Administer > Log files > Global Shell audit logs

Global Shell audit logs

When a user accesses or modifies a managed server with the Global Shell feature, SA records the event in an audit log. The Global Shell audit logs contain information about the following events:

  • Logins and logouts with Global Shell and Remote Terminal sessions
  • The commands entered in Global Shell and Remote Terminal sessions
  • File system operations (such as create and remove) on managed servers
  • Commands and scripts that run on managed servers through the Remote Shell (rosh)

The Global Shell audit logs are on the server where the OGFS is installed.

To view a log file, open a terminal window, log into the server running the OGFS, and use a command-line utility such as more, grep, or tail. For an example that uses the tail command, see Example of Monitoring Global Shell Audit Logs.

The Global Shell audit logs are made up of three sets of logs files:

The section also provides information on the following topics:

Shell event logs

The shell event logs contain information about operations that users have performed on managed servers with the Global Shell. These logs are in the following directory (where ogfs-host is the name of the server running the OGFS):

/var/opt/opsware/ogfs/mnt/audit/event/ogfs-host

The log file name has the following syntax (where n is the log rotation number):

audit.log.n

For each event, SA writes a single line to an event log file. Each line in the log file contains the following information about the event:

  • Unique ID of the event
  • Unique ID of the parent event
  • Date of the operation
  • ID of the SA user who performed the operation
  • Name of the SA user who performed the operation
  • Name of the component that generated the audit event
  • Version of the SA component that generated the audit event
  • Name of the SA feature which generated the audit event
  • Name of the operation (action)
  • Verbosity level
  • Exit status of the event
  • ID of the managed server
  • Name of the managed server
  • Details of the event

The following example shows a single line in an audit event log file:

jdoe@m185:051202182224813:13 jdoe@m185:051202182224790:12
2006/01/28-12:40:19.622 User.Id=2610003 User.Name=jdoe
Hub:1.1 GlobalShell AgentRunTrustedScript 1 OK
Device.Id=10003 Device.Name=m192.dev.opsware.com
ConnectMethod=PUSH RemotePath= RemoteUser=root
ScriptName=__global__.sc_snapshot.sh
ScriptVersion=30b.2.1572 ChangeTime=1128971572
RemoteErrorName=

In this example, the first field is the ID of the event:

jdoe@m185:051202182224813:13

This ID field has the following syntax:

opsware-user@ogfs-host:YYMMDDHHmmssSSS:n

The n at the end of the ID field is a sequence number of the audit event generated in a session. The ID field matches the name of a shell stream log file.

Shell stream logs

The shell stream logs contain the stdout of scripts that are run from the Global Shell. These logs are in the following directory (where ogfs-host is the name of the server running the OGFS):

/var/opt/opsware/ogfs/mnt/audit/streams/ogfs-host

The log file name has the following syntax:

opsware-user@ogfs-host:YYMMDDHHmmssSSS:n

The log file name matches the ID field in the shell event log. A header line in the log file contains the file name, character set, version, and SA user name. If the stdout of the script contains control characters, the shell stream log will contain the same control characters.

Shell script logs

The shell script logs contain the contents of scripts that are run from the Global Shell. These logs are in the following directory (where ogfs-host is the name of the server running the OGFS):

/var/opt/opsware/ogfs/mnt/audit/scripts/ogfs-host

The log file name is a hash string based on the script contents; for example:

23f1d546cc657137fa012f78d0adfdd56095c3b5

A header line in the log file contains the file name, character set, version, and SA user name.

Example of monitoring Global Shell audit logs

The following example monitors the commands entered by an end user who logs into a managed server with a Remote Terminal session:

  1. In a terminal window, as root, log into the core server running the OGFS. The following steps refer to this window as the “auditing window.”

  2. In the auditing window, go to the audit/event directory:

    cd /var/opt/opsware/ogfs/mnt/audit/event/ogfs-host

  3. In the SA Client, open a Remote Terminal to a UNIX managed server.

  4. In the auditing window, examine the last line in the audit.log file:

    tail -1 audit.log.n

    For example, the following entry from the audit.log file indicates that the SA user jdoe opened a Remote Terminal to the host (Device.Name) toro.example.com. The event ID is jdoe@m235:060413184452579:59.

    jdoe@m235:060413184452595:60 jdoe@m235:060413184452579:59 2006/04/13-18:44:52.728 User.Id=6220044 User.Name=jdoe Hub:1.1 GlobalShellAgentLogin 1 OK Device.Id=840044 Device.Name=toro.example.com ConnectMethod=JUMP RemotePath= RemoteUser=root

  5. In the auditing window, go to the audit/streams directory:

    cd /var/opt/opsware/ogfs/mnt/audit/streams/ogfs-host

  6. In the auditing window, use the tail -f command to monitor the file that corresponds to the Remote Terminal session. The file name is the same as the event ID. For example, if the event ID is jdoe@m235:060413184452579:59, then you would enter the following command:

    tail -f jdoe*59

  7. In the Remote Terminal window, enter some UNIX commands such as pwd and ls.

  8. Watch the auditing window. The commands (and their output) from the Remote Terminal session are written to the file in the audit/streams directory.

