Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

Log Files for login procedure

 
Highlighted
Frequent Advisor

Log Files for login procedure

Can a log file be generated that will report what processes and system files are being processed as a user logs into a system? Does a log like this already exist?

Thanks in advance.

13 REPLIES 13
Highlighted
Honored Contributor

Re: Log Files for login procedure

1. In the beginning of login.com :
$ set watch file/class=all
--> very cryptic, all file accesses

2. Image accouting
$ set acc/ena=image
--> all images executed, not all file used

3. Audit
$ set audit/aud/enable=access=all
--> all file accesses of ALL processes, lots of lines and dangerous for performance. Good if directly disable after a few seconds.

Wim
Wim
Highlighted
Honored Contributor

Re: Log Files for login procedure

Forgot :
1. log is in sys$output
2. log via accouting/fu [acc filename]
3. log via anal/aud/fu [aud file name]

Wim
Wim
Highlighted
Honored Contributor

Re: Log Files for login procedure

Have a look at the sylogin logical (usually points to sys$manager:sylogin.com) and the login file of the user (see with mc authorize sh user, the lgicmd).

Highlighted
Frequent Advisor

Re: Log Files for login procedure

Thanks for the reply. In the beginning is it set "watch"?
Highlighted
Frequent Advisor

Re: Log Files for login procedure

No logical for sylogin? Bad?

$ sh log sylogin
%SHOW-S-NOTRAN, no translation for logical name SYLOGIN
$
Highlighted
Honored Contributor

Re: Log Files for login procedure

I would go for my 3. Then use anal/aud with /select=proc=id=xxx. The format will be easiest to read.

But reset audit back to its original values asap after the test.

Wim
Wim
Highlighted
Honored Contributor

Re: Log Files for login procedure

The logical sys$login must be used to find the sylogin. The default is sys$manager:sylogin.com. That is for implementing 1. I would take 3.

Post show audit/all if you don't know how to do it in detail.

Wim
Wim
Highlighted
Frequent Advisor

Re: Log Files for login procedure

$ show audit/all
List of audit journals:
Journal name: SECURITY
Journal owner: (system audit journal)
Destination: SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0

Security auditing server characteristics:
Database version: 4.4
Backlog (total): 100, 200, 300
Backlog (process): 5, 2
Server processing intervals:
Archive flush: 0 00:01:00.00
Journal flush: 0 00:05:00.00
Resource scan: 0 00:05:00.00
Final resource action: purge oldest audit events

Security archiving information:
Archiving events: none
Archive destination:

System security alarms currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached,server
Login: batch,dialup
Logfailure: batch,dialup,local,remote,network,subprocess,detached
Logout: batch,dialup

System security audits currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached,server
Login: batch,dialup
Logfailure: batch,dialup,local,remote,network,subprocess,detached
Logout: batch,dialup
$
Highlighted
Honored Contributor

Re: Log Files for login procedure

1) set aud/aud/ena=access=all
2) do your test (create the process)
3) set aud/aud/disa=access=all
4) wait 5 minutes to flush the audit buffers
5) anal/aud/fu/select=proc=id=xxx/out=x.lis -
SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL

(untested !)

xxx is the pid ofyour process. Alternative is /sel=proc=nam=yyy where yyy is the process name.

Wim
Wim