08-08-2006 09:07 PM
Re: How to remove audit journal files in audit settings
The destination file does exist. Because of the first entry that is enabled.
Also noted that set audit/listener is lost when you restart audit server. Good to know because we have a little process pumping it to our monitoring system.
I guess I will have to follow the hint of Kris.
Wim
08-08-2006 09:18 PM
Re: How to remove audit journal files in audit settings
re:
> Also noted that set audit/listener is lost when you restart audit server. Good to know because we have a little process pumping it to our monitoring system
Can't check at the mo, but I'm sure we have an ACE on SETAUDIT.EXE to audit EXE+SUCCESS which triggers an event when listening is disabled, we then automatically re-enable it.
J.
08-08-2006 09:28 PM
Re: How to remove audit journal files in audit settings
How do you trigger the re-listening?
Wim
08-08-2006 10:21 PM
Re: How to remove audit journal files in audit settings
We use a product called Auditor Plus to listen for various security events in real-time and take appropriate action.
I thought we had some call-out code which re-enabled it, but it would appear to be a feature within A+. Maybe I can find out how they do it, if you like? (code-wise)
In order for it to work we have to
1) Place at least the following ACL on sys$system:setaudit.exe
(AUDIT=SECURITY,ACCESS=EXECUTE+SUCCESS) or
(ALARM=SECURITY,ACCESS=EXECUTE+SUCCESS)
2) Ensure that ACL auditing and/or alarming is enabled and that ACL is selected when starting the Audit Monitor.
I guess that... This way an alarm is generated and I assume shortly afterwards the mbx dies. A+ reads the mbx and detects no more mbx on next read, so it re-establishes it.
Sorry, not the complete picture, but hope it helps...
Kind Regards
John.
08-09-2006 09:10 AM
Re: How to remove audit journal files in audit settings
I know what's wrong and I know how to fix it, but for a measly one point, it's not worth my time... sorry.
08-13-2006 11:41 PM
Re: How to remove audit journal files in audit settings
Decided to monitor the refcnt of the audit mailbox. If not 2, alarm.
Manual investigation needed then but is more fool proof than monitoring the startup of audit_server or the audit alarm when the command /nolist is given. Thanks anyway.
Wim
08-14-2006 01:44 AM
Re: How to remove audit journal files in audit settings
sys$manager:VMS$AUDIT_SERVER.DAT;1
If those extra records really bother you then just remove them with simple RMS commands?
The primary key is a simple string with "Journal name". The string length count is the byte preceding it.
The Journal file name is a counted string at offset 85, it seems.
First, create a backup:
$CONVERT/STAT/SHARE sys$manager:VMS$AUDIT_SERVER.DAT VMS$AUDIT_SERVER.BACKUP
Now open
$open/read/write/share=write x sys$manager:VMS$AUDIT_SERVER.DAT
And test:
$read/key="SECUR" x record
$show symb record
$write sys$output "->",f$extr(7,f$cvui(6*8,8,record),record),"<-"
->SECURITY<-
HEIN>write sys$output "->",f$extr(85,f$cvui(84*8,8,record),record),"<-"
->SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL<-
And play:
HEIN>record[7,8]:=nonsense
HEIN>record[85,41]:="Als ik kon toveren, kwam alles voor elkaar"
HEIN>write/symb x record
HEIN>show audit /all
List of audit journals:
Journal name: NONSENSE
Journal owner: (system audit journal)
Destination: Als ik kon toveren, kwam alles voor elkaa
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0
Journal name: SECURITY
Journal owner: (system audit journal)
Destination: SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL
:
And cleanup:
$read/dele/key=NONSENSE x deleted_record
$close x
In summary, for Wim to cleanup I think the commands would be:
$convert/share/stat sys$manager:VMS$AUDIT_SERVER.DAT sys$manager:VMS$AUDIT_SERVER.backup
$open/read/write/share=write audit sys$manager:VMS$AUDIT_SERVER.DAT
$read/delete/key=AUDIT$JOURNAL audit audit_record
$read/delete/key=WIM audit wim_record
$close audit
$show audit/all
If anything went wrong, then you can use the backup, or you can re-write the deleted records from the DCL symbols the data was saved into.
Enjoy,
Hein.
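An added example, not part of the post above or of any HP code: a read-only decoder for the record layout the post describes (length byte at offset 6 with the journal name from offset 7, length byte at offset 84 with the destination from offset 85), used to list entries that are not on an expected list before anything is deleted. The 256-byte record size, the `make_record` helper and the two placeholder destinations are assumptions made for the sample data.

```python
# Added example: offsets are the ones observed in the post, not a documented layout.
NAME_COUNT_OFF = 6   # length byte; journal name starts at offset 7
DEST_COUNT_OFF = 84  # length byte; destination starts at offset 85


def counted_string(record, count_off):
    """Decode the counted string whose length byte is at count_off."""
    if count_off >= len(record):
        raise ValueError(f"record too short for length byte at {count_off}")
    length = record[count_off]
    start = count_off + 1
    if start + length > len(record):
        raise ValueError(f"length {length} at offset {count_off} overruns record")
    return record[start:start + length].decode("ascii")


def parse_journal_record(record):
    """Return (journal name, destination) from one record."""
    return (counted_string(record, NAME_COUNT_OFF),
            counted_string(record, DEST_COUNT_OFF))


def unexpected_journals(records, expected_names):
    """List (name, destination) for entries not in the expected set."""
    found = [parse_journal_record(r) for r in records]
    return [(n, d) for n, d in found if n not in expected_names]


def make_record(name, dest, size=256):
    """Build a constructed record: zero filler except the two counted strings."""
    rec = bytearray(size)  # size is an assumption, not taken from the thread
    rec[NAME_COUNT_OFF] = len(name)
    rec[7:7 + len(name)] = name.encode("ascii")
    rec[DEST_COUNT_OFF] = len(dest)
    rec[85:85 + len(dest)] = dest.encode("ascii")
    return bytes(rec)


# Constructed sample: only the SECURITY destination appears in the thread;
# the other two destinations are placeholders.
SAMPLE = [
    make_record("SECURITY", "SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL"),
    make_record("AUDIT$JOURNAL", "PLACEHOLDER:[DIR]OLD.AUDIT$JOURNAL"),
    make_record("WIM", "PLACEHOLDER:[DIR]WIM.AUDIT$JOURNAL"),
]

if __name__ == "__main__":
    for name, dest in unexpected_journals(SAMPLE, {"SECURITY"}):
        print(f"unexpected journal entry: {name} -> {dest}")
```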
08-14-2006 04:23 PM
Re: How to remove audit journal files in audit settings
You assigned 3 points to my reply. The suggested meaning for this is "1-3: The answer didn't really help answer my question, but thanks for your assistance!"
I can not help but read this as...
"Bzzzzz, all wrong, thanks for playing"
And here I naively thought it perfectly answered your immediate question:
"How do I remove the audit$journal ?"
I would appreciate a small explanation as to why you thought my suggestion did not solve the problem, and possibly is the only current solution to the problem.
Is there something I overlooked, or am I reading too much in those points?
Btw... obviously my solution is a workaround / hack / magic.
There appears to be a weakness / incomplete solution in the implementation here.
If this is a real problem, and it is important to your customer, just escalate through a support call to HP. No one in this forum of friends can actually fix/change the code. You'll need to exercise your support contract for that. That's why folks buy support.
With kind regards,
Hein.
08-14-2006 06:38 PM
Re: How to remove audit journal files in audit settings
Never thought to look & play, quite simple really.
Thanks again
J.
08-14-2006 07:49 PM
Re: How to remove audit journal files in audit settings
No hard feelings but your solution has the same result as that of Kris but the one of Kris is simpler. And the question is to solve the problem with "set audit" commands.
So yes, didn't really solve the question.
It's strange that nobody complains when they get overpaid (the 10 on all answers).
I'm curious if it is bad documentation or simply missing functionality (strange that nobody noticed it before).
Wim