Generating Container Audit Reports

AUDITCON allows you to process online and offline audit files to extract and review the information the server has collected for you. Processing consists of displaying audit information on the AUDITCON screen (viewing) and generating printable reports (printing).

This section describes how to process online audit files, that is, either the current audit file or old audit files that have been archived (that is, rolled over) by the server but are still maintained as audit files by the server. See Generating Reports from Offline Audit Files for information on how to process offline audit files.

One significant difference between volume and container auditing is that container audit records are replicated to each server that contains a replica of the audited container. That is, if container SALES is replicated on three servers (A, B, and C), then users can access an object in the container, for example, BART.SALES, on any of the three servers. If a user accesses the replica of BART.SALES on server C, then server C generates an audit record in its local audit file and attempts to replicate the audit record to the audit files on servers A and B.

NOTE:  The container audit files exist on the servers where the container is replicated. These might or might not be the same servers where the container Audit File object is replicated.

The replication of audit records is similar to, but is not as reliable as, the replication of NDS objects. DS.NLM provides a high degree of confidence that changes to an NDS object (for example, BART.SALES) are replicated to all partitions holding the object. However, there are circumstances where audit records might not be replicated by one server to another.

The following figure shows that each of the three servers (A, B, and C) record a high percentage (for example, 99%) of all of the audit records, however, each of the servers might have audit records that were not successfully replicated to the other two servers.

In particular, any data that isn't replicated when a server archives (rolls over) a container audit file will never be replicated. For example, assume server C audits the access attempt to BART.SALES to its local SALES audit file, attempts to replicate the audit event to servers A and B, and then, subsequently, rolls over the audit file. If servers A and B are offline, disconnected, or do not have sufficient disk space when server C tries to replicate the audit record, then the audit record will not be copied to the audit files on those servers.

WARNING:  Because all container audit events are not necessarily replicated to all servers, some records might be missing from each copy. You must look at all of the audit trails to see the full history for the container. Thus, you should examine the audit trail on server A, then select a different replica (menu 1150) and review the audit trail for the container on server B, and repeat the process for server C.

Audit Report Prerequisites

• See General Prerequisites.
• To process online audit files, you must either have the Read right to the Audit File object Audit Contents property or have logged in to the audit trail. To log in to an audit trail, you must enable audit passwords at the server console.
• You must have the ability to create new (temporary) files in the directory you were in when you started AUDITCON, and sufficient disk space on that volume. These temporary files are used to hold the audit data as it is extracted from the audit trail.
• Remember that you can only view or report audit events that have been recorded by the server. For example, if you do not configure the server to record Change ACL events, then you cannot display any Change ACL events. Consequently, to generate meaningful audit reports, you must first preselect those events for auditing. (See Audit Options Configuration for more information on preselecting container audit events.)

  WARNING:  Because AUDITCON places temporary files in the directory you were in when you started AUDITCON, and these temporary files contain audit data, you must not generate any reports unless your current directory is protected from access by users who are not authorized to see audit data.

Procedures

1. Choose Auditing reports from the Available audit options menu (1101).

   AUDITCON displays menu 1500.

   Figure 81
   Menu 1500: Auditing Reports
   

2. Choose the desired auditing report option, and press Enter.

   You have several options available for creating and viewing reports from the records in audit files.

   • You can create filters to extract specific information (for example, events or times) from the audit file, or you can view all the records in an audit file. Unless you are just browsing the audit trail, you would normally want to define one or more report filters before you generate an audit report or view an audit file.
   • Process the current audit file (for example, Report audit file) or process an old audit file (for example, Report old audit file). References to old audit files explicitly indicate operations on one of the server's old audit files, while the other operations are implicitly on the current audit file.
   • You can direct output to your AUDITCON screen (for example, View audit file) or send the output to a file on your workstation or a directory on the server (for example, Report audit file).
   • You can extract information about client user events (for example, View audit file) or extract information about auditor events (for example, View audit history). The audit file contains user events, while the audit history file contains a record of actions by the auditor in managing the audit trail.

     The audit history is actually included in the audit file, and is not a separate file. It is described as the audit history file for compatibility reasons.

   • You can cause reports to be generated as text (for example, Report audit file) or in a form suitable for loading into a database (for example, Database report audit file).

   These options are addressed in the following sections.

