How to log AdminUI activity to the Policy Server smaccess.log

Article ID: 98031


Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On
  • SITEMINDER

Issue/Introduction

 

The AdminUI by default logs events to the /audit/ folder as txn, audit, and access XPS txt files.

However, there is no easy way to correlate the username to the OID/XID change.

One option is to put this data into an audit database and use a Report Server to generate reports of these events, but the Report Server is no longer available.

With a few modifications, the same data can be written out to the smaccess.log for easier parsing.

 

Resolution

 

Step 1 - Enable the Enhanced Tracing registry entry

Edit the SiteMinder registry at this location:

  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports

   Create this REG_DWORD entry:
   Enable Enhance Tracing= 1

Step 2 - Enable Audit Logging for SM Objects

  Open XPSConfig
    Enter "SM"
       Enter the number listed for LogObj
         Enter "C" to change value
           Enter "Q" until you exit XPSConfig

Step 3 - Enable SM Logging for Administrators

  Open the SmConsole (click OK for warning message)
    Go to the Logs tab
       Under Policy Server Audit Log section
         Select "Log All Events" for Administrator Access Events


Step 4 - Restart the Policy Server to pick up changes

Results - Example of Agent creation, modification, and deletion by the siteminder user

[Agent][Create][][servername][28/Jun/2018:17:09:38 -0500][][][siteminder][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][agent2][01-aa1526e0-a780-4898-8fec-de3e6be6dbc5][]

[Agent][Update][][servername][28/Jun/2018:17:10:28 -0500][][][siteminder][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][agent1][01-728c847d-5046-4c79-93ad-5fc76606a598][]

[Agent][Delete][][servername][28/Jun/2018:17:10:45 -0500][][][siteminder][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][agent1][01-728c847d-5046-4c79-93ad-5fc76606a598][]
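
The records above can be parsed to tie each change to the administrator who made it. The following is an added example, not part of the original article or of the product: it assumes the field positions inferred from the three sample records (object type, action, timestamp and username counted from the start; object name and object OID counted from the end), and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the three records shown in the Results section above.
SAMPLE = """\
[Agent][Create][][servername][28/Jun/2018:17:09:38 -0500][][][siteminder][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][agent2][01-aa1526e0-a780-4898-8fec-de3e6be6dbc5][]
[Agent][Update][][servername][28/Jun/2018:17:10:28 -0500][][][siteminder][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][agent1][01-728c847d-5046-4c79-93ad-5fc76606a598][]
[Agent][Delete][][servername][28/Jun/2018:17:10:45 -0500][][][siteminder][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][agent1][01-728c847d-5046-4c79-93ad-5fc76606a598][]
"""

FIELD = re.compile(r"\[([^\[\]]*)\]")
CHANGE_ACTIONS = {"Create", "Update", "Delete"}

def parse_line(line):
    """Return a dict for an object-change record, or None for any other line."""
    fields = FIELD.findall(line)
    # Positions are inferred from the sample records, not from product docs:
    # 0=object type, 1=action, 4=timestamp, 7=admin user; the object name and
    # object OID are the third- and second-from-last fields.
    if len(fields) < 11 or fields[1] not in CHANGE_ACTIONS:
        return None
    try:
        when = datetime.strptime(fields[4], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None  # malformed timestamp: skip rather than guess
    return {"object_type": fields[0], "action": fields[1], "time": when,
            "admin": fields[7], "object_name": fields[-3],
            "object_oid": fields[-2]}

def changes_by_object(lines):
    """Map object OID -> time-ordered list of (time, admin, action, name)."""
    history = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["object_oid"]:
            history[rec["object_oid"]].append(
                (rec["time"], rec["admin"], rec["action"], rec["object_name"]))
    for events in history.values():
        events.sort(key=lambda e: e[0])
    return dict(history)

if __name__ == "__main__":
    for oid, events in changes_by_object(SAMPLE.splitlines()).items():
        for when, admin, action, name in events:
            print(f"{when.isoformat()}  {admin}  {action}  {name}  ({oid})")
```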

 

Additional Information

 

Important Information

  • The Step 2 modification will trigger a warning message:

    Logging of admin change to Policy Store should not be enabled. XPSAudit would log it. Please check the Logs tab.

  • Steps 2 and 3 will cause duplication as events are logged into the smaccess.log and /audit/ files.

  • The granularity of this auditing is limited. It shows the creation, update, and deletion of a specific Object ID, but it does not tell you what specifically was changed (for instance, whether the Description was changed, or which setting was changed), only that a change was made to the object.