Generating External Audit Trail Reports

AUDITCON allows you to process online and offline audit files to extract and review the information the server has collected for you. Processing consists of displaying audit information on the AUDITCON screen (viewing) and generating printable reports (printing).

This section describes how to process online audit files, that is, the current audit file or old audit files that have been archived (rolled over) by the server but are still maintained as audit files by the server. See Generating Reports from Offline Audit Files for information on how to process offline audit files.

For external audit, textual audit reports are provided only for audit history (management) records. For this reason, there is no post-selection filtering capability provided. To see the externally generated audit records, you must store them into a file (using the Report audit file or Report old audit file options) and then post-process them with a client-specific audit utility.

Audit Report Prerequisites

• See the General Prerequisites.
• To process online audit files, you must have the Read right to the Audit File object Audit Contents property.
• You must have the ability to create new (temporary) files in the directory you were in when you started AUDITCON, and there must be sufficient disk space on that volume. These temporary files hold the audit data as it is extracted from the audit trail.

  WARNING:  Because AUDITCON places temporary files in the directory you were in when you started AUDITCON, and these temporary files contain audit data, you must not generate any reports unless your current directory is protected from access by users who are not authorized to see audit data.

Procedure

1. Choose Auditing reports from the Available audit options menu (2101).

   AUDITCON displays menu 2500.

   Figure 116
   Menu 2500: Auditing Reports
   

2. Choose the desired auditing report option, and press Enter.

   You have several options available for creating and viewing reports from the records in audit files:

   • You can process audit history records from the current audit file (for example, Report audit history) or an old audit file (for example, Report old audit history). References to old audit files explicitly indicate operations on one of the server's old audit files, while the other operations are implicit on the current audit file.
   • You can direct output to your AUDITCON screen (for example, View audit history) or send the output to a file on your workstation or a directory on the server (for example, Report audit history file). For external auditing, only history records can be viewed.
   • You can see the audit history records (for example, Report audit history) or cause storage of the externally generated audit records (for example, Dump external binary to file).
   • You can cause reports to be generated as text (for example, Report audit history) or in a form suitable for loading into a database (for example, Database report audit history). For external auditing, only history records can be written in a database-loadable format.

   These options are addressed in the following sections.

Report Audit History

This section describes how to generate a formatted text version of the auditor events in the current audit file.

NOTE:  The procedures described in this section allow you to generate audit history report files on your local workstation. See your client documentation for details on how to use your workstation's security mechanisms to protect these files.

Prerequisites

• See the General Prerequisites and the Audit Report Prerequisites.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedure

1. Choose Report audit history from the Auditing reports menu (2500).

   AUDITCON prompts you for the name of the output file.

2. Enter the pathname for the file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a Reading file message in the header area of your screen and a Please wait ... notification in the menu area. When it is finished, AUDITCON returns to menu 2500.

3. To review the contents of your report, exit to DOS and either print or use an editor.

Dump External Binary to File

This section describes how to generate a binary version of the externally generated events in the current audit file. You cannot directly print the server's audit files because

• The server's audit files are not directly accessible to network clients
• The server's audit files are stored in a compressed format

Once you have the stored binary version of the audit data, you should use a client-specific tool to generate textual versions of the audit data.

In addition, post-selection of the audit records is done with the client-specific tool. See your client documentation for instructions on how to manipulate the binary data.

WARNING:  The audit file report contains audit records that must be protected. You must use appropriate workstation or server protections to protect against access to the file by unauthorized individuals.

The current audit file is a work in progress. As such, a report that is generated on the current audit file might not be the same as a subsequent report generated on the same file.

Note that storing external audit data (described here) is not the same as making a complete copy of an audit file (as described in Copy Old Audit File). They differ in two ways:

• Copies of audit files have null compression, but stored external audit files have nulls expanded.
• Copies of audit files include both audit history records and externally generated audit records, but stored external audit files only contain externally generated audit records.

Each record in the stored external audit file consists of an external audit record header and client-specific audit data (as described in Audit File Formats).

Prerequisites

• See the General Prerequisites and the Audit Report Prerequisites.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedure

1. Enter the pathname for the file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

2. Choose Dump External Binary to File from the Auditing reports menu (2500).

   AUDITCON prompts you for the name of the output file.

   NOTE:  If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON retrieves records from the current audit file and writes unformatted records to your output file. Depending on the size of the audit file, this can be a time consuming process. AUDITCON displays a Reading file message in the header area of your screen and a Please wait ... notification in the menu area. When it is finished, AUDITCON returns to menu 2500.

3. To review the contents of your report, exit to DOS and use a client-specific tool to examine the audit data.

Report Old Audit History

This section describes how to generate a formatted text version of the auditor events in an old online audit file.

Prerequisites

• See the General Prerequisites and Audit Report Prerequisites.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedure

1. Choose Report old audit history from the Auditing reports menu (2500).

   AUDITCON displays menu 2550, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

   Figure 117
   Menu 2550: Select Old Audit File
   

2. Move the cursor to choose the desired audit file, then press Enter.

   AUDITCON prompts you for the name of the output file.

3. Enter the pathname for the file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a Reading file message in the header area of your screen and a Please wait ... notification in the menu area. When it is finished, AUDITCON returns to menu 2500.

