HowTos/Using the Audit logging

audit.cfg
 
The entries in this file are grouped for each part of Scalix that knows about Audit logging. The first trick is working out the mapping between the part number within this audit.cfg file and the part name as specified in the omconfaud command. The section commented as service router is pretty obvious, but how can you tell which sections relate to Remote Client Interface? When you look in the audit.cfg file you do not see any section called Remote Client Interface... you see sections called user-signon and user-signoff. Indeed this had confused people for so long that in B.04 we added an extra file audit.map which shows these mappings.

It looks something like this:
 
$ cat ~scalix/*/s/sys/audit.map
#
# This file maps entries in ~/sys/audit.cfg (1st col) to services (2nd col)
#
1      2       # 'routing' to Service Router
2      11      # 'omscan' to Administration
3      8       # 'user-signon' to Local Client Interface
3      9       # 'user-signon' to Remote Client Interface
4      8       # 'user-signoff' to Local Client Interface
4      9       # 'user-signoff' to Remote Client Interface
4      25      # 'user-signoff' to P7 Client Interface
5      11      # 'subsystem-start' to Administration
6      11      # 'subsystem-stop' to Administration
7      16      # 'fax' to Fax Gateway
8      3       # 'delivery' to Local Delivery
9      18      # 'request' to Request Server
10     4       # 'unix-in' to Unix Mail Gateway
11     4       # 'unix-out' to Unix Mail Gateway
12     6       # 'desk-in' to HPDesk Gateway
13     6       # 'desk-out' to HPDesk Gateway
14     5       # 'x400-in' to X400 Interface
15     5       # 'x400-out' to X400 Interface
16     24      # 'dirsync-in' to Directory Synchronization
17     24      # 'dirsync-out' to Directory Synchronization
18     26      # 'bulletin' to Bulletin Board Server
19     29      # 'sms-out' to SMS Gateway
20     29      # 'sms-in' to SMS Gateway
 
 
The next trick is to understand what parts of the audit.cfg file you can change and what parts are fixed. The file format is as follows:

      # service router                                   <-- Descriptive comment
      %    1 routing                        ~/logs/audit <-- Output file name
      1  time                            1
      2  type                            5
      3  ua-message-id                  1
      4  ua-ack-id                      3                <-- The audit level that produces this output
      ^  ^
      |  Text to be output
      Unique ID

You can change:

      •    The text to be output
      •    The output file name
      •    The Audit level that produces this output

As an example of the kind of things you can set up, here's an extract of the audit.cfg file:

      # Default audit.cfg configuration file. Only the audit log filenames and the
      # audit logging levels (the last number on each line) are administrator-configurable.
      # Use omconfaud for normal audit configuration.
      #
      # Do not localise this file. Localise the scripts that read the audit log
      # file instead.
      #
      # Field names should be less than 30 characters long.
      # service router
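To make the two lookups described above concrete (audit.map section number to service name, then audit.cfg section to its fields and levels), the following Python script is an added example for this page, not Scalix's own tooling. It parses an audit.map and an audit.cfg in the formats shown and answers, for a service name as omshowaud and omconfaud spell it and a chosen audit level, which fields would be written and to which log file. The sample file contents are constructed from the extracts above (the user-signon and user-signoff field lists are invented for illustration); the rule that a field is emitted when the configured level is at least the field's level is an assumption of this example, as is the check against the 30-character field-name limit the file header mentions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of ~/sys/audit.map, in the format shown on the page.
AUDIT_MAP = """\
#
# This file maps entries in ~/sys/audit.cfg (1st col) to services (2nd col)
#
1      2      # 'routing' to Service Router
3      8      # 'user-signon' to Local Client Interface
3      9      # 'user-signon' to Remote Client Interface
4      8      # 'user-signoff' to Local Client Interface
4      9      # 'user-signoff' to Remote Client Interface
"""

# Constructed sample of ~/sys/audit.cfg: section 1 follows the page's extract,
# the user-signon / user-signoff fields are invented for illustration.
AUDIT_CFG = """\
# service router
%    1 routing                        ~/logs/audit
1  time                            1
2  type                            5
3  ua-message-id                  1
4  ua-ack-id                      3
# user signon
%    3 user-signon                    ~/logs/audit
1  time                            1
2  user-name                       1
3  client-type                     2
# user signoff
%    4 user-signoff                   ~/logs/audit
1  time                            1
2  user-name                       1
3  session-duration                2
"""

# audit.map line: <cfg section no> <service no> # '<cfg name>' to <service name>
MAP_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+#\s*['’]([^'’]+)['’]\s+to\s+(.+?)\s*$")
# audit.cfg section header: % <section no> <name> <log file>
SECTION_RE = re.compile(r"^\s*%\s+(\d+)\s+(\S+)\s+(\S+)\s*$")
# audit.cfg field line: <unique id> <text to be output> <audit level>
FIELD_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s*$")


@dataclass
class Section:
    number: int      # the "part number" that audit.map refers to
    name: str        # e.g. routing, user-signon
    logfile: str     # output file name (administrator-configurable)
    fields: List[Tuple[int, str, int]] = field(default_factory=list)  # (id, text, level)


def parse_audit_map(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each service name (as omshowaud/omconfaud spell it) to the
    audit.cfg sections feeding it: {service: [(cfg section no, cfg name), ...]}."""
    services: Dict[str, List[Tuple[int, str]]] = {}
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if not m:
            continue  # comment or blank line
        cfg_no, _svc_no, cfg_name, svc_name = m.groups()
        services.setdefault(svc_name, []).append((int(cfg_no), cfg_name))
    return services


def parse_audit_cfg(text: str) -> Dict[int, Section]:
    """A '%' line opens a section (number, name, log file); the 'id text level'
    lines after it are its fields; '#' lines are descriptive comments."""
    sections: Dict[int, Section] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = Section(int(m.group(1)), m.group(2), m.group(3))
            sections[current.number] = current
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current.fields.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return sections


def fields_logged(services, sections, service: str, level: int):
    """For `service` configured at audit `level`, return
    [(section name, log file, [field texts emitted]), ...].
    Assumption of this example: a field is emitted when its level <= the configured level."""
    result = []
    for cfg_no, _cfg_name in services.get(service, []):
        sec = sections.get(cfg_no)
        if sec is None:
            continue  # listed in audit.map but absent from this audit.cfg
        emitted = [text for _fid, text, lvl in sec.fields if lvl <= level]
        result.append((sec.name, sec.logfile, emitted))
    return result


def long_field_names(sections, limit: int = 30):
    """The audit.cfg header says field names should be under 30 characters;
    report the (section, field) pairs that break that limit."""
    return [(sec.name, text) for sec in sections.values()
            for _fid, text, _lvl in sec.fields if len(text) >= limit]


if __name__ == "__main__":
    svc = parse_audit_map(AUDIT_MAP)
    cfg = parse_audit_cfg(AUDIT_CFG)
    for name, logfile, emitted in fields_logged(svc, cfg, "Remote Client Interface", 2):
        print(f"{name:<14} -> {logfile}: {', '.join(emitted)}")
    print("over-long field names:", long_field_names(cfg))
```

Run it against the real files by reading ~scalix/*/s/sys/audit.map and ~/sys/audit.cfg instead of the constructed strings; the parsers skip comment lines, so the descriptive comments that precede each section are harmless.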
 

Revision as of 15:17, 19 May 2009

Introduction

Audit level logging was originally implemented so that Scalix administrators could extract accounting information. They could determine how often people were logging on, for how long, etc., in order to bill for connection time. The actual output of the Audit logs is pretty basic, but there are already a number of people who have written scripts to take this output and produce PC-format files that can be fed into graphics packages to produce lovely statistics of message pass-through rates etc.

Although originally written with accounting in mind, Audit logging should not be overlooked as a debugging/troubleshooting tool. Indeed, you should consider using Audit logging as your first mechanism when trying to see what’s happening on the system.



Overview


The whole audit logging setup is configured through the file:


~openmail/sys/audit.cfg


In this file, you specify what activities are logged and for what Audit level they are logged.


The commands for setting up Audit level logging are:


omshowaud - to show the current settings


omconfaud - to configure the settings


You can enable Audit logging on the various parts of OpenMail. To see the complete list, simply issue an omshowaud:

$ omshowaud
Service Router                   0
Local Delivery                   0
Internet Mail Gateway            0
Local Client Interface           0
Remote Client Interface          0
Administration                   0
Request Server                   0
Directory Synchronization        0
Bulletin Board Server            0
Lotus Notes Interface            0
SMS Gateway                      0
Background Search Service        0


By default, everything is turned off! To see what information you get at the various levels you must look at the audit.cfg file.

