By default, auditing of security-sensitive events related to EGO and SOAM services and to host, user, and consumer containers is disabled. However, a cluster administrator can collect this information to better monitor system security by configuring the ego.conf, egosc_conf.xml, rs.xml, and sd.xml files, as appropriate, to enable the various audit logs.
Before you begin
For multi-host clusters or Linux® installations, you must have previously run egoconfig mghost shared_dir during installation.
About this task
Important: Linux installations require a shared directory. Also, note the following:
- Audit logs can be enabled independently of each other.
- For multi-host clusters, configure files from within the shared directory, not the local directory (local directory configurations are ignored). For single-host Windows clusters, you can configure local files.
- Only primary hosts perform audit logging; compute hosts do not normally have access to the shared locations where configuration files are stored. You never need to enable audit logging on compute hosts.
- Only events that arrive at the server side are recorded in the corresponding server's audit log. Events that fail at the client side are not recorded in the server's audit log. For example, when user authentication is enabled with the GSS-Kerberos plug-in, login events caused by a wrong user name or password fail at the client side when the client acquires the TGT from the KDC; such events are not recorded in the server's audit log.
Procedure
- To enable logging for auditing of core EGO functions (for example, security):
-
Open the ego.conf file:
- On Windows:
%EGO_CONFDIR%\ego.conf
- On Linux: $EGO_CONFDIR/ego.conf
-
Enable EGO audit logging by adding the following parameter:
- Optional: You can also define an audit log directory by configuring the EGO_AUDIT_LOGDIR parameter. This is the default audit log directory location and name:
- On Windows: EGO_AUDIT_LOGDIR=Installation_top\audits
- On Linux:
EGO_AUDIT_LOGDIR=$EGO_TOP/audits
Note: You can change the name, but the location must be a shared directory; ensure there are no spaces in the directory name. Once defined, the directory is automatically created.
- Optional: You can also enable audit logs in the ArcSight CEF (Common Event Format) standard, which provides a specific level of detail for the logs so that they can be analyzed with ArcSight tools. To enable CEF, set:
-
Save and close the file.
- To enable audit logging for the service controller (for example, to audit the starting and stopping of EGO services):
-
Open the egosc_conf.xml file:
- On Windows:
%EGO_CONFDIR%\..\..\eservice\esc\conf\egosc_conf.xml
- On Linux:
$EGO_CONFDIR/../../eservice/esc/conf/egosc_conf.xml
-
Enable the EGO service controller log (egoservice.audit.log) by adding the following element:
<ESC_AUDIT_LOG>ON</ESC_AUDIT_LOG>
-
Save and close the file.
- To enable audit logging for the repository service:
-
Open the rs.xml file:
- On Windows:
%EGO_CONFDIR%\..\..\eservice\esc\conf\services\rs.xml
- On Linux:
$EGO_CONFDIR/../../eservice/esc/conf/services/rs.xml
-
Enable the repository service audit log by adding the following element to the ego:ActivitySpecification sections for all OS types:
<ego:EnvironmentVariable name="RS_AUDIT_LOG">ON</ego:EnvironmentVariable>
Note: The default setting is OFF. The setting is case sensitive.
The RS logs information into the configured audit log directory, as specified by the EGO_AUDIT_LOGDIR parameter defined in ego.conf. If this parameter is not found or defined, the RS logs to this directory:
- On Windows: Installation_top\audits
- On Linux: $EGO_TOP/audits
-
Save and close the file.
-
Stop the RS service.
- To enable audit logging for the session director:
- Open the sd.xml file:
- On Windows:
%EGO_CONFDIR%\..\..\eservice\esc\conf\services\sd.xml
- On Linux:
$EGO_ESRVDIR/esc/conf/services/sd.xml
- Set the SD_AUDIT_LOG environment variable to ON and save your changes:
<ego:EnvironmentVariable name="SD_AUDIT_LOG">ON</ego:EnvironmentVariable>
-
Save and close the file.
- To enable client host information in the audit log, so that user operations are captured together with their origin (especially those performed through the browser-based cluster management console):
-
Open the ego.conf file:
- On Windows:
%EGO_CONFDIR%\ego.conf
- On Linux: $EGO_CONFDIR/ego.conf
-
Set the EGO_AUDIT_LOG_WITH_HOSTINFO parameter to Y and save your changes:
EGO_AUDIT_LOG_WITH_HOSTINFO=Y
Once you have enabled client host information in the audit logs, you can create or delete a role from the cluster management console to audit these operations (for example, go to and create or delete the Guest role). Details for the operation are logged to the $EGO_TOP/audits/ego.audit.log audit log; for example:
NOTICE CONFIG Admin ROLE Guest created. DETAIL: [ROLE_NAME] is , [ROLE_DESC] is <>. Request from ABC.ibm.com:9.125.66.199.
NOTICE CONFIG Admin ROLE Guest deleted. DETAIL: [ROLE_NAME] is . Request from ibm145- ABC.ibm.com:9.125.66.199.
-
Restart EGO on the primary host.
EGO restarts any currently stopped services. Changes made to stopped services now take effect.
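As an added example that is not part of the original documentation, the following Python parser reads ego.audit.log entries in the shape shown above (level, category, user, object type, object name, action, DETAIL, and the optional "Request from host:address" suffix written when EGO_AUDIT_LOG_WITH_HOSTINFO=Y) and flags entries that carry no client host information. The sample lines are constructed; the host name and address in them are placeholders, not values from the page.

```python
"""Parse EGO audit log lines and flag entries that lack client host info."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample entries modelled on the ego.audit.log lines in the procedure;
# host1.example.com and 192.0.2.10 are placeholders, not values from the page.
SAMPLE_LINES = [
    "NOTICE CONFIG Admin ROLE Guest created. DETAIL: [ROLE_NAME] is Guest, "
    "[ROLE_DESC] is <>. Request from host1.example.com:192.0.2.10.",
    "NOTICE CONFIG Admin ROLE Guest deleted. DETAIL: [ROLE_NAME] is Guest. "
    "Request from host1.example.com:192.0.2.10.",
    # Entry written before EGO_AUDIT_LOG_WITH_HOSTINFO=Y took effect: no origin.
    "NOTICE CONFIG Admin ROLE Guest deleted. DETAIL: [ROLE_NAME] is Guest.",
]

# Fields are space separated; DETAIL and the "Request from" suffix are optional.
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<category>\w+)\s+(?P<user>\S+)\s+"
    r"(?P<obj_type>\w+)\s+(?P<obj_name>\S+)\s+(?P<action>\w+)\."
    r"(?:\s+DETAIL:\s*(?P<detail>.*?))?"
    r"(?:\s+Request from\s+(?P<host>[^:\s]+):(?P<addr>[0-9A-Fa-f.:]+)\.)?\s*$"
)


@dataclass
class AuditEvent:
    level: str
    category: str
    user: str
    obj_type: str
    obj_name: str
    action: str
    detail: str
    host: Optional[str]  # None when the line has no "Request from" suffix
    addr: Optional[str]


def parse_line(line: str) -> Optional[AuditEvent]:
    """Return the parsed event, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return AuditEvent(d["level"], d["category"], d["user"], d["obj_type"],
                      d["obj_name"], d["action"], (d["detail"] or "").rstrip("."),
                      d["host"], d["addr"])


def events_without_origin(lines: List[str]) -> List[AuditEvent]:
    """Events that cannot be attributed to a client host (host info was not enabled)."""
    parsed = [e for e in map(parse_line, lines) if e is not None]
    return [e for e in parsed if e.host is None]
```

Running events_without_origin over a real log after enabling EGO_AUDIT_LOG_WITH_HOSTINFO=Y and restarting EGO is a quick check that new entries carry an origin; entries written before the restart will still lack one.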