Edit Report Filters

NOTE:  The procedures described in this section allow you to generate filter files and report files on your local workstation. See your client documentation for details on how to use your workstation's security mechanisms to protect these files.

AUDITCON lets you create filters so you can extract the specific information that you want from an audit file. If you view a report without applying a filter, AUDITCON displays the entire contents of the file.

You can create as many filters as you want to screen information in the audit file. Then, any time you want to generate a report, you can select and apply the filter.

WARNING:  An audit filter is a DOS file that contains the filter information. By default, AUDITCON saves the filter file in your current working directory, which can be on a local drive on your workstation or on a network drive. The name of the file is typically the filter name, with a file extension of .ARF (for Audit Report Filter). While this allows you to create audit filters in a variety of different directories, AUDITCON does not provide a means for you to access filters in a different directory. Consequently, if you want to use a filter that you have previously defined, you must run AUDITCON from the directory where the filter is located, or copy the filter to your current directory before you run AUDITCON. Audit report filters must be protected from modification by storing them only in locations where they will be protected by NetWare or by client workstation access controls.

Prerequisites

• See General Prerequisites and Audit Report Prerequisites.

Procedure

1. Choose Edit report filters from the Auditing reports menu (1500).

   AUDITCON displays menu 1501, which lists the filters you have previously defined. If you have not defined any filters in the current directory, AUDITCON displays a null entry _no_filter_.

   Figure 82
   Menu 1501: Edit Filter
   

2. At menu 1501, you can highlight an entry and press either F10 or Enter to select that filter for editing. Alternately, press Insert to create a new audit filter.

   AUDITCON displays menu 1502, which shows the available filter criteria. The steps for creating a new filter and editing an existing filter are essentially the same.

   The primary difference is that if no audit filters exist, you can press Enter to create a new audit filter, but you cannot press F10 to edit.

   Figure 83
   Menu 1502: Edit Report Filter
   

3. Choose the option (the criteria for printing an audit record) and press Enter to define the filter rules.

   These include:

   • Report by date/time. Allows you to specify one or more time periods to include in a report. All audit records that match one of the time periods are candidates for reporting. If the date/time filter is empty (that is, no times are specified), all audit records are candidates for reporting.

   • Report by event. This filter allows you to specify the types of audited events to include in a report. All audit events that match the specified events are a candidate for reporting. For example, if you specify create directory and file open events in a filter, your report will include only create directory and file open events.

   • Report exclude users. This filter allows you to specify one or more users that you want to exclude from audit reports. All other users are potentially included.

   • Report include users. This filter allows you to specify one or more users that you want to be included in the report. The default is an asterisk (*), which indicates that all users can be reported.

   When you create an audit report, AUDITCON applies these filters to records that it reads from the audit file. AUDITCON reports only those events that match all the filter criteria. That is, the audit record time stamp must match the date/time filter and the audit record event type must match the event type filter, and so on. If a filter contains conflicts between include and exclude options, the exclude option takes priority.

Report by Date/Time

Procedure

1. Choose Report by date/time from the Edit report filter menu.

   AUDITCON displays menu 1503, which lists the existing date/time ranges defined for the filter. If you are inserting a new filter, this menu will initially be empty.

   Figure 84
   Menu 1503: Report by Date/Time
   

2. Highlight an entry and press Enter to edit an existing date/time range, or press Insert to define a new range, or highlight an entry and press Delete to remove a time range from the filter.

   If you press Insert or Enter, AUDITCON displays menu 1504, which allows you to do more editing of the date/time profile selected in menu 1503.

   Figure 85
   Menu 1504: Report by Date/Time
   

3. To edit the date/time profile, use the arrow keys to move the cursor to the desired field and type in the new value.

   AUDITCON makes reasonable attempts to convert alternate forms (for example, 3/15/95, mar 15, 15 Mar 95, 8am, or 8a) into the standard format.

4. When you are finished and have reviewed the date/time range, press Esc to return to menu 1503.

   If AUDITCON finds an error (for example, the start date/time is later than the end date/time), it displays an error message and goes back to menu 1504.

Report by Event

Procedure

1. Choose Report by event from the Edit report filter menu.

   AUDITCON displays menu 1505, which provides a high-level selection of the types of DS audit events defined in the current filter. This menu has three columns: a DS event type (left column); an indication of whether the event is preselected for auditing in the current audit file (middle column); and flags for toggling the event ON or OFF in the current audit filter (right column).

