OpenVMS Audit logs

jpd252 · ‎04-06-2022

how does everyone open a new Security audit journal ? do you have a batch job do it? I'd like to close out on a weekly basis. also has anyone had any luck moving the old audit journals to a splunk server?

support_s · ‎04-06-2022

System recommended content:

1. HPE SSMC 3.8.x User Guide | File access audit logs

Please click on "Thumbs Up/Kudo" icon to give a "Kudo".

Thank you for being a HPE valuable community member.

Steven Schweda · ‎04-06-2022

> how does everyone open a new Security audit journal ? [...]

I can't speak for everyone. I have a DCL script which I try to
remember to use annually.

> [...] do you have a batch job do it? [...]

I do it manually, in case my (not-well-tested) procedure does
something unexpected.

Use/examine at your own risk:

$!                                              2014-01-02  SMS.
$!
$! Annual security audit file management.
$!
$!    Note:
$!    If you omit the file-spec parameter, the Audit Analysis utility
$!    (ANALYZE /AUDIT) searches for the default audit log file
$!    SECURITY.AUDIT$JOURNAL. 
$!
$!    The default audit log file is created in the SYS$COMMON:[SYSMGR]
$!    directory. To use the file, specify SYS$MANAGER on the ANALYZE
$!    /AUDIT command line. If you do not specify a directory, the
$!    utility searches for the file in the current directory.
$!
$ year = f$cvtime( f$time(), , "year")          ! This year.
$ pyear = year- 1                               ! Previous year.
$!
$! Disable auditing.
$!
$ SET AUDIT /SERVER = EXIT
$!
$! Save previous year's audit journal data in SECURITY_pyear.AUDIT$JOURNAL.
$!
$ ANALYZE /AUDIT /BINARY /SINCE = 1-JAN-'pyear' /BEFORE = 1-JAN-'year' -
   /OUTPUT = SYS$COMMON:[SYSMGR]SECURITY_'pyear'.AUDIT$JOURNAL -
   SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$! Extract current year's SECURITY.AUDIT$JOURNAL data into new
$! SECURITY.AUDIT$JOURNAL.
$!
$ ANALYZE /AUDIT /BINARY /SINCE = 1-JAN-'year' -
   /OUTPUT = SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL_new -
   SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$ RENAME SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL_new -
  SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL;
$!
$! Restart audit server.
$!
$ @ SYS$SYSTEM:STARTUP.COM AUDIT_SERVER
$!
$ write sys$output "   Delete SYS$MANAGER:SECURITY.AUDIT$JOURNAL;-1 ?"
$ write sys$output "   Compress SYS$MANAGER:SECURITY_''pyear'.AUDIT$JOURNAL ?"
$!

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

OpenVMS Audit logs

OpenVMS Audit logs

Query: OpenVMS Audit logs

Re: OpenVMS Audit logs