Import the Audit Events from the Audit Log Files to a Database

CA EEM logs the following audit events in an XML format in the audit log files:
  • Authentication events
  • Authorization events
  • Admin events
You can use the Safe Audit Import tool (tool) to import the audit events from the audit log files to a database for persistence or to generate reports. Use the server.xml file to manage the size, location, and rollover of the audit log files. Use the config.xml file to configure the tool.
The following diagram describes how to import the audit events from the audit log files to a database:
[Figure: the steps to import the audit events from the audit log files to a database]
Follow these steps:
Verify the Prerequisite
Create a database to store the audit events from the audit log files.
Verify the Limitations
Before you execute the tool, review the following limitations:
  • The database administrator must manage the database.
  • CA EEM 12.51 and earlier releases do not identify audit events uniquely. To resolve the limitation, the tool processes the first event of an audit log file, generates an SHA1 digest for the audit log file, and appends a sequence number, starting from 1, to the SHA1 digest for each event. CA EEM uses the SHA1 digest and the sequence number as the GUID of an audit event to identify audit events uniquely.
  • The tool does not process any audit log file that is created while the tool is running.
Import or Create a Database Schema
By default, CA EEM provides the database schema for Microsoft SQL Server and Oracle in the following location:
Windows: %EIAM_HOME%\samples\auditttool\dbschema
UNIX: $EIAM_HOME/samples/auditttool/dbschema
Import the eem_audittool_mssql_db_schema.sql database schema for Microsoft SQL Server or the eem_audittool_oracle_db_schema.sql database schema for Oracle into your database. If you are using any other JDBC-compliant database, use the default samples to create a database schema for the database.
Review the Logging Configuration of the server.xml Log File
CA EEM creates one or more audit log files depending on the logging configuration of the server.xml file that is stored in the following location:
Windows: %EIAM_HOME%\config\logger
UNIX: $EIAM_HOME/config/logger
CA EEM creates multiple log files if the RollingFileAppender or the DailyRollingFileAppender appender is configured in the server.xml log file. If the RollingFileAppender appender is configured, an audit log file is rolled over in the following format:
audit.log.n
  • n
    Defines the sequence of the audit log file that is rolled over. Before a rollover, CA EEM increments the sequence number of the oldest audit log file by 1 and names the latest audit log file as audit.log.1.
    If RollingFileAppender is configured, there may be a data loss if the audit log file rolls over when the Safe Audit Import tool is in execution.
If the DailyRollingFileAppender is configured, an audit log file is rolled over in the following format:
audit.log.timestamp
By default, CA EEM stores the audit log files in the following location:
Windows: %EIAM_HOME%\logs
UNIX: $EIAM_HOME/logs
The tool processes all the audit log files that are available in the logs directory.
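The rollover caveat above can be checked from outside the tool. The following is an added example, not part of CA EEM or the Safe Audit Import tool: it fingerprints the leading bytes of each audit log file before the import and locates the same content afterwards, so a rename caused by RollingFileAppender or a file created during the run becomes visible. The helper names (`snapshot`, `compare`, `demo`) are hypothetical, and the sketch assumes that audit log files differ within their first 4 KiB.

```python
import hashlib
import os
import tempfile

HEAD_BYTES = 4096  # assumption: audit log files differ within their first 4 KiB

def _logs(logs_dir):
    paths = ((n, os.path.join(logs_dir, n)) for n in sorted(os.listdir(logs_dir)))
    return {n: p for n, p in paths if n.startswith("audit.log") and os.path.isfile(p)}

def _head(path, length):
    with open(path, "rb") as fh:
        return hashlib.sha1(fh.read(length)).hexdigest()

def snapshot(logs_dir):
    """Record (head length, SHA-1 of head) for every non-empty audit log file."""
    snap = {}
    for name, path in _logs(logs_dir).items():
        length = min(os.path.getsize(path), HEAD_BYTES)
        if length:
            snap[name] = (length, _head(path, length))
    return snap

def compare(before, logs_dir):
    """Locate each file from `before` by content: same name, renamed, or missing."""
    now, matched = _logs(logs_dir), set()
    result = {"renamed": {}, "missing": [], "created": []}
    for name, (length, digest) in before.items():
        for cand in sorted(now, key=lambda n: n != name):  # try the same name first
            if cand not in matched and _head(now[cand], length) == digest:
                matched.add(cand)
                if cand != name:
                    result["renamed"][name] = cand  # rolled over during the run
                break
        else:
            result["missing"].append(name)  # expected only with deleteprocessed=true
    result["created"] = [n for n in now if n not in matched]  # not seen before the run
    return result

def demo():  # constructed data: a rollover happens between the two snapshots
    with tempfile.TemporaryDirectory() as d:
        for name in ("audit.log", "audit.log.1"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"<event src='%s'/>" % name.encode())
        before = snapshot(d)
        os.rename(os.path.join(d, "audit.log.1"), os.path.join(d, "audit.log.2"))
        os.rename(os.path.join(d, "audit.log"), os.path.join(d, "audit.log.1"))
        open(os.path.join(d, "audit.log"), "wb").close()  # fresh, empty active log
        return compare(before, d)
```

Call `snapshot()` on the logs directory before starting the tool and `compare()` after it exits. Any `renamed` entry means a rollover occurred while the import ran, and `created` entries are files to pick up with another run.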
Configure the config.xml File
Configure the config.xml file to perform the following tasks:
  • Define how the tool must import the audit events.
  • Define the database that must store the imported audit events.
Follow these steps:
  1. Log in to the CA EEM server and navigate to the following location:
    Windows: %EIAM_HOME%\samples\auditttool\config
    UNIX: $EIAM_HOME/samples/auditttool/config
  2. Open the config.xml file.
  3. Configure the following parameters:
    • size
      Defines the maximum number of audit events that the tool extracts from the audit files at a time and stores in cache before importing the events into a database.
    • eventdir
      Defines the location of the audit.log files.
    • classpath
      Defines the path to the JDBC driver jar.
    • deleteprocessed
      Specifies whether the tool deletes the audit log files after processing them. Set the value to true to delete processed audit log files. Set the value to false to retain processed audit log files.
    • driver
      Defines the JDBC driver.
    • url
      Defines the URL of the database.
    • user and password
      Defines the user credentials to access the database. If you want to munge the password, generate a munged password using the failover tool and enter the munged password.
    • batchsize
      Defines the maximum number of events that the tool imports to the database at a time.
Execute the Safe Audit Import Tool
Execute the audit import tool to import the audit events from the audit log files into the database.
Follow these steps:
  1. Open the command prompt on the CA EEM server.
  2. Execute the following command:
    java -jar safeauditimport.jar <configuration_file>
    • <configuration_file>
      Defines the relative path to the config.xml file.
The audit events are imported into the database.