   The preselection indication is with respect to the current audit file, and might bear no significance to the events that are actually recorded in the audit files to which the filter is applied.

   Figure 86
   Menu 1401: Report by DS Events
   

   The following additional events can be displayed by scrolling the Audit by DS events screen.

   Change security equivalence

   Change station restriction

   Clear NDS statistics

   Compare attribute value

   Create backlink

   Create bindery property

   Disable user account

   Enable user account

   End replica update

   End schema update

   Inspect entry

   Intruder lockout change

   Join partitions

   List containable classes

   List partitions

   List subordinates

   Log in user

   Log out user

   Merge entries

   Merge trees

   Modify class definition

   Modify entry

   Move entry

   Mutate entry

   Open stream

   Read entry

   Read references

   Receive replica update

   Reload NDS software

   Remove attribute from schema

   Remove backlink

   Remove bindery property

   Remove class from schema

   Remove entry

   Remove entry directory

   Remove member from group property

   Remove partition

   Remove replica

   Rename object

   Rename tree

   Repair time stamps

   Resend entry

   Send replica update

   Send/receive NDS fragmented request/reply

   Split partition

   Start partition join

   Start replica update

   Start schema update

   Synchronize partitions

   Synchronize schema

   Update replica

   Update schema

   User locked

   Verify console operator

   Verify password

2. To change the DS events in the current filter, choose the event and press F10 to toggle the setting for that event in the right column. When you are finished, press Esc to return to menu 1502.

Report Exclude Users

Procedure

1. Choose Report exclude users from the Edit report filter menu.

   AUDITCON displays menu 1512, which lists the audit filter's users to be excluded from audit reports.

   Figure 87
   Menu 1515: Report Exclude Users
   

2. Press Enter to enter a new user name or press Delete to remove an existing entry.

   To return to menu 1502, press Esc.

3. If you pressed either Enter or Delete you can enter or edit a user name. Press Enter to add the user name to the exclude list.

   If you want help with the list of users, press Insert and AUDITCON will display menu 1514 which shows containers that can hold User objects.

   Figure 88
   Menu 1514: Audit Directory Tree Users
   

4. Choose the container that holds the User object and press Enter.

   AUDITCON expands the menu to list the objects in the container.

   NOTE:  AUDITCON does not verify that the usernames entered are valid. If they are not valid, they are simply ignored.

5. Choose the user you want to include or exclude from the audit report and press Enter to add the name to the list.

   If the user's name does not appear in this list, return to menu 1514 and browse the Directory tree by listing other containers until the user's name appears.

Report Include Users

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.

Procedure

1. Choose Report include users from the Edit report filter menu.

   AUDITCON displays a list of the audit filter's users to be included in audit reports. Initially, this menu contains only an asterisk to indicate that all users are included, but you can edit the menu (as described for Report exclude users) to specify a few users.

2. When you have finished defining all the filter criteria, return to the Edit report filter menu (1502) and press Esc.

   AUDITCON gives you the option of choosing Yes to save the changes or No to leave the filters unchanged.

   If you choose Yes to save the changes, AUDITCON prompts you to enter the name of the filter file.

3. Enter a filename for the filter you want to save.

   The filter name can be up to eight characters long and must not contain a period.

   AUDITCON appends a .ARF extension to the filter name (for example, FILTER_3.ARF), and writes the filter file in the auditor's current directory.

Deleting an Audit Filter

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.

Procedure

1. To delete a selected audit filter, press Delete at menu 1501.

   You can choose Yes to delete the .ARF file that contains the specified audit filter or choose No to leave the filter in place.

2. Choose Yes to delete the filter.

   AUDITCON displays menu 1501 and lists the remaining filters (.ARF files) in the current directory. If you have deleted the last remaining audit filter in the current directory, AUDITCON shows _no_filter_ in menu 1501.

Report Audit File

This section describes how to generate a formatted text version of the user events in the current audit file. You cannot directly print the server's audit files, because the server's audit files are not directly accessible to network clients and the server's audit files are stored in a compressed format.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedures

1. Choose Report audit file from the Auditing reports menu (1500).

   AUDITCON prompts you for the name of the output file.

2. Enter the pathname for the file and press Enter.

   AUDITCON tries to create the file and displays an error screen if it cannot.