Digital signatures in the Global Shell audit logs

The shell stream and script log files contain digital signatures and fingerprints, which are generated with the RSA-SHA1 algorithm. To verify the signature and fingerprint of a log file, open a terminal window, log into the OGFS, and enter the following command:

/opt/opsware/agentproxy/bin/auditverify stream_file_name \

rsa_key_path

This is an example in bash:

STREAMDIR=/var/opt/opsware/ogfs/mnt/audit/streams/acct.opsw.com

STREAMFILE=jdoe@somehost:051210003000111:61

RSAKEYPATH=/var/opt/opsware/crypto/waybot/waybot.srv

/opt/opsware/agentproxy/bin/auditverify $STREAMDIR/$STREAMFILE \ $RSAKEYPATH

If the log file has not been modified, auditverify displays the following message:

[AuditVerify]: Verification Result: Valid Signature

By default, the logs are signed with the private key in the following file:

/var/opt/opsware/crypto/agent/agent.srv

To change the key file used for signing, modify the audit.signature.key_path system configuration parameter as described in Configuring the Global Shell Audit Logs.

Storage management for the Global Shell audit logs

By periodically removing the shell stream and script log files, SA prevents these files from filling up the available disk space. SA provides system configuration parameters that determine when the log files are removed. These parameters enable you to specify the removal of the log files based on the age (archive_days) of the files or the amount of disk space (archive_size) used by the files.

The following parameters specify the age of the files to remove:

audit.stream.archive_days

audit.script.archive_days

The following parameters specify the amount of disk space that the files can occupy before they are removed:

audit.stream.archive_size

audit.script.archive_size

The following table provides details on these parameters. For instructions on modifying these system configurations, see Configuring the Global Shell Audit Logs.

Parameters for Global Shell Audit Log Configuration

Parameter

Description

Default Value

audit.script.archive_days

Audit script files older than this value (in days) are deleted. 0 means files are never deleted.

Note: Using a 0 value or very high number results in OGSH connection issues, due to the high number of large files created under /var/opt/opsware/mnt/audit/streams.

If this occurs, renaming the subdirectories under streams will temporarily resolve the issue.

90

audit.script.archive_size

Maximum amount of disk space (in MB) used by all audit script files. Older files are removed first. Zero (0) means no maximum.

Note: Using a 0 value or very high number results in OGSH connection issues, due to the high number of large files created under /var/opt/opsware/mnt/audit/streams.

If this occurs, renaming the subdirectories under streams will temporarily resolve the issue.

 

1000

audit.signature.algorithm

Signature algorithm to use when signing audit streams.

RSA-SHA1

audit.signature.key_path

Location of the private key used when signing audit streams.

/var/opt/opsware/crypto/waybot/waybot.srv

audit.stream.archive_days

Audit stream files older than this value (in days) are deleted. 0 means files are never deleted.

10

audit.stream.archive_size

Maximum amount of disk space (in MB) used by all audit stream files. Older files are removed first. 0 means no maximum.

1000

audit.stream.file_keep

Maximum number of rotated audit stream files.

50

audit.stream.file_size

Maximum file size for audit streams. Specified in MB. The largest allowed value is 50MB.

10

Configuring the Global Shell audit logs

You can change some system configuration parameters for the global shell audit logs such as the maximum log file size. For a list of the parameters you can change, see the Parameters for Global Shell Audit Log Configuration table. To configure the parameters, perform the following steps:

  1. Select the Administration tab in the SA Client.
  2. In the navigation pane select System Configuration > Configuration Parameters. This displays the SA components, facilities and realms that have system configuration parameters.
  3. In the list of SA components, select Hub. This displays the system configuration parameters for this component.
  4. Locate and modify the system configuration parameters you want to change, as listed in the table above.
  5. Select the Revert button to discard your changes or the Save button to save your changes.

Send Help Center feedback