Enabling EGO and SOAM event logging for auditing

By default, auditing of security-sensitive events related to EGO and SOAM services and to host, user, and consumer containers is disabled. A cluster administrator can, however, collect this information to better monitor system security by configuring the ego.conf, egosc_conf.xml, rs.xml, and sd.xml files, as appropriate, to enable the various audit logs.

Before you begin

For multi-host clusters or Linux® installations, you must have previously run egoconfig mghost shared_dir during installation.

About this task

Important: Linux installations require a shared directory. Also, note the following:
  • Audit logs can be enabled independently of each other.
  • For multi-host clusters, configure files from within the shared directory, not the local directory (local directory configurations are ignored). For single-host Windows clusters, you can configure local files.
  • Only primary hosts perform audit logging; compute hosts do not normally have access to the shared locations where configuration files are stored. You never need to enable audit logging on compute hosts.
  • Only events that reach the server side are recorded in the corresponding server's audit log. Events that fail on the client side are not recorded in the server's audit log. For example, when user authentication is enabled with the GSS-Kerberos plug-in, login attempts with a wrong user name or password fail on the client side when the client acquires the TGT from the KDC; such events are not recorded in the server's audit log.

Procedure

  1. To enable logging for auditing of core EGO functions (for example, security):
    1. Open the ego.conf file:
      • On Windows: %EGO_CONFDIR%\ego.conf
      • On Linux: $EGO_CONFDIR/ego.conf
    2. Enable EGO audit logging by adding the following parameter:
      EGO_AUDIT_LOG=Y
    3. Optional: You can also define an audit log directory by configuring the EGO_AUDIT_LOGDIR parameter. This is the default audit log directory location and name:
      • On Windows: EGO_AUDIT_LOGDIR=Installation_top\audits
      • On Linux: EGO_AUDIT_LOGDIR=$EGO_TOP/audits
      Note: You can change the name, but the location must be a shared directory; ensure there are no spaces in the directory name.

      Once defined, the directory is automatically created.

    4. Optional: You can also enable audit logs in the ArcSight CEF (Common Event Format) standard, which provides a specific level of detail so that the logs can be analyzed with ArcSight tools. To enable CEF, set:
      EGO_AUDIT_LOG_CEF=Y
    5. Save and close the file.

      Note that there is no automatic file rollover or audit log cleanup. Ensure that you manually manage the file size (see Configuring EGO audit log rotation).

  2. To enable audit logging for the service controller (for example, to audit the starting and stopping of EGO services):
    1. Open the egosc_conf.xml file:
      • On Windows: %EGO_CONFDIR%\..\..\eservice\esc\conf\egosc_conf.xml
      • On Linux: $EGO_CONFDIR/../../eservice/esc/conf/egosc_conf.xml
    2. Enable the EGO service controller log (egoservice.audit.log) by adding the following element:
      <ESC_AUDIT_LOG>ON</ESC_AUDIT_LOG>
    3. Save and close the file.
  3. To enable audit logging for the repository service:
    1. Open the rs.xml file:
      • On Windows: %EGO_CONFDIR%\..\..\eservice\esc\conf\services\rs.xml
      • On Linux: $EGO_CONFDIR/../../eservice/esc/conf/services/rs.xml
    2. Enable the repository service audit log by adding the following element to the ego:ActivitySpecification sections for all OS types:

      <ego:EnvironmentVariable name="RS_AUDIT_LOG">ON</ego:EnvironmentVariable>

      Note: The default setting is OFF. The setting is case sensitive.
      The RS logs information into the configured audit log directory, as specified by the parameter EGO_AUDIT_LOGDIR defined in ego.conf. If this parameter is not found or defined, the RS logs to this directory:
      • On Windows: Installation_top\audits
      • On Linux: $EGO_TOP/audits
    3. Save and close the file.
    4. Stop the RS service.

      egosh service stop RS

  4. To enable audit logging for the session director:
    1. Open the sd.xml file:
      • On Windows: %EGO_CONFDIR%\..\..\eservice\esc\conf\services\sd.xml
      • On Linux: $EGO_ESRVDIR/esc/conf/services/sd.xml
    2. Set the SD_AUDIT_LOG environment variable to ON and save your changes:
      <ego:EnvironmentVariable name="SD_AUDIT_LOG">ON</ego:EnvironmentVariable>
    3. Save and close the file.
  5. (7.3.2 Fix) To include client host information in the audit log, so that user operations are recorded together with the host that triggered them (especially operations performed through the browser-based cluster management console):
    1. Open the ego.conf file:
      • On Windows: %EGO_CONFDIR%\ego.conf
      • On Linux: $EGO_CONFDIR/ego.conf
    2. Set the EGO_AUDIT_LOG_WITH_HOSTINFO parameter to Y and save your changes:
      EGO_AUDIT_LOG_WITH_HOSTINFO=Y
      Once client host information is enabled in the audit logs, you can verify the setting by creating or deleting a role from the cluster management console (for example, go to System & Services > Users > Roles and create or delete the Guest role).
      Details of the operation, including the requesting host, are logged to the $EGO_TOP/audits/ego.audit.log audit log; for example:
      NOTICE CONFIG Admin ROLE Guest created. DETAIL: [ROLE_NAME] is , [ROLE_DESC] is <>. Request from ABC.ibm.com:9.125.66.199.
      NOTICE CONFIG Admin ROLE Guest deleted. DETAIL: [ROLE_NAME] is . Request from ibm145- ABC.ibm.com:9.125.66.199.
  6. Restart EGO on the primary host.

    egosh ego restart

    EGO restarts any currently stopped services. Changes made to stopped services now take effect.
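The following script is an added example (not IBM tooling) that checks whether all four audit settings from the procedure above are present and enabled before the restart; it assumes ego.conf lives in the first argument and the eservice tree (esc/conf/egosc_conf.xml, esc/conf/services/rs.xml and sd.xml) in the second, and builds a constructed sample tree so it can run stand-alone.

```shell
#!/bin/sh
# Audit-readiness check for the four settings in the procedure above. Added
# example, not IBM tooling. Assumes ego.conf is in $1 and the eservice tree in
# $2 ($2/esc/conf/egosc_conf.xml, $2/esc/conf/services/rs.xml and sd.xml).
# Returns 0 when every setting is present and enabled, 1 otherwise.
check_ego_audit_config() {
  confdir=$1; esrvdir=$2; missing=0
  # EGO_AUDIT_LOG=Y in ego.conf; commented-out lines do not count
  grep -q '^[[:space:]]*EGO_AUDIT_LOG=Y[[:space:]]*$' "$confdir/ego.conf" 2>/dev/null \
    || { echo "ego.conf: EGO_AUDIT_LOG=Y not set"; missing=1; }
  # EGO_AUDIT_LOGDIR, when set, must not contain spaces
  logdir=$(sed -n 's/^[[:space:]]*EGO_AUDIT_LOGDIR=//p' "$confdir/ego.conf" 2>/dev/null)
  case $logdir in *' '*) echo "ego.conf: EGO_AUDIT_LOGDIR contains a space"; missing=1;; esac
  # Service controller element in egosc_conf.xml
  grep -q '<ESC_AUDIT_LOG>ON</ESC_AUDIT_LOG>' "$esrvdir/esc/conf/egosc_conf.xml" 2>/dev/null \
    || { echo "egosc_conf.xml: <ESC_AUDIT_LOG>ON</ESC_AUDIT_LOG> not set"; missing=1; }
  # RS and SD environment variables; the value is case sensitive, so only ON passes
  for svc in RS SD; do
    f=$(echo "$svc" | tr 'A-Z' 'a-z').xml
    grep -q "name=\"${svc}_AUDIT_LOG\">ON</ego:EnvironmentVariable>" \
      "$esrvdir/esc/conf/services/$f" 2>/dev/null \
      || { echo "$f: ${svc}_AUDIT_LOG is not ON"; missing=1; }
  done
  return $missing
}

# Constructed sample tree for a stand-alone run (not a real installation);
# $1 is the value written for RS_AUDIT_LOG. Prints the temp directory path.
make_sample_tree() {
  d=$(mktemp -d); mkdir -p "$d/conf" "$d/eservice/esc/conf/services"
  printf 'EGO_AUDIT_LOG=Y\nEGO_AUDIT_LOGDIR=$EGO_TOP/audits\n' > "$d/conf/ego.conf"
  printf '<ESC_AUDIT_LOG>ON</ESC_AUDIT_LOG>\n' > "$d/eservice/esc/conf/egosc_conf.xml"
  printf '<ego:EnvironmentVariable name="RS_AUDIT_LOG">%s</ego:EnvironmentVariable>\n' \
    "$1" > "$d/eservice/esc/conf/services/rs.xml"
  printf '<ego:EnvironmentVariable name="SD_AUDIT_LOG">ON</ego:EnvironmentVariable>\n' \
    > "$d/eservice/esc/conf/services/sd.xml"
  echo "$d"
}

# Stand-alone demonstration on the constructed tree
demo=$(make_sample_tree ON)
check_ego_audit_config "$demo/conf" "$demo/eservice" && echo "all four audit settings enabled"
rm -rf "$demo"
```

On a real cluster, point the two arguments at the shared directory locations, since local-directory configuration is ignored on multi-host clusters.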