4. To review the contents of your report, exit to DOS and either print or use an editor.

Dump Old External Binary to File

This section describes how to generate a binary version of the externally generated events in an old audit file. You cannot directly print the server's audit files, because the server's audit files are not directly accessible to network clients and the server's audit files are stored in a compressed format.

Once you have the stored binary version of the audit data, you should use a client-specific tool to generate textual versions of the audit data. In addition, post-selection of the audit records is done with the client-specific tool. See your client documentation for instructions on how to manipulate the binary data.

WARNING:  The audit file report contains audit records that must be protected. You must use appropriate workstation or server protections to protect against access to the file by unauthorized individuals.

Note that storing external audit data (described here) is not the same as making a complete copy of an audit file (as described in Copy Old Audit File). The two differ in two ways:

• Copies of audit files include both audit history records and externally generated audit records, but stored external audit files only contain externally generated audit records.
• Copies of audit files have null compression, but stored external audit files have nulls expanded.

Each record in the stored external audit file consists of an external audit record header and client-specific audit data (as described in Audit File Formats).

Prerequisites

• See the General Prerequisites and Audit Report Prerequisites.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least Create rights on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedure

1. Choose Dump Old External Binary to File from the Auditing reports menu (2500).

   AUDITCON displays menu 2560, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events)

   Figure 118
   Menu 2560: Select Old Audit File
   

2. Move the cursor to choose the desired audit file and press Enter.

   AUDITCON prompts you for the name of the output file.

3. Enter the pathname for the file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON retrieves records from the selected old audit file and writes unformatted records to your output file. Depending on the size of the audit file, this can be a time consuming process. AUDITCON displays a Reading file message in the header area of your screen and a Please wait ... notification in the menu area. When it is finished, AUDITCON returns to menu 2500.

4. To review the contents of your report, exit to DOS and use a client-specific tool to examine the audit data.

View Audit History

This section describes how to display a listing of the auditor events on the screen of your workstation.

Prerequisites

• See the General Prerequisites and Audit Report Prerequisites.

Procedure

1. Choose View audit history from the Auditing reports menu (2500).

   AUDITCON reads the current audit file and displays screen 2570, the first screen of audit history events.

   Figure 119
   Menu 2570: Audit History Events
   

2. Press the Home, End, Page Up, Page Down, and arrow keys to move through the display. When you are finished, press Esc and answer Yes to return to menu 2500.

   NOTE:  The Auditor login event means that an auditor began accessing the audit file, while the Auditor logout event means that an auditor ceased accessing the access file. These events do not indicate user logins or logouts.

View Old Audit History

This section describes how to display a listing of the auditor events from an old online audit file to the screen of your workstation.

Prerequisites

• See the General Prerequisites and Auditing Configuration Prerequisites.

Procedure

1. Choose View old audit history from the Auditing reports menu (2500).

   AUDITCON displays menu 2590, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

   Figure 120
   Menu 2590: Select Old Audit File
   

2. Move the cursor to choose the desired audit file, then press Enter.

   AUDITCON retrieves records from the current audit file, formats the records, and displays them to your screen (menu 2570).

3. Press the Home, End, Page Up, Page Down, and arrow keys to move through the display. When you are finished, press Esc and answer Yes to return to menu 2500.

Database Report Audit History

This section describes how to generate a formatted text version of the auditor events in the current audit file in a format suitable for loading into a database.

Prerequisites

• See the General Prerequisites and Audit Report Prerequisites.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedure

1. Choose Database report audit history from the Auditing reports menu (2500).

   AUDITCON prompts you for the name of the output file.

2. Enter the pathname for the file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a Reading file message in the header area of your screen and a Please wait ... notification in the menu area. When it is finished, AUDITCON returns to menu 2500.

3. Exit to DOS and use an appropriate database loading program to insert the audit history records into a database for review.

   See Format of the Database Output File for a description of the format of the database file.

Database Report Old Audit History

This section describes how to generate a file containing the auditor events in an old online audit file in a form suitable for loading into a database.

Prerequisites

• See the General Prerequisites and Auditing Configuration Prerequisites.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedure

1. Choose Database report old audit history from the Auditing reports menu (2500).

   AUDITCON displays menu 2830, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

   Figure 121
   Menu 2830: Select Old Audit File
   

2. Move the cursor to choose the desired audit file, then press Enter.

   AUDITCON prompts you for the name of the output file.

3. Enter the pathname for the file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you do not specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a Reading file message in the header area of your screen and a Please wait ... notification in the menu area. When it is finished, AUDITCON returns to menu 2500.

4. Exit to DOS and use an appropriate database loading program to insert the audit history records into a database for review.

   See Format of the Database Output File and Audit File Formats for a description of the format of the database file.

Format of the Database Output File

Each line in the output file represents a single audit record. Each line consists of a series of comma-separated fields in the following order:

• Time, as hh:mm:ss
• Date, as mm-dd-yyyy
• An E to indicate the record came from an external audit trail
• The name of the external audit trail where the audit record was generated
• Container object class
• A textual description of the event (for example, Write audit config hdr)
• The word event followed by the numerical event number
• The word status followed by the status from the event
• The name of the user for whom the event was generated
• The replica number
• Zero or more pieces of event specific information

This format is suitable to be imported into most databases by specifying that the input is a comma separated text file.