
Using log filters for auditing

Sun Secure Global Desktop Software allows you to set log filters to provide an audit of the following system events:

To audit these events, you must set a */*/*auditinfo log filter. You can use any of the standard destinations as a destination for the output, but you must direct the output to a .jsl file if you want to view the audit information from the command line.

Note: Log output is only created while a Secure Global Desktop server is actually running. If a Secure Global Desktop server is stopped, only the UNIX root user can perform any of the auditable events.

For each of the events, the log filter records:

Viewing audit log information

You can use any of the standard methods for viewing the log output. However, the most useful command to view the log output is:

tarantella query audit --format text|csv|xml --filter "filter"

If you select the text format, Secure Global Desktop formats the log output so that it is easy to read on screen but it does not show every detail logged. Using the csv format shows every detail logged but it is only suitable for outputting to a file.

The filter is an RFC2254-compliant LDAP search filter. The command searches the log fields in the log files for matching entries to display. For auditing purposes, the most useful log fields are:

For auditing purposes, the log-category is always *auditinfo, but this can be any of the standard log filter component/sub-component/severity settings.

The log-tfn-name field contains the Tarantella Federated Naming (TFN) names associated with the event, for example the TFN name of the application started or the TFN name of the Administrator who changed the configuration of a Secure Global Desktop server.

The log-keyword is an identifier for the auditable events and log-event is the name of the event. The table below shows all the log-keywords along with their corresponding log-event, together with a description of the event.

| Log-keyword | Log-event | Description |
|---|---|---|
| createFailure | createFailure | A user tried to create an ENS object but failed. |
| createSuccess | createSuccess | A user created an ENS object. |
| deleteFailure | deleteFailure | A user tried to delete an ENS object but failed. |
| deleteSuccess | deleteSuccess | A user deleted an ENS object. |
| loginFailure | loginResultReconnect | The Secure Global Desktop server requested the client to reconnect on a different port. |
| loginFailure | loginResultFailed | None of the enabled login authorities authenticated the user. |
| loginFailure | loginResultRejected | User was denied a login by a login filter. For example, this may be because logins are currently not allowed for that particular server, or because the user is currently not allowed to log in. |
| loginFailure | loginResultDisabled | The Secure Global Desktop server is not currently accepting connections. |
| loginFailure | loginResultInvalidWebToken | An invalid web authentication token was presented. |
| loginFailure | loginResultNoAmbig | An ambiguous login failed because the Secure Global Desktop server does not support ambiguous logins. |
| loginFailure | loginResultAmbiguous | An ambiguous login failed because the user did not give enough disambiguation information. |
| loginFailure | loginResultAnonymous | An anonymous login failed because the Secure Global Desktop server does not support anonymous logins. |
| loginFailure | loginResultNoSecurity | Login failed because the user requires a secure connection, but the connection was made to the standard port. |
| loginFailure | loginResultUnresolveable | Login failed because the Secure Global Desktop server was unable to resolve which user the login was for. |
| loginFailure | loginResultUnknown | Login failed because the Secure Global Desktop server was unable to process an unexpected login result. |
| loginSuccess | webtopSessionStartedDetails | Started a webtop session for a user. |
| logout | webtopSessionEndedDetails | Stopped a webtop session for a user. |
| modifyFailure | modifyFailure | A user tried to change an ENS object or the Secure Global Desktop server configuration but failed. |
| modifySuccess | modifySuccess | A user changed an ENS object or the Secure Global Desktop server configuration. |
| renameFailure | renameFailure | A user tried to rename an ENS object but failed. |
| renameSuccess | renameSuccess | A user renamed an ENS object. |
| serverStart | serverStart | The Secure Global Desktop server was started. |
| serverStop | serverStop | The Secure Global Desktop server was stopped. |
| sessionEnded | sessionEndedDetails | Stopped an emulator session for a user. |
| sessionStarted | sessionStartedDetails | Started an emulator session for a user. |
| sslStart | securitySSLStart | Started Secure Global Desktop security (SSL) services. |
| sslStop | securitySSLStop | Stopped Secure Global Desktop security (SSL) services. |

There are a large number of other log fields which you can use in a filter. For a list of the commonly used ones, see the tarantella query audit command.

Example filters

To search for failed login attempts:

--filter "(&(log-category=*auditinfo)(log-keyword=loginFailure))"

To search for changes made to the Secure Global Desktop server configuration by the Administrator Bill Orange:

--filter "(&(log-category=*auditinfo)(log-keyword=modifySuccess)(log-tfn-name=.../ens/o=Indigo Insurance/ou=IT/cn=Bill Orange))"
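
When a script builds these filters from an administrator name or other input, the value must be escaped as RFC 2254 describes so that it can only match literally and cannot change the structure of the filter. The following is an added example, not part of the Secure Global Desktop documentation; the function names `ldap_escape`, `audit_filter` and `audit_query` are hypothetical, and it assumes the command honours the RFC's `\xx` escape sequences:

```shell
#!/bin/sh
# Added example: build audit filters for `tarantella query audit` from
# untrusted input. Function names are hypothetical, not part of SGD.

# Escape the RFC 2254 special characters \ * ( ) as \5c \2a \28 \29.
# The backslash is handled first so later escapes are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# audit_filter KEYWORD [TFN-NAME]
# Accepts only log-keywords listed in the table above; the TFN name is
# escaped so it can only ever match as a literal value.
audit_filter() {
    case $1 in
        createFailure|createSuccess|deleteFailure|deleteSuccess|\
        loginFailure|loginSuccess|logout|modifyFailure|modifySuccess|\
        renameFailure|renameSuccess|serverStart|serverStop|\
        sessionEnded|sessionStarted|sslStart|sslStop) ;;
        *) echo "unknown log-keyword: $1" >&2; return 1 ;;
    esac
    filter="(&(log-category=*auditinfo)(log-keyword=$1)"
    if [ -n "${2:-}" ]; then
        filter="$filter(log-tfn-name=$(ldap_escape "$2"))"
    fi
    printf '%s\n' "$filter)"
}

# audit_query FORMAT KEYWORD [TFN-NAME]  (requires an SGD server install)
audit_query() {
    case $1 in text|csv|xml) ;; *) echo "bad format: $1" >&2; return 1 ;; esac
    f=$(audit_filter "$2" "${3:-}") || return 1
    tarantella query audit --format "$1" --filter "$f"
}

# Constructed sample inputs: the page's two examples, then a name that
# contains filter metacharacters.
audit_filter loginFailure
audit_filter modifySuccess '.../ens/o=Indigo Insurance/ou=IT/cn=Bill Orange'
audit_filter modifySuccess '.../ens/o=Example/cn=A (temp)*'
```
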