When the text format is used for the audit logs, a file called smaccess.log (by default) is generated on the Policy Server.
Can the content format be changed?
The format is fixed and cannot be changed; it depends on the Policy Server version. Policy Server version 6SP5CR20 uses the following fields:
[Event][Hostname][Date/Time][ClientIP][UserDN][Agentname][Action][Resource][TransactionID][Reason][Status Message][Impersonator Name][Impersonator Dir Name]
Policy Server version 12.8SP6 uses the following fields when "Enable Enhance Tracing" is configured in the registry (1):
[Category][Event][Reason][Hostname][Time][AgentName][SessionId][UserName][DomainOid][RealmName][RealmOid][ClientIp][Resource][Action][AuthDirName][AuthDirServer][AuthDirNamespace][TransactionId][StatusMsg][DomainName][ImpersonatorName][ImpersonatorDirName][ObjName][ObjOid][FieldDesc]
Version 12.52SP1CR06 shows the following fields without the "Enable Enhance Tracing" registry key:
[Event][Hostname][Date/Time][ClientIP][UserDN][Agentname][Action][Resource][TransactionID][Reason][Status Message][Impersonator Name][Impersonator Dir Name]
Example:
AuthAccept myHost [<Date Time>] "10.0.0.1 uid=<User ID>,ou=Users,o=root" "myHost GET /ajax/ajax.html" [idletime=60;maxtime=120;authlevel=5;] [0] [] []
When impersonation is not used, the last 2 fields show no value.
Example on Policy Server 12.8SP6 with "Enable Enhance Tracing" configured in the registry:
[Category][Event][Reason][Hostname][Time][AgentName][SessionId][UserName][DomainOid][RealmName][RealmOid][ClientIp][Resource][Action][AuthDirName][AuthDirServer][AuthDirNamespace][TransactionId][StatusMsg][DomainName][ImpersonatorName][ImpersonatorDirName][ObjName][ObjOid][FieldDesc]
[Auth][AuthAccept][][<host name>.<Your domain>.com][26/Jan/2023:15:10:48 +0100][wa][###][cn=<UserID>,dc=<Your domain>,dc=com][####][myApp][######][10.0.0.2][/myApp/allheaders.php][GET][<UserID>][10.0.0.3:10392][LDAP:][idletime=3600;maxtime=7200;authlevel=5;][][myApp][][][][][]
[Auth][ValidateAccept][][<host name>.<Your domain>.com][26/Jan/2023:15:10:48 +0100][wa][###][cn=<UserID>,dc=<Your domain>,dc=com][####][myApp][######][10.0.0.2][/myApp/allheaders.php][GET][<UserID>][10.0.0.3:10392][LDAP:][idletime=3600;maxtime=7200;authlevel=5;][][myApp][][][][][]
[Az][AzAccept][][<host name>.<Your domain>.com][26/Jan/2023:15:10:48 +0100][wa][###][cn=<UserID>,dc=<Your domain>,dc=com][####][myApp][######][10.0.0.2][/myApp/allheaders.php][GET][][][][########][][myApp][][][][][]
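Because the layout depends on the version and on the registry setting, a log consumer should check the field count before mapping values to names. The following is an added example, not code from the product or its documentation: it parses the 25-field enhanced layout shown above, rejects lines in any other layout, and lists records whose ImpersonatorName field is populated. The function names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Field order copied from the 12.8SP6 enhanced-tracing header shown above.
FIELDS = ("Category Event Reason Hostname Time AgentName SessionId UserName "
          "DomainOid RealmName RealmOid ClientIp Resource Action AuthDirName "
          "AuthDirServer AuthDirNamespace TransactionId StatusMsg DomainName "
          "ImpersonatorName ImpersonatorDirName ObjName ObjOid FieldDesc").split()
BRACKETED = re.compile(r"\[([^\]]*)\]")

def parse_enhanced(line):
    """Map one enhanced-format record onto FIELDS; reject other layouts."""
    line = line.strip()
    values = BRACKETED.findall(line)
    # The layout varies by version and registry setting, so refuse anything
    # that is not exactly 25 bracketed fields with no text between them.
    if len(values) != len(FIELDS) or "".join(f"[{v}]" for v in values) != line:
        raise ValueError(f"expected {len(FIELDS)} bracketed fields, got {len(values)}")
    rec = dict(zip(FIELDS, values))
    rec["Time"] = datetime.strptime(rec["Time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def impersonated(records):
    """Records whose ImpersonatorName field is populated."""
    return [r for r in records if r["ImpersonatorName"]]

# Constructed sample lines (not real log data); the third uses the older
# 13-field layout and must be rejected rather than mis-mapped.
SAMPLE = """\
[Auth][AuthAccept][][ps1.example.com][26/Jan/2023:15:10:48 +0100][wa][s1][cn=alice,dc=example,dc=com][d1][myApp][r1][10.0.0.2][/myApp/allheaders.php][GET][alice][10.0.0.3:10392][LDAP:][idletime=3600;maxtime=7200;authlevel=5;][][myApp][][][][][]
[Az][AzAccept][][ps1.example.com][26/Jan/2023:15:11:02 +0100][wa][s2][cn=bob,dc=example,dc=com][d1][myApp][r1][10.0.0.2][/myApp/admin.php][GET][][][][t2][][myApp][cn=helpdesk,dc=example,dc=com][corpdir][][][]
AuthAccept myHost [26/Jan/2023:15:10:48 +0100] "10.0.0.1 uid=carol,ou=Users,o=root" "myHost GET /ajax/ajax.html" [idletime=60;maxtime=120;authlevel=5;] [0] [] []
"""

def load(text):
    """Return (parsed records, rejected raw lines)."""
    good, bad = [], []
    for raw in text.splitlines():
        try:
            good.append(parse_enhanced(raw))
        except ValueError:
            bad.append(raw)
    return good, bad

if __name__ == "__main__":
    records, rejected = load(SAMPLE)
    for r in impersonated(records):
        print(r["Time"].isoformat(), r["Event"], r["UserName"], "via", r["ImpersonatorName"])
    print(f"{len(rejected)} line(s) not in the enhanced layout")
```

The regular expression assumes that no field value contains a closing bracket; a line that violates this fails the field-count check and lands in the rejected list.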
ODBC Audit Log Content can be mirrored in Text-based Audit Logs, as per documentation (1).
(1) sm.registry key: Enable Enhance Tracing