HP OpenVMS Systems
Ask the Wizard
The Question is:

The OpenVMS Documentation says I can use wildcards in the name specification when dumping the security audit file as specified above. I can't seem to get it to work... I have a file with an auditing ACE, and it is generating security audit entries when it is accessed. I can see them when I look at the log with /select=object=class=file, but when I look specifically for that file or use wildcards (using /select=object=name=<my filename>), it produces no results. What am I missing? There are no examples of this that I have found. Please help!

The Answer is:
Regarding: anal/aud/selec=object=(name=wmsfas.*)-...
First problem, the OpenVMS Wizard suspects you really want to use:
    /SELECT=FILE_NAME=filespec
Second problem, the file name contains a device and directory
specification which is significant in the search string. You
therefore need to specify or wildcard the initial part of your
file specification.
    /SELECT=FILE_NAME=*wmsfas.*
(Note that although this is logically a file specification, as
far as ANALYZE/AUDIT is concerned, it's just a string. So you
can't think about it as having discrete fields subject to normal
defaulting rules - you therefore *must* include everything down
to version numbers, or use wildcards).
So why doesn't your select work?
ANALYZE/AUDIT is, of necessity, a rather complex command. This is
especially true of the /SELECT qualifier. Perhaps the simplest way to
understand which keyword to use is by observing the field name as
displayed on a sample of your target audit messages.
/SELECT=OBJECT=NAME=string will match those records which display
a field labelled "Object name:". For example (censored slightly):
    Auditable event:     System UAF record modification
    Event time:          23-AUG-2002 11:41:51.89
    PID:                 2020013A
    Process name:        **********
    Username:            SYSTEM
    Process owner:       [SYSTEM]
    Image name:          **********
    Object class name:   FILE
    Object name:         SYS$CLUSTER:[SYSEXE]SYSUAF.DAT;1
    User record:         **********
    Last Network Login:  New:      23-AUG-2002 11:41
                         Original: 23-AUG-2002 11:41
Since your target field is "File name:" you need to use the FILE_NAME
keyword.
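
The two points of the answer above (pick the keyword from the field label, and match the whole string including device and directory) modelled offline in Python. This is an added example, not part of the original answer and not ANALYZE/AUDIT itself. Assumptions: the second sample record is constructed (its device, directory and version are invented), and the matcher treats * as any run of characters, % as one character, and ignores case.

```python
import re

# Field label -> /SELECT keyword: only the two pairings the answer names.
LABEL_TO_KEYWORD = {"Object name": "OBJECT=NAME", "File name": "FILE_NAME"}

# Constructed records; device, directory and version in the second are invented.
SAMPLE = """\
Auditable event:     System UAF record modification
Object class name:   FILE
Object name:         SYS$CLUSTER:[SYSEXE]SYSUAF.DAT;1

Auditable event:     Object access
Object class name:   FILE
File name:           _DKA100:[DATA]WMSFAS.DAT;3
"""

def parse_records(text):
    """Split blank-line-separated records into {label: value} dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            label, sep, value = line.partition(":")
            if sep:
                fields[label.strip()] = value.strip()
        records.append(fields)
    return records

def wildcard_match(pattern, value):
    """Whole-string match. Assumed: * = any run, % = one char, case-blind."""
    rx = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE) is not None

def select(records, keyword, pattern):
    """Model /SELECT=keyword=pattern: test only the field that keyword names."""
    labels = [lab for lab, k in LABEL_TO_KEYWORD.items() if k == keyword]
    return [r for r in records
            if any(lab in r and wildcard_match(pattern, r[lab]) for lab in labels)]

def suggest_keywords(records, pattern):
    """Keywords whose field holds a value matching the pattern."""
    return sorted({LABEL_TO_KEYWORD[lab] for r in records for lab, v in r.items()
                   if lab in LABEL_TO_KEYWORD and wildcard_match(pattern, v)})

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for kw, pat in [("FILE_NAME", "wmsfas.*"), ("FILE_NAME", "*wmsfas.*")]:
        print(f"/SELECT={kw}={pat} -> {len(select(recs, kw, pat))} record(s)")
```

Without the leading wildcard the pattern has to start at the device name, so it matches nothing; with OBJECT=NAME the file access record is never tested at all because it has no "Object name:" field.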