Previous Topic: Shared Secret for a Trusted HostNext Topic: Configuring the Policy Server Profiler


Configuring Policy Server Logging

This section contains the following topics:

Policy Server Logging Overview

Configure the Policy Server Logs

Report Logging Problems to the System Log

Policy Server Logging Overview

The Policy Server log file records information about the status of the Policy Server and, optionally, configurable levels of auditing information about authentication, authorization, and other events in the Policy Server log file. If the Policy Server is configured as a RADIUS Server, RADIUS activity is logged in the RADIUS log file.

You configure these logs from the Management Console Logs tab.

Configure the Policy Server Logs

To configure the Policy Server logs

  1. Start the Policy Server Management Console.

    Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your SiteMinder component.

  2. Click the Logs tab.

    Note: For more information about the settings and controls on this tab, click Help, Management Console Help.

  3. Adjust the settings presented in the Policy Server Log and Policy Server Audit Log group boxes to configure the location, rollover characteristics and required level of audit logging for the Policy Server log.
  4. If the Policy Server is configured as a RADIUS server, adjust the settings presented in the RADIUS Log group box.
  5. Click Apply to save your changes.
Record Administrator Changes to Policy Store Objects

By default, SiteMinder administrator changes to policy store objects are written to a set of XPS text files that are located at siteminder_home\audit.

The audit logs are stored as text files, as shown in the following example:

policy_server_home/audit/xps-process_id-start_time-audit_sequence.file_type

The name of each audit log file contains the following information:

process_id

Indicates the number of the process associated with the audited event.

start_time

Indicates the time the transaction started in the following format:

YYYYMMDDHHMMSS

A four-digit year and the 24-hour clock are used.

Example: 20061204133000

audit_sequence

Provides a sequence number for the audited event.

file_type

Indicates one of the following event types:

access

Indicates an audit log file that contains the following access events:

  • a Administrative UI or a reports server is registered
  • a Administrative UI or a reports server acts as a proxy on behalf of another user
  • an administrator is denied access for a requested action
audit

Indicates an audit log file that contains the following events:

  • an object is modified (using an XPS Tool or Administrative UI)
  • administrator records are created, modified, or deleted
txn

Indicates an audit log file that contains the following transaction events:

  • An XPS tool begins, commits, or rejects a change to an object.

Note: If you do not have write access to the SiteMinder binary files (XPS.dll, libXPS.so, libXPS.sl), an Administrator must grant you permission to use the related XPS command line tools using the Administrative UI or the XPSSecurity tool.

To change the default setting

  1. Access the Policy Server host system.
  2. Open a command line and enter the following command:
    xpsconfig
    

    The tool starts and displays the name of the log file for this session, and a menu of choices opens.

  3. Enter the following:
    xps
    

    A list of options appears.

  4. Enter the following:
    1
    

    The current policy store audit settings appear.

  5. Enter C.

    Note: This parameter uses a value of TRUE or FALSE. Changing its value toggles between the two states.

    The updated policy store audit settings appear. The new value is shown at the bottom of the list as "pending value."

  6. Do the following:
    1. Enter Q twice.
    2. Enter Q to end your XPS session.

    Your changes are saved and the command prompt appears.

How to Process Old Log Files Automatically

You can configure SiteMinder Policy Server to automatically process old log files by customizing one of the following scripts:

The script runs when one of the following events occurs:

You can customize the script to process the files any way you want. For example, you could modify the script to delete them, move them to a database or archive them to another location.

Note: This script is provided only as an example. It is not supported by CA.

To automatically process old log files, do the following:

  1. Open the following directory on your Policy Server:
    policy_server_home/audit/samples
    
  2. Open the appropriate script for your operating system with a text editor, and then save a copy to the following directory:
    policy_server_home/audit/Harvest.extension
    

    Note: Do not rename the file or save it to a location different from the one specified.

  3. Use the remarks in the script as a guide to customize the script according to your needs.
  4. Save your customized script and close the text editor.
How to Include SiteMinder Administrative Audit Events in Reports

If you have a SiteMinder report server and an audit database, you can configure the Policy Server to collect administrative audit events. You import this data in to the audit database, so you can include it in any reports you generate.

A sample Perl script is installed with the SiteMinder Policy Server that you can customize to meet your needs.

