Enabling IBM Spectrum Symphony event logging for auditing

By default, auditing of security-sensitive events related to EGO, SOAM, the cluster management console, hosts, users, and consumers is disabled. A cluster administrator can, however, collect this information to better monitor system security by enabling the relevant logging in the appropriate configuration file (such as ego.conf, egosc_conf.xml, rs.xml, and sd.xml).

Before you begin

For hosts with multiple clusters or Linux® installations, you must have previously run egoconfig mghost shared_dir during installation.

About this task

Important: Linux installations require a shared directory. Also, note the following:
  • Audit logs can be enabled independently of each other.
  • For hosts with multiple clusters, configure files from within the shared directory, not the local directory (local directory configurations are ignored). For single-host Windows clusters, you can configure local files.
  • Only primary hosts perform audit logging; compute hosts do not normally have access to the shared locations where configuration files are stored. You never need to enable audit logging on compute hosts.
  • Only events that arrive at the server side are recorded in the corresponding server's audit log. Events that fail at the client side are not recorded in the server's audit log. For example, when user authentication is enabled with the GSS-Kerberos plug-in, login attempts with a wrong user name or password fail at the client side when the client acquires the TGT from the KDC; such events are not recorded in the server's audit log.

Procedure

  • To enable logging for auditing of core EGO functions (for example, security):
    1. Open the ego.conf file:
      • On Windows: %EGO_CONFDIR%\ego.conf
      • On Linux: $EGO_CONFDIR/ego.conf
    2. Enable EGO audit logging by adding the following parameter:
      EGO_AUDIT_LOG=Y
    3. Optional: You can also define an audit log directory by configuring the EGO_AUDIT_LOGDIR parameter. This is the default audit log directory location:
      • On Windows: EGO_AUDIT_LOGDIR=Installation_top\audits
      • On Linux: EGO_AUDIT_LOGDIR=$EGO_TOP/audits
      Note: You can change the directory name, but the location must be a shared directory; ensure there are no spaces in the directory name.

      Once defined, the directory is automatically created.

    4. Optional: You can also enable audit logs in ArcSight CEF (Common Event Format) standard, which provides a specific level of detail for the logs so that they can be analyzed with ArcSight tools. To enable CEF, set:
      EGO_AUDIT_LOG_CEF=Y
    5. Save and close the file.
    6. Restart EGO on the primary host.
      egosh ego restart

      EGO restarts any currently stopped services. Changes made to stopped services now take effect.

    Note that there is no automatic file rollover or audit log cleanup. Ensure that you manually manage the file size (see Configuring EGO audit log file archival rotation).

  • [7.3.2 Fix] Available with Fix 602717. To enable logging for auditing of the WEBGUI (cluster management console) service:
    1. Enable cluster management console audit logging:
      1. Open the ego.conf file:
        • On Windows: %EGO_CONFDIR%\ego.conf
        • On Linux: $EGO_CONFDIR/ego.conf
      2. Enable cluster management console audit logging by adding the following parameter:
        EGO_AUDIT_LOG=Y
      3. Define an audit log directory by configuring the EGO_AUDIT_LOGDIR parameter. This is the default audit log directory location:
        • On Windows: EGO_AUDIT_LOGDIR=Installation_top\audits
        • On Linux: EGO_AUDIT_LOGDIR=$EGO_TOP/audits
        Note:
        • You can change the directory name, but the location must be a shared directory; ensure there are no spaces in the directory name.
        • The default EGO_AUDIT_LOGDIR location will be on the shared file system if high availability is enabled.

        Once defined, the directory is automatically created.

      4. Save and close the file.

      Note that there is no automatic file rollover or audit log cleanup. Ensure that you manually manage the file size (see Configuring EGO audit log file archival rotation).

    2. Configure the WEBGUI auditing:
      1. Create a fam.json file that includes the FAM_AUDIT_LOG_ENABLE, FAM_AUDIT_LOG_MAX_FILE_SIZE_MB, FAM_AUDIT_LOG_MAX_ROTATE, and FAM_AUDIT_LOG_DIR parameters and their values. Note the following:
        • If the fam.json file is not present, or if these settings are not in the file, then FAM_AUDIT_LOG_MAX_FILE_SIZE_MB and FAM_AUDIT_LOG_MAX_ROTATE use the default values of 100 megabytes and 10 backup files, respectively.
        • If not specified, the default values for FAM_AUDIT_LOG_ENABLE and FAM_AUDIT_LOG_DIR come from the $EGO_CONFDIR/ego.conf file, from the EGO_AUDIT_LOG and EGO_AUDIT_LOGDIR parameters, respectively.
        Here is an example fam.json file:
        {
          "FAM_AUDIT_LOG_ENABLE": true,
          "FAM_AUDIT_LOG_MAX_FILE_SIZE_MB": 10,
          "FAM_AUDIT_LOG_MAX_ROTATE": 5,
          "FAM_AUDIT_LOG_DIR": "${EGO_CONFDIR}/../../audits"
        }
    3. Save the fam.json file to your EGO_CONFDIR directory; for example:
      • On Windows: %EGO_CONFDIR%\fam.json
      • On Linux: $EGO_CONFDIR/fam.json
    4. Restart EGO on the primary host.
      egosh ego restart

      EGO restarts any currently stopped services. Changes made to stopped services now take effect.

    This configuration creates an audit file, called fam.audit.log, that logs WEBGUI events in the CEF (Common Event Format) standard.
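    The precedence rules above (fam.json value, then the ego.conf EGO_AUDIT_LOG and EGO_AUDIT_LOGDIR parameters, then the built-in defaults) are easy to get wrong when checking a host before restart. The following is an added example, not IBM's code, that resolves the effective WEBGUI audit settings from constructed fam.json and ego.conf contents; the sample paths, the helper names, and the mapping of EGO_AUDIT_LOG=Y to "enabled" are assumptions.

```python
# Added example (not IBM's code): resolve the WEBGUI audit settings that would
# take effect from a fam.json and an ego.conf, applying the precedence the
# procedure gives: fam.json value, then ego.conf EGO_AUDIT_LOG/EGO_AUDIT_LOGDIR,
# then the built-in defaults (100 MB, 10 backups; $EGO_TOP/audits for the directory).
import json
import os

# Constructed sample inputs; the paths are illustrative, not from the page.
FAM_JSON = """{
  "FAM_AUDIT_LOG_ENABLE": true,
  "FAM_AUDIT_LOG_MAX_FILE_SIZE_MB": 10,
  "FAM_AUDIT_LOG_MAX_ROTATE": 5,
  "FAM_AUDIT_LOG_DIR": "${EGO_CONFDIR}/../../audits"
}"""
EGO_CONF = "# constructed ego.conf excerpt\nEGO_AUDIT_LOG=Y\nEGO_AUDIT_LOGDIR=/opt/ibm/spectrum/audits\n"

def parse_ego_conf(text):
    """Parse KEY=VALUE lines of ego.conf, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def effective_webgui_audit(fam_json_text, ego_conf_text, ego_confdir, ego_top):
    """Return the audit settings the WEBGUI service would actually use."""
    fam = json.loads(fam_json_text) if fam_json_text.strip() else {}
    ego = parse_ego_conf(ego_conf_text)
    enabled = fam.get("FAM_AUDIT_LOG_ENABLE")
    if enabled is None:
        # Assumption: EGO_AUDIT_LOG=Y enables auditing, any other value leaves it off.
        enabled = ego.get("EGO_AUDIT_LOG", "").upper() == "Y"
    log_dir = (fam.get("FAM_AUDIT_LOG_DIR") or ego.get("EGO_AUDIT_LOGDIR")
               or os.path.join(ego_top, "audits"))
    # fam.json may reference ${EGO_CONFDIR}; expand it from the supplied value.
    log_dir = os.path.normpath(log_dir.replace("${EGO_CONFDIR}", ego_confdir))
    if " " in log_dir:
        # The procedure requires a directory name without spaces.
        raise ValueError("audit log directory must not contain spaces: %r" % log_dir)
    return {
        "enabled": bool(enabled),
        "max_file_size_mb": int(fam.get("FAM_AUDIT_LOG_MAX_FILE_SIZE_MB", 100)),
        "max_rotate": int(fam.get("FAM_AUDIT_LOG_MAX_ROTATE", 10)),
        "log_dir": log_dir,
    }
```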

  • To enable audit logging for the service controller (for example, to audit the starting and stopping of EGO services):
    1. Open the egosc_conf.xml file:
      • On Windows: %EGO_CONFDIR%\..\..\eservice\esc\conf\egosc_conf.xml
      • On Linux: $EGO_CONFDIR/../../eservice/esc/conf/egosc_conf.xml
    2. Enable the EGO service controller log (egoservice.audit.log) by adding the following element:
      <ESC_AUDIT_LOG>ON</ESC_AUDIT_LOG>
    3. Save and close the file.
    4. Restart EGO on the primary host.
      egosh ego restart

      EGO restarts any currently stopped services. Changes made to stopped services now take effect.

  • To enable audit logging for the repository service:
    1. Open the rs.xml file:
      • On Windows: %EGO_CONFDIR%\..\..\eservice\esc\conf\services\rs.xml
      • On Linux: $EGO_CONFDIR/../../eservice/esc/conf/services/rs.xml
    2. Enable the repository service audit log by adding the following element to the ego:ActivitySpecification sections for all OS types:

      <ego:EnvironmentVariable name="RS_AUDIT_LOG">ON</ego:EnvironmentVariable>

      Note: The default setting is OFF. The setting is case sensitive.
      The RS logs information into the configured audit log directory, as specified by the parameter EGO_AUDIT_LOGDIR defined in ego.conf. If this parameter is not found or defined, the RS logs to this directory:
      • On Windows: Installation_top\audits
      • On Linux: $EGO_TOP/audits
    3. Save and close the file.
    4. Stop the RS service:
      egosh service stop RS
    5. Restart EGO on the primary host.
      egosh ego restart

      EGO restarts any currently stopped services. Changes made to stopped services now take effect.

  • To enable audit logging for the session director:
    1. Open the sd.xml file:
      • On Windows: %EGO_CONFDIR%\..\..\eservice\esc\conf\services\sd.xml
      • On Linux: $EGO_ESRVDIR/esc/conf/services/sd.xml
    2. Set the SD_AUDIT_LOG environment variable to ON and save your changes:
      <ego:EnvironmentVariable name="SD_AUDIT_LOG">ON</ego:EnvironmentVariable>
    3. Save and close the file.
    4. Restart EGO on the primary host.
      egosh ego restart

      EGO restarts any currently stopped services. Changes made to stopped services now take effect.

  • [7.3.2 Fix] Available with Fix 601711. To include client host information in the audit log, so that each user operation is recorded together with the host that triggered it (especially operations performed through the browser-based cluster management console):
    1. Open the ego.conf file:
      • On Windows: %EGO_CONFDIR%\ego.conf
      • On Linux: $EGO_CONFDIR/ego.conf
    2. Enable client host information by adding the following parameter:
      EGO_AUDIT_LOG_WITH_HOSTINFO=Y
    3. Save and close the file.
    4. Restart EGO on the primary host.
      egosh ego restart

      EGO restarts any currently stopped services. Changes made to stopped services now take effect.

    Once you have enabled client host information in the audit logs, you can create or delete a role from the cluster management console and audit those operations (for example, go to System & Services > Users > Roles and create or delete the Guest role).
    Details for the operation are logged to the $EGO_TOP/audits/ego.audit.log audit log; for example:
    NOTICE CONFIG Admin ROLE Guest created. DETAIL: [ROLE_NAME] is , [ROLE_DESC] is <>. Request from ABC.ibm.com:9.125.66.199.
    NOTICE CONFIG Admin ROLE Guest deleted. DETAIL: [ROLE_NAME] is . Request from ibm145- ABC.ibm.com:9.125.66.199.
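    The "Request from host:ip" suffix is what lets a defender tie a configuration change to its origin. The following is an added example, not IBM's code, that parses lines in the format shown above and flags CONFIG events whose request source is missing or lies outside an expected administrative network; the third sample line, the 192.0.2.44 address, the lab-host name, and the function names are constructed for the example.

```python
# Added example (not IBM's code): parse ego.audit.log lines that carry client
# host information (EGO_AUDIT_LOG_WITH_HOSTINFO=Y) and flag configuration
# changes whose request source is absent or outside an expected admin network.
import ipaddress
import re

# Field order follows the sample lines on the page:
# LEVEL CATEGORY USER OBJECT_TYPE OBJECT_NAME ACTION. DETAIL: ... Request from HOST:IP.
LINE_RE = re.compile(
    r"^(?P<level>\S+) (?P<category>\S+) (?P<user>\S+) (?P<obj_type>\S+) "
    r"(?P<obj_name>\S+) (?P<action>\w+)\."
    r"(?: DETAIL: (?P<detail>.*?))?"
    r"(?: Request from (?P<src_host>.+?):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}))?\.?$"
)

# Constructed sample: the two lines from the page plus one made-up line from another address.
SAMPLE_LOG = """\
NOTICE CONFIG Admin ROLE Guest created. DETAIL: [ROLE_NAME] is , [ROLE_DESC] is <>. Request from ABC.ibm.com:9.125.66.199.
NOTICE CONFIG Admin ROLE Guest deleted. DETAIL: [ROLE_NAME] is . Request from ibm145- ABC.ibm.com:9.125.66.199.
NOTICE CONFIG Admin ROLE Guest created. DETAIL: [ROLE_NAME] is , [ROLE_DESC] is <>. Request from lab-host.example.com:192.0.2.44.
"""

def parse_audit_line(line):
    """Return a dict of fields for one audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def config_changes_from_outside(log_text, allowed_cidrs):
    """Return CONFIG events whose source IP is missing or not inside allowed_cidrs."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev["category"] != "CONFIG":
            continue
        ip = ev.get("src_ip")
        # A missing source (host info not enabled) is reported as well, so the
        # gap in coverage is visible rather than silently ignored.
        if ip is None or not any(ipaddress.ip_address(ip) in n for n in nets):
            hits.append(ev)
    return hits
```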