Operating System - OpenVMS

Log Files for login procedure

 
odwillia
Frequent Advisor

Log Files for login procedure

Can a log file be generated that will report what processes and system files are being processed as a user logs into a system? Does a log like this already exist?

Thanks in advance.

Wim Van den Wyngaert
Honored Contributor

Re: Log Files for login procedure

1. In the beginning of login.com :
$ set watch file/class=all
--> very cryptic, all file accesses

2. Image accounting
$ set acc/ena=image
--> all images executed, not all files used

3. Audit
$ set audit/aud/enable=access=all
--> all file accesses of ALL processes, lots of lines and dangerous for performance. Good if disabled directly after a few seconds.

Wim
Wim Van den Wyngaert
Honored Contributor

Re: Log Files for login procedure

Forgot :
1. log is in sys$output
2. log via accounting/fu [acc filename]
3. log via anal/aud/fu [aud file name]

Wim
labadie_1
Honored Contributor

Re: Log Files for login procedure

Have a look at the sylogin logical (usually points to sys$manager:sylogin.com) and the login file of the user (see with mc authorize sh user, the lgicmd).

odwillia
Frequent Advisor

Re: Log Files for login procedure

Thanks for the reply. In the beginning is it set "watch"?
odwillia
Frequent Advisor

Re: Log Files for login procedure

No logical for sylogin? Bad?

$ sh log sylogin
%SHOW-S-NOTRAN, no translation for logical name SYLOGIN
$
Wim Van den Wyngaert
Honored Contributor

Re: Log Files for login procedure

I would go for my 3. Then use anal/aud with /select=proc=id=xxx. The format will be easiest to read.

But reset audit back to its original values asap after the test.

Wim
Wim Van den Wyngaert
Honored Contributor

Re: Log Files for login procedure

The logical sys$login must be used to find the sylogin. The default is sys$manager:sylogin.com. That is for implementing 1. I would take 3.

Post show audit/all if you don't know how to do it in detail.

Wim
odwillia
Frequent Advisor

Re: Log Files for login procedure

$ show audit/all
List of audit journals:
Journal name: SECURITY
Journal owner: (system audit journal)
Destination: SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0

Security auditing server characteristics:
Database version: 4.4
Backlog (total): 100, 200, 300
Backlog (process): 5, 2
Server processing intervals:
Archive flush: 0 00:01:00.00
Journal flush: 0 00:05:00.00
Resource scan: 0 00:05:00.00
Final resource action: purge oldest audit events

Security archiving information:
Archiving events: none
Archive destination:

System security alarms currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached,server
Login: batch,dialup
Logfailure: batch,dialup,local,remote,network,subprocess,detached
Logout: batch,dialup

System security audits currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached,server
Login: batch,dialup
Logfailure: batch,dialup,local,remote,network,subprocess,detached
Logout: batch,dialup
$
Wim Van den Wyngaert
Honored Contributor

Re: Log Files for login procedure

1) set aud/aud/ena=access=all
2) do your test (create the process)
3) set aud/aud/disa=access=all
4) wait 5 minutes to flush the audit buffers
5) anal/aud/fu/select=proc=id=xxx/out=x.lis -
SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL

(untested !)

xxx is the pid of your process. Alternative is /sel=proc=nam=yyy where yyy is the process name.

Wim
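
Added example, not part of the thread: a Python script that condenses the x.lis listing produced in step 5 into the files one PID touched during login, in journal order. The "Label: value" record layout, the field labels and the sample data are assumptions constructed for illustration; adjust the labels to match the listing on your system.

```python
# Constructed sample, not real output. Assumed x.lis layout: each record starts
# with a "Security audit" line followed by "Label: value" lines.
SAMPLE = """\
Security audit (SECURITY) on NODEA, system id: 1025
Auditable event:          Object access
PID:                      2020011A
Image name:               DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
File name:                DKA0:[SYS0.SYSCOMMON.][SYSMGR]SYLOGIN.COM;1
Access requested:         READ
Security audit (SECURITY) on NODEA, system id: 1025
Auditable event:          Object access
PID:                      2020011B
Image name:               DKA0:[SYS0.SYSCOMMON.][SYSEXE]DIRECTORY.EXE
File name:                DKA0:[USERS.OTHER]NOTES.TXT;3
Access requested:         READ
Security audit (SECURITY) on NODEA, system id: 1025
Auditable event:          Object access
PID:                      2020011A
Image name:               DKA0:[SYS0.SYSCOMMON.][SYSEXE]DCL.EXE
File name:                DKA0:[USERS.TESTUSER]LOGIN.COM;7
Access requested:         READ,EXECUTE
"""

def parse_records(text):
    """Split the listing into one dict per audit record."""
    records = []
    for line in text.splitlines():
        if line.startswith("Security audit"):
            records.append({})
        elif records and ":" in line:
            # Split on the first colon only: values contain device names and times.
            label, value = line.split(":", 1)
            records[-1][label.strip()] = value.strip()
    return records

def login_trace(text, pid):
    """Return (image, file, access) tuples for one PID, in journal order."""
    return [(r.get("Image name", "?"), r.get("File name", "?"),
             r.get("Access requested", "?"))
            for r in parse_records(text)
            if r.get("PID", "").upper() == pid.upper()
            and r.get("Auditable event") == "Object access"]

if __name__ == "__main__":
    for image, name, access in login_trace(SAMPLE, "2020011a"):
        print(f"{access:14} {name}  (by {image})")
```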