How to remove audit journal files in audit settings

Wim Van den Wyngaert · ‎08-08-2006

I get 2 journal names when I do show audit/all.
1 security and 1 audit$journal.

How do I remove the audit$journal ?

BTW : the destination is the same file for both.

Wim

Wim

Jan van den Ende · ‎08-08-2006

Wim,

I can not now look up how to disable all messages to eigther destination, but if you are just trying to get rid of the file ( but WHY ?? ) I think you might just define (/EXEC/SYSTEM) the file to NL: .

fwiw,

Proost.

Have one on me.

jpe

Don't rust yours pelled jacker to fine doll missed aches.

Wim Van den Wyngaert · ‎08-08-2006

Jan,

Not the file is the problem.
I need to remove the second journal from the show audit output. Simply for cleaning up purposes.

Seems VMS only allows to add files ?

Wim

Wim

Kris Clippeleyr · ‎08-08-2006

Wim,
I don't know about a standard/documented solution, but couldn't you just replace the VMS$AUDIT_SERVER.DAT file with a "virgin" copy (after safeguarding your alarm/audit settings)?
Regards,
Kris (aka Qkcl)

I'm gonna hit the highway like a battering ram on a silver-black phantom bike...

Wim Van den Wyngaert · ‎08-08-2006

Kris,

Yes but I hoped there was a "command" way.

Wim

Wim

John Gillings · ‎08-08-2006

Wim,
So what's it worth? 1 Point again?

It's not clear from your description what the problem is. Please post the output you're worried about.

A crucible of informative mistakes

Wim Van den Wyngaert · ‎08-08-2006

SALPV1/MGRWVW>show audit/all
List of audit journals:
Journal name: SECURITY
Journal owner: (system audit journal)
Destination: DISK$SALP_CONF:[AUDIT]SECURITY.AUDIT$JOURNAL
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0

Journal name: AUDIT$JOURNAL
Journal owner: SYSMGR_DSV
Destination: disk$salp_conf:[AUDIT]SECURITY.AUDIT$JOURNAL
Monitoring: disabled

Wim

Wim Van den Wyngaert · ‎08-08-2006

Got worse. I added another destination. I also restarted audit_server. No impact. I found "/remove" in the command syntax, not in help.

SALPV1/MGRWVW>show audit/all
List of audit journals:
Journal name: SECURITY
Journal owner: (system audit journal)
Destination: DISK$SALP_CONF:[AUDIT]SECURITY.AUDIT$JOURNAL
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0

Journal name: AUDIT$JOURNAL
Journal owner: SYSMGR_DSV
Destination: disk$salp_conf:[AUDIT]SECURITY.AUDIT$JOURNAL
Monitoring: disabled

Journal name: WIM
Journal owner: SYSMGR_WVW
Destination: DISK$SALP_CONF:[AUDIT]SECURITY.AUDIT$JOURNAL
Monitoring: disabled

SALPV1/MGRWVW>set aud /jou=wim/remove
%SET-E-VERIFYFAIL, specified operation was not performed due to the following error:
-RMS-W-RNL, record not locked
SALPV1/MGRWVW>set aud /jou=audit$journal/remo
%SET-E-VERIFYFAIL, specified operation was not performed due to the following error:
-RMS-E-RNF, record not found

Wim

Volker Halle · ‎08-08-2006

Wim,

according to HELP SET AUDIT/JOURNAL, there is only one journal: SECURITY

The facts that SET AUDIT/JOURN=xxx/DEST=file lets you create another one and does not allow you to later delete it, may be related.

This seems to have been a 'user error' in the first place, but then VMS shouldn't have allowed you to specify another journal, if there wasn't meant to be another one.

Volker.

John Abbott_2 · ‎08-08-2006

The subsequent journal names have monitoring disabled, I suspect the destination files do not actually exist ? (also suspect you've not been able to enable monitoring).

If you try a $ set aud /jou=wim/thr=actio=50 it complains with
%SET-E-VERIFYFAIL, specified operation was not performed due to the following er
ror:
-AUDSRV-W-JNLNOTACTIVE, cannot modify journal ; journal not active

There's nothing much in the manuals that I can see except for examples with /journal=SECURITY and what Volker also mentions.

Our test lab box matches your set-up now :-)
An unexpected feature ?

J.

Don't do what Donny Dont does

Wim Van den Wyngaert · ‎08-08-2006

John A.,

The destination file does exist. Because of the first entry that is enabled.

Also noted that set audit/listener is lost when you restart audit server. Good to know because we have a little process pumping it to our monitoring system.

I guess I will have to follow the hint of Kris.

Wim

Wim

John Abbott_2 · ‎08-08-2006

Yes, I was just pointing out that I suspect the _subsequent_ ones don't (as that's whay I see on my test lab box).

re:
> Also noted that set audit/listener is lost when you restart audit server. Good to know because we have a little process pumping it to our monitoring system

Can't check at the mo, but I'm sure we have an ACE on SETAUDIT.EXE to audit EXE+SUCCESS which triggers an event when listening is disabled, we then automatically re-enable it.

J.

Don't do what Donny Dont does

Wim Van den Wyngaert · ‎08-08-2006

Wizard John,

How do you trigger the re-listening ?

Wim

Wim

John Abbott_2 · ‎08-08-2006

Hi Wim :-)

We use a product called Auditor Plus to listen for various security events in real-time and take appropriate action.

I thought we had some call out code which re-enabled it, but it would appear to be a feature within A+. Maybe I can find out how they do it, if you like ? (code wise)

In order for it to work we have to

1) Place at least the following ACL on sys$system:setaudit.exe
(AUDIT=SECURITY,ACCESS=EXECUTE+SUCCESS) or
(ALARM=SECURITY,ACCESS=EXECUTE+SUCCESS)
2) Ensure that ACL auditing and/or alarming is enabled and that ACL is selected
when starting the Audit Monitor.

