Lots of Audit logs fields are empty

Article ID: 253938

Products

SITEMINDER CA Single Sign On Federation (SiteMinder) CA Single Sign-On

Issue/Introduction

What is the purpose of the fields below (highlighted in red) in the audit logs? They are empty all the time.

sm_timestamp | sm_categoryid | sm_eventid | sm_hostname | sm_sessionid | sm_username | sm_agentname | sm_realmname | sm_realmoid | sm_clientip | sm_domainoid | sm_authdirname | sm_authdirserver | sm_authdirnamespace | sm_resource | sm_action | sm_status | sm_reason | sm_transactionid | sm_domainname | sm_impersonatorname | sm_impersonatordirname | sm_assertion_id | sm_assertion_issuerid | sm_assertion_destinationurl | sm_assertion_statuscode | sm_assertion_notonbefore | sm_assertion_notonorafter | sm_assertion_sess_starttime | sm_assertion_sess_notonorafter | sm_assertion_authcontext | sm_assertion_versionid | sm_assertion_claims | sm_application_name | sm_tenant_name | sm_authentication_method | sm_devicehash | sm_deviceid | sm_userrefid | sm_transaction_response_time

 

Environment

Release : 12.8.07

Cause

This is by design.

The Audit Log DB schema has been extended for Enhanced Audit Tracing, which is why columns such as "sm_deviceid" exist.

Enhanced Audit Tracing is not enabled by default, so those columns are never written and stay empty.

Resolution

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/administrating/enhanced-auditing.html

This Enhanced Audit Tracing is optional and is disabled by default.
Please enable Enhanced Audit Tracing following the documentation above.
Note: Policy Server restart is required.

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=GboRu0cjXehLVp03J7/KfQ==

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=DsI4qwFVW6itmBjbJV/UZw==

By default, when the Policy Server writes audit log entries to the smaccess.log file, it logs a reduced set of fields compared to ODBC.

Setting the registry value to '1' tells the Policy Server to log to smaccess.log with the same set of fields as ODBC. If you are already using ODBC, setting the value to '1' makes no difference.

 

Once "enable enhance tracing" is set to 2 or higher, the additional columns are populated.

Some of these columns belong to the DeviceDNA feature, so they remain empty if you do not use DeviceDNA, even with the value set to 4.

Here is a sample for a SAML federation.

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=tf1BkjmGjn7y3ZRi+v/QMQ==

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=MnR6tjWYRp5/46mXAIQ3OA==

Following are the column descriptions with sample values taken from a SAML federation.

Column Name | Description | Sample
sm_assertion_id | Assertion ID, as found in the SAMLResponse | _a3d854feec240500bef436cba34ef5b69704
sm_assertion_issuerid | Issuer of the assertion | demolab
sm_assertion_destinationurl | Destination the assertion is posted to | https://www.sm.lab/affwebservices/public/saml2assertionconsumer
sm_assertion_statuscode | Status code in the SAMLResponse | urn:oasis:names:tc:SAML:2.0:status:Success
sm_assertion_notonbefore | Validity of the assertion (start) | 1970-01-01 00:00:00.000
sm_assertion_notonorafter | Validity of the assertion (end) | 1970-01-01 00:00:00.000
sm_assertion_sess_starttime | Validity of the federated session (start) | 1970-01-01 00:00:00.000
sm_assertion_sess_notonorafter | Validity of the federated session (end) | 1970-01-01 00:00:00.000
sm_assertion_authcontext | Authentication context for the federation | urn:oasis:names:tc:SAML:2.0:ac:classes:Password
sm_assertion_versionid | Federation protocol and version | SAML 2.0
sm_assertion_claims | Federated user's attributes in the assertion, separated by semicolons | uid=smuser1;[email protected];givenname=smuser1
sm_application_name | Secure Cloud application name | 
sm_tenant_name | Secure Cloud tenant name | 
sm_authentication_method | Authentication scheme name | Custom Federation Login Page
sm_devicehash | DeviceDNA device hash value | 
sm_deviceid | DeviceDNA device id | 
sm_userrefid | DeviceDNA user reference id | 
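The following is an added example, not code from the Broadcom article or the SiteMinder product: it reads a pipe-delimited export of audit rows (the rows here are constructed, using the column list and the SAML sample values above) and explains always-empty columns in the article's terms, so an operator can tell "Enhanced Audit Tracing is off" apart from "DeviceDNA is not in use" and from a column that is unexpectedly empty. The DeviceDNA column set is an assumption taken from the column descriptions.

```python
# Added example; not code from the Broadcom article or the SiteMinder product.
# Explains always-empty audit columns: sm_assertion_* and related columns need
# Enhanced Audit Tracing ("enable enhance tracing" >= 2); DeviceDNA columns stay
# empty unless DeviceDNA is in use; anything else empty deserves a closer look.
COLUMNS = (
    "sm_timestamp sm_categoryid sm_eventid sm_hostname sm_sessionid sm_username "
    "sm_agentname sm_realmname sm_realmoid sm_clientip sm_domainoid sm_authdirname "
    "sm_authdirserver sm_authdirnamespace sm_resource sm_action sm_status sm_reason "
    "sm_transactionid sm_domainname sm_impersonatorname sm_impersonatordirname "
    "sm_assertion_id sm_assertion_issuerid sm_assertion_destinationurl "
    "sm_assertion_statuscode sm_assertion_notonbefore sm_assertion_notonorafter "
    "sm_assertion_sess_starttime sm_assertion_sess_notonorafter "
    "sm_assertion_authcontext sm_assertion_versionid sm_assertion_claims "
    "sm_application_name sm_tenant_name sm_authentication_method sm_devicehash "
    "sm_deviceid sm_userrefid sm_transaction_response_time"
).split()
# Grouping follows the article's column table; DeviceDNA membership is an assumption.
DEVICEDNA = {"sm_devicehash", "sm_deviceid", "sm_userrefid"}
ENHANCED = {c for c in COLUMNS if c.startswith("sm_assertion_")} | {
    "sm_application_name", "sm_tenant_name", "sm_authentication_method"}

def parse_export(text):
    """Parse a pipe-delimited export whose first line is the column header."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    return [dict(zip(header, (v.strip() for v in l.split("|")))) for l in lines[1:]]

def diagnose(rows):
    """Classify the columns that are empty in every exported row."""
    empty = {c for c in COLUMNS if all(not r.get(c) for r in rows)}
    tracing_off = ENHANCED <= empty            # no enhanced column ever logged
    return {
        "enhanced_tracing_off": tracing_off,   # check the "enable enhance tracing" value
        "devicedna_unused": DEVICEDNA <= empty and not tracing_off,
        "unexplained_empty": sorted(empty - ENHANCED - DEVICEDNA),  # investigate these
    }

def _line(values):
    return " | ".join(values.get(c, "") for c in COLUMNS)

# Constructed sample exports: core columns filled with placeholders; the second
# export adds the article's SAML sample values but no DeviceDNA data.
_CORE = {c: "x" for c in COLUMNS if c not in ENHANCED | DEVICEDNA}
_CORE.update(sm_username="smuser1", sm_clientip="203.0.113.10", sm_status="Success")
_SAML = dict(_CORE, sm_assertion_issuerid="demolab", sm_assertion_versionid="SAML 2.0",
             sm_assertion_statuscode="urn:oasis:names:tc:SAML:2.0:status:Success",
             sm_assertion_claims="uid=smuser1;givenname=smuser1")
_SAML.update({c: "set" for c in ENHANCED if c not in _SAML})
TRACING_DISABLED = "\n".join([" | ".join(COLUMNS), _line(_CORE), _line(_CORE)])
TRACING_ENABLED = "\n".join([" | ".join(COLUMNS), _line(_SAML), _line(_SAML)])
```

Run `diagnose(parse_export(text))` on your own export; an `unexplained_empty` list that is not empty points at a column the Enhanced Audit Tracing setting does not account for.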