   NOTE:  If you don't specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON displays menu 1521 to display the available filters. These include the files with .ARF extensions in your current directory and a null filter (_no_filter_) that will pass all records in the audit file.

   Figure 89
   Menu 1521: Select Filter
   

3. To use one of the available filters, choose that filter and press Enter.

   AUDITCON also allows you to create a temporary filter, or modify an existing filter, for use in this report. Choose the desired filter (or _no_filter_) and press F10. Edit the filter as described in Generating Container Audit Reports, then press Esc.

   You are given the options of discarding the changes, saving the changes to a filter file, or applying the filter to the current report without saving the changes.

   AUDITCON retrieves records from the current audit file, applies the specified filter to those records, formats the filtered records, and writes formatted records to your output file.

   Depending on the size of the audit file and the complexity of your filter, this can be a time consuming process.

   AUDITCON displays a Reading file message in the header area of your screen and a Please wait notification in the menu area. When it is finished, AUDITCON returns to menu 1500.

4. To review the contents of your report, exit to DOS and either print or use an editor.

Report Audit History

This section describes how to generate a formatted text version of the auditor events in the current audit file.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedures

1. Choose Report audit history: from the Auditing reports menu (1500).

   AUDITCON prompts you for the name of the output file.

2. Enter the pathname for the file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you don't specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a Reading file message in the header area of your screen and a Please wait ... notification in the menu area. When it is finished, AUDITCON returns to menu 1500.

3. To review the contents of your report, exit to DOS and either print or use an editor.

Report Old Audit File

This section describes how to generate a formatted text version of the user events in an old online audit file.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedures

1. Choose Report old audit file from the Auditing reports menu (1500).

   AUDITCON displays menu 1540, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

   Figure 90
   Menu 1540: Select Old Audit File
   

2. Move the cursor to choose the desired audit file, then press Enter.

   AUDITCON prompts you for the name of the output file.

3. Enter the pathname for the output file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you don't specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON displays menu 1542 to display the available filters.

   Figure 91
   Menu 1542: Select Filter
   

4. Choose the desired filter and press Enter, or press F10 to edit a filter.

   AUDITCON retrieves records from the current audit file, applies the specified filter to those records, formats the filtered records, and writes formatted records to your output file. Depending on the size of the audit file and the complexity of your filter, this can be a time consuming process. AUDITCON displays a Reading file message in the header area of your screen and a Please wait notification in the menu area. When it is finished, AUDITCON returns to menu 1500.

5. To review the contents of your report, exit to DOS and either print or use an editor.

Report Old Audit History

This section describes how to generate a formatted text version of the auditor events in an old online audit file.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedures

1. Choose Report old audit history from the Auditing reports menu (1500).

   AUDITCON displays menu 1550, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

   Figure 92
   Menu 1550: Select Old Audit File
   

2. Move the cursor to choose the desired audit file, then press Enter.

   AUDITCON prompts you for the name of the output file.

3. Enter the pathname for the output file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you don't specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a Reading file message in the header area of your screen and a Please wait ... notification in the menu area. When it is finished, AUDITCON returns to menu 1500.

4. To review the contents of your report, exit to DOS and either print or use an editor.

View Audit File

This section describes how to display a listing of the user events in the current audit file on the screen of your workstation.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.

Procedures

1. Choose View audit file from the Auditing reports menu (1500).

   AUDITCON displays menu 1560 to display the available filters. These include the files with .ARF extensions in your current directory and a null filter (_no_filter_) that will pass all records in the audit file.

   If AUDITCON does not display the desired filter, return to DOS, change to the directory where the filter is located, and try again.

   Figure 93
   Menu 1560: Select Filter
   

2. Choose the desired filter and press Enter, or press F10 to edit a filter.

   If you choose a filter and press Enter, AUDITCON retrieves records from the current audit file, applies the specified filter to those records, formats the filtered records, and displays the formatted records to your screen a page at a time.

   The second line of the header area is modified to show your location in the audit file and when AUDITCON is waiting for information from the server. - HOME - indicates the beginning of the file and - END - indicates the end of the audit file.

   At any time you can press Home to return to the beginning of the file, or End to go to the end of the file. Press Page Down or Page Up to display a new page of formatted audit records, or use the down- or up-arrow keys to change the display one record at a time.

   Figure 94
   Sample audit file
   

   When AUDITCON is waiting for data from the server, it displays a - Reading file - notification; otherwise, it displays - PAUSE -.

