The SiteMinder Policy Server can be configured to record user audit data either to a text file (smaccess.log) stored locally on the Policy Server or to an ODBC Audit Store database.
Using the 'smauditimport' tool, the 'smaccess.log' files can be imported into an ODBC Audit Store manually, or the import can be automated with a custom script.
The "smauditimport" tool imports the SiteMinder Policy Server audit logs from a text file into the ODBC Audit Store.
Windows (Default): C:\{home_policy_server}\bin\smauditimport.exe
Linux (Default): /{home_policy_server}/bin/smauditimport
Usage: smauditimport <filename> <DSN> <username> <password> -a<1|2|3>-vfb <bulkloadsize> -s5|6
filename : Full path to the log file you want to import.
DSN : Data Source Name.
username : DB user name.
password : DB password.
-a<n> : audit mode schema to use for upload. -a<1|2|3|4>. (This value is
synchronized with "Enable Enhance Tracing" registry on the Policy Server.)
1 – Enables enhanced auditing
2 – Logs assertion attributes
3 – Logs assertion attributes and the authentication method that authenticates a user accessing a resource.
4 – Logs assertion attributes, the authentication method, and Enhanced Session Assurance with DeviceDNA™ information
-v : (optional) verify
-f : (optional) force
-s : (optional) schema version, Please type '-s5' Or '-s6'.
-b <bulkloadsize> : (optional) number of records to bulk insert at a time.
Default is 100
To illustrate:
c:\> smauditimport c:\smaccess.log "SM SQL Server Wire DS" dbuser dbpassword -a3 -v -s6
Pre-Requisites:
The characters '[', ']', or '\' appearing in a field in the Policy or User Store must be preceded by the escape character '\' (backslash).
These characters appear when they have been used in fields such as username, realm name, and so on.
Set the following registry key to escape these characters automatically:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LogConfig
Value Type: DWORD VALUE
Value Name: EscapeAuditFields
Value Data: 1
Note:
By default, the SiteMinder Policy Server writes only a limited subset of fields to the text file, compared with the fields written when auditing directly to the ODBC Audit Store.
To increase the number of fields written to the text audit log (smaccess.log) so that they match the fields in the ODBC audit store, enable enhanced audit tracing on the Policy Server where the audit text files are being written (1)(2).
The <username> and <password> arguments are mandatory and must be passed in the command.
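One way to write the custom import script mentioned at the top of this article, as an added example that is not vendor code: it validates the option values against the usage text, passes the arguments in the documented order, and imports each rotated log only once. The SMAUDITIMPORT and SM_AUDIT_* variables, the function names, the smaccess.log.* rotation pattern and the .done marker files are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. Hypothetical names: the SMAUDITIMPORT and
# SM_AUDIT_* variables, the functions, the smaccess.log.* rotation pattern
# and the <file>.done marker convention.
SMAUDITIMPORT="${SMAUDITIMPORT:-smauditimport}"   # full path to the tool

# Reject option values outside the ranges the usage text lists.
validate_opts() {   # validate_opts <audit_mode> <schema> <bulk_size>
  case "$1" in 1|2|3|4) ;; *) echo "audit mode must be 1-4" >&2; return 2 ;; esac
  case "$2" in 5|6) ;; *) echo "schema version must be 5 or 6" >&2; return 2 ;; esac
  case "$3" in ''|*[!0-9]*|0) echo "bulk size must be a positive integer" >&2; return 2 ;; esac
}

# Import one file. Argument order follows the usage line: filename, DSN,
# username, password, then options (-a, -v, -s as in the page's example).
# The tool takes the password as an argument, so it is readable in the process
# list during the run; keep it in the environment, not in the script.
import_log() {      # import_log <file> <audit_mode> <schema> [bulk_size]
  local file="$1" mode="$2" schema="$3" bulk="${4:-100}"
  validate_opts "$mode" "$schema" "$bulk" || return 2
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 3; }
  if [ -z "$SM_AUDIT_DSN" ] || [ -z "$SM_AUDIT_USER" ] || [ -z "$SM_AUDIT_PASS" ]; then
    echo "DSN, username and password are mandatory" >&2; return 4
  fi
  "$SMAUDITIMPORT" "$file" "$SM_AUDIT_DSN" "$SM_AUDIT_USER" "$SM_AUDIT_PASS" \
    "-a$mode" -v "-s$schema" -b "$bulk"
}

# Import each rotated log in a directory once; the marker file makes reruns
# skip logs that were already loaded, so records are not inserted twice.
import_all() {      # import_all <dir> <audit_mode> <schema> [bulk_size]
  local dir="$1" f failed=0
  for f in "$dir"/smaccess.log.*; do
    [ -f "$f" ] || continue
    case "$f" in *.done) continue ;; esac
    [ -e "$f.done" ] && continue
    if import_log "$f" "$2" "$3" "${4:-100}"; then
      : > "$f.done"
    else
      failed=$((failed + 1))
    fi
  done
  [ "$failed" -eq 0 ]
}
```

Source the file from a scheduled job after exporting SM_AUDIT_DSN, SM_AUDIT_USER and SM_AUDIT_PASS, then call import_all with the log directory, the audit mode that matches the Policy Server setting, and the schema version.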