How to Enable Console Settings Audit Logging for Symantec Mail Security for Microsoft Exchange (SMSMSE)


Article ID: 178910


Products

Mail Security for Microsoft Exchange

Issue/Introduction

 

Resolution

Some organizations require audit logging to be enabled for all server applications to track settings changes made to these applications. SMSMSE does not have this functionality built in, but logging can be enabled to determine which user made what changes at what time.

This process involves several steps:

  • Monitoring the application event log for date/time of settings changes and which user made those changes.
  • Enabling output of xml files from the console to the filesystem. This will allow logging of what settings changes were made.

To monitor the application event log:

  1. Open the SMSMSE console.
  2. Navigate to Monitors -> Event log.
  3. In the "List" drop down, select "Settings".
  4. All events of settings changes will be displayed with timestamps. To view which user made changes at a given time, select the event and look at the "Message:" box at the bottom of the screen. The user name is logged in the DOMAIN\Username format.

To enable output of xml files from the console to the filesystem:

Warning: This settings change will cause the SMSMSE console to output all details of console-to-server communications, and if not deleted, these files may eventually fill the hard drive. It is recommended to periodically clear the contents of this folder.

  1. Open the registry editor and navigate to HKLM\Software\Wow6432Node\Symantec\CMaF\<version>
  2. In the right pane, right click and select New DWORD (32-bit) Value.
  3. Rename the new DWORD value to DumpCmafXml and set the value to 1.

To monitor what settings changes were made:

  1. Open Windows Explorer, and navigate to C:\Program Files (x86)\Symantec\CMaF\<version>\CMaF_XML.
  2. Locate the file X_Request_Push.xml which has a "Date modified" timestamp corresponding to the Settings Changed event being audited.
  3. Open the file with Internet Explorer or Notepad. This file contains all settings changes pushed during this particular settings deploy.

By correlating the timestamp of the X_Request_Push.xml files and the timestamp of the Settings Changed events in the Event Log, an administrator can determine what settings were changed by which user at what time in SMSMSE.
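The correlation described above can be scripted. The following PowerShell is an added example, not Symantec's own tooling. It assumes the X in X_Request_Push.xml is a varying prefix (matched with a wildcard), that you supply the event source name shown on the settings events in your Application log (the article does not state it), and that a 60-second window is close enough to pair a file with its event.

```powershell
# Added example: match each *_Request_Push.xml dump to nearby Application-log events.
param(
    # The CMaF_XML folder from the article, with <version> filled in for your install.
    [Parameter(Mandatory)][string]$DumpDir,
    # Assumption: event source shown on the SMSMSE settings events in Event Viewer
    # (the article does not name it, so it must be supplied).
    [Parameter(Mandatory)][string]$ProviderName,
    # Assumption: maximum gap between the event and the file's "Date modified" time.
    [int]$WindowSeconds = 60
)

# DOMAIN\Username as it appears in the event's Message text.
$userPattern = '[\w.-]+\\[\w.$-]+'

Get-ChildItem -LiteralPath $DumpDir -Filter '*_Request_Push.xml' |
    Sort-Object LastWriteTime |
    ForEach-Object {
        $file = $_
        $filter = @{
            LogName      = 'Application'
            ProviderName = $ProviderName
            StartTime    = $file.LastWriteTime.AddSeconds(-$WindowSeconds)
            EndTime      = $file.LastWriteTime.AddSeconds($WindowSeconds)
        }
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $userPattern })

        # Keep unmatched dumps in the report: a push with no logged user needs review.
        if ($events.Count -eq 0) { $events = @($null) }

        foreach ($e in $events) {
            [pscustomobject]@{
                File      = $file.Name
                Modified  = $file.LastWriteTime
                EventTime = if ($e) { $e.TimeCreated } else { $null }
                User      = if ($e) { [regex]::Match($e.Message, $userPattern).Value } else { 'NO MATCHING EVENT' }
                # Hash ties the report row to the exact file if it is archived later.
                Sha256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
    }
```

Pipe the output to Export-Csv and archive the listed XML files before clearing the CMaF_XML folder, so the file-to-user mapping survives the periodic cleanup the warning recommends.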