Getting Started with Auditing (deprecated)

Note: Audit Manager is deprecated and provided for backward compatibility only. We recommend that you use syslog events instead. See Enterprise Server Auditing for more information.
Restriction: This topic applies only when the Enterprise Server feature is enabled.

The sections in this topic provide an example of how to configure secure file auditing in a Windows environment. You can use a similar process to configure auditing in a UNIX environment.

Note: In the Windows environment, auditing runs as a Windows service. You can also run auditing from a command line, as a separate process. To do this, you use the mfauditmgr command.

1. Create a configuration file

In this section, you create the configuration file that the audit process is to use. The configuration file controls the audit process: it sets the location, number, and maximum size of the files that the Audit Manager creates.

The lines beginning with the # character are comments only.

  1. Create a folder to hold your configuration file and auditing logs, for example: C:\MFAudit
  2. In the directory you created, use a text editor to create the audit.cfg file, and add the following content:
    mfaudit.dest=AUDITFILE
    # Sets the output type to secure file.
    mfaudit.emitter.auditfile#collectionsize=3
    # Limits the audit process to three files.
    mfaudit.emitter.auditfile#location=C:\MFAudit\logs
    # Sets the location where the files are to be created.
    mfaudit.emitter.auditfile#file=audit.aud_$(GEN)
    # Sets the auditing file names. The $(GEN) parameter
    # numbers the file names sequentially.
    mfaudit.emitter.auditfile#maxfilesize=200
    # Closes each audit file when it reaches
    # a size of 200 KB.

2. Start the auditing service

In this section, you restart the auditing service so that it uses the configuration file.

  1. In Windows Services, locate the Micro Focus Audit Manager service, and if it is started, stop it.
  2. Right-click the service, and select Properties.
  3. Select the General tab, and in the Start parameters field at the bottom of the dialog box, enter the following:
    -c C:\MFAudit\audit.cfg

  4. On the dialog box, click Start and check that the service starts without errors.
  5. In Windows Explorer, check that the log files have been created ready for use.


3. Configure an External Security Manager (ESM)

In this section, you configure the Operating System ESM so that it is available for use.

  1. Start an Enterprise Server Administration session, and in the left-hand pane under Configure, select Security.

    The Security Options screen appears.

  2. Select the Security Managers tab, and click Add to display the Add Security Manager screen.
  3. In the Name field, enter a name, for example Windows ESM, and in the Module field, enter osesm to specify the security manager. Ensure that the Enabled checkbox is checked, and click Add to add the security manager.



4. Generate MFDS auditing events

In this section, you configure the Operating System External Security Manager (ESM) to generate auditing events for Micro Focus Directory Server.

  1. In the left-hand pane, select Security.
  2. Select the MF Directory Server tab, and at the bottom of the screen, click the Change button.
  3. Select the radio button next to the Windows ESM item you created, and click Add. You are prompted for a login with MF directory server administration permissions.
  4. Enter a valid Enterprise Server Administration user ID, for example the default SYSAD, password SYSAD, and click OK. You are prompted for a user ID and password with Administer Users permissions. Enter your system login and click OK.
  5. Under the MF Directory Server tab, in the Security Facility Configuration area, select the Create audit events checkbox, and at the bottom of the screen, click Apply.



MFDS operations that are performed are now logged to the audit files.

5. Generate Enterprise Server audit events

In this stage, you configure the Audit Manager to collect records of events generated by Enterprise Servers that are running.

  1. In the left-hand pane, select Security.
  2. Select the Default ES Security tab and under Default ES Security Manager List, click Add.
  3. Select the radio button next to the Windows ESM entry, and click Add.

6. Perform secure operations

In this section, you generate audit events to be logged.

  1. Log off the directory server and log back on again.
  2. Perform some enterprise server processes, for example starting and stopping regions.
  3. Repeat the process to generate some audit events that you can check.

7. View the audit logs

In this section, you make the audit records accessible for viewing, and generate a report.

  1. In Windows Explorer, check the audit files and verify by the file size and datestamp that the first audit file has logged the audit data.



  2. Open a command prompt, and navigate to the C:\MFAudit\logs folder.
  3. Use the following command to make the first audit file available for dumping:
    mfauditadm -p -f audit.aud_1
  4. Use the following command to generate an audit report from the dumped file:
    mfauditadm -r -o audreport.txt -f audit.aud_1
    The above command creates a file named audreport.txt that contains the audit information.