   AUDITCON displays the time (for example, 17:38:28) for each audit record, but only displays the date (- 3-14-1995 -) at the beginning of an audit file or when the date rolls over from one day to the next. The first record defines the start time of the audit file and the container context being audited.

   Subsequent events define the name of the event (for example, Change ACL), a numeric event number (107), the change ACL arguments (object grp1, add trustee [Root], attribute Member, rights [ R ]), the status for the event (in this case, 0 indicates success), the name of the user making the change, and the replica where the audit event is being audited. Remember that if the audited container is replicated, the audit event can be synchronized to other replicas. See Audit File Formats for more information on the format of individual events.

   If an audit event was generated as a result of an action by a user who was not logged in (typically, by a user looking for their NDS object using the CX or LOGIN utilities), then the user name will be _NOT_LOGGED_IN in place of the actual username.

   If you have preselected login events, then you might see pairs of events for the same user, where the first entry in the pair indicates a failure, and the second indicates a success. This occurs because the LOGIN program first tries to log a user in without a password (thus generating an audit record for the failed attempt), and if that fails it prompts the user for a password, and uses that password for a second attempt. Thus, a failed login followed by a successful login probably does not indicate that the user has incorrectly typed his or her password.

3. Press Esc when you are finished. AUDITCON requests confirmation that you are done. Choose Yes and press Enter to return to menu 1500.

View Audit History

This section describes how to display a listing of the auditor events on the screen of your workstation.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.

Procedures

1. Choose View audit history from the Auditing reports menu (1500).

   AUDITCON reads the current audit file and displays the first screen of audit history events.

   Figure 95
   Sample audit history
   

2. Use the Home, End, Page Up, Page Down, and arrow keys to move through the display. When you are finished, press Esc and answer Yes to return to menu 1500.

   NOTE:  The Auditor login event means that an auditor began accessing the audit file, while the Auditor logout event means that an auditor ceased accessing the access file. These events do not indicate user logins or logouts.

View Old Audit File

This section describes how to display a listing of the user events from an old online audit file to the screen of your workstation.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.

Procedures

1. Choose View old audit file from the Auditing reports menu (1500).

   AUDITCON displays menu 1580, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

   Figure 96
   Menu 1580: Select Old Audit File
   

2. Move the cursor to select the desired audit file, then press Enter.

   AUDITCON displays menu 1581 to display the available filters.

   Figure 97
   Menu 1581: Select Filter
   

3. Choose the desired filter and press Enter, or press F10 to edit a filter.

   AUDITCON retrieves records from the current audit file, applies the specified filter to those records, formats the filtered records, and displays the formatted records to your screen. The screen format is as described in Generating Container Audit Reports (menu 1561).

4. Use the Home, End, Page Up, Page Down, and arrow keys to move through the display. When you are finished, press Esc and answer Yes to return to menu 1500.

View Old Audit History

This section describes how to display a listing of the auditor events from an old online audit file to the screen of your workstation.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.

Procedures

1. Choose View old audit history from the Auditing reports menu (1500).

   AUDITCON displays menu 1590, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

   Figure 98
   Menu 1590: Select Old Audit File
   

2. Move the cursor to select the desired audit file, then press Enter.

   AUDITCON retrieves records from the current audit file, formats the records, and displays them to your screen. The screen format is as described in Generating Container Audit Reports.

3. Use the Home, End, Page Up, Page Down, and arrow keys to move through the display. When you are finished, press Esc and answer Yes to return to menu 1500.

Database Report Audit File

This section describes how to generate a file containing the user events in the current audit file in a form suitable for loading into a database.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the database file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedure

1. Choose Database report audit file from the Auditing reports menu (1500).

   AUDITCON prompts you for the name of the output file.

2. Enter the pathname for the file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you don't specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON displays menu 1801 to display the available filters. This includes the files with .ARF extensions in your current directory and a null filter (_no_filter_) that will pass all records in the audit file.

   Figure 99
   Menu 1801:Select Filter
   

3. To use one of the available filters, choose that filter and press Enter.

   AUDITCON also allows you to create a temporary filter, or modify an existing filter, for use in this report. Choose the desired filter, or _no_filter_, and press F10. Edit the filter as described in Generating Reports from Offline Audit Files.

   When you press Esc, you are prompted to discard the changes, save the changes to a filter file, or apply the filter to the current report without saving the changes.

