IBM Support

Netcool/OMNIbus ObjectServer Audit Triggers

Technical Blog Post



The ‘audit_config’ triggers have always been part of the default ObjectServer automations and can be useful when there is a requirement to keep an audit trail of changes made to the Netcool/OMNIbus ObjectServer.

 

By default, these out-of-the-box triggers are turned OFF. When they are turned ON, they create new synthetic events that are added to the alerts.status table. All the information about who did what, and when it was done, is captured in the Summary field of the alert.

 

The audit alerts have the following default attributes:

  • Summary:       Description of change (who, what and when)
  • AlertGroup:     ObjectAudit
  • Manager:        SystemWatch
  • ExpireTime:     never

More information about the signals and their attributes that fire the audit triggers can be found here.

 

Below are some sample alert Summaries showing that the entire trigger group has been enabled. User ‘super’ is created and assigned to the ‘System’ group by the ‘root’ user. In turn, user ‘super’ then creates 2 other users, ‘adam’ and ‘norman’, and assigns them to the ‘Administrator’ and ‘Normal’ groups respectively:

 

ALTER TRIGGER GROUP audit_config on ObjectServer NCOMS running on devtest42.hursley.ibm.com. Altered by user root at Tue Jun 21 14:39:38 2016 on host devtest42.hursley.ibm.com

CREATE USER super on ObjectServer NCOMS running on devtest42.hursley.ibm.com. Created by user root at Tue Jun 21 14:39:38 2016 on host devtest42.hursley.ibm.com

ALTER GROUP System on ObjectServer NCOMS running on devtest42.hursley.ibm.com. Altered by user root at Tue Jun 21 14:39:38 2016 on host devtest42.hursley.ibm.com

CREATE USER norman on ObjectServer NCOMS running on devtest42.hursley.ibm.com. Created by user super at Tue Jun 21 14:39:38 2016 on host devtest42.hursley.ibm.com

CREATE USER adam on ObjectServer NCOMS running on devtest42.hursley.ibm.com. Created by user super at Tue Jun 21 14:39:38 2016 on host devtest42.hursley.ibm.com

ALTER GROUP Administrator on ObjectServer NCOMS running on devtest42.hursley.ibm.com. Altered by user super at Tue Jun 21 14:39:38 2016 on host devtest42.hursley.ibm.com

ALTER GROUP Normal on ObjectServer NCOMS running on devtest42.hursley.ibm.com. Altered by user super at Tue Jun 21 14:39:38 2016 on host devtest42.hursley.ibm.com

 

Enabling audit triggers

The online documentation for Tivoli Netcool/OMNIbus contains the full list of default audit_config triggers.

You can turn on the entire audit_config trigger group via the Administrator GUI.

Or you could use the SQL interactive interface command-line utility provided with Tivoli Netcool/OMNIbus to issue the following SQL command to the ObjectServer:

alter trigger group audit_config set enabled true;

 

Tracking changes to ObjectServer internal objects

It may be that only the triggers that track changes to internal objects within the ObjectServer itself, such as tables, users and views, are worth turning on. These are the following triggers:

  • audit_config_alter_object
  • audit_config_create_object
  • audit_config_drop_object

All the other audit_config triggers can then be turned off, as shown in the following SQL script:

 

alter trigger group audit_config set enabled true;
alter trigger audit_config_create_menu set enabled false;
alter trigger audit_config_alter_menu set enabled false;
alter trigger audit_config_drop_menu set enabled false;
alter trigger audit_config_create_conv set enabled false;
alter trigger audit_config_alter_conv set enabled false;
alter trigger audit_config_drop_conv set enabled false;
alter trigger audit_config_create_col_visual set enabled false;
alter trigger audit_config_alter_col_visual set enabled false;
alter trigger audit_config_drop_col_visual set enabled false;
alter trigger audit_config_create_tool set enabled false;
alter trigger audit_config_alter_tool set enabled false;
alter trigger audit_config_drop_tool set enabled false;
alter trigger audit_config_create_prompt set enabled false;
alter trigger audit_config_alter_prompt set enabled false;
alter trigger audit_config_drop_prompt set enabled false;
go

 

Filter out some internal objects

Some client applications that connect to the ObjectServer may be constantly creating and destroying transient objects such as views. It may be that such objects are not worth keeping an audit trail of and we’d like to alter the triggers to filter them out. We could make use of the objecttype attribute of the create_object/alter_object/drop_object signal of the trigger.

The default audit_config_create_object trigger could then be replaced with a custom trigger as in the following example:

 

--
-- Create an alert indicating that an object has been created
--

-- Disable the default trigger
alter trigger audit_config_create_object set enabled false;
go

-- Create a custom trigger
create or replace trigger custom_audit_config_create_object
group audit_config
enabled true
priority 1
comment 'Create an alert indicating that an object has been created'
on signal create_object
begin
        -- Filter out 'views' from audit trail
        if (%signal.objecttype = 'CREATE VIEW') then
            cancel;
        end if;

        insert into alerts.status (
            Identifier, Summary, Node, Manager, Severity,
            FirstOccurrence, LastOccurrence, AlertGroup, AlertKey, OwnerUID
        ) values (
            %signal.objecttype+%signal.name+'@'+%signal.node+to_char(getdate()),
            %signal.objecttype+' '+%signal.name+' on ObjectServer '+%signal.server+' running on '+%signal.node+'. Created by user '+%signal.username+' at '+to_char(%signal.at)+' on host '+%signal.hostname,
            %signal.node, 'SystemWatch', 2,
            %signal.at, %signal.at, 'ObjectAudit', %signal.name, 65534
        );
end;
go

 

Do the same for the default audit_config_alter_object and default audit_config_drop_object triggers. Refer to "System signals and their attributes" for more details.

The default code for these triggers can be found in the automation.sql file that is shipped with the OMNIbus installation in the $NCHOME/omnibus/etc directory.

 

View the audit alerts

To create a special view of all audit alerts, one could filter them using:

 

AlertGroup = 'ObjectAudit' and Manager = 'SystemWatch'

 

Searching for specific audit events

It is easy to search for some specific action by filtering the alerts on the ‘Summary’ field.

For example, to find all actions that were done by a user called ‘jack’, run the following query:

select Summary from alerts.status where Summary like '.*jack.*';
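
The Summary layout shown in the sample alerts can also be parsed outside the ObjectServer, which separates the user who made a change from a name that merely appears in the text (the regular-expression match above also returns alerts about an object called 'jack'). The following Python is an added example, not part of the original post or of Netcool/OMNIbus; the function names, the watched groups and the trusted-user list are assumptions, and the last two sample lines are constructed.

```python
import re
from datetime import datetime

# Layout taken from the sample Summary values shown on this page.
SUMMARY_RE = re.compile(
    r"^(?P<action>[A-Z]+(?: [A-Z]+)+) (?P<name>\S+) on ObjectServer (?P<server>\S+)"
    r" running on (?P<node>\S+)\. \w+ by user (?P<user>\S+)"
    r" at (?P<at>.+?) on host (?P<host>\S+)$"
)

def parse_summary(summary):
    """Split one audit Summary into fields; return None if it does not match."""
    m = SUMMARY_RE.match(summary.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["at"] = datetime.strptime(event["at"], "%a %b %d %H:%M:%S %Y")
    return event

def actions_by(summaries, user):
    """Events where `user` is the actor, not merely mentioned in the text."""
    events = (parse_summary(s) for s in summaries)
    return [e for e in events if e and e["user"] == user]

def privileged_group_changes(summaries, groups, trusted):
    """ALTER GROUP events on watched groups made by users outside `trusted`."""
    events = (parse_summary(s) for s in summaries)
    return [e for e in events
            if e and e["action"] == "ALTER GROUP"
            and e["name"] in groups and e["user"] not in trusted]

_TAIL = " at Tue Jun 21 14:39:38 2016 on host devtest42.hursley.ibm.com"
_SRV = " on ObjectServer NCOMS running on devtest42.hursley.ibm.com. "
# First three lines follow the page's samples; the last two are constructed.
SAMPLES = [
    "CREATE USER super" + _SRV + "Created by user root" + _TAIL,
    "ALTER GROUP System" + _SRV + "Altered by user root" + _TAIL,
    "ALTER GROUP Administrator" + _SRV + "Altered by user super" + _TAIL,
    "CREATE USER jack" + _SRV + "Created by user super" + _TAIL,
    "ALTER GROUP Normal" + _SRV + "Altered by user jack" + _TAIL,
]

if __name__ == "__main__":
    for e in actions_by(SAMPLES, "jack"):
        print(e["at"].isoformat(), e["user"], e["action"], e["name"])
    # Assumed policy: only 'root' may change the System or Administrator groups.
    for e in privileged_group_changes(SAMPLES, {"System", "Administrator"}, {"root"}):
        print("review:", e["user"], e["action"], e["name"])
```
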

 

Log to an audit file

If the audit department would prefer this type of audit data in a logfile type format, the triggers could easily be altered to log the information to a custom logfile.

The WRITE INTO ObjectServer SQL command is used to write to a file from within a trigger action.

For an example of how this could be done, refer to the profiler_triggers group that is shipped in the default automation.sql file.

 

Conclusion

If an organisation has the requirement to keep a strict audit trail of changes made to its systems, then the standard audit_config triggers included with the ObjectServer could be used as a basis to develop a custom ObjectServer audit trail. There are various ways to customize the audit trail and alternative options for its storage. It all depends on what the particular auditing requirements are for your organisation.

 


UID

ibm11082373