Enable and disable security audits


You can enable and disable security audits in HPOM globally by setting the value Turn on in general in the auditing namespace in the Server Configuration dialog box. Security audits are disabled by default and can only be enabled by setting Turn on in general to True.

NOTE:
Changing the value of Turn on in general is not sufficient by itself to enable or disable the security-auditing feature. You also have to restart the HPOM services that you want to audit, for example: OvPmad (policy management and deployment).

After you set Turn on in general to True and restart the services, you can change the value of Turn on at runtime to enable and disable auditing without having to restart the resources and services again. Auditable events are written to the HPOM custom event log. Normal events which cannot (or do not need to) be audited, such as application errors and warnings, are written to the standard Windows event log.

The auditing namespace also contains values for enabling and disabling each auditable event source, for example:

You can enable or disable auditing of each event source at any time either individually or collectively.

To enable or disable auditing globally for the first time

The steps described in this procedure allow you to enable or disable auditing globally, that is, for all HPOM components that are able to write to the HPOM custom log for auditing.

CAUTION:
This procedure is not recommended for enabling or disabling auditing on an HPOM management server that is running in a high-availability cluster. For more information, see Security audits in a high-availability environment.

  1. In the console tree, right-click Operations Manager, and then click Configure → Server.... The Server Configuration dialog opens.
  2. Click Namespaces, and then click Auditing. A list of values appears.

  3. Set the value of Turn on in general as follows:
    • Enable auditing: True
    • Disable auditing: False
  4. Click Apply.
  5. Restart the services associated with the event sources you want to audit. You can do this globally with the following two commands:

    c:\>net stop winmgmt

    c:\>vpstat -3 -r

    Alternatively, you can restart services individually (or in a batch file) as follows:

    c:\>net stop WinMgmt
    c:\>net stop OvSecurityServer
    c:\>net start OvSecurityServer
    c:\>net start OvPmad
    c:\>net start OvEpStatusEngine
    c:\>net start OvOWReqCheckSrv
    c:\>net start OvAutoDiscovery

    NOTE:
    After you restart the services, you can change the value of Turn on at runtime to enable and disable auditing without having to restart the services again.
  6. Start the Windows Event Viewer and, in the console tree, click the OvConfigChanges item.
  7. You can now control auditing more quickly and accurately using the procedure below.

The sample VB script "SetAuditing.vbs" in the directory "examples\OvOW\Policy Management\scripts" can be used to enable or disable auditing globally. For example, calling "cscript.exe SetAuditing.vbs /enable" enables auditing.
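
Steps 5 and 6 of the procedure above can be scripted so that the service restart and the check of the audit log happen in one pass. The following PowerShell script is an added example, not part of the HPOM product or its documentation; it assumes that the OvConfigChanges item shown in the Event Viewer is also the name of the event log, and that it runs in an elevated session on a management server that is not in a high-availability cluster.

```powershell
# Added example (not HP's script). Run elevated on the management server.
# Assumption: the Event Viewer item "OvConfigChanges" is also the log's name.
$auditLog = 'OvConfigChanges'

# Service names and order are taken from the individual-restart commands in step 5.
$toStop  = 'WinMgmt', 'OvSecurityServer'
$toStart = 'OvSecurityServer', 'OvPmad', 'OvEpStatusEngine',
           'OvOWReqCheckSrv', 'OvAutoDiscovery'

$restartBegan = Get-Date

foreach ($name in $toStop) {
    # -Force also stops dependent services, which "net stop" does only after a prompt.
    Stop-Service -Name $name -Force -ErrorAction Stop
}
foreach ($name in $toStart) {
    Start-Service -Name $name -ErrorAction Stop
}

# A service that stayed down produces no audit events, so list any that are not running.
$down = Get-Service -Name ($toStart + 'WinMgmt') | Where-Object { $_.Status -ne 'Running' }
if ($down) {
    Write-Warning ("Not running after restart: " + ($down.Name -join ', '))
}

# Step 6: confirm that the custom audit log exists and show what it has received.
$log = Get-WinEvent -ListLog $auditLog -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Event log '$auditLog' was not found on this server."
    return
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $auditLog; StartTime = $restartBegan } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, ProviderName, Id, Message | Format-List
} else {
    # An empty result is expected until an audited action takes place.
    Write-Output "No entries in '$auditLog' since $restartBegan."
}
```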

To manage auditing for individual event sources

This procedure allows you to enable or disable auditing at runtime for individual or multiple event sources, without having to restart any associated Windows services for the change to take effect.

NOTE:
The values that you modify in this procedure only take effect after auditing has been enabled globally for the first time and the Windows services that you want to audit have been restarted.

  1. In the console tree, right-click Operations Manager, and then click Configure → Server.... The Server Configuration dialog opens.
  2. Click Namespaces, and then click Auditing. A list of values appears.

  3. Set the value of Turn on at runtime as follows:
    • Enable auditing: True
    • Disable auditing: False
  4. Click Apply.
  5. To enable or disable auditing for individual event sources:
    1. Set the value of Turn on at runtime to True.
    2. Set values for the individual event sources that you want to enable or disable, for example:
      • Turn on action execution auditing
      • Turn on agent certificate request handling auditing
      • Turn on config change auditing
      • Turn on forwarded message change auditing
      • Turn on local message change auditing
      • Turn on outage auditing
      • Turn on policy management and deployment auditing
      • Turn on user roles configuration auditing
    3. Set the values to True (enabled) or False (disabled), as required, and then click Apply.