To include administrative audit events in your SiteMinder reports, use the following process:

  1. Copy the sample scripts on the Policy Server by doing the following:
    1. Open the following directory:
      policy_server_home\audit\samples
      

      Note: The following directories are the default locations for the policy_server_home variable:

      • C:\Program Files\ca\siteminder (Windows)
      • /opt/ca/siteminder (UNIX, Linux)
    2. Locate the following files:
      • Harvest.bat (for Windows)
      • Harvest.sh (for UNIX, Linux)
      • ProcessAudit.pl
      • Categories.txt
    3. Copy the previous files to the following directory:
      policy_server_home\audit
      
  2. (Optional) Customize the ProcessAudit.pl script.
  3. After the next scheduled run of the XPSAudit command, copies of the audit logs are created using the comma-separated value (CSV) format, and stored as .TMP files in the following directory:
    policy_server_home\audit_R6tmp
    

    Note: If you have events you want to generate manually to a .tmp file, run the following command in the policy_server_home\audit directory:

    ProcessAudit.pl <Transaction id>  
    

    The smobjlog4 database table lists the following 11 attributes and values. Only the first 8 are generated in the .TMP file:

           sm_timestamp         DATE DEFAULT SYSDATE NOT NULL,
           sm_categoryid        INTEGER DEFAULT 0 NOT NULL,
           sm_eventid           INTEGER DEFAULT 0 NOT NULL,
           sm_hostname          VARCHAR2(255) NULL,
           sm_sessionid         VARCHAR2(255) NULL,
           sm_username          VARCHAR2(512) NULL,
           sm_objname           VARCHAR2(512) NULL,
           sm_objoid            VARCHAR2(64) NULL,
           sm_fielddesc         VARCHAR2(1024) NULL,
           sm_domainoid         VARCHAR2(64) NULL,
           sm_status            VARCHAR2(1024) NULL
    
  4. Copy the .TMP files from the previous directory on the Policy Server to the server that hosts your audit database.
  5. Create one of the following files to map the CSV-formatted contents of the .TMP files to your database schema:

    Note: For more information, see the documentation or online help provided by your database vendor.

  6. On the server that hosts your audit database, run whichever of the following commands is appropriate for your type of database:

    Note: For more information, see the documentation or online help provided by your database vendor.

  7. After the command finishes, use the reports server to generate a report of administrative events.

    The administrative audit events appear in the report.

Mirror ODBC Audit Log Content in Text-based Audit Logs on Windows

When the SiteMinder audit logs are stored as text files, they include a partial list of the available fields by default. If you want the text files that contain your audit logs to include all of the available fields, like an ODBC Audit database does, you can add a registry key to your Policy Server.

To mirror ODBC Audit log content in text-based audit logs

  1. Open the registry editor.
  2. Expand the following location:
    HKEY_LOCAL_MACHINE\Netegrity\SiteMinder\CurrentVersion\Reports\
    
  3. Create a new DWORD value with the following name:
    Enable Enhance Tracing
    
  4. Set the Value to 1. If you want to disable this setting in the future, change the value back to 0.
  5. Restart your Policy Server.

    The ODBC Audit log content will appear in your text-based audit logs.

Mirror ODBC Audit Log Content in Text-based Audit Logs on Solaris

When the SiteMinder audit logs are stored as text files, they include a partial list of the available fields by default. If you want the text files that contain your audit logs to include all of the available fields, like an ODBC Audit database does, you can add a registry key to your Policy Server.

To mirror ODBC Audit log content in text-based audit logs

  1. Open the following file:
    sm.registry
    
  2. Locate the following line:
    - HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports=25089
    
  3. Add a new line beneath the previous one with the following text:
    - Enable Enhance Tracing= 0x1; REG_DWORD
    

    Note: If you want to disable this feature in the future, change the 0x1 to 0x0.

  4. Restart your Policy Server.

    The ODBC Audit log content will appear in your text-based audit logs.

Report Logging Problems to the System Log

You can configure the Policy Server to log information about exceptions that can occur while preparing or executing audit logs to the Windows event log viewer. This configuration can prevent you from missing this information in a production environment where debug logs are disabled. To configure this feature, set the value of the CategoryCount registry key to 7.

The CategoryCount registry key is found in the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
\SiteMinder

These events are logged under the event log categories ObjAuditLog and AccessAuditLog.

SiteMinder calls object events when objects are created, updated, or deleted. Any exceptions that occur while preparing/executing SiteMinder obj audit logs are logged to Windows event viewer under the 'ObjAuditLog' category.

Access events result from user-related activities and are called in the context of authentication, authorization, administration, and affiliate activity. Any exceptions that occur while preparing/executing SiteMinder access audit logs are logged to Windows event viewer under the 'AccessAuditLog' category.