Administering AuditMaster
A Walk-through of Administrative Tasks
As an administrator, you will perform certain tasks to define how AuditMaster operates. As with adding audit configurations, the menu commands for these tasks are available only to users with administrative rights.
Adding and Removing Servers
In AuditMaster, a server is a PSQL server on which an AuditMaster event handler is running. The file amserver contains the server connection settings used by AuditMaster. This file is typically located on the server in the data folder of the AuditMaster installation directory.
This section provides instructions for the following topics:
Adding a Server
When you add an AuditMaster server, you enable the AuditMaster Viewer client to connect to an AuditMaster server either on the local system or elsewhere on the network. You can add any AuditMaster server to which you have network access and file permissions.
1.
2. From AuditMaster Viewer, select Server > Add to open a Windows Explorer dialog to select an AuditMaster server.
3. Enter the path to the file amserver to read the settings for the AuditMaster server to which you want to make a client connection.
In a default installation this path is \\server\PVSWAUDIT$\DATA\amserver, where server is the name of the PSQL system with the database to be monitored. Note that a share name other than PVSWAUDIT$ may have been chosen.
4. Click Open.
The server you selected is added to the data tree.
Depending on your system and network, the name may be the machine name or the path to the amserver file. To change the name to suit your needs, see To edit a server description.
Note If your client cannot connect successfully to the AuditMaster server, you may receive a –108 error message. The cause may be a faulty network mapping or other network problem. It may also involve a license key with too low a user count. See Authorization License.
5. Right-click a server configuration and select Login, or double-click it.
6.
Note The built-in user ID admin has the default password MASTER. Passwords are case-sensitive, but user names are not. To change this password, see Changing Your User Password. For information on the relationship between AuditMaster logins and database and Windows logins, see Displaying Audit Records under PSQL Security.
The listed server is now ready for monitoring.
Editing the Server Description
When a server is added for monitoring, its default name in the data tree uses the path name to the Data folder in the AuditMaster home directory. If needed, you can assign a more meaningful name.
Note Data tree names have no effect on network names.
1.
2.
3.
The server icon in the data tree has the new name.
Removing a Server
When you remove a server connection from an AuditMaster viewer client data tree, the client no longer has access to that server. However, auditing continues on the server, and existing audit records, users, and settings remain because the server is where they are stored. If you add the server connection again, everything that was present before is redisplayed in the data tree.
1.
A dialog box prompts you to confirm the removal.
2. Select Yes to remove the server.
The server is removed from the data tree.
Replacing the Network Share with a Local Path
AuditMaster installs a hidden network share to enable remote client access for AuditMaster Viewer from other systems. If for security reasons you would like to disable the network share to block remote access, you can replace it with an explicit local path after AuditMaster installation. This replacement can be done only on the server where AuditMaster is installed, not from a remote client. No existing audit records are affected, but auditing must stop momentarily when you restart the event handler to complete the share removal process.
Note Removing the network share will prevent remote access by all AuditMaster Viewer clients to the AuditMaster system. Be sure that you want to remove it.
1.
The AuditMaster window appears, listing servers available for monitoring.
2. Right-click a server configuration and select Login, or double-click the server name.
3.
Note The built-in user ID admin has the default password MASTER. Passwords are case-sensitive; user names are not. To change this password, see Changing Your User Password. For information on the relation of AuditMaster logins to database and OS logins, see Displaying Audit Records under PSQL Security.
4. Select Admin > Server Settings.
The Server Settings dialog box appears. On the left, the AMmon path settings are at the top of the list and are already highlighted.
5. Change the highlighted AMmon path value from \\server\PVSWAUDIT$ to drive:\PSQL root directory\Audit, where server is the name of the system on which the PSQL server and the AuditMaster event handler are installed, and drive and PSQL root directory are, respectively, the local drive letter and the path to the AuditMaster directory selected at installation time.
In this example, the result would resemble the following:
6.
The dialog box displays the values on the right.
7. Change the status log file setting to drive:\PSQL root directory\Audit\data\amstatus.log.
The result might resemble the following:
8.
The system displays a prompt to restart the event handler.
9. Click OK.
Do not restart the event handler yet. You will do that later in this task. If needed, see Restarting the AuditMaster Event Handler.
10. Select Server > Add to open a dialog to browse to the amserver file.
11. Using the new path value you chose, enter drive:\PSQL root directory\Audit\DATA to navigate to the location of the amserver file that contains the settings you have just changed.
12. Select the file amserver, and click Open.
Based on the new server settings you have entered, the new server appears in AuditMaster Viewer.
13.
14. Click Yes to confirm its removal from the list. The status field at the bottom of the main window indicates no server is active.
15.
In order to remove the network share, the AuditMaster and PSQL services must not be running.
16.
17.
18. In Windows Explorer, open the folder drive:\PSQL root directory.
19.
20.
21. Select Do not share this folder, and click OK to delete the share and close the Properties window.
22.
23.
24. In the AuditMaster Viewer window, right-click the server and select Login, or double-click the server name.
25.
Note The built-in user ID admin has the default password MASTER. Passwords are case-sensitive, while user names are not. To change this password, see Changing Your User Password. For information on the relation of AuditMaster logins to database and OS logins, see Displaying Audit Records under PSQL Security.
The new AuditMaster server is now ready to operate without a network share. Other server settings are unchanged, and previously captured audit records remain in the system. Only the means by which the viewer client connects has changed.
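The following PowerShell script is an added example, not part of AuditMaster or its documentation. Run it on the AuditMaster server after completing the procedure above to confirm that the hidden share is really gone, that no other share still exposes the Audit directory, and that the local files the edited server settings point to exist. It assumes the default share name PVSWAUDIT$ from this page and uses a placeholder for drive:\PSQL root directory\Audit; it needs the SmbShare module (Windows 8 / Windows Server 2012 or later).

```powershell
# Added example; not AuditMaster tooling. Verifies the outcome of the
# "Replacing the Network Share with a Local Path" procedure.
$ShareName = 'PVSWAUDIT$'        # default share name from the documentation; change if another was chosen
$AuditRoot = 'C:\PSQL\Audit'     # placeholder for drive:\PSQL root directory\Audit

# 1. The hidden share must no longer be published.
$share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if ($null -eq $share) {
    Write-Output "OK: share $ShareName is not published."
} else {
    Write-Warning "Share $ShareName still exists and exposes $($share.Path); repeat the 'Do not share this folder' step."
}

# 2. No other share should expose the Audit directory or anything beneath it,
#    otherwise remote Viewer clients could still reach amserver under another name.
$leaks = Get-SmbShare | Where-Object { $_.Path -and ($_.Path -like "$AuditRoot*") }
if ($leaks) {
    $leaks | ForEach-Object { Write-Warning "Share $($_.Name) still exposes $($_.Path)" }
} else {
    Write-Output "OK: no share exposes $AuditRoot."
}

# 3. The local files the new AMmon and status log settings point to must exist,
#    or Server > Add will not find amserver and the event handler cannot log status.
foreach ($f in @("$AuditRoot\data\amserver", "$AuditRoot\data\amstatus.log")) {
    if (Test-Path -LiteralPath $f) {
        Write-Output "present: $f"
    } else {
        Write-Warning "missing: $f"
    }
}
```

Administrative shares such as C$ are not flagged by check 2 because their path is the drive root; they are unaffected by this procedure and remain reachable to local administrators exactly as before.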
Reviewing System Activity in the Status Log
AuditMaster Status Log Viewer displays the activity logging that the system performs on itself. It provides a list of status messages and internal errors generated by AuditMaster operations. In a development environment, it also can be configured to capture messages for debugging purposes.
1. In AuditMaster Viewer, select Admin > View Status Log.
Alternatively, open the Status Log Viewer from the operating system Start menu or Apps screen, or from the installation location (the default is C:\<installation directory>\Audit\Data). This method is especially useful when the viewer is not responding because of a system problem, such as a full disk.
The Status Log Viewer window displays several types of messages. Normally, these are all status messages to provide information on current system operation.
2. If needed, set filter options to display only the status records you want. The Clear Fields button allows you to start over on most fields. The filtering options are given in the following list:
For example, the text string archiv will display only status records related to AuditMaster archived files.
Selecting for exact text requires that the Message Content field contain the entire text string for the search. If you are searching for partial text strings, leave this check box cleared.
3.
The viewer refreshes with only the records you wish to see.
4.
For example, use the SHIFT key to select both the Date and Time columns to order the records chronologically.
5.
The viewer refreshes by sorting the records displayed.
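As an added example (not part of AuditMaster), the script below reads amstatus.log directly, which is the fallback the section above describes for when the Status Log Viewer cannot run, and applies a Message Content style partial-text filter to the newest records. Because the record format of amstatus.log is not documented on this page, each line is treated as one record. The log path is a placeholder for drive:\PSQL root directory\Audit\data\amstatus.log, and the function names are this example's own.

```powershell
# Added example; not AuditMaster tooling.
function Get-AmStatusRecords {
    param(
        [string] $LogPath = 'C:\PSQL\Audit\Data\amstatus.log',   # placeholder path
        [string] $MessageContent = '',   # e.g. 'archiv' to see archiving-related records
        [int]    $Tail = 200             # newest records only; the log can be large
    )
    if (-not (Test-Path -LiteralPath $LogPath)) { throw "Status log not found: $LogPath" }

    $records = Get-Content -LiteralPath $LogPath -Tail $Tail
    if ($MessageContent -ne '') {
        # Partial-text match, like the viewer with the exact-text box cleared:
        # case-insensitive substring, so 'archiv' also finds 'archived'.
        $records = $records | Where-Object {
            $_.IndexOf($MessageContent, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        }
    }
    $records
}

function Get-AmLogVolumeFreeBytes {
    param([string] $LogPath = 'C:\PSQL\Audit\Data\amstatus.log')   # placeholder path
    # A full volume is one reason the viewer stops responding, so report free
    # space on the drive that holds the log alongside the records themselves.
    $driveName = [System.IO.Path]::GetPathRoot($LogPath).TrimEnd('\', ':')
    (Get-PSDrive -Name $driveName).Free
}

# Usage: the newest 500 records that mention archiving, then free space on the log volume.
Get-AmStatusRecords -MessageContent 'archiv' -Tail 500
"Free bytes on log volume: {0:N0}" -f (Get-AmLogVolumeFreeBytes)
```

Run it from an elevated PowerShell session on the server so that the Data folder is readable even when the Viewer itself cannot start.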
Maintaining Users
As part of AuditMaster security, only trusted personnel are allowed access to the AuditMaster system. As administrator, you must define user names and provide a password for each user. You must also decide whether each user should have the same administrator privileges that you have.
This section covers tasks done in the User Maintenance window.
To create a user
1. Select Admin > User Maintenance.
The User Maintenance window appears.
2.
3. Click Create User.
4.
The new user appears in the list of current users.
To delete a user
1. Select Admin > User Maintenance.
The User Maintenance window appears.
2.
3. Click Delete User.
4.
The user is removed from the list.
Setting the Audit Filter
The trusted list restricts auditing by stopping capture of audit records of low value, such as monitoring of system or batch processes that represent no direct access by human users.
Once a name is listed as trusted, the system ignores it globally and logs no activity for that name for any audit configuration.
To add a name to the trusted list
1. Select the Admin > Audit Filter > Trusted List command.
The Trusted List window appears.
2.
The Add button becomes active.
3. Click the Add button.
The name you entered moves to the Users list.
4. Click Close.
5.
To remove names from the trusted list
1. Select the Admin > Audit Filter > Trusted List command.
The Trusted List window appears.
2.
The Delete button becomes active.
3. Click the Delete button.
Your selections are removed from the trusted list.
4. Click Close.
5.
Maintaining Server Settings
The Server Settings window displays AuditMaster system settings. You can open it using the Admin > Server Settings command.
The window offers groups of settings. As shown in the following table, some of the settings can be changed, although in most cases this is not needed, and in some instances not recommended.
After a change is made to any of these settings except for automated archiving, you must restart the event handler to activate the new setting. See Restarting the AuditMaster Event Handler.
Archives to Keep: Used with Automated Archiving settings. By default, the value is –1, which means that the system does not monitor the number of archived files. If the value is greater than zero, then the system retains only that number of the most recent files and deletes the older ones. See Archives to Keep.
Archive Disk Limit: Used with Automated Archiving settings. By default, the value is –1, which means that the system does not monitor the total size of all archived files. If the value is greater than zero bytes, then the system retains only the most recent files for which the total size is less than or equal to this number of bytes and deletes the older files. See Archive Disk Limit.
A list of file types to monitor, separated by blanks. Default is btrv, the only allowed value in the current release.
Automated Archiving
The Automated Archiving section offers options for configuring the audit record archiving.
By default, AuditMaster automatically moves audit records to an archived file when the audit records in the log file reach 75 MB. However, in the Automated Archiving section of Server Settings, you can change this default size, choose to archive by date, or use a combination of the two.
If you select the check boxes for both By Date and Time and By Size Threshold, then whichever condition occurs first will prompt the system to create an archived file and reset the log file to empty.
If you clear the By Size Threshold setting and choose only By Date and Time, the system still uses a 2 GB size threshold. If the date and time you select has not occurred and the log file size reaches 2 GB, the system will automatically archive, then when the date and time arrive, it will archive again.
Archives to Keep
The AMmon Settings section offers one settable value, Archives to Keep. By default, the value is –1, which means that the system does not monitor the number of archived files. If the value is greater than zero, then the system retains only that number of the most recent files and deletes the older ones.
After a change is made, you must restart the event handler to activate the new setting. If needed, see Restarting the AuditMaster Event Handler.
Caution Use of this setting may lead to unintentional loss of archived audit records. Be sure to consider the possible situations when it may be undesirable to delete archived files automatically.
Archive Disk Limit
The Common Settings section offers one settable value, Archive Disk Limit. By default, the value is –1, which means that the system does not monitor the total size of all archived files. If the value is greater than zero bytes, then the system retains only the most recent files for which the total size is less than or equal to this number of bytes and deletes the older files.
After a change is made, you must restart the event handler to activate the new setting. If needed, see Restarting the AuditMaster Event Handler.
Caution Use of this setting may lead to unintentional loss of archived audit records. Be sure to consider the possible situations when it may be undesirable to delete archived files automatically.
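Because both Archives to Keep and Archive Disk Limit delete archived audit records once enabled, the following added example (not AuditMaster code) performs a dry run of the two rules as described in the sections above: –1 leaves a rule unapplied, a count greater than zero keeps only that many of the most recent archives, and a byte limit greater than zero keeps only the most recent archives whose total size stays at or below the limit. Where both are set, the script keeps only files that satisfy both rules; that combination, the archive directory, and the assumption that every file in it is an archive are this example's own and are not stated on the page.

```powershell
# Added example; not AuditMaster tooling. Reports which archived files the
# retention settings would delete without deleting anything.
function Get-ArchivePruneCandidates {
    param(
        [Parameter(Mandatory)] [string] $ArchiveDir,   # placeholder: folder holding the archived files
        [long] $ArchivesToKeep   = -1,                 # -1 = not monitored (the default)
        [long] $ArchiveDiskLimit = -1                  # bytes; -1 = not monitored (the default)
    )
    if (-not (Test-Path -LiteralPath $ArchiveDir)) { throw "Archive directory not found: $ArchiveDir" }

    # "Most recent" first; every file in the folder is treated as an archive (assumption).
    $files = @(Get-ChildItem -LiteralPath $ArchiveDir -File | Sort-Object LastWriteTime -Descending)

    $keptByCount = @{}
    $keptBySize  = @{}
    $running = [long]0
    for ($i = 0; $i -lt $files.Count; $i++) {
        $f = $files[$i]
        # Count rule: the first N newest files survive.
        if ($ArchivesToKeep -le 0 -or $i -lt $ArchivesToKeep) { $keptByCount[$f.FullName] = $true }
        # Size rule: newest files survive while their cumulative size stays within the limit.
        $running += $f.Length
        if ($ArchiveDiskLimit -le 0 -or $running -le $ArchiveDiskLimit) { $keptBySize[$f.FullName] = $true }
    }

    foreach ($f in $files) {
        $reasons = @()
        if (-not $keptByCount.ContainsKey($f.FullName)) { $reasons += "exceeds Archives to Keep ($ArchivesToKeep)" }
        if (-not $keptBySize.ContainsKey($f.FullName))  { $reasons += "exceeds Archive Disk Limit ($ArchiveDiskLimit bytes)" }
        $action = if ($reasons.Count -gt 0) { 'WOULD DELETE' } else { 'keep' }
        [pscustomobject]@{
            File      = $f.Name
            Modified  = $f.LastWriteTime
            SizeBytes = $f.Length
            Action    = $action
            Reason    = ($reasons -join '; ')
        }
    }
}

# Usage: evaluate keeping 10 archives and at most 5 GB before changing Server Settings.
Get-ArchivePruneCandidates -ArchiveDir 'C:\PSQL\Audit\Data' -ArchivesToKeep 10 -ArchiveDiskLimit 5GB |
    Format-Table -AutoSize
```

Run the dry run before enabling either setting and again whenever the values are tightened; any file listed as WOULD DELETE that is still needed for an investigation or retention obligation should be copied to separate storage first, since the event handler will remove it once the new setting is active.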
Errors to Audit
The Errors to Audit group sets the Microkernel Engine status codes to log as audit events.
After AuditMaster installation, a default set of status codes is already selected for logging:
After a change is made, you must restart the event handler to activate the new setting. If needed, see Restarting the AuditMaster Event Handler.
Operations to Audit Globally
The Operations to Audit window offers the same type of settings as the Operations to Audit button in the Audit Configuration window.
The difference is that in Server Settings the options are global for any file in an audit configuration, while in the Audit Configuration window, the button allows you to set operations to audit for individual files.
At installation time, the AuditMaster defaults in this window include all operations except Read. If you select different options, they become the new defaults for any file you add to an audit configuration group. Operations to audit set for files added earlier are not affected unless you click the Apply to All Files button.
Finally, if any file is removed from a group and then added again, its operations to audit settings default to the current selections in this window.
For information on individual file settings, see Operations to Audit by File.
After a change is made, you must restart the event handler to activate the new setting. If needed, see Restarting the AuditMaster Event Handler.
Note In a PSQL database, when the client-side cache engine is turned on, the cache engine reads an entire database page after 8 consecutive reads in anticipation of more reads. The records in the database page read by the cache engine are not audited by the event handler on the server. If auditing requires that every read be captured, verify that the setting is off. However, lack of engine caching can reduce database performance. The behavior occurs only when the threshold of 8 consecutive reads is reached. If 7 reads are followed by an update, no caching occurs and all 7 reads are captured. In PSQL Control Center, expand Local Client, right-click MicroKernel Router, and select Properties, then click Performance tuning to see the setting Use Cache Engine. By default, the setting is off.