09-18-2008 07:13 AM
Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge
Wim
09-18-2008 07:36 AM
Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge
>>>
there are two nodes, two separate system disks, logical VMS$AUDIT_SERVER defined on both nodes,
<<<
Did you perhaps fall for the trap of having those defined as somehow derived from SYS$SYSDEVICE or SYS$SYSROOT?
(I once made that mistake also, and it puzzled me much, until the famous "Oh no, not THAT simple" experience.)
Those ARE the default definitions, but, in a multi-systemdisk cluster, they point to DIFFERENT devices! Be sure to use LNMs derived from the SAME device, and have that device MOUNTed (for EACH node) by SYLOGICALS.COM
hth
Proost.
Have one on me.
jpe
09-18-2008 09:09 AM
Solution
Here is what the security manual says, which is different than what sylogicals suggests.
HP OpenVMS Guide to System Security
OpenVMS Version 7.3-2
http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/AA-Q2HLG-TE.pdf
Chapter 9 Security Auditing pg 204
-------------------------------------------------------------------------------------------------------
Moving the File from the System Disk
To relocate the file from the SYS$COMMON:[SYSMGR] directory, edit the command procedure SYSECURITY.COM. This procedure executes each time the system is rebooted, before the audit server is started.
To relocate the file, perform the following steps:
1. Change the startup sequence by adding a line to SYSECURITY.COM that directs the operating system to mount the designated auditing disk before the audit server process is started rather than after. For example:
$ IF .NOT. F$GETDVI("$1$DUA2","MNT") -
_$ THEN MOUNT/SYSTEM $1$DUA2 AUDIT AUDIT$ /NOREBUILD
The command in this example mounts a volume labeled AUDIT on $1$DUA2 and makes it available systemwide. MOUNT also assigns the logical name AUDIT$.
2. Move the audit server database to the auditing disk, if you choose. The database remains small and fairly stable so this step is not essential.
To move the database, add a second line to SYSECURITY.COM to define the system logical name VMS$AUDIT_SERVER. (The line follows the one that mounts the auditing disk.) In the command, define a system logical name and assign it to the VMS$AUDIT_SERVER data file on the disk with the logical name AUDIT$. For example:
$ DEFINE/SYSTEM/EXEC VMS$AUDIT_SERVER AUDIT$:[AUDIT]VMS$AUDIT_SERVER.DAT
This command redirects the audit server database to the volume on $1$DUA2, which was mounted in step 1.
3. From the DCL level, redirect the security audit log file to the volume mounted in SYSECURITY.COM (see step 1). Use the SET AUDIT command to update the audit server database with the new location of the security audit log file, and instruct the audit server process on each node in the cluster to begin using the file. For example:
$ SET AUDIT/JOURNAL=SECURITY -
_$ /DESTINATION=AUDIT$:[AUDIT]SECURITY
Do not repeat this command on each system restart.
If you use a logical name in the specification of the security audit log file, it must be defined as a /SYSTEM logical name in SYSECURITY.COM.
-------------------------------------------------------------------------------------------------------
Also see section "Managing the Auditing Subsystem" starting on page 212.
You currently have multiple audit journal files, since each system disk has its own sys$common. According to the manual, that will work, but is not recommended: (from page 203)
-------------------------------------------------------------------------------------------------------
Ordinarily, all cluster events are written to a single audit log file. The use of one security audit log file in a cluster results in a single record of all security-relevant events on the system. For this reason, one clusterwide log file is preferable to node-specific audit logs, which lose the interrelationship of events across the cluster, thus producing an incomplete analysis of security events. You can, if you wish, create node-specific audit logs (see Maintaining the File), but this is not the recommended procedure.
-------------------------------------------------------------------------------------------------------
One more thing, set audit/start does not do everything needed to start auditing. You must do that, wait for the AUDSRV$CONTROL_MAILBOX to be created, then issue set audit/initiate. Or do what is recommended and use
$ @SYS$SYSTEM:STARTUP AUDIT_SERVER
(See help set audit/server)
Jon
09-18-2008 09:27 AM
Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge
There are no messages in operator.log that relate to audit server.
Audit server processes run on both nodes as shown:
ALPHAZ> PIPE SHO DEVICE/FILE DSA10: | SEA SYS$INPUT 218455CE
AUDIT_SERVER 218455CE [VMS$COMMON.SYSEXE]AUDIT_SERVER.EXE;1
ALPHAZ> PIPE SHO DEVICE/FILE DSA200: | SEA SYS$INPUT 218455CE
AUDIT_SERVER 218455CE [VMCOMMON]VMS$AUDIT_SERVER.DAT;1
AUDIT_SERVER 218455CE [VMCOMMON]SECURITY.AUDIT$JOURNAL;5
AUDIT_SERVER 218455CE [VMCOMMON]VMS$OBJECTS.DAT;1
After reading the last comments I decided that maybe the journal HAD to be shared so I used a definition that would equate to the same location for BOTH nodes. This only changed the journal entry in SHOW AUDIT/JOURNAL
ALPHAZ> sho audit/jou
List of audit journals:
Journal name: SECURITY
Journal owner: (system audit journal)
Destination: SYSDISK2:[VMCOMMON]SECURITY.AUDIT$JOURNAL
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0
%SHOW-W-NOAUDITING, security auditing disabled; no events will be logged
My guess is that the VMS$AUDIT_SERVER.DAT might be corrupted and require being recreated. (But, I don't know if the audit server would automatically do this if those files were missing....)
09-18-2008 11:27 AM
Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge
Just to confirm: you did
$ set audit/initialize
or
$ @SYS$SYSTEM:STARTUP AUDIT_SERVER
after making your changes?
If your VMS$AUDIT_SERVER.DAT was corrupt, why is one node's audit server working correctly?
The data in this file is normally static, so you should be able to copy the working version to the shared directory using convert/share. My guess is that it is not the file, but that the /initialize needs to be done.
Reference: http://h71000.www7.hp.com/wizard/wiz_8897.html
Jon
09-18-2008 12:03 PM
Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge
Having SECURITY.AUDIT$JOURNAL in different locations for each node didn't work. I had to execute this command:
Set audit/DESTINATION=SYSDISK2:[VMCOMMON]SECURITY.AUDIT$JOURNAL/JOUR=SECURITY
and then I HAD to restart using
@SYS$SYSTEM:STARTUP AUDIT_SERVER
not
SET AUDIT/SERVER=START
collecting audit data now...
thanks everyone, the forum is working better than some of the HP support I've been getting lately.
Clark
09-18-2008 08:19 PM
Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge
As Clark posted, the correct set audit syntax is
$ set audit /SERVER=[start|initialize]
I left out the "/SERVER=" part in my recommendation.
zero points for this.
09-19-2008 12:46 AM
Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge
Wim
09-19-2008 01:37 AM
Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge
If the journal file is set to Destination: SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL and you have two different system disks, or if it is set to Destination: SYS$SPECIFIC:[SYSMGR]SECURITY.AUDIT$JOURNAL and you have a shared system disk. Those are two ways I can think of. Although the logical specifications are the same, they will be distinct files.
Jon
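Added example, not part of any post in this thread: a Python check that reads SHOW AUDIT/JOURNAL output captured from each node (the format shown earlier in the thread), reports the NOAUDITING warning, and flags journal destinations built on the system-disk-relative logical names discussed above. The node name ALPHAY, the function names and the sample captures are constructed for illustration; the ALPHAZ capture mirrors the output posted in the thread.

```python
import re

# Logical names that resolve relative to a node's own system disk or root,
# as named in the thread; a destination built on them can be a distinct file per node.
NODE_RELATIVE = ("SYS$SYSDEVICE", "SYS$SYSROOT", "SYS$COMMON", "SYS$SPECIFIC")

def parse_show_audit(text):
    """Pull the journal destination and the NOAUDITING warning out of captured output."""
    dest = re.search(r"^\s*Destination:\s*(\S+)", text, re.MULTILINE)
    return {"destination": dest.group(1).upper() if dest else None,
            "disabled": "%SHOW-W-NOAUDITING" in text}

def check_cluster(outputs):
    """outputs maps node name -> captured text; returns findings in a stable order."""
    parsed = {node: parse_show_audit(text) for node, text in outputs.items()}
    findings = []
    for node, info in sorted(parsed.items()):
        dest = info["destination"]
        if info["disabled"]:
            findings.append(f"{node}: auditing disabled, no events are being logged")
        if dest is None:
            findings.append(f"{node}: no journal destination found in output")
        elif dest.split(":", 1)[0] in NODE_RELATIVE:
            findings.append(f"{node}: destination {dest} depends on this node's system disk")
    dests = sorted({i["destination"] for i in parsed.values() if i["destination"]})
    if len(dests) > 1:
        findings.append("cluster: nodes report different journal destinations: " + ", ".join(dests))
    return findings

# Constructed sample captures. ALPHAZ mirrors the output posted above;
# ALPHAY is a hypothetical second node still on the default destination.
SAMPLE = {
    "ALPHAZ": """List of audit journals:
Journal name: SECURITY
Destination: SYSDISK2:[VMCOMMON]SECURITY.AUDIT$JOURNAL
Monitoring: enabled
%SHOW-W-NOAUDITING, security auditing disabled; no events will be logged
""",
    "ALPHAY": """List of audit journals:
Journal name: SECURITY
Destination: SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL
Monitoring: enabled
""",
}

if __name__ == "__main__":
    for line in check_cluster(SAMPLE):
        print(line)
```

Matching destination strings do not prove that the nodes write to one file, since the same logical specification can resolve to different devices; that is why the node-relative roots are flagged even when every node reports the same text.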
09-19-2008 02:39 AM
Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge
Sorry I was incomplete but I saw the file on dsa200 not being the system disk. So, that should be shared.
I just did a test with 1 vms$audit_server.dat file common for both nodes. No problem at all for getting destination to 2 different disks (destination a:[000000]wim.lis where a is the local page file of both systems, not mounted by each other).
Wrong conclusion?
Wim