The Question is:
The OpenVMS Documentation says I can use wildcards in the name specification
when dumping the security audit file as specified above. I can't seem to get
it to work...
I have a file with an auditing ACE, and it is generating security audit entries
when it is accessed. I can see them when I look at the log with
/select=object=class=file, but when I look specifically for that file or use
wildcards (using /select=object=name=<my filename>), it produces no results.
What am I missing? There are no examples of this that I have found.
The Answer is:
First problem, the OpenVMS Wizard suspects you really want to use:
Second problem, the file name contains a device and directory
specification which is significant in the search string. You
therefore need to specify or wildcard the initial part of your
(Note that although this is logically a file specification, as
far as ANALYZE/AUDIT is concerned, it's just a string. So you
can't think about it as having discrete fields subject to normal
defaulting rules - you therefore *must* include everything down
to version numbers, or use wildcards).
So why doesn't your select work?
ANALYZE/AUDIT is, of necessity, a rather complex command. This is
especially true of the /SELECT qualifier. Perhaps the simplest way to
understand which keyword to use is by observing the field name as
displayed on a sample of your target audit messages.
/SELECT=OBJECT=NAME=string will match those records which display
a field labelled "Object name:". For example (censored slightly):
    Auditable event:          System UAF record modification
    Event time:               23-AUG-2002 11:41:51.89
    Process name:             **********
    Process owner:            [SYSTEM]
    Image name:               **********
    Object class name:        FILE
    Object name:              SYS$CLUSTER:[SYSEXE]SYSUAF.DAT;1
    User record:              **********
    Last Network Login:       New:      23-AUG-2002 11:41
                              Original: 23-AUG-2002 11:41
Since your target field is "File name:" you need to use the FILE_NAME