   AUDITCON retrieves records from the current audit file, applies the specified filter to those records, formats the filtered records, and writes formatted records to your output file.

   Depending on the size of the audit file and the complexity of your filter, this can be a time consuming process.

   AUDITCON displays a Reading file message in the header area of your screen and a Please wait notification in the menu area. When it is finished, AUDITCON returns to menu 1500.

4. Exit to DOS and use an appropriate database loading program to insert the audit records into a database for review.

   See Format of the Database Output File for a description of the format of the database file.

Database Report Audit History

This section describes how to generate a formatted text version of the auditor events in the current audit file in a format suitable for loading into a database.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedures

1. Choose Database report audit history from the Auditing reports menu (1500).

   AUDITCON prompts you for the name of the output file.

2. Enter the pathname for the file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you don't specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a Reading file message in the header area of your screen and a Please wait ... notification in the menu area. When it is finished, AUDITCON returns to menu 1500.

3. Exit to DOS and use an appropriate database loading program to insert the audit history records into a database for review.

   See Format of the Database Output File for a description of the format of the database file.

Database Report Old Audit File

This section describes how to generate a file containing the user events in an old online audit file in a form suitable for loading into a database.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedures

1. Choose Database report old audit file from the Auditing reports menu (1500).

   AUDITCON displays menu 1820, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

   Figure 100
   Menu 1820: Select Old Audit File
   

2. Move the cursor to choose the desired audit file, then press Enter.

   AUDITCON prompts you for the name of the output file.

3. Enter the pathname for the file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you don't specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON displays menu 1822 to display the available filters.

   Figure 101
   Menu 1822: Select Filter
   

4. Choose the desired filter and press Enter, or press F10 to edit a filter.

   AUDITCON retrieves records from the current audit file, applies the specified filter to those records, formats the filtered records, and writes formatted records to your output file.

   Depending on the size of the audit file and the complexity of your filter, this can be a time consuming process. AUDITCON displays a Reading file message in the header area of your screen and a Please wait ... notification in the menu area. When it is finished, AUDITCON returns to menu 1500.

5. Exit to DOS and use an appropriate database loading program to insert the audit records into a database for review.

   See Format of the Database Output File for a description of the format of the database file.

Database Report Old Audit History

This section describes how to generate a file containing the auditor events in an old online audit file in a form suitable for loading into a database.

Prerequisites

• See General Prerequisites and the Audit Report Prerequisites in Generating Container Audit Reports.
• You must have rights to the directory where you intend to create the output file. For a network directory on the server, you must have at least the Create right on the directory to create the file and [RWCEMF] rights to manage the file after you create it. If you are creating the report file on your local workstation, see your workstation documentation for information on using the workstation's access control mechanisms to protect your files.

Procedures

1. Choose Database report old audit history from the Auditing reports menu (1500).

   AUDITCON displays menu 1830, which lists up to 15 old audit files that are still maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

   Figure 102
   Menu 1830: Select Old Audit File
   

2. Move the cursor to choose the desired audit file, then press Enter.

   AUDITCON prompts you for the name of the output file.

3. Enter the pathname for the output file and press Enter.

   AUDITCON attempts to create the file and displays an error screen if it cannot.

   NOTE:  If you don't specify a complete pathname, including the drive letter, AUDITCON leaves the report on your current drive. The safest approach is to specify the full pathname for your output file.

   AUDITCON retrieves records from the current audit file, formats the records, and writes them to your output file. AUDITCON displays a Reading file message in the header area of your screen and a Please wait ... notification in the menu area. When it is finished, AUDITCON returns to menu 1500.

4. Exit to DOS and use an appropriate database loading program to insert the audit history records into a database for review.

   See Format of the Database Output File for a description of the format of the database file.

Format of the Database Output File

Each line in the output file represents a single audit record. Each line consists of a series of comma-separated fields in the following order:

• Time, as hh:mm:ss
• Date, as mm-dd-yyyy
• A C to indicate the record came from a container audit trail
• Container object class
• The name of the container where the audit record was generated
• A textual description of the event (for example, File search)
• The word event followed by the numerical event number
• The word status followed by the status from the event
• The name of the user for whom the event was generated
• The replica number
• Zero or more pieces of event specific information

This format is suitable to be imported into most databases by specifying that the input is a comma-separated text file.