- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes
Operating System - OpenVMS
1753532
Members
6338
Online
108795
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Go to solution
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-27-2009 12:02 AM
тАО08-27-2009 12:02 AM
Hi!
I would like to run a report that only shows me those users that have used AUTHORIZE to change the privileges (default or authorised) of other users.
ANAL/AUDIT/EVENT and ANAL/AUDIT/SELECT doesn't *appear* to be able to offer this.
I'm aware that I could generate a generic AUTHORIZE changes report and then parse it for what I need:
$SEARCH -
"Privileges","New" /MATCH=AND /WIND=(x,y)
but that approach is messy if multiple changes to an accout have occured.
I was just wondering if I was missing something blindingly obvious.
Many thanks
Craig A
I would like to run a report that only shows me those users that have used AUTHORIZE to change the privileges (default or authorised) of other users.
ANAL/AUDIT/EVENT and ANAL/AUDIT/SELECT doesn't *appear* to be able to offer this.
I'm aware that I could generate a generic AUTHORIZE changes report and then parse it for what I need:
$SEARCH
"Privileges","New" /MATCH=AND /WIND=(x,y)
but that approach is messy if multiple changes to an accout have occured.
I was just wondering if I was missing something blindingly obvious.
Many thanks
Craig A
Solved! Go to Solution.
3 REPLIES 3
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-27-2009 01:40 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-27-2009 02:36 PM
тАО08-27-2009 02:36 PM
Re: ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes
Craig,
The selection qualifiers for ANALYZE/AUDIT and ACCOUNTING are somewhat useful, but, as you've found, it's not always easy to work out the exact combination that gets the information you want, or even work out if it exists. Often it's easier to just dump the whole time window you're interested in and SEARCH the text.
If you have a longer, or regular task, it's fairly simple to build a DCL parser that can discriminate the start and end of audit records, outputting whole records which match your search strings.
PIPE comes in handy here:
$ PIPE ANALYZE/AUDIT/OUT=SYS$OUTPUT ... | @yourparser string string...
If the records aren't too big, you can glue them together into a single string and output as CSV, or something sortable. Parsing the text can be very simple, just split the lines on the first ":", collapse the left hand side to form a symbol name, and replace the : with =" to turn each record into a symbol assignment which you can then execute (though you'll need some continuation line logic). So, for example, convert:
Event time: 28-AUG-2009 00:00:38.16
into:
Eventtime="28-AUG-2009 00:00:38.16"
This makes it easy to throw away fields you're not interested in, even if you don't know their names. Just run the event through the symbolizer then output what you're interested in:
$ WRITE SYS$OUTPUT Auditableevent,",",Eventtime,",",Username
The selection qualifiers for ANALYZE/AUDIT and ACCOUNTING are somewhat useful, but, as you've found, it's not always easy to work out the exact combination that gets the information you want, or even work out if it exists. Often it's easier to just dump the whole time window you're interested in and SEARCH the text.
If you have a longer, or regular task, it's fairly simple to build a DCL parser that can discriminate the start and end of audit records, outputting whole records which match your search strings.
PIPE comes in handy here:
$ PIPE ANALYZE/AUDIT/OUT=SYS$OUTPUT ... | @yourparser string string...
If the records aren't too big, you can glue them together into a single string and output as CSV, or something sortable. Parsing the text can be very simple, just split the lines on the first ":", collapse the left hand side to form a symbol name, and replace the : with =" to turn each record into a symbol assignment which you can then execute (though you'll need some continuation line logic). So, for example, convert:
Event time: 28-AUG-2009 00:00:38.16
into:
Eventtime="28-AUG-2009 00:00:38.16"
This makes it easy to throw away fields you're not interested in, even if you don't know their names. Just run the event through the symbolizer then output what you're interested in:
$ WRITE SYS$OUTPUT Auditableevent,",",Eventtime,",",Username
A crucible of informative mistakes
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-28-2009 04:04 AM
тАО08-28-2009 04:04 AM
Re: ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes
Richard: Thanks - Perfect!
John: Very useful. Many thanks.
Craig A
John: Very useful. Many thanks.
Craig A
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP