Auditing

Logging certain key events in a secure audit database is a major aspect of InterSystems security. Caché allows you to monitor events and add entries to the audit database when those events occur. These events can be within Caché itself or part of an application. The knowledge that all activities are being monitored and that all logs can be reviewed is often an effective deterrent.

This chapter provides information on various topics:

Note:

This chapter describes how to manage audit events with the Management Portal. To manage audit events programmatically, use the Security.EventsOpens in a new tab class.

Basic Auditing Concepts

Caché allows you to enable or disable auditing for the entire Caché instance. When auditing is enabled, Caché logs all requested events. Auditable events fall into two categories:

System audit events — Caché system events that are only logged if they are explicitly enabled.
User—defined audit events — Application events, which are only logged if they are explicitly enabled.

Caché system events are built-in events that monitor actions within Caché, such as start-up, shutdown, logins, and so on; security-related events, such as changes to security or audit settings; and Ensemble-related events, such as changes to a schema or production configuration. Ensemble-related events appear only on Ensemble instances.

Caché does not automatically audit database activity, such as inserts, updates, or deletes for a table, because this kind of activity typically generates so many audit entries as to be useless — or even counterproductive — due to the performance impact on the system. For example, if a medical records application were to log all access to patient medical information, then one such access event might result in hundreds or thousands of database accesses. It is much more efficient to have the application create a single audit entry, rather than have the database manager generate thousands.

Enabling or Disabling Auditing

In the Auditing menu (System Administration > Security > Auditing), there are selections to enable and disable auditing. If the Enable Auditing choice is available, this means that auditing is disabled; if the Disable Auditing choice is available, this means that auditing is enabled. Caché auditing is disabled by default for minimal-security installations; it is enabled by default for normal and locked-down installations.”

Enabling Auditing

To turn on auditing, on the Auditing menu (System Administration > Security > Auditing), select the Enable Auditing choice.

Disabling