Configure the Policy Server Log (smps.log) and Audit Log (smaccess.log)

This topic contains the following information about configuring Policy Server and audit logs:
Configure the Policy Server log and Policy Server audit log from the Logs tab of the Policy Server Management Console. The Policy Server Log section controls the settings for the Policy Server log, smps.log. The Policy Server log file records information about the status of the Policy Server. The Policy Server Audit Log section controls configurable levels of auditing information that can be written to the audit log, smaccess.log. This information includes authentication, authorization, and other events. Specify the location of the audit log and its rollover settings on the Data tab by selecting Database > Audit Logs. The configurable audit levels are not written to the policy server log.
If the Policy Server is configured as a RADIUS Server, RADIUS activity is logged in the RADIUS log file.
Follow these steps:
  1. Start the Policy Server Management Console.
    On Windows Server, if User Account Control (UAC) is enabled, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA Single Sign-On component.
  2. Click the Logs tab.
  3. To configure the location, rollover characteristics, and required level of audit logging for the Policy Server log, adjust the settings in the Policy Server Log and Policy Server Audit Log group boxes.
  4. If the Policy Server is configured as a RADIUS server, adjust the settings presented in the RADIUS Log group box.
  5. Click Apply to save your changes.
Record Administrator Changes to Policy Store Objects
By default, administrator changes to policy store objects are written to a set of XPS text files that are stored in the directory siteminder_home\audit.
The audit logs are stored as text files, as shown in the following example:
policy_server_home/audit/xps-process_id-start_time-audit_sequence.file_type
The name of each audit log file contains the following information:
  • process_id
    Indicates the number of the process associated with the audited event.
  • start_time
    Indicates the time that the transaction started in the following format:
    YYYYMMDDHHMMSS
    A four-digit year and the 24-hour clock are used.
    Example:
     20061204133000
  • audit_sequence
    Provides a sequence number for the audited event.
  • file_type
    Indicates one of the following event types:
    • access
      Indicates an audit log file that contains the following access events:
      • an Administrative UI or a reports server is registered
      • an Administrative UI or a reports server acts as a proxy on behalf of another user
      • an administrator is denied access for a requested action
    • audit
      Indicates an audit log file that contains the following events:
      • an object is modified (using an XPS Tool or Administrative UI)
      • administrator records are created, modified, or deleted
    • txn
      Indicates an audit log file that contains the following transaction events:
      • An XPS tool begins, commits, or rejects a change to an object.
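The naming scheme above can be checked mechanically when reviewing the audit directory. The following Python sketch is an added example, not part of the product or its sample scripts: it parses each name, lists files that do not fit the scheme, and reports missing sequence numbers. It assumes that process_id and audit_sequence are decimal numbers and that sequence numbers within one series are contiguous; the listing is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout from the page: xps-process_id-start_time-audit_sequence.file_type
# Assumption: process_id and audit_sequence are plain decimal numbers.
NAME_RE = re.compile(r"xps-(?P<pid>\d+)-(?P<start>\d{14})-(?P<seq>\d+)\.(?P<type>access|audit|txn)")

def parse_audit_name(name):
    """Return the fields encoded in an XPS audit file name, or None if it does not fit."""
    m = NAME_RE.fullmatch(name)
    if m is None:
        return None
    try:
        start = datetime.strptime(m["start"], "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits that are not a real date and time
        return None
    return {"process_id": int(m["pid"]), "start_time": start,
            "audit_sequence": int(m["seq"]), "file_type": m["type"]}

def review_listing(names):
    """Return (names that do not fit the layout, missing sequence numbers per series)."""
    unexpected, series = [], defaultdict(set)
    for name in names:
        info = parse_audit_name(name)
        if info is None:
            unexpected.append(name)
            continue
        key = (info["process_id"], info["start_time"], info["file_type"])
        series[key].add(info["audit_sequence"])
    gaps = {}
    for key, seqs in series.items():
        # Assumption: within one series the sequence numbers are contiguous.
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)
        if missing:
            gaps[key] = missing
    return unexpected, gaps

# Constructed listing of an audit directory (process id 4212 is made up).
SAMPLE = [
    "xps-4212-20061204133000-1.audit",
    "xps-4212-20061204133000-2.audit",
    "xps-4212-20061204133000-4.audit",   # sequence 3 is absent
    "xps-4212-20061204133000-1.access",
    "xps-4212-20061399133000-1.audit",   # month 13 is not a valid start_time
    "Harvest.sh",
]

if __name__ == "__main__":
    print(review_listing(SAMPLE))
```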
     
If you do not have write access to the CA Single Sign-On binary files (XPS.dll, libXPS.so, libXPS.sl), an Administrator must grant you permission to use the related XPS command line tools using the Administrative UI or the XPSSecurity tool.
To change the default setting
  1. Access the Policy Server host system.
  2. Open a command line and enter the following command:
    xpsconfig
    The tool starts and displays the name of the log file for this session, and a menu of choices opens.
  3. Enter the following command:
    xps
    A list of options appears.
  4. Enter the following value:
    1
    The current policy store audit settings appear.
  5. Enter C.
    This parameter uses a value of TRUE or FALSE. Changing its value toggles between the two states.
    The updated policy store audit settings appear. The new value is shown at the bottom of the list as "pending value."
  6. Complete the following steps:
    1. Enter Q twice.
    2. Enter Q to end your XPS session.
    Your changes are saved and the command prompt appears.
Process Old Log Files Automatically
You can have the Policy Server process old log files automatically by customizing one of the following scripts:
  • Harvest.bat (Windows)
  • Harvest.sh (UNIX or Linux)
The script runs when one of the following events occurs:
  • When the XPSAudit process starts using the CLEANUP option. The CLEANUP option processes all the log files in the directory at once.
  • Whenever the log files are rolled over.
  • When the XPSAudit process exits. During a rollover or an exit, the files are processed one at a time by file name.
You can customize the script to process the files any way you want, such as deleting the files, moving them to a database, or archiving them to another location.
This script is provided only as an example. It is not supported by CA.
To automatically process old log files, follow these steps:
  1. Open the following directory on your Policy Server:
    policy_server_home/audit/samples
  2. Open the appropriate script for your operating system with a text editor, and save a copy to the following directory:
    Windows: policy_server_home/audit/Harvest.bat
    UNIX/Linux: policy_server_home/audit/Harvest.sh
    Do not rename the file or save it to a location different from the one specified.
  3. Use the remarks in the script as a guide to customize the script according to your needs.
  4. Save your customized script and close the text editor.
Include Administrative Audit Events in Reports
If you have a report server and an audit database, you can configure the Policy Server to collect administrative audit events. You import this data into the audit database, so you can include it in any reports you generate.
A sample Perl script is installed with the Policy Server that you can customize to meet your needs.
To include administrative audit events in your reports, use the following process:
  1. Copy the sample scripts on the Policy Server by doing the following:
    1. Open the following directory:
      policy_server_home\audit\samples
      The following directories are the default locations for the policy_server_home variable:
      • Windows: C:\Program Files\ca\siteminder
      • UNIX/Linux: /opt/ca/siteminder
    2. Locate the following files:
      • Harvest.bat (for Windows)
      • Harvest.sh (for UNIX, Linux)
      • ProcessAudit.pl
      • Categories.txt
    3. Copy the previous files to the following directory:
      policy_server_home\audit
  2. (Optional) Customize the ProcessAudit.pl script.
  3. After the next scheduled run of the XPSAudit command, copies of the audit logs are created using the comma-separated value (CSV) format. The files are stored as .TMP files in the following directory:
    policy_server_home\audit_R6tmp
    If you have events you want to generate manually to a .tmp file, run the following command in the policy_server_home\audit directory:
    ProcessAudit.pl transaction_id
    The smobjlog4 database table lists the following 11 attributes and values. Only the first 8 are generated in the .TMP file:
      sm_timestamp DATE DEFAULT SYSDATE NOT NULL,
      sm_categoryid INTEGER DEFAULT 0 NOT NULL,
      sm_eventid INTEGER DEFAULT 0 NOT NULL,
      sm_hostname VARCHAR2(255) NULL,
      sm_sessionid VARCHAR2(255) NULL,
      sm_username VARCHAR2(512) NULL,
      sm_objname VARCHAR2(512) NULL,
      sm_objoid VARCHAR2(64) NULL,
      sm_fielddesc VARCHAR2(1024) NULL,
      sm_domainoid VARCHAR2(64) NULL,
      sm_status VARCHAR2(1024) NULL
  4. Copy the .TMP files from the previous directory on the Policy Server to the server that hosts your audit database.
  5. Create one of the following files to map the CSV-formatted contents of the .TMP files to your database schema:
    • control_file_name.ctl (control file for Oracle databases)
    • format_file_name.fmt (format file for SQL Server databases)
    For more information, see the documentation or online help provided by your database vendor.
  6. On the server that hosts your audit database, run whichever of the following commands is appropriate for your type of database:
    • sqlldr (for Oracle databases)
    • bcp (for SQL Server databases)
    For more information, see the documentation or online help provided by your database vendor.
  7. After the command finishes, use the reports server to generate a report of administrative events.
    The administrative audit events appear in the report.
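Rows that the database loader rejects are audit events missing from the report, so it helps to check the .TMP files against the column definitions before running sqlldr or bcp. The following Python sketch is an added example, not the ProcessAudit.pl script or any CA code. It assumes the .TMP files use standard CSV quoting with no header row, and that VARCHAR2 limits count bytes of UTF-8 data; the timestamp format is not stated on the page, so that field is only checked for being present. The sample rows are constructed.

```python
import csv
import io
import re

# First 8 smobjlog4 columns in page order: (name, kind, byte limit, nullable).
COLUMNS = [
    ("sm_timestamp", "date", None, False),
    ("sm_categoryid", "int", None, False),
    ("sm_eventid", "int", None, False),
    ("sm_hostname", "str", 255, True),
    ("sm_sessionid", "str", 255, True),
    ("sm_username", "str", 512, True),
    ("sm_objname", "str", 512, True),
    ("sm_objoid", "str", 64, True),
]

def check_rows(text):
    """Return (row_number, problem) pairs for rows that do not fit the column definitions."""
    problems = []
    # Assumptions: standard CSV quoting, no header row, byte-length limits on UTF-8 data.
    for number, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(row) != len(COLUMNS):
            problems.append((number, f"expected {len(COLUMNS)} fields, found {len(row)}"))
            continue
        for (name, kind, limit, nullable), value in zip(COLUMNS, row):
            if value == "":
                if not nullable:
                    problems.append((number, f"{name} is empty but NOT NULL"))
            elif kind == "int" and not re.fullmatch(r"-?\d+", value):
                problems.append((number, f"{name} is not an integer"))
            elif kind == "str" and len(value.encode("utf-8")) > limit:
                problems.append((number, f"{name} exceeds {limit} bytes"))
    return problems

# Constructed rows; host names, session ids and the timestamp layout are made up.
SAMPLE = (
    '2006-12-04 13:30:00,1,10,ps01.example.com,sess-1,admin,"Domain, Finance",oid-1\n'
    '2006-12-04 13:31:00,one,11,ps01.example.com,sess-2,admin,Realm A,oid-2\n'
    '2006-12-04 13:32:00,1,12,ps01.example.com,sess-3,admin,Realm B\n'
    '2006-12-04 13:33:00,1,13,ps01.example.com,sess-4,admin,Realm C,' + 'f' * 65 + '\n'
)

if __name__ == "__main__":
    for number, problem in check_rows(SAMPLE):
        print(f"row {number}: {problem}")
```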
Mirror ODBC Audit Log Content in Text-based Audit Logs on Windows
When the CA Single Sign-On audit logs are stored as text files, they include a partial list of the available fields by default. If you want the text files that contain your audit logs to include all of the available fields, like an ODBC Audit database does, you can add a registry key to your Policy Server.
To mirror ODBC Audit log content in text-based audit logs
  1. Open the registry editor.
  2. Expand the following location:
    HKEY_LOCAL_MACHINE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Reports\
  3. Create a new DWORD value with the following name:
    Enable Enhance Tracing
  4. Set the Value to 1. If you want to disable this setting in the future, change the value back to 0.
  5. Restart your Policy Server.
    The ODBC Audit log content will appear in your text-based audit logs.
Mirror ODBC Audit Log Content in Text-based Audit Logs on Solaris
When the CA Single Sign-On audit logs are stored as text files, they include a partial list of the available fields by default. If you want the text files that contain your audit logs to include all of the available fields, like an ODBC Audit database does, you can add a registry key to your Policy Server.
To mirror ODBC Audit log content in text-based audit logs
  1. Open the following file:
    sm.registry
  2. Locate the following line:
    - HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Reports=25089
  3. Add a new line beneath the previous one with the following text:
    - Enable Enhance Tracing= 0x1; REG_DWORD
    If you want to disable this feature in the future, change the 0x1 to 0x0.
  4. Restart your Policy Server.
    The ODBC Audit log content will appear in your text-based audit logs.