ARSLOG for Users retrievals only


ssorich

Has anybody tried to determine how to log only user activity (for example from ICN) to the separate file created by ARSLOG?
It works well to duplicate the entire log, but I'm trying to get only user activity (non-admin).
Also - is there a way to force a new file at end-of-day?

Thanks!

Justin Derrick

You can put anything you'd like into the arslog script.  Scripts are usually written in a UNIX script language, so that it's fast to start up.  You can do anything with any of the variables you're passed, so if you have "ICN_USER" as a User ID, you can simply do an:


# $4 is the user ID and $8 is the message text passed to the arslog script
LOG_FILE=LogFileName-$(date +%Y%m%d)
if [[ $4 == "ICN_USER" ]] ; then
   # printf is portable across ksh/bash; quote the file name in case of spaces
   printf '%s\n' "$8" >> "$LOG_FILE"
fi


But just an FYI - it's REALLY important that your code is *FAST*.  If you're going to call it hundreds of thousands of times a day, even if it takes half a second to run, it can severely disrupt your CMOD server.

Is there a reason you're not simply doing queries on your System Log the next day?  What exactly are you trying to accomplish with this?

-JD.
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Webinars:  https://CMOD.Training/
IBM CMOD Professional Services: https://CMOD.cloud

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR
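A fuller version of the same idea, as an added example that is not JD's code and not part of CMOD itself: it keeps the date-rolled file name, but instead of matching one user ID it drops a constructed list of administrative IDs and logs everything else, so the file contains only non-admin activity. The positional parameters follow JD's snippet ($4 user ID, $8 message text); the log directory, the admin list and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): filtered, date-rolled arslog-style hook.
# Assumptions: $4 is the user ID and $8 is the message text (as in JD's snippet);
# ARSLOG_DIR and ADMIN_USERS are placeholders to adjust for a real system.
LOG_DIR="${ARSLOG_DIR:-/var/log/arslog}"
ADMIN_USERS="admin arsadmin"        # constructed admin list (space separated)

# is_admin_user USER -> 0 if USER is in ADMIN_USERS, 1 otherwise (no forks)
is_admin_user() {
    case " $ADMIN_USERS " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# log_user_event DIR USER TEXT -> appends "USER TEXT" to DIR/userlog-YYYYMMDD
# for non-admin users only; returns 1 (and writes nothing) for admin users.
log_user_event() {
    dir=$1
    user=$2
    text=$3
    if is_admin_user "$user"; then
        return 1
    fi
    day=$(date +%Y%m%d)            # one fork per call; see note below
    printf '%s %s\n' "$user" "$text" >> "$dir/userlog-$day"
    return 0
}

# When CMOD invokes this file as arslog it passes at least eight parameters;
# with fewer (e.g. when sourced for testing) nothing is written.
if [ $# -ge 8 ]; then
    log_user_event "$LOG_DIR" "$4" "$8"
fi
```

The `case` match avoids spawning any process for the admin check, which matters given JD's warning about speed; the only fork left is `date`, and on bash that too can be removed with `printf -v day '%(%Y%m%d)T' -1`. The date in the file name is what gives you the end-of-day roll without ever truncating a file the server still has open.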

ssorich

I am trying to get a daily copy of the log to a file to send to splunk..... I suppose the arsdoc to a file would work as well....but that would give somebody all day to cover tracks.... I am NOT of the opinion that the database can be easily modified in the first place, but the auditors see it a slightly different way. I'm not sure I can truncate the file each day using arslog unless the OS will let me truncate the file after it is copied- without stopping the task I would not bet on it.

Justin Derrick

Yeah, this all depends on your level of paranoia.  At the end of the day, you need to trust someone to do the work.  Putting high levels of access-level security in place is a good start.  As much as I hate buzzwords, 'blockchain' is the solution to the problem of detecting attempts to alter log data.

The code I posted for you creates a log file name that includes the date on which it was created, so it should meet that requirement.

-JD.
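The tamper-detection point JD makes above (a chain of hashes, which is the part of "blockchain" that actually applies here) can be done in a few lines of shell. This is an added example, not code from the thread or from CMOD: each appended record stores the SHA-256 of the previous record's hash plus its own text, and a verifier walks the file and reports the first record whose link no longer checks. The file format (hash, tab, text) and the function names are choices made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): tamper-evident, hash-chained log records.
# Each line is "<sha256 hex>\t<text>", where the hash covers the previous line's
# hash and this line's text, so editing or deleting any earlier line breaks every
# later link.
GENESIS=0000000000000000000000000000000000000000000000000000000000000000
TAB=$(printf '\t')

# sha256_hex: hex digest of stdin via coreutils sha256sum or BSD/macOS shasum
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# last_hash FILE -> hash stored on the last record, or GENESIS if none yet
last_hash() {
    if [ -s "$1" ]; then
        tail -n 1 "$1" | cut -f1
    else
        printf '%s\n' "$GENESIS"
    fi
}

# chain_append FILE TEXT -> appends one linked record (TEXT must not contain a tab)
chain_append() {
    file=$1
    text=$2
    prev=$(last_hash "$file")
    h=$(printf '%s\n%s' "$prev" "$text" | sha256_hex)
    printf '%s\t%s\n' "$h" "$text" >> "$file"
}

# chain_verify FILE -> 0 if every link checks, 1 (with the line number on stderr)
# at the first record whose hash does not match the recomputed value
chain_verify() {
    file=$1
    prev=$GENESIS
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        h=${line%%"$TAB"*}      # stored hash: everything before the first tab
        text=${line#*"$TAB"}    # record text: everything after it
        want=$(printf '%s\n%s' "$prev" "$text" | sha256_hex)
        if [ "$h" != "$want" ]; then
            echo "chain broken at line $n" >&2
            return 1
        fi
        prev=$h
    done < "$file"
    return 0
}
```

Two things decide whether this actually helps against the "all day to cover tracks" concern. First, the chain only proves internal consistency: someone with write access can rewrite the whole file and recompute every hash, so the value of the scheme comes from shipping the latest hash off the host (for example as part of the daily copy sent to Splunk) and comparing it on verification. Second, `chain_append` forks for the hash, which is fine for a once-a-day export but is exactly the cost JD warns against inside arslog itself; chain the exported file, not every live log call.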

ssorich

Agreed.... Thanks much. I think I am going to run arsdoc 1x per day for the previous day's logs, find the codes associated with user activity, and generate a file to pass to splunk.

ssorich

Your script does indeed roll to a new file overnight...
Thanks!

Justin Derrick

I'm glad I could help with your arslog question!  Take care.

-JD.