MVCM Audit Logging location (MVCM MVCA)

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    MainView Console Management for zEnterprise - Base


    APPLIES TO:

    MVCM MVCA MainView Console Management for zEnterprise MainView Console Automation for zEnterprise



    QUESTION:

    We are planning to copy the MVCM and MVCA audit logs to a central repository and would like to know the path names on the Linux side from which they can be parsed.


    ANSWER:

    By default, MVCM audit logs are kept in 3 separate locations, because 3 separate processes generate auditing information. First, there is an audit log for connections and commands through the Console Consolidation server. These logs contain all console commands entered by users through CCS viewers or the Automation Viewer. Next, there are audit logs produced by the Authentication server, which tracks user password changes and connections to Automation servers, as well as commands sent to the HMC via the Automation server. Finally, there is the Administrator audit log, which tracks changes made by Administrators through the MVCM web config interface.

    By default, the Console Consolidation Audit logs are in the directory

         /usr/iocinst/config/CCSSERVERNAME/AuditLogs
              where CCSSERVERNAME is the name of the CCS server where the consoles are configured.

    The Authentication Server logs are in

         /usr/iocinst/logs/authserver

    There are 3 log file names here, and only 2 are audit logs: password_change.n.log and audit.n.log. The 3rd log file contains debugging information from the server. The "n" is a number from 0 to 7, reflecting the number of days we store logs before overwriting the information. 0 is the most current log.

    Finally, the Administrator audit log is stored in

        /usr/iocinst/logs/hgc/auditlog.csv

    Here are samples of the logs:

    /usr/iocinst/config/ccs/CCSSERVERNAME/AuditLogs
     
    Date,Time,UserId,Host,Session Name,Command,Status
    2018/10/11,10:15:47,,"172.22.xxx.xxx","CCSSESSION",".CONNECT.","0"
    2018/10/11,10:24:16,,"172.22.xxx.xxx","CCSSESSION","24-020:;01-001@E","PERMITTED"
    2018/10/11,10:27:56,,"172.22.xxx.xxx","CCSSESSION",".CONNECT.","0"
    2018/11/04,05:22:39,"USERNAME","10.64.xxx.xxx","",".LOGIN.","0"
    2018/11/04,05:22:39,"USERNAME","10.64.xxx.xxx","CCSSESSION",".CONNECT.","0"
    2018/11/05,04:06:58,"USERNAME","10.64.xxx.xxx","CCSSESSION",".DISCONNECT.","SSL_ERROR_SYSCALL"
    2018/11/09,12:24:16,"USERNAME","192.168.xxx.xxx","",".LOGIN.","0"
    2018/11/09,12:24:16,"USERNAME","192.168.xxx.xxx","CCSSESSION",".CONNECT.","0"
    2018/11/09,12:24:26,"USERNAME","192.168.xxx.xxx","CCSSESSION","22-003:1,none;22-009@E","PERMITTED"
    2018/11/09,12:24:42,"USERNAME","192.168.xxx.xxx","CCSSESSION","22-003:2,warm;22-009@E","PERMITTED"
    2018/11/09,12:24:46,"USERNAME","192.168.xxx.xxx","CCSSESSION","22-003@2","PERMITTED"
    2018/11/09,12:25:03,"USERNAME","192.168.xxx.xxx","CCSSESSION","22-003@1","PERMITTED"
    2018/11/09,12:25:03,"USERNAME","192.168.xxx.xxx","CCSSESSION","22-003@1","PERMITTED"



    /usr/iocinst/logs/authserver/audit.0.log
     
    Aug 20, 2018 8:25:10 PM : client = 127.0.0.1, client-ip = 172.22.xxx.xxx, requestor = 10.64.xxx.xxx, user = USERNAME, password = ********, domain = null, resource = CONSOLENAME, resource-type = CCS, authenticated = true
    Aug 20, 2018 8:25:54 PM : client = 127.0.0.1, client-ip = 172.22.xxx.xxx, requestor = 10.64.xxx.xxx, user = USERNAME, password = ********, domain = null, resource = CONSOLENAME, resource-type = CCS, authenticated = true



    /usr/iocinst/logs/authserver/password_change.0.log

    Dec 19, 2018 11:21:58 AM : USER_MODIFIED, from host = 172.28.xxx.xxx, ip = 172.28.xxx.xxx, by user = iocadmin, user = USERNAME ()
    Feb 4, 2019 10:44:04 AM : USER_MODIFIED, from host = 172.28.xxx.xxx, ip = 172.28.xxx.xxx, by user = iocadmin, user = USERNAME ()
    Feb 4, 2019 10:58:25 AM : USER_MODIFIED, from host = 172.28.xxx.xxx, ip = 172.28.xxx.xxx, by user = iocadmin, user = USERNAME ()
    Feb 4, 2019 10:58:37 AM : USER_MODIFIED, from host = 172.28.xxx.xxx, ip = 172.28.xxx.xxx, by user = iocadmin, user = USERNAME ()



    /usr/iocinst/logs/hgc/auditlog.csv

    2019-02-08 13:19:10,iocadmin,172.28.xxx.xxx,System,LOGON,.LOGON.
    2019-02-26 13:29:48,iocadmin,10.230.xxx.xxx,System,LOGON,.LOGON.
    2019-02-26 13:30:26,iocadmin,10.230.xxx.xxx,Backup,Last Config,Uploaded saved configuration
    2019-02-26 13:30:45,iocadmin,10.230.xxx.xxx,Backup,Good config,Uploaded saved configuration
    2019-02-26 13:31:10,iocadmin,10.230.xxx.xxx,Backup,Last Config,Restored saved configuration
    2019-02-26 13:31:12,Database Upgrade,localhost,CCS,CCSSERVER1,Configuration copied from :  updated:
    2019-02-26 13:31:12,Database Upgrade,localhost,CCS,CCSSERVER2,Configuration copied from :  updated:
    2019-02-26 13:31:12,Database Upgrade,localhost,CCS,CCSSERVER3,Configuration copied from :  updated:
    2019-02-26 13:31:12,Database Upgrade,localhost,CCS,CCSSERVER4,Configuration copied from :  updated:
    2019-02-26 13:31:24,iocadmin,10.230.xxx.xxx,System,default,System Reboot
    2019-03-07 18:23:21,iocadmin,172.28.xxx.xxx,System,LOGON,.LOGON.
    2019-03-12 16:09:47,iocadmin,172.28.xxx.xxx,System,LOGON,.LOGON.
    2019-03-12 16:10:02,iocadmin,172.28.xxx.xxx,Authentication,Server,Authentication configuration updated
    2019-03-12 16:10:14,iocadmin,172.28.xxx.xxx,Authentication,Server,Authentication configuration updated
    2019-03-13 11:41:01,iocadmin,172.28.xxx.xxx,System,LOGON,.LOGON.
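
    The three sample formats above can be normalized before forwarding to a central repository. The following parser is an added example, not BMC code: the sample lines are constructed from the shapes shown above, the column names for auditlog.csv are assumptions (the file has no header row), and dropping the password field is a choice made here.

```python
import csv
from datetime import datetime

# Constructed sample lines, copied in shape from the article's samples.
CCS_SAMPLE = '''Date,Time,UserId,Host,Session Name,Command,Status
2018/11/04,05:22:39,"USERNAME","10.64.xxx.xxx","",".LOGIN.","0"
2018/11/09,12:24:26,"USERNAME","192.168.xxx.xxx","CCSSESSION","22-003:1,none;22-009@E","PERMITTED"
'''
AUTH_SAMPLE = ('Aug 20, 2018 8:25:10 PM : client = 127.0.0.1, client-ip = 172.22.xxx.xxx, '
               'requestor = 10.64.xxx.xxx, user = USERNAME, password = ********, domain = null, '
               'resource = CONSOLENAME, resource-type = CCS, authenticated = true\n'
               'Feb 4, 2019 10:44:04 AM : USER_MODIFIED, from host = 172.28.xxx.xxx, '
               'ip = 172.28.xxx.xxx, by user = iocadmin, user = USERNAME ()\n')
ADMIN_SAMPLE = '2019-02-26 13:31:24,iocadmin,10.230.xxx.xxx,System,default,System Reboot\n'
# auditlog.csv has no header row; these column names are assumptions.
ADMIN_COLS = ["timestamp", "user", "host", "category", "object", "action"]

def parse_ccs(text):
    """CCS audit log: CSV with header; quoted commands may contain commas."""
    out = []
    for row in csv.DictReader(text.splitlines()):
        ts = datetime.strptime(row["Date"] + " " + row["Time"], "%Y/%m/%d %H:%M:%S")
        out.append({"source": "ccs", "timestamp": ts.isoformat(), "user": row["UserId"],
                    "host": row["Host"], "session": row["Session Name"],
                    "action": row["Command"], "status": row["Status"]})
    return out

def parse_authserver(text):
    """audit.n.log / password_change.n.log: 'timestamp : key = value, ...'."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        stamp, _, rest = line.partition(" : ")
        ts = datetime.strptime(stamp, "%b %d, %Y %I:%M:%S %p")
        event = {"source": "authserver", "timestamp": ts.isoformat()}
        for part in rest.split(", "):
            key, sep, value = part.partition(" = ")
            if not sep:
                event["event"] = part          # bare token such as USER_MODIFIED
            elif key != "password":            # never forward the password field
                event[key] = value
        out.append(event)
    return out

def parse_admin(text):
    """hgc/auditlog.csv: headerless CSV, six columns in the samples."""
    rows = csv.reader(text.splitlines())
    return [dict(zip(ADMIN_COLS, r), source="admin") for r in rows if r]
```

    Using the csv module matters for the CCS log: a command such as "22-003:1,none;22-009@E" contains a comma and would be split into two fields by a plain comma split.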


     


    Article Number:

    000165649


    Article Type:

    FAQ/Procedural


