HP OpenVMS Systems

ask the wizard

The Question is:

The OpenVMS Documentation says I can use wildcards in the name specification when dumping the security audit file as specified above.  I can't seem to get it to work...
I have a file with an auditing ACE, and it is generating security audit entries when it is accessed.  I can see them when I look at the log with /select=object=class=file, but when I look specifically for that file or use wildcards (using /select=object=name=<my filename>), it produces no results.
What am I missing?  There are no examples of this that I have found.
Please help!

The Answer is :

  Regarding: anal/aud/selec=object=(name=wmsfas.*)-...

  First problem, the OpenVMS Wizard suspects you really want to use:

  Second problem, the file name contains a device and directory
  specification which is significant in the search string. You
  therefore need to specify or wildcard the initial part of your
  file specification.

  (Note that although this is logically a file specification, as
  far as ANALYZE/AUDIT is concerned, it's just a string. So you
  can't think about it as having discrete fields subject to normal
  defaulting rules - you therefore *must* include everything down
  to version numbers, or use wildcards).

  So why doesn't your select work?

  ANALYZE/AUDIT is, of necessity, a rather complex command. This is
  especially true of the /SELECT qualifier. Perhaps the simplest way to
  understand which keyword to use is by observing the field name as
  displayed on a sample of your target audit messages.

  /SELECT=OBJECT=NAME=string will match those records which display
  a field labelled "Object name:". For example (censored slightly):

Auditable event:          System UAF record modification
Event time:               23-AUG-2002 11:41:51.89
PID:                      2020013A
Process name:             **********
Username:                 SYSTEM
Process owner:            [SYSTEM]
Image name:               **********
Object class name:        FILE
Object name:              SYS$CLUSTER:[SYSEXE]SYSUAF.DAT;1
User record:              **********
Last Network Login:       New:      23-AUG-2002 11:41
                          Original: 23-AUG-2002 11:41

  Since your target field is "File name:" you need to use the FILE_NAME

answer written or last revised on ( 24-AUG-2002 )
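
The matching behaviour described in the answer, modelled as an added Python example (not part of the original answer, and not how ANALYZE/AUDIT is implemented): each displayed field is an opaque string matched as a whole, and a selection only sees the field whose label it names. The second sample record, the `%` single-character wildcard and the case-insensitive comparison are assumptions made for the illustration.

```python
import re

# Constructed listing in the display layout shown in the answer. The second
# record (event, device, directory, version) is made up for illustration.
SAMPLE = """\
Auditable event:          System UAF record modification
Object class name:        FILE
Object name:              SYS$CLUSTER:[SYSEXE]SYSUAF.DAT;1
Last Network Login:       New:      23-AUG-2002 11:41
                          Original: 23-AUG-2002 11:41

Auditable event:          Object access
Object class name:        FILE
File name:                _DKA100:[EXAMPLE]WMSFAS.DAT;3
"""

LABEL = re.compile(r"^(\S[^:]*):\s+(.*)$")

def parse_records(text):
    """Split a listing into records, each a dict of displayed label -> value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            m = LABEL.match(line)
            if m:
                last = m.group(1).strip()
                fields[last] = m.group(2).strip()
            elif last and line.strip():
                # An indented line continues the previous field's value.
                fields[last] += " " + line.strip()
        records.append(fields)
    return records

def wild_match(pattern, value):
    """Whole-string match: '*' is any run, '%' any one character (assumed)."""
    rx = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE) is not None

def select(records, label, pattern):
    """Keep records that display `label` and whose value matches `pattern`."""
    return [r for r in records if label in r and wild_match(pattern, r[label])]

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for label, pat in [("Object name", "SYSUAF.*"), ("Object name", "*SYSUAF.DAT;*"),
                       ("Object name", "*WMSFAS.*"), ("File name", "*WMSFAS.*")]:
        print(f"{label!r:14} {pat!r:18} -> {len(select(recs, label, pat))} match(es)")
```

A pattern without the device and directory finds nothing, and a pattern aimed at "Object name" never sees a record that displays its path under "File name".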
