The type of system doesn't matter. VMS on a workstation does not differ from VMS on a server. It's not Unix nor is it like Windows. It has it's own ways of logging all kinds of events, and audit is no different.
You can set audit for logging, which is logged in SYS$MANAGER:SECURITY.AUDIT$JOURNAL, or for alarm, which is logged there as well, and on OPERATOR.LOG.
However, audit on VMS is (by design?) something node-local.
If your workstation boots from a common system disk, it will have it's own SYS$SYSTEM and, quite likely, it's own SYS$MANAGER, so it's own security and (if enabled) operator.log. Be sure to have this closed for unauthorized access. (which is a general recommendation).
If the system has it's own systemdisk, these files will normally reside on it as well. OPEARTOR.LOG may be disabled, but OPCOM will try to send it;s messages to other clusternodes as well. Have big systems set to handle all messages (from itself and all incoming ones) and the small ones (that have no OPERATOR.LOG locally) to disallow incoming messages, but allow sending them.
By that, the bigger hosts will function as loghost - not the Unix way since messages will be sent by the cluster communication protocol (which is (AFAIK) secure).
If your workstation is stand-alone, it will audit on it's own system disk - or, if you define so, to a security mailbox. AYou have to create a listener that reads this mailbox, and handles the message - but you will be able to specify what it will do: sending it to another host, for example, for further processing.
Bear in mind however, that is that case you have to add the nodename to the message, before storing. Since Audit is local, there is no nodename mentioned in the audit message.
Willem
Willem Grooters
OpenVMS Developer & System Manager
