Operating System - OpenVMS

OpenVMS Audit logs

jpd252
Occasional Advisor


How does everyone open a new Security audit journal? Do you have a batch job do it? I'd like to close out on a weekly basis. Also, has anyone had any luck moving the old audit journals to a Splunk server?


Steven Schweda
Honored Contributor

Re: OpenVMS Audit logs

> how does everyone open a new Security audit journal ? [...]

   I can't speak for everyone.  I have a DCL script which I try to
remember to use annually.

> [...] do you have a batch job do it? [...]

   I do it manually, in case my (not-well-tested) procedure does
something unexpected.

   Use/examine at your own risk:

$!                                              2014-01-02  SMS.
$!
$! Annual security audit file management.
$!
$!    Note:
$!    If you omit the file-spec parameter, the Audit Analysis utility
$!    (ANALYZE /AUDIT) searches for the default audit log file
$!    SECURITY.AUDIT$JOURNAL. 
$!
$!    The default audit log file is created in the SYS$COMMON:[SYSMGR]
$!    directory. To use the file, specify SYS$MANAGER on the ANALYZE
$!    /AUDIT command line. If you do not specify a directory, the
$!    utility searches for the file in the current directory.
$!
$ year = f$cvtime( f$time(), , "year")          ! This year.
$ pyear = year- 1                               ! Previous year.
$!
$! Disable auditing.
$!
$ SET AUDIT /SERVER = EXIT
$!
$! Save previous year's audit journal data in SECURITY_pyear.AUDIT$JOURNAL.
$!
$ ANALYZE /AUDIT /BINARY /SINCE = 1-JAN-'pyear' /BEFORE = 1-JAN-'year' -
   /OUTPUT = SYS$COMMON:[SYSMGR]SECURITY_'pyear'.AUDIT$JOURNAL -
   SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$! Extract current year's SECURITY.AUDIT$JOURNAL data into new
$! SECURITY.AUDIT$JOURNAL.
$!
$ ANALYZE /AUDIT /BINARY /SINCE = 1-JAN-'year' -
   /OUTPUT = SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL_new -
   SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$ RENAME SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL_new -
  SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL;
$!
$! Restart audit server.
$!
$ @ SYS$SYSTEM:STARTUP.COM AUDIT_SERVER
$!
$ write sys$output "   Delete SYS$MANAGER:SECURITY.AUDIT$JOURNAL;-1 ?"
$ write sys$output "   Compress SYS$MANAGER:SECURITY_''pyear'.AUDIT$JOURNAL ?"
$!
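The original question asked for a weekly close-out rather than an annual one. The following is an added example (not Steven Schweda's script and not an HPE-supplied procedure) that carries the same extract-and-rename approach over to a 7-day cadence: the cutoff date is computed with a delta time, the archive is named by the run date, and an ON ERROR handler restarts the audit server if one of the ANALYZE steps fails so auditing is not left disabled. It assumes the default journal SYS$MANAGER:SECURITY.AUDIT$JOURNAL and the SYS$COMMON:[SYSMGR] location used above.

```dcl
$!  Weekly security audit journal rotation (added example, untested on
$!  the poster's system; run it first against a copy of the journal).
$!
$!  Whatever happens below, try to bring the audit server back.
$ on error then goto restart
$!
$!  Cutoff = now minus seven days, as an absolute date, e.g. 26-DEC-2013.
$ cutoff = f$cvtime("-7-00:00:00", "ABSOLUTE", "DATE")
$!
$!  Date stamp for the archive name: COMPARISON format gives yyyy.mm.dd,
$!  and subtracting "." twice strips both dots, e.g. 20140102.
$ stamp = f$cvtime(, "COMPARISON", "DATE") - "." - "."
$ archive = "SYS$COMMON:[SYSMGR]SECURITY_" + stamp + ".AUDIT$JOURNAL"
$!
$!  Stop the audit server so the journal is not written while we split it.
$ SET AUDIT /SERVER = EXIT
$!
$!  Records older than the cutoff go to the dated archive file.
$ ANALYZE /AUDIT /BINARY /BEFORE = 'cutoff' -
    /OUTPUT = 'archive' -
    SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$!  Records from the last seven days seed the new live journal.
$ ANALYZE /AUDIT /BINARY /SINCE = 'cutoff' -
    /OUTPUT = SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL_new -
    SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$ RENAME SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL_new -
    SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL;
$!
$ restart:
$ @ SYS$SYSTEM:STARTUP.COM AUDIT_SERVER
$ write sys$output "   Archive written: ''archive'"
$ write sys$output "   Verify it with ANALYZE /AUDIT /BRIEF before deleting"
$ write sys$output "   SYS$MANAGER:SECURITY.AUDIT$JOURNAL;-1"
```

Submitting this as a weekly batch job is straightforward, but as the reply above notes, the window between SET AUDIT /SERVER = EXIT and the restart is time during which nothing is being audited, so keep it short and confirm with SHOW AUDIT afterwards that the server is back.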