How to Create New Audit Archive files?
02-14-2007 01:09 AM
As you probably already know, one can have secondary destinations for security event messages, not only retaining them in the Security.audit$journal file(s) (primary destination).
My secondary destination resides on another node, created by doing a
$ Set Audit/archive=All -
/Destin=OtherNode::Disk1:[audit_dir]audit.file
on the primary node.
The file on the secondary destination is created and filled with the General audit records I expect.
But if I want to start a new Archive file on a daily basis, I have only one solution from what I have found, and that is to rename the file on the secondary destination and RESTART the secondary, remote node. Or does anybody know of another way of doing it?
regards
Johan
02-14-2007 03:11 AM
Re: How to Create New Audit Archive files?
Wim
02-14-2007 03:30 AM
Re: How to Create New Audit Archive files?
receive notice of the lost connection and the number of lost messages. Once the network is up, the audit server
reestablishes connection to the original archive file and continues writing event messages.
02-14-2007 03:46 AM
Solution
If you specify user name + pwd in the file spec it won't work. It needs a proxy (or double quotes ?).
Wim
02-14-2007 06:35 AM
Re: How to Create New Audit Archive files?
You can rename the remote archive file while underway. The file is then recreated when auditing is restarted. Or restart auditing with a new destination. (The auditing archive is intended to just keep recording stuff. The main file is the one that is intended for daily processing.)
Depending on local requirements, you could replicate the regular archive somewhere, or periodically copy its contents using ANALYZE commands.
Security audits in cleartext shipped over a DECnet connection to a remote node? (Ok, so I'm certainly a bit paranoid in general, and I don't know how far your DECnet network extends in this particular case.)
Stephen Hoffman
HoffmanLabs
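
The suggestion above of periodically copying the contents with ANALYZE commands, written out as a daily batch procedure. This is an added example, not part of any post in this thread; the procedure name, the scratch location and the dated file name are assumptions, while the node, disk and directory are the ones from the original question.

```dcl
$! DAILY_AUDIT_EXTRACT.COM -- added example; procedure name, scratch
$! location and dated file name are assumptions. Node, disk and
$! directory are taken from the original question.
$! Needs read access to the audit journal and a DECnet proxy on
$! OtherNode for the account this batch job runs under.
$ SET NOON                              ! handle errors ourselves
$ self   = F$ENVIRONMENT("PROCEDURE")   ! file spec of this procedure
$ remote = "OtherNode::Disk1:[audit_dir]"
$!
$! Resubmit first, so a failure today does not stop tomorrow's run.
$ SUBMIT/AFTER="TOMORROW+00:10"/NOPRINT 'self'
$!
$! Yesterday's date as yyyymmdd: COMPARISON format is yyyy-mm-dd and
$! each string subtraction removes one "-".
$ day  = F$CVTIME("YESTERDAY","COMPARISON","DATE") - "-" - "-"
$ work = "SYS$SCRATCH:AUDIT_''day'.FILE"
$!
$! Copy yesterday's records, still in binary audit format, out of
$! the primary journal into a dated file.
$ ANALYZE/AUDIT/BINARY/SINCE=YESTERDAY/BEFORE=TODAY -
        /OUTPUT='work' SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$ IF .NOT. $STATUS THEN GOTO failed
$!
$! Ship the dated file to the remote node, then clean up locally.
$ COPY 'work' 'remote'
$ IF .NOT. $STATUS THEN GOTO failed
$ DELETE 'work';*
$ EXIT
$!
$failed:
$ status = $STATUS
$ WRITE SYS$OUTPUT "Audit extract for ''day' failed, work file kept: ''work'"
$ EXIT 'status'
```

Because the output stays in binary format, each dated file on the remote node can later be read with ANALYZE/AUDIT like the journal itself.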
02-14-2007 11:58 PM
Re: How to Create New Audit Archive files?
I think the main reason for wanting an archive file is that the internal audit guys want to "be sure" that nobody has touched, tampered with the local copy, the Sys$manager:Security.audit$journal.
I'm aware that there are a lot of "holes" just doing so. But I think we will start from here and later build a more secure and reliable solution. Perhaps using a listener mailbox.
/Johan
02-15-2007 02:29 AM
Re: How to Create New Audit Archive files?
When an auditor makes these sorts of (reasonable) requests, I ask them for a WORM-capable DLT or equivalent, possibly SAN based. Might as well ask to do it right, after all.
If the auditor happens to balk about this daily sequence, I then ask them if they want auditing data in cleartext DECnet over a LAN (and possibly WAN) link. That either leads to an um-err-no response, or an encrypted data link, or clearance to use the sequence. Or it might produce a DLT WORM. It might well also lead to an investigation of what is flying by on the datalink. Classic vanilla telnet or DECnet SET HOST, for instance, can be somewhat evil. Any of which can help security, and usually leads to an explicit decision to deal with the exposure, or to ignore the particular risk.
If there's interest, I certainly know how to write audits, transactions or other data out to DVD+R media or to DLT WORM devices and can create a tool for same, and rather likely BD and HD media can be similarly gotten to work, too. Yeah. That would keep me entertained for a while. :-)
Stephen Hoffman
HoffmanLabs
02-15-2007 02:57 AM