HPE Community
Operating System - OpenVMS
1752369 Members
5933 Online
108787 Solutions
New Discussion юеВ

Re: Ana/Audit Question

 
SOLVED
Go to solution
Jack Trachtman
Super Advisor

тАО09-23-2008 07:48 AM

тАО09-23-2008 07:48 AM

Ana/Audit Question

(I can't figure this out from the manual!)

An ANA/AUDIT/FULL/EVENT=LOGFAIL display contains lines labeled "Username:" and "User record:". I can select for "Username" via
/SEL=USERNAME=whatever.

How can I match on the "User record:" entry?

TIA
0 Kudos
5 REPLIES 5
Hoff
Honored Contributor

тАО09-23-2008 10:49 AM

тАО09-23-2008 10:49 AM

Re: Ana/Audit Question

Can you post up a copy of the record where you're seeing this field with your ANALYZE /AUDIT /EVENT=LOGFAIL command? (I don't have that field visible within the command output I've just looked at from an OpenVMS Alpha V8.3 system. Which means I'm probably not looking in the same spot as you are, or I don't have the same LOGFAIL entries in the local SECURITY.AUDIT$JOURNAL database.)
0 Kudos
Jack Trachtman
Super Advisor

тАО09-23-2008 12:07 PM

тАО09-23-2008 12:07 PM

Re: Ana/Audit Question

Attached is example Ana/Aud display
0 Kudos
Jess Goodman
Esteemed Contributor

тАО09-23-2008 01:06 PM

тАО09-23-2008 01:06 PM

Solution

Re: Ana/Audit Question

Ok, that output would not from an ANALYZE/AUDIT with /EVENT=LOGFAIL. You would get it with /EVENT=SYSUAF.

But to answer your question, back in the VMS 6.2 documention you will find these /SELECT keywords:

UAF_ADD
UAF_COPY
UAF_DELETE
UAF_MODIFY
UAF_RENAME
UAF_SOURCE

They are still accepted with ANAL/AUDIT /SELECT- but they are no longer documented. I believe the reason for this is they never worked the way they should. Instead of fixing the bugs in this feature they just hid the feature.

But see if this works for you:

$ ANALYZE/AUDIT /FULL/EVENT=SYSUAF -
/SELECT=UAF_SOURCE=REVKAH
I have one, but it's personal.
0 Kudos
Hoff
Honored Contributor

тАО09-23-2008 03:19 PM

тАО09-23-2008 03:19 PM

Re: Ana/Audit Question

The other obvious question is: what are you up to here, in general terms? There may well be an alternative solution. (There was an interesting approach toward repelling ssh dictionary attacks posted out in c.o.v. recently, for instance.)
0 Kudos
Jack Trachtman
Super Advisor

тАО09-23-2008 03:29 PM

тАО09-23-2008 03:29 PM

Re: Ana/Audit Question

My bad.

The ANA/AUDIT interactive display is just not intuitively obvious to me, so I was using it incorrectly.

Thanks for the help - it gave me the insight to see my error.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.