16.1 Native Windows Event Log

To allow you to review and report on assistant administrator actions, DRA logs all user operations in the log archive on the Administration server computer. User operations include all attempts to change definitions, such as updating user accounts, deleting groups, or redefining ActiveViews. DRA also logs specific internal operations, such as Administration server initialization and related server information. In addition to logging these audit events, DRA logs the before and after values for the event so that you can see exactly what changed.

DRA securely stores archived log data in a folder named NetIQLogArchiveData, called the log archive. DRA archives the logs over time and then deletes older data to make room for newer data through a process called grooming.

DRA uses the audit events stored in the log archive files to display Activity Detail reports, such as showing what changes have been made to an object during a specified time period. You can also configure DRA to export information from these log archive files to a SQL Server database that NetIQ Reporting Center uses to display Management reports.

DRA always writes audit events to the log archive. You can also enable or disable writing these events to the Windows event log.

16.1.1 Enabling and Disabling Windows Event Log Auditing for DRA

When you install DRA, audit events are not logged in the Windows event log by default. You can enable this type of logging by modifying a registry key.

WARNING: Be careful when editing your Windows Registry. If there is an error in your Registry, your computer may become nonfunctional. If an error occurs, you can restore the Registry to its state when you last successfully started your computer. For more information, see the Help for the Windows Registry Editor.

To enable event auditing:

  1. Click Start > Run.

  2. Type regedit in the Open field and click OK.

  3. Expand the following registry key: HKLM\Software\WOW6432Node\Mission Critical Software\OnePoint\Administration\Modules\ServerConfiguration\.

  4. Click Edit > New > DWORD Value.

  5. Enter IsNTAuditEnabled as the key name.

  6. Click Edit > Modify.

  7. Enter 1 in the Value data field and click OK.

  8. Close Registry Editor.

To disable event auditing:

  1. Click Start > Run.

  2. Type regedit in the Open field and click OK.

  3. Expand the following registry key: HKLM\Software\WOW6432Node\Mission Critical Software\OnePoint\Administration\Modules\ServerConfiguration\.

  4. Select the IsNTAuditEnabled key.

  5. Click Edit > Modify.

  6. Enter 0 in the Value data field and click OK.

  7. Close Registry Editor.

16.1.2 Ensuring Auditing Integrity

To ensure that all user actions are audited, DRA provides alternate logging methods when the product cannot verify logging activity. When you install DRA, the AuditFailsFilePath key and path are added to your registry to ensure the following actions:

  • If DRA detects that audit events are no longer being logged in a log archive, DRA logs the audit events in a local file on the Administration server.

  • If DRA cannot write audit events to a local file, DRA writes audit events to the Windows event log.

  • If DRA cannot write audit events to the Windows event log, the product writes audit events to the DRA log.

  • If DRA detects that audit events are not being logged, it blocks further user operations.

To enable write operations when the log archive is unavailable, you must also set a registry key value for the AllowOperationsOnAuditFailure key.

WARNING: Be careful when editing your Windows Registry. If there is an error in your Registry, your computer may become nonfunctional. If an error occurs, you can restore the Registry to its state when you last successfully started your computer. For more information, see the Help for the Windows Registry Editor.

To enable write operations:

  1. Click Start > Run.

  2. Type regedit in the Open field and click OK.

  3. Expand the following registry key: HKLM\Software\WOW6432Node\Mission Critical Software\OnePoint\Administration\Audit\.

  4. Click Edit > New > DWORD Value.

  5. Enter AllowOperationsOnAuditFailure as the key name.

  6. Click Edit > Modify.

  7. Enter 736458265 in the Value data field.

  8. Select Decimal in the Base field and click OK.

  9. Close Registry Editor.
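
To confirm the result of the procedures in 16.1.1 and 16.1.2 without opening Registry Editor, the following read-only PowerShell check reports the current state of both registry values. It is an added example, not part of the DRA product or its documentation; the function names and the wording of the output are assumptions, and only the registry paths, value names and data values come from this page.

```powershell
# Added example: read-only check of the two DRA auditing values on this page.
# Run on the Administration server; nothing is written to the registry.
$base = 'HKLM:\Software\WOW6432Node\Mission Critical Software\OnePoint\Administration'
$allowOpsValue = 736458265   # decimal data value given in the "enable write operations" steps

# Hypothetical helper: returns the value data, or $null if the key or value is absent.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Hypothetical helper: renders a missing value distinctly from a value of 0.
function Format-RegValue {
    param($Value)
    if ($null -eq $Value) { return '(not set)' }
    return [string]$Value
}

$ntAudit  = Get-RegValueOrNull "$base\Modules\ServerConfiguration" 'IsNTAuditEnabled'
$allowOps = Get-RegValueOrNull "$base\Audit" 'AllowOperationsOnAuditFailure'

# 16.1.1: 1 enables Windows event log auditing; absent (the install default) or 0 leaves it off.
if ($ntAudit -eq 1) {
    $ntMeaning = 'Audit events are also written to the Windows event log'
} else {
    $ntMeaning = 'Not set to 1: Windows event log auditing is not enabled'
}

# 16.1.2: only the documented data value enables write operations on audit failure.
if ($allowOps -eq $allowOpsValue) {
    $opsMeaning = 'Write operations are allowed while the log archive is unavailable'
} else {
    $opsMeaning = 'Documented enabling value is not present'
}

@(
    [pscustomobject]@{ Setting = 'IsNTAuditEnabled'
                       Data    = Format-RegValue $ntAudit
                       Meaning = $ntMeaning }
    [pscustomobject]@{ Setting = 'AllowOperationsOnAuditFailure'
                       Data    = Format-RegValue $allowOps
                       Meaning = $opsMeaning }
) | Format-Table -AutoSize -Wrap
```

Running the check on a schedule and comparing the output against the intended configuration shows when either value has been changed outside the documented procedure.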