled.

You simply forgot the /ENABLE qualifier when you did the ADMIN SET AUDIT POLICY ... command; so now just do:

$ ADMIN SET AUDIT POLICY/ENABLE

Regards,

Paul
L.P. de Lange
New Member

Re: Advanced Server V7.3A audit log files

Hello All,

I did have to give the command
set file "sharename" "username" /audit=...
to enable auditing, but have come no further. To give you the current status, I have included some commands and their output:

\\DHCLX3\\DHAX25> show file CKMKA122 /audit

Files in: \\DHAX25\CKMKA122

.
Audit Events:   Success   Failure
MOD\u00b816     RWXDPO    RWXDPO
MOD\u00l0p8     RWXDPO    RWXDPO

Total of 1 file


\\DHCLX3\\DHAX25> show audit policy

Audit Policy for domain "\\DHCLX3":

Auditing is currently Enabled.

Audit Event states:

Audit Event         Success   Failure
------------------  --------  --------
ACCESS              Enabled   Enabled
ACCOUNT_MANAGEMENT  Disabled  Disabled
LOGONOFF            Disabled  Disabled
POLICY_CHANGE       Disabled  Disabled
PROCESS             Disabled  Disabled
SYSTEM              Disabled  Disabled
USER_RIGHTS         Disabled  Disabled

\\DHCLX3\\DHAX25> show events /type=security
%PWRK-I-EVTNOREC, Security Event Log on server "DHAX25" has no records

\\DHCLX3\\DHAX25> show events /type=security /server=dhax22
%PWRK-I-EVTNOREC, Security Event Log on server "DHAX22" has no records

---------------------
dhclx3 is our cluster alias, dhax22 & dhax25 the nodes. ckmka122 the sharename, mod\u00l0p8 is my account.
I have accessed the share, before giving the show events commands.

With kind regards,
Leo de Lange
Petr Spisek
Regular Advisor

Re: Advanced Server V7.3A audit log files

Hi,
is your Advanced Server configured as PDC? If not, try to find the security log on the PDC in this domain.
Petr
John Abbott_2
Esteemed Contributor

Re: Advanced Server V7.3A audit log files

Hi Leo, tested this out here, without any problems using... from AS admin

set file path\file everyone /AUDIT=(SUC=ALL,FAIL=ALL)

accessed and updated the 'file' from my PC (PC on another domain, with a trust relationship)

show event/full/since=nn:nn/type=sec

I can see in the security event log for the AS domain the event for the file I updated from my PC, it shows the trusted domain, my username, file updated etc.

Can you change/view the audit setting from the file | properties | security | advanced | audit pane from windows file explorer ? do they look right ?

Are you accessing the right event log.. Have you tried the 'eventvwr' from windows ? Right Click on Event viewer (local) and click on 'connect to another computer' - enter the PDC of the pathworks as domain.

J.
PS. My PDC is a Windows box.
Don't do what Donny Dont does
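
The thread names three settings that must all be in place before file access shows up in the security event log: auditing enabled (SET AUDIT POLICY/ENABLE), the ACCESS category audited, and audit entries on the file or directory itself. As an added example (not part of any post above, and not HP's code), this Python sketch parses captured SHOW AUDIT POLICY and SHOW FILE /AUDIT output and lists which of the three is missing; the function names are hypothetical and the sample text is constructed in the layout quoted in the thread.

```python
import re

# Constructed samples in the layout of the output quoted in the thread.
POLICY_OK = r'''Audit Policy for domain "\\DHCLX3":

Auditing is currently Enabled.

Audit Event states:

Audit Event        Success  Failure
------------------ -------- --------
ACCESS             Enabled  Enabled
LOGONOFF           Disabled Disabled
'''
POLICY_NO_ENABLE = POLICY_OK.replace("currently Enabled", "currently Disabled")
FILE_AUDIT = r'''Audit Events: Success Failure
MOD\u00b816 RWXDPO RWXDPO
'''

def parse_policy(text):
    """Return (auditing_enabled, {event: (success_on, failure_on)})."""
    m = re.search(r"Auditing is currently (Enabled|Disabled)", text)
    enabled = bool(m) and m.group(1) == "Enabled"
    events = {}
    for name, s, f in re.findall(
            r"^([A-Z_]+)\s+(Enabled|Disabled)\s+(Enabled|Disabled)\s*$", text, re.M):
        events[name] = (s == "Enabled", f == "Enabled")
    return enabled, events

def parse_file_audit(text):
    """Return {principal: (success_mask, failure_mask)} listed after 'Audit Events:'."""
    _, _, body = text.partition("Audit Events:")
    entries = {}
    for line in body.splitlines()[1:]:  # skip the rest of the header line
        parts = line.split()
        if len(parts) == 3:  # assumes principals without spaces, as in the thread
            entries[parts[0]] = (parts[1], parts[2])
    return entries

def audit_gaps(policy_text, file_audit_text):
    """List the prerequisites from the thread that are not met."""
    enabled, events = parse_policy(policy_text)
    gaps = []
    if not enabled:
        gaps.append("auditing disabled: SET AUDIT POLICY/ENABLE")
    if events.get("ACCESS") != (True, True):
        gaps.append("ACCESS category not audited for success and failure")
    if not parse_file_audit(file_audit_text):
        gaps.append("no audit entries on the file or directory: SET FILE ... /AUDIT")
    return gaps
```

An empty result means only that the three settings are in place; as the later replies point out, the records may still be in the security log of the domain's PDC rather than on the node being queried.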