Configure the Policy Server Log (smps.log) and Audit Log (smaccess.log)

This topic contains the following information about configuring Policy Server and audit logs:
Configure the Policy Server log and Policy Server audit log from the Logs tab of the Policy Server Management Console. The Policy Server Log section controls the settings for the Policy Server log, smps.log. The Policy Server log file records information about the status of the Policy Server. The Policy Server Audit Log section controls the configurable levels of auditing information that can be written to the audit log, smaccess.log. This information includes authentication, authorization, and other events. Specify the location of the audit log and its rollover settings on the Data tab by selecting Database > Audit Logs. The configurable audit levels are not written to the Policy Server log.
If the Policy Server is configured as a RADIUS Server, RADIUS activity is logged in the RADIUS log file.
Follow these steps:
  1. Start the Policy Server Management Console.
    On Windows Server, if User Account Control (UAC) is enabled, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA Single Sign-On.
  2. Click the Logs tab.
  3. To configure the location, rollover characteristics, and required level of audit logging for the Policy Server log, adjust the settings in the Policy Server Log and Policy Server Audit Log group boxes.
  4. If the Policy Server is configured as a RADIUS server, adjust the settings presented in the RADIUS Log group box.
  5. Click Apply to save your changes.
Record Administrator Changes to Policy Store Objects
By default, administrator changes to policy store objects are written to a set of XPS text files in the directory
The audit logs are stored as text files, as shown in the following example:
The name of each audit log file contains the following information:
  • process_id
    Indicates the number of the process associated with the audited event.
  • start_time
    Indicates the time that the transaction in the following format:
    A four-digit year and the 24-hour clock are used.
  • audit_sequence
    Provides a sequence number for the audited event.
Indicates one of the following event types:
  • access
    Indicates an audit log file that contains the following access events:
    • an Administrative UI or a reports server is registered
    • an Administrative UI or a reports server acts as a proxy on behalf of another user
    • an administrator is denied access for a requested action
  • audit
    Indicates an audit log file that contains the following events:
    • an object is modified (using an XPS Tool or Administrative UI)
    • administrator records are created, modified, or deleted
  • txn
    Indicates an audit log file that contains the following transaction events:
    • An XPS tool begins, commits, or rejects a change to an object.
If you do not have write access to the CA Single Sign-On binary files (XPS.dll and the equivalent libraries on other platforms), an Administrator must grant you permission to use the related XPS command line tools using the Administrative UI or the XPSSecurity tool.
To change the default setting
  1. Access the Policy Server host system.
  2. Open a command line and enter the following command:
    The tool starts and displays the name of the log file for this session, and a menu of choices opens.
  3. Enter the following command:
    A list of options appears.
  4. Enter the following value:
    The current policy store audit settings appear.
  5. Enter C.
    This parameter uses a value of TRUE or FALSE. Changing its value toggles between the two states.
    The updated policy store audit settings appear. The new value is shown at the bottom of the list as "pending value."
  6. Complete the following steps:
    1. Enter Q twice.
    2. Enter Q to end your XPS session.
    Your changes are saved and the command prompt appears.
Process Old Log Files Automatically
The Policy Server can automatically process old log files by customizing one of the following scripts:
  • Harvest.bat (Windows)
  • (UNIX or Linux)
The script runs when one of the following events occurs:
  • When the XPSAudit process starts using the CLEANUP option. The CLEANUP option processes all the log files in the directory at once.
  • Whenever the log files are rolled over.
  • When the XPSAudit process exits. During a rollover or an exit, the files are processed one at a time by file name.
You can customize the script to process the files any way you want, such as deleting the files, moving them to a database, or archiving them to another location.
This script is provided only as an example. It is not supported by CA.
To automatically process old log files, follow these steps:
  1. Open the following directory on your Policy Server:
  2. Open the appropriate script for your operating system with a text editor, and save a copy to the following directory:
    Do not rename the file or save it to a location different from the one specified.
  3. Use the remarks in the script as a guide to customize the script according to your needs.
  4. Save your customized script and close the text editor.
Include Administrative Audit Events in Reports
If you have a report server and an audit database, you can configure the Policy Server to collect administrative audit events. You import this data in to the audit database, so you can include it in any reports you generate.
A sample Perl script is installed with the Policy Server that you can customize to meet your needs.
To include administrative audit events in your reports, use the following process:
  1. Copy the sample scripts on the Policy Server by doing the following:
    1. Open the following directory:
      The following directories are the default locations for the
      • Windows: C:\Program Files\ca\siteminder
      • UNIX/Linux: /opt/ca/siteminder
    2. Locate the following files:
      • Harvest.bat (for Windows)
      • (for UNIX, Linux)
      • Categories.txt
    3. Copy the previous files to the following directory:
  2. (Optional) Customize the script.
  3. After the next scheduled run of the XPSAudit command, copies of the audit logs are created using the comma-separated value (CSV) format. The files are stored as .TMP files in the following directory:
    If you have events that you want to generate manually to a .tmp file, run the following command in the \audit directory:
    The smobjlog4 database table lists the following 11 attributes and values. Only the first 8 are generated in the .TMP file:
      sm_timestamp DATE DEFAULT SYSDATE NOT NULL,
      sm_categoryid INTEGER DEFAULT 0 NOT NULL,
      sm_eventid INTEGER DEFAULT 0 NOT NULL,
      sm_hostname VARCHAR2(255) NULL,
      sm_sessionid VARCHAR2(255) NULL,
      sm_username VARCHAR2(512) NULL,
      sm_objname VARCHAR2(512) NULL,
      sm_objoid VARCHAR2(64) NULL,
      sm_fielddesc VARCHAR2(1024) NULL,
      sm_domainoid VARCHAR2(64) NULL,
      sm_status VARCHAR2(1024) NULL
  4. Copy the .TMP files from the previous directory on the Policy Server to the server that hosts your audit database.
  5. Create one of the following files to map the CSV-formatted contents of the .TMP files to your database schema:
    • control_file_name.ctl (control file for Oracle databases)
    • format_file_name.fmt (format file for SQL Server databases)
    For more information, see the documentation or online help provided by your database vendor.
  6. On the server that hosts your audit database, run whichever of the following commands is appropriate for your type of database:
    • sqlldr (for Oracle databases)
    • bcp (for SQL Server databases)
      For more information, see the documentation or online help provided by your database vendor.
  7. After the command finishes, use the reports server to generate a report of administrative events.
    The administrative audit events appear in the report.
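As an added example that is not part of the original documentation or the CA tools, the following Python script checks the records of an XPSAudit .TMP file against the smobjlog4 column definitions listed in step 3 (the first 8 columns, in the order given) before the file is handed to sqlldr or bcp, so that short, non-numeric, or over-length records are reported instead of being rejected or truncated by the loader. The timestamp layout, the assumption that the CSV field order matches the column order, and the sample records are all constructed for this example.

```python
import csv
import io
from datetime import datetime

# smobjlog4 columns as (name, type, VARCHAR2 length); XPSAudit writes only the first 8.
SMOBJLOG4_COLUMNS = [
    ("sm_timestamp", "DATE", None), ("sm_categoryid", "INTEGER", None),
    ("sm_eventid", "INTEGER", None), ("sm_hostname", "VARCHAR2", 255),
    ("sm_sessionid", "VARCHAR2", 255), ("sm_username", "VARCHAR2", 512),
    ("sm_objname", "VARCHAR2", 512), ("sm_objoid", "VARCHAR2", 64),
    ("sm_fielddesc", "VARCHAR2", 1024), ("sm_domainoid", "VARCHAR2", 64),
    ("sm_status", "VARCHAR2", 1024),
]
TMP_FIELD_COUNT = 8
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed .TMP layout; adjust to match your files

def check_row(fields):
    """Return the problems found in one CSV record; an empty list means it is loadable."""
    if len(fields) != TMP_FIELD_COUNT:
        return [f"expected {TMP_FIELD_COUNT} fields, got {len(fields)}"]
    problems = []
    for value, (name, typ, maxlen) in zip(fields, SMOBJLOG4_COLUMNS):
        if typ == "DATE":
            try:
                datetime.strptime(value, TIMESTAMP_FORMAT)
            except ValueError:
                problems.append(f"{name}: unparseable timestamp {value!r}")
        elif typ == "INTEGER":
            if not value.lstrip("-").isdigit():
                problems.append(f"{name}: not an integer {value!r}")
        elif len(value) > maxlen:  # VARCHAR2 column: the loader would truncate or reject
            problems.append(f"{name}: {len(value)} chars exceeds VARCHAR2({maxlen})")
    return problems

def validate_tmp(text):
    """Return ([loadable records], [(record_no, problems), ...]) for CSV text."""
    results = [(n, f, check_row(f)) for n, f in enumerate(csv.reader(io.StringIO(text)), 1) if f]
    return [f for _, f, p in results if not p], [(n, p) for n, _, p in results if p]

# Constructed sample records, not real XPSAudit output: record 3 is one field short,
# record 4 has a non-numeric category id and an object name longer than 512 chars.
SAMPLE_TMP = (
    "2024-01-15 10:32:07,1,1001,psrv01.example.com,SESS01,siteminder,MyRealm,0a1b2c3d\n"
    '2024-01-15 10:32:09,1,1002,psrv01.example.com,SESS01,siteminder,"Realm, with comma",0a1b2c3e\n'
    "2024-01-15 10:32:11,1,1003,psrv01.example.com,SESS01,siteminder,MyRealm\n"
    "2024-01-15 10:33:00,x,1004,psrv01.example.com,SESS01,siteminder," + "A" * 600 + ",0a1b2c3f\n"
)
```

Run `validate_tmp()` over the contents of each .TMP file and load only the records it returns as loadable; the rejected list tells you which record to inspect and why.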
Mirror ODBC Audit Log Content in Text-based Audit Logs on Windows
When the CA Single Sign-On audit logs are stored as text files, they include a partial list of the available fields by default. If you want the text files that contain your audit logs to include all of the available fields, as an ODBC Audit database does, you can add a registry key to your Policy Server.
To mirror ODBC Audit log content in text-based audit logs
  1. Open the registry editor.
  2. Expand the following location:
  3. Create a new DWORD value with the following name:
    Enable Enhance Tracing
  4. Set the Value to 1. If you want to disable this setting in the future, change the value back to 0.
  5. Restart your Policy Server.
    The ODBC Audit log content will appear in your text-based audit logs.