HPE Community
Operating System - OpenVMS
1752591 Members
2733 Online
108788 Solutions
New Discussion юеВ

Re: Ignore some Audit log

 
SOLVED
Go to solution
Kitti Thanapuasuwan
Occasional Advisor

тАО10-15-2004 06:32 AM

тАО10-15-2004 06:32 AM

Ignore some Audit log

I have schedule job from other system to FTP files from AlphaServer every 10 minutes. There is a Security log appear on Console

Security alarm (SECURITY) and security audit (SECURITY) on ALPHA1,
system
id: 1
Auditable event: Network login
Event time: 27-SEP-2004 06:01:35.02
PID: 2142AC6C
Process name: TCPIP$FTPC03E74
Username: TPZKXT
Process owner: [TPOPS]
Image name: DSA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Remote node id: 3237938662 (1.486)
Remote node fullname: 192.255.5.230
Remote username: FTP_C0FF05E6

I would like to un-log this kind of security because it create a lot of message in the log file. Is there any way to skip this security log?

Thanks
0 Kudos
Reply
6 REPLIES 6
Volker Halle
Honored Contributor

тАО10-15-2004 07:46 PM

тАО10-15-2004 07:46 PM

Solution

Re: Ignore some Audit log

Kitti,

$ SET AUDIT/ALARM/DISABLE=LOGIN=NETWORK

You can find help for enabling/disabling the various audit alarms with:

$ HELP SET AUDIT/ENABLE

Volker.
Reply
Bojan Nemec
Honored Contributor

тАО10-15-2004 08:27 PM

тАО10-15-2004 08:27 PM

Re: Ignore some Audit log

Kitti,

The only thing that comes me in mind now is to disable network alarms and audits. This will disable all network alarms and audits (telnet,rsh,rcp and so on)! So you must look if this is a security issue for you!

You disable the alarms with the command:

$ SET AUDIT/DISABLE=LOGIN=NETWORK/ALARM

and audit with

$ SET AUDIT/DISABLE=LOGIN=NETWORK/AUDIT

But once more: Check if this is not a security issue for yours system.

Bojan
Reply
Jan van den Ende
Honored Contributor

тАО10-15-2004 09:29 PM

тАО10-15-2004 09:29 PM

Re: Ignore some Audit log

Kitti,

to take Bojans answer one step further: you can also disable ONLY succesful logins, (and I guess and sure hope THAT will be the bulk!), and so still get the failures reported.
If you are (have to be) REALLY security aware, well, the failures can do little damage.
But, since the amount of successful login messages is your problem, I assume you are not tracking the validity of those anyway.

My guess: disabling Successfull Login Alarms will take away > 90% of your network login messages, and that IS a big win for starting!.

Success,

Cheers.

Have one on me.

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Reply
Ian Miller.
Honored Contributor

тАО10-16-2004 10:23 PM

тАО10-16-2004 10:23 PM

Re: Ignore some Audit log

note that login failures and logins are seperately specified to auditing. So the commands given will disable audit of net login.

SET AUDIT/AUDIT/ENA=LOGFAILURE=NET

will enable login failure audit of network jobs.

Note also accounting will have records for the network jobs created by the ftp transfers.

____________________
Purely Personal Opinion
Reply
Jan van den Ende
Honored Contributor

тАО10-17-2004 05:35 PM

тАО10-17-2004 05:35 PM

Re: Ignore some Audit log

Kitti,

from your profile:

I have assigned points to 23 of 67 responses to my questions.

... maybe deserves some attention?

If you forgot what questions, just select your own name, that gets you to your profile, from which you can choose "questions with unassigned points"
... and if you consider a thread satidfied, then you can Close it.


Cheers

Have one on me

Jan

Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
Reply
Mobeen_1
Esteemed Contributor

тАО10-17-2004 06:26 PM

тАО10-17-2004 06:26 PM

Re: Ignore some Audit log

Kitti,
As others before me have mentioned i am not sure if this is wisest thing to do, but the following command could be used to disable

SET AUDIT/AUDIT/ENA=LOGFAILURE=NET

details as follows

SET

AUDIT

/AUDIT

Makes the command apply to audits,
which are messages recorded in
the system security audit log file.
(As suggested by Ian)

If you want to disable the NETWORK class all together, follow the suggestions posted before Ian

regards
Mobeen
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.