There are two configuration files involved in starting the VMware Smart Assurance Audit Log Adapter. These files are located in the BASEDIR/<productsuite>/smarts/local/conf/audit_parse directory.
The two configuration files are:
- audit_table.conf: contains data tables that control the output of the audit log adapter. These tables indicate how to process different entries.
- adapter_name.conf: specifies the location of the raw audit log file to be parsed. The BaseSmartsDir and AuditInputFile parameters in this file must be modified to provide the location of the raw audit log file <server_name>_audit.log. You can edit the adapter_name.conf file by using the sm_edit utility.
  The BaseSmartsDir parameter specifies the base directory path for VMware Smart Assurance software (for example, /opt/InCharge/IP/smarts/).
  The AuditInputFile parameter specifies the log file from which to parse output. This value must be relative to the BaseSmartsDir parameter above (for example, local/logs/INCHARGE-AM_audit.log).
There are also three ASL files involved in invoking the Audit Log Adapter. These files are located in the BASEDIR/<productsuite>/smarts/local/rules/audit_parse directory. The three ASL files are:
- parse_audit_log.asl: parses the audit log output from the server and creates the final audit log file using the information in the audit_table.conf file.
- import_audit_tables.asl: reads the audit_table.conf file.
- import_audit_params.asl: reads the adapter_name.conf file.
To start the Audit Log Adapter, you must perform the following steps:
- Before the Audit Log Adapter is started, there must be an existing raw audit log file for the adapter to parse. A raw audit log file is created only when the server has been started and a Global Console attaches. To avoid this dependency on the startup order, create an empty raw audit log file before starting the adapter by running the following commands:
  - cd <base smarts dir>
    where <base smarts dir> is the base VMware Smart Assurance directory where the server is running
  - cd local/logs
  - touch <server_name>_audit.log
- Copy the adapter_name.conf file from the BASEDIR/<productsuite>/smarts/conf/audit_parse directory to the BASEDIR/<productsuite>/smarts/local/conf/audit_parse directory. Rename the adapter_name.conf file to <adapter_name>.conf.
  For example, if you are going to start the INCHARGE-AM-AUDIT adapter, copy and rename the adapter_name.conf file to INCHARGE-AM-AUDIT.conf.
- Edit the <adapter_name>.conf file to contain the appropriate BaseSmartsDir and AuditInputFile parameters to provide the correct location of the raw audit log file to be parsed. The BaseSmartsDir and AuditInputFile parameters are described above in the description of the adapter_name.conf file.
  Also edit the path in the file to point to the location of the log file, <server_name>_audit.log.
  Note: To have the same adapter installation run two separate adapters connecting to two different raw audit logs, you can create two separate <adapter_name>.conf files, each specifying a different raw audit log file. This enables you to start two different adapter processes with different adapter names.
- Edit the bootstrap.conf file to comment out the RuleSet as follows:
  #RuleSet = "audit-parse/init.asl"
- Start the Audit Log Adapter from the command line using the following command:
  BASEDIR/<product_suite>/smarts/bin/sm_server -n <adapter_name> --config=audit_parse --output --daemon
After the adapter is invoked, it runs as a server.
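The first two preparation steps above, as an added shell example that is not part of the VMware documentation. The function name prepare_audit_adapter and the umask value are assumptions of this example; the parameter edits are left to sm_edit because the page does not show the conf file syntax.

```shell
#!/bin/sh
# Added example, not vendor code. Both directory arguments stand for
# BASEDIR/<productsuite>/smarts (server side and adapter side).
# Usage: prepare_audit_adapter SERVER_DIR ADAPTER_DIR SERVER_NAME ADAPTER_NAME
prepare_audit_adapter() {
    [ "$#" -eq 4 ] || { echo "expected 4 arguments" >&2; return 2; }
    server_dir=${1%/}; adapter_dir=${2%/}; server=$3; adapter=$4

    # Both names end up in file names, so refuse empty values and path separators.
    for name in "$server" "$adapter"; do
        case $name in
            ''|*/*) echo "invalid name: '$name'" >&2; return 2 ;;
        esac
    done

    audit_input="local/logs/${server}_audit.log"  # AuditInputFile (relative)
    raw_log="$server_dir/$audit_input"            # BaseSmartsDir + AuditInputFile
    template="$adapter_dir/conf/audit_parse/adapter_name.conf"
    target="$adapter_dir/local/conf/audit_parse/$adapter.conf"

    [ -f "$template" ] || { echo "missing template: $template" >&2; return 1; }
    mkdir -p "${raw_log%/*}" "${target%/*}" || return 1

    # Step 1: create the empty raw audit log only when it is absent, so an
    # existing log is left alone. umask 027 is an assumption of this example
    # (server and adapter share a user or group); it keeps the new log from
    # being world-readable.
    [ -e "$raw_log" ] || ( umask 027; touch "$raw_log" ) || return 1

    # Step 2: copy and rename the template, keeping a conf that was already edited.
    if [ -e "$target" ]; then
        echo "keeping existing $target" >&2
    else
        cp "$template" "$target" || return 1
    fi

    # The remaining steps stay manual; print the values and the page's command.
    echo "BaseSmartsDir:  $server_dir/"
    echo "AuditInputFile: $audit_input"
    echo "start: $adapter_dir/bin/sm_server -n $adapter --config=audit_parse --output --daemon"
}

if [ "$#" -eq 4 ]; then prepare_audit_adapter "$@"; fi
```

Running it a second time changes nothing on disk, so it is safe to call from a startup wrapper before sm_server.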
There are two output files associated with the adapter:
- <adapter_name>.log: the output file from running the adapter.
- <server>_audit.log-final: the final audit log output.
These two files are located in the local/logs directory relative to the adapter. So, if the adapter is installed in a different base directory from the server it is auditing, the adapter reads the raw audit log file from the server's local/logs directory and writes the final audit log file to the adapter's local/logs directory.