I guess that... This way an alarm is generated and I assume shortly afterwards the mbx dies. A+ reads the mbx and detects no more mbx on next read, so it re-establishes it.

Sorry, not the complete picture, but hope it helps...

Kind Regards
John.

Don't do what Donny Dont does

John Gillings · ‎08-09-2006

Wim,
I know what's wrong and I know how to fix it, but for a measly one point, it's not worth my time... sorry.

A crucible of informative mistakes

Wim Van den Wyngaert · ‎08-13-2006

John A.,

Decided to monitor the refcnt of the audit mailbox. If not 2, alarm.
Manual investigation needed then but is more fool proof than monitoring the startup of audit_server or the audit alarm when the command /nolist is given. Thanks anyway.

Wim

Wim

Hein van den Heuvel · ‎08-14-2006

The data for the audit journal settings is maintained in a simple indexed file:
sys$manager:VMS$AUDIT_SERVER.DAT;1

If those extra records really bother you then just remove tham with simple RMS commands??

The primary key is a simple string with "Journal name". The string length count is the byte preceding it.
The Journal file names is a counted string at offset 85 it seems.

First, create a backup:
$CONVERT/STAT/SHARE sys$manager:VMS$AUDIT_SERVER.DAT VMS$AUDIT_SERVER.BACKUP

Now open

$open/read/write/share=write x
sys$manager:VMS$AUDIT_SERVER.DAT

And test:

$read/key="SECUR" x record
$show symb recordwrite sys$output "->",f$extr(7,f$cvui(6*8,8,record),record),"<-"
->SECURITY<-
HEIN>write sys$output "->",f$extr(85,f$cvui(84*8,8,record),record),"<-"
->SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL<-

And play:

HEIN>record[7,8]:=nonsense
HEIN>record[85,41]:="Als ik kon toveren, kwam alles voor elkaar
HEIN>write/symb x record
HEIN>show audit /all
List of audit journals:
Journal name: NONSENSE
Journal owner: (system audit journal)
Destination: Als ik kon toveren, kwam alles voor elkaa
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0

Journal name: SECURITY
Journal owner: (system audit journal)
Destination: SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL
:

And cleanup:

$read/dele/key=NONSENSE x deleted_record
$close x

In summary, for Wim to cleanup I think the commands would be:

$convert/share/stat sys$manager:VMS$AUDIT_SERVER.DAT sys$manager:VMS$AUDIT_SERVER.backup
$open/read/write/share=write audit sys$manager:VMS$AUDIT_SERVER.DAT
$read/delete/key=AUDIT$JOURNAL audit audit_record
$read/delete/key=WIM wim_record
$close audit
$show audit/all

If anything went wrong, then you can used the backup, or you can re-write the deleted records from the dcl symbols the data was saved into.

Enjoy,
Hein.

Hein van den Heuvel · ‎08-14-2006

Hi there Wim!

You assigned 3 points to my reply. The suggested meaning for this is "1-3: The answer didn't really help answer my question, but thanks for your assistance! "
I can not help but read this as...
"Bzzzzz, all wrong, thanks for playing"

And here I naively thought it perfectly answerred your immediate question:
"How do I remove the audit$journal ?"

I would appreciate a small explanation as to why you thought my suggestion did not solve the problem, and possibly is the only current solution to the problem.
Is there something I overlooked, or am I reading too much in those points?

Btw... obviously my solution is a workaround / hack / magic.
There appears to be a weakness / incomplete solution in the implementation here.
If this is a real problem, and it is important to your customer, just escalate through a support call to HP. No one in this forum of friends can actualy fix/change the code. You'll need to excercise your support contract for that. That's why folks buy support.

Met vriendelijke groetjes,
Hein.

John Abbott_2 · ‎08-14-2006

Thanks for your post Hein, your summary example worked fine on my test lab system, junk entry gone... but then you already know it works :-)
Never thought to look & play, quite simple really.
Thank again
J.

Don't do what Donny Dont does

Wim Van den Wyngaert · ‎08-14-2006

Hein,

No hard feelings but your solution has the same result as that of Kris but the one of Kris is simplier. And the question is to solve the problem with "set audit" commands.
So yes, didn't really solve the question.

It's strange that nobody complaints when they get overpaid (the 10 on all answers).

I'm curious if it is bad documentation or simply missing functionality (strange that nobody noticed it before).

Wim

Wim

Wim Van den Wyngaert · ‎08-14-2006

BTW Hein : I only have 1 client (ING). I just noticed that someone had an acident when doing show aud/all. No problem, just curious.

Wim

Wim

Hein van den Heuvel · ‎08-14-2006

Wim, I don't need no stinking points.
I need to know whether my solution worked for you or not. If it did not work, then I'd like to understand why not.
Future readers deserve to know which replies worked which did not.

Well meaning folks which give out easy 10 points for any answer do not help me understand what is a good answer either, but at least they will briefly make someone happy... for free!

'nuff said.
Cheers,
Hein.

Terry Yeomans · ‎08-20-2006

Wim,
in reply to your original question, this is how you renew your new audit journal file:
SET AUDIT /SERVER=EXIT
SET AUDIT /SERVER=START
SET AUDIT /SERVER=CREATE_SYSTEM_LOG
This should create a new file so that you can purge out the (I expect) very large old one.
Regards Terry.

Wim Van den Wyngaert · ‎08-20-2006

Terry,

Same reply as for Jan. The problem is not the file itself but removing the files from audit settings.

Wim

Wim

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

How to remove audit journal files in audit settings

How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings

Re: How to remove audit journal files in audit settings