Secure Global Desktop 4.40 Administration Guide: Using Log Filters for Auditing
SGD allows you to set log filters to provide an audit of the following system events:
To audit these events, you must set a */*/*auditinfo log filter. You can use any of the standard destinations as a destination for the output, but you must direct the output to a .jsl file if you want to view the audit information from the command line.
Note: Log output is only created while an SGD server is actually running. If an SGD server is stopped, only the UNIX system root user can perform any of the auditable events.
For each of these events, the log filter records the following:
You can use any of the standard methods for viewing the log output. However, the following command is the most useful:
# tarantella query audit --format text|csv|xml --filter "filter"
If you select the text format, SGD formats the log output so that it is easy to read on screen, but it does not show every detail logged. The csv format shows every detail logged, but it is only suitable for outputting to a file.
The "filter" is an RFC2254-compliant LDAP search filter. The command searches the log fields in the log files for matching entries to display. For auditing purposes, the most useful log fields are shown in the following table.
| Log Field | Description |
|---|---|
| log-category | For auditing purposes, the log-category is always *auditinfo, but this can be any of the standard log filter component/sub-component/severity settings. |
| log-date | The system date and time when the event took place. The format is yyyy/MM/dd HH:mm:ss.SSS. |
| log-event | The name of the event. |
| log-ip-address | The IP address of a client or server associated with an event. |
| log-keyword | The keyword identifier for the auditable event. |
| log-localhost | The peer DNS name of the SGD server where the event took place. |
| log-pid | The process ID of the event. |
| log-security-type | The type of security used on a connection, std or ssl. |
| log-systime | The system time in milliseconds (UTC time) when the event took place. |
| log-tfn-name | The Federated Naming (TFN) name of an object associated with an event. For example, starting an application session may record the name of the user, the application, and the application server. |
Note: A complete list of all the log fields is available in the /opt/tarantella/var/serverresources/schema/log.at.conf schema file.
The following table lists all the log-keywords with their corresponding log-events and a description of each event.
| Log-keyword | Log-event | Description |
|---|---|---|
createFailure | createFailure | A user tried to create an object in the local repository but failed. |
createSuccess | createSuccess | A user created an object in the local repository. |
deleteFailure | deleteFailure | A user tried to delete an object in the local repository but failed. |
deleteSuccess | deleteSuccess | A user deleted an object in the local repository. |
loginFailure | loginResultReconnect | The SGD server requested the client to reconnect on a different port. |
loginFailure | loginResultFailed | None of the enabled authentication mechanisms authenticated the user. |
loginFailure | loginResultRejected | User was denied a login by a login filter. For example, this might be because logins are currently not allowed for that particular server, or because the user is currently not allowed to log in. |
loginFailure | loginResultDisabled | The SGD server is not currently accepting connections. |
loginFailure | loginResultNoAmbig | An ambiguous login failed because the SGD server does not support ambiguous logins. |
loginFailure | loginResultAmbiguous | An ambiguous login failed because the user did not give enough disambiguation information. |
loginFailure | loginResultAnonymous | An anonymous login failed because the SGD server does not support anonymous logins. |
loginFailure | loginResultNoSecurity | Login failed because the user requires a secure connection, but the connection was made to the standard port. |
loginFailure | loginResultUnresolveable | Login failed because the SGD server was unable to resolve which user had logged in. |
loginFailure | loginResultUnknown | Login failed because the SGD server was unable to process an unexpected login result. |
loginSuccess | webtopSessionStartedDetails | Started a user session for a user. |
logout | webtopSessionEndedDetails | Stopped a user session for a user. |
modifyFailure | modifyFailure | A user tried to change an object in the local repository, to change global settings, or to change the configuration of an SGD server but failed. |
modifySuccess | modifySuccess | A user changed an object in the local repository, changed global settings, or changed the configuration of an SGD server. |
renameFailure | renameFailure | A user tried to rename an object in the local repository but failed. |
renameSuccess | renameSuccess | A user renamed an object in the local repository. |
serverStart | serverStart | The SGD server was started. |
serverStop | serverStop | The SGD server was stopped. |
sessionEnded | sessionEndedDetails | Stopped an application session for a user. |
sessionStarted | sessionStartedDetails | Started an application session for a user. |
sslStart | securitySSLStart | Started SGD security (SSL) services. |
sslStop | securitySSLStop | Stopped SGD security (SSL) services. |
To search for failed login attempts, use the following filter:
--filter "(&(log-category=*auditinfo)(log-keyword=loginFailure))"
To search for changes made to the SGD server configuration by the Administrator Bill Orange, use the following filter:
--filter "(&(log-category=*auditinfo)(log-keyword=modifySuccess)(log-tfn-name=.../ens/o=Indigo Insurance/ou=IT/cn=Bill Orange))"
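As an added example (not part of the Sun guide and not SGD's own code), the following Python script implements the subset of RFC 2254 syntax used in the filters above (&, |, !, and equality with * wildcards) and runs it over constructed audit records built from the log fields in the tables; the log-category values, IP addresses and the second user name are assumed. It also shows a defender's use of the loginFailure filter: counting failures per log-ip-address to spot repeated failed logins.

```python
import re
from collections import Counter

def _rec(keyword, event, ip, tfn, category="server/login/auditinfo"):
    """Build one audit record using the log field names documented on this page."""
    return {"log-category": category, "log-keyword": keyword, "log-event": event,
            "log-ip-address": ip, "log-tfn-name": tfn}

# Constructed sample records (not real SGD output); categories and IPs are assumed.
BILL = ".../ens/o=Indigo Insurance/ou=IT/cn=Bill Orange"
OTHER = ".../ens/o=Indigo Insurance/ou=Sales/cn=Another User"
SAMPLE_RECORDS = [
    _rec("loginFailure", "loginResultFailed", "192.0.2.10", BILL),
    _rec("loginFailure", "loginResultFailed", "192.0.2.10", BILL),
    _rec("loginFailure", "loginResultFailed", "192.0.2.10", BILL),
    _rec("loginSuccess", "webtopSessionStartedDetails", "192.0.2.10", BILL),
    _rec("modifySuccess", "modifySuccess", "192.0.2.10", BILL, "server/config/auditinfo"),
    _rec("loginFailure", "loginResultNoSecurity", "192.0.2.77", OTHER),
    _rec("modifySuccess", "modifySuccess", "192.0.2.10", BILL, "server/config/info"),  # not audit
]

def _parse(s, i):
    """Recursive-descent parse of '(...)' at s[i]; returns (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":                       # (&(a)(b)...) or (|(a)(b)...)
        op, kids, i = ("and" if s[i] == "&" else "or"), [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # skip closing ')'
    if s[i] == "!":                        # (!(a))
        node, i = _parse(s, i + 1)
        return ("not", node), i + 1
    j = s.index(")", i)                    # simple attr=value; first '=' splits attr from value
    attr, _, value = s[i:j].partition("=")
    return ("eq", attr.strip(), value), j + 1

def _match(node, rec):
    """Evaluate a parsed filter against one record; '*' in a value is a wildcard (case-insensitive, assumed)."""
    if node[0] == "and": return all(_match(k, rec) for k in node[1])
    if node[0] == "or":  return any(_match(k, rec) for k in node[1])
    if node[0] == "not": return not _match(node[1], rec)
    _, attr, value = node
    pattern = ".*".join(re.escape(p) for p in value.split("*")) + r"\Z"
    return attr in rec and re.match(pattern, rec[attr], re.IGNORECASE) is not None

def query_audit(records, filter_text):
    """Return the records selected by an RFC 2254 filter, like 'tarantella query audit --filter'."""
    node, end = _parse(filter_text.strip(), 0)
    if end != len(filter_text.strip()):
        raise ValueError("trailing characters in filter")
    return [r for r in records if _match(node, r)]

def failed_logins_by_ip(records, threshold):
    """Detection helper: IPs with at least `threshold` loginFailure audit events."""
    hits = query_audit(records, "(&(log-category=*auditinfo)(log-keyword=loginFailure))")
    counts = Counter(r.get("log-ip-address", "?") for r in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```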
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.