Configure the Policy Server Log (smps.log) and Audit Log (smaccess.log)

This topic contains the following information about configuring Policy Server and audit logs:
Configure the Policy Server log and Policy Server audit log from the Logs tab of the Policy Server Management Console. The Policy Server Log section controls the settings for the Policy Server log, smps.log. The Policy Server log file records information about the status of the Policy Server. The Policy Server Audit Log section controls configurable levels of auditing information that can be written to the audit log, smaccess.log. This information includes authentication, authorization, and other events. Specify the location of the audit log and its rollover settings on the Data tab by selecting Database > Audit Logs. The configurable audit levels are not written to the Policy Server log.
When you configure ODBC as a Policy Store, if there is no data for a particular query then SQL_NO_DATA statements are logged into the smtrace logs. If you need the SQL_NO_DATA statements to be logged into the smps log as well, then set the value of the registry variable SQLNODATATOSMPS to 1.
If the Policy Server is configured as a RADIUS Server, RADIUS activity is logged in the RADIUS log file.
Follow these steps:
  1. Start the Policy Server Management Console.
    On Windows Server, if User Account Control (UAC) is enabled, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your SiteMinder component.
  2. Click the Logs tab.
  3. To configure the location, rollover characteristics, and required level of audit logging for the Policy Server log, adjust the settings in the Policy Server Log and Policy Server Audit Log group boxes.
  4. If the Policy Server is configured as a RADIUS server, adjust the settings presented in the RADIUS Log group box.
  5. Click Apply to save your changes.
Record Administrator Changes to Policy Store Objects
By default, administrator changes to policy store objects are written to a set of XPS text files that are located in the directory siteminder_home\audit.
The audit logs are stored as text files, as shown in the following example:
policy_server_home/audit/xps-process_id-start_time-audit_sequence.file_type
The name of each audit log file contains the following information:
  • process_id
    Indicates the number of the process associated with the audited event.
  • start_time
    Indicates the time that the transaction started in the following format:
    YYYYMMDDHHMMSS
    A four-digit year and the 24-hour clock are used.
    Example: 20061204133000
  • audit_sequence
    Provides a sequence number for the audited event.
  • file_type
    Indicates one of the following event types:
    • access
      Indicates an audit log file that contains the following access events:
      • an Administrative UI is registered
      • an Administrative UI acts as a proxy on behalf of another user
      • an administrator is denied access for a requested action
    • audit
      Indicates an audit log file that contains the following events:
      • an object is modified (using an XPS Tool or Administrative UI)
      • administrator records are created, modified, or deleted
    • txn
      Indicates an audit log file that contains the following transaction events:
      • An XPS tool begins, commits, or rejects a change to an object.
    • diff
      Indicates an audit log file that contains the following transaction events:
      • an object is modified (using an XPS Tool or Administrative UI)
      • who performed the modification
      • administrator records are created, modified, or deleted
      • object name
      • number of attributes that are modified in the object in a single activity
      • the old and new values of each modified attribute
    If you do not have write access to the SiteMinder binary files (XPS.dll, libXPS.so, libXPS.sl), an Administrator must grant you permission to use the related XPS command line tools using the Administrative UI or the XPSSecurity tool.
To change the default setting
  1. Access the Policy Server host system.
  2. Open a command line and enter the following command:
    xpsconfig
    The tool starts and displays the name of the log file for this session, and a menu of choices opens.
  3. Enter the following command:
    xps
    A list of options appears.
  4. Enter the following value:
    1
    The current policy store audit settings appear.
  5. Enter C.
    This parameter uses a value of TRUE or FALSE. Changing its value toggles between the two states.
    The updated policy store audit settings appear. The new value is shown at the bottom of the list as "pending value."
  6. Complete the following steps:
    1. Enter Q twice.
    2. Enter Q to end your XPS session.
    Your changes are saved and the command prompt appears.
Record Detailed Logs of Administrator Actions
From Release 12.8.05, the diff audit file is available along with the existing audit file types. Records in the file are written in the following format:
"Record ID","Date-Time stamp","Policy Server","Admin Name","XID","Object Name","Change Type","Attribute Diff Count","Change Set"
  • Record ID
    Defines a unique ID of the log message.
  • Date-Time stamp
    Indicates the timestamp of the activity.
  • Policy Server
    Defines the hostname of the Policy Server machine on which the activity took place.
  • Admin Name
    Defines the name of the administrator who has performed the activity.
  • XID
    Defines the XID of the object that has been updated.
  • Object Name
    Defines the name of the object that has been updated.
  • Change Type
    Specifies the type of action performed on the object. For example, Update, Delete.
  • Attribute Diff Count
    Defines the number of attributes that have been updated in the object. This value is a count of the total number of changes (including backend attribute changes) to an object. For example, if an administrator updates the Description, Agent Link, and Resource Filter attributes of a realm, a change is required to another related internal attribute. So, this field displays 4 in the log message.
  • Change Set
    Defines the actual change that has been performed on an object. This field displays the old value and the new value of the object. This field uses the following format:
    { "Class"="classname_value", "attr1_name":"(-)old_value (+)new_value", "attr2_name":"(-)old_value (+)new_value", "attrN_name":"(-)old_value (+)new_value",}
    Example 1: Consider the following changes to a realm:
    Object Attribute        Existing Value                      New Value
    Description             This realm is used as an example    -
    Resource Filter         /loginpage/                         /logoutpage/
    Authentication Scheme   login_html                          Basic
    The log message of these changes to the realm is in the following format:
    "4628-1601959639-36_1","07/Oct/2020::17:27:00 0530","pstestmachine24","siteminder","CA.SM::[email protected]","testrealm","Update","4","{ "Class"="CA.SM::Realm","Desc":"(-)use for login","ResourceFilter":"(-)/loginpage/ (+)/logoutpage/","FullResourceFilter":"(-)/loginpage/ (+)/logoutpage/","AuthSchemeLink":"(-)login_html (+)Basic" }"
    Example 2: If a password has been changed, the log message of such a change is in the following format:
    "4628-1601959639-37_1","07/Oct/2020::17:33:54 0530","pstestmachine24","siteminder","CA.SM::[email protected]","testagent","Update","1","{ "ExtClass"="CA.SM::Agent4x","Secret":"(-)*** (+)***" }"
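A parser for the diff record layout described above, with a small review pass over the result. This is an added example, not code from SiteMinder or from the original page. The sample lines are constructed from the two examples with placeholder XIDs, and the WATCHED attribute list is an assumption drawn from those examples.

```python
import csv
import re

FIELDS = ["record_id", "timestamp", "policy_server", "admin", "xid",
          "object_name", "change_type", "diff_count"]
CLASS_RE = re.compile(r'"(?:Ext)?Class"="([^"]*)"')
ATTR_RE = re.compile(r'"(\w+)":"\(-\)(.*?)(?:\s?\(\+\)(.*?))?"(?=\s*[,}])')
# Assumption: attribute names worth alerting on, taken from the two examples.
WATCHED = {"AuthSchemeLink", "Secret"}

def parse_diff_record(line):
    """Split one diff audit line into its nine documented fields."""
    # The Change Set holds unescaped double quotes, so a plain CSV parse of
    # the whole line would mis-split it. Cut it off at the first ',"{'.
    line = line.rstrip()
    cut = line.find(',"{')
    if cut < 0 or not line.endswith('}"'):
        raise ValueError("no Change Set found")
    head = next(csv.reader([line[:cut]]))
    if len(head) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} leading fields, got {len(head)}")
    rec = dict(zip(FIELDS, head))
    change_set = line[cut + 2:-1]          # from '{' up to the closing '}'
    cls = CLASS_RE.search(change_set)
    rec["class"] = cls.group(1) if cls else None
    # attribute name -> (old value, new value); a missing (+) part means empty
    rec["changes"] = {m.group(1): (m.group(2), m.group(3) or "")
                      for m in ATTR_RE.finditer(change_set)}
    return rec

def review(rec):
    """Return findings a reviewer would want to see for one record."""
    findings = []
    if int(rec["diff_count"]) != len(rec["changes"]):
        findings.append("diff count does not match parsed attributes")
    for name in sorted(rec["changes"].keys() & WATCHED):
        old, new = rec["changes"][name]
        findings.append(f"{rec['admin']} changed {name} on {rec['object_name']}: {old!r} -> {new!r}")
    return findings

# Constructed sample lines modelled on the two examples; XIDs are placeholders.
SAMPLE = [
    '"4628-1601959639-36_1","07/Oct/2020::17:27:00 0530","pstestmachine24","siteminder","XID-PLACEHOLDER","testrealm","Update","4","{ "Class"="CA.SM::Realm","Desc":"(-)use for login","ResourceFilter":"(-)/loginpage/ (+)/logoutpage/","FullResourceFilter":"(-)/loginpage/ (+)/logoutpage/","AuthSchemeLink":"(-)login_html (+)Basic" }"',
    '"4628-1601959639-37_1","07/Oct/2020::17:33:54 0530","pstestmachine24","siteminder","XID-PLACEHOLDER","testagent","Update","1","{ "ExtClass"="CA.SM::Agent4x","Secret":"(-)*** (+)***" }"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        for finding in review(parse_diff_record(line)):
            print(finding)
```

The diff-count comparison treats a mismatch between the Attribute Diff Count field and the number of parsed attributes as a sign of a truncated or malformed record, which matches both examples but is a heuristic.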
Process Old Log Files Automatically
You can have the Policy Server process old log files automatically by customizing one of the following scripts:
  • Harvest.bat (Windows)
  • Harvest.sh (UNIX or Linux)
The script runs when one of the following events occurs:
  • When the XPSAudit process starts using the CLEANUP option. The CLEANUP option processes all the log files in the directory at once.
  • Whenever the log files are rolled over.
  • When the XPSAudit process exits. During a rollover or an exit, the files are processed one at a time by file name.
You can customize the script to process the files any way you want, such as deleting the files, moving them to a database, or archiving them to another location.
This script is provided only as an example. It is not supported by CA.
To automatically process old log files, follow these steps:
  1. Open the following directory on your Policy Server:
    policy_server_home/audit/samples
  2. Open the appropriate script for your operating system with a text editor, and save a copy to the following directory:
    Windows: policy_server_home/audit/Harvest.bat
    UNIX/Linux: policy_server_home/audit/Harvest.sh
    Do not rename the file or save it to a location different from the one specified.
  3. Use the remarks in the script as a guide to customize the script according to your needs.
  4. Save your customized script and close the text editor.
Mirror ODBC Audit Log Content in Text-based Audit Logs on Windows
When the SiteMinder audit logs are stored as text files, they include a partial list of the available fields by default. If you want the text files that contain your audit logs to include all of the available fields, like an ODBC Audit database does, you can add a registry key to your Policy Server.
To mirror ODBC Audit log content in text-based audit logs
  1. Open the registry editor.
  2. Expand the following location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports\
  3. Create a new DWORD value with the following name:
    Enable Enhance Tracing
  4. Set the Value to 1. If you want to disable this setting in the future, change the value back to 0.
  5. Restart your Policy Server.
    The ODBC Audit log content will appear in your text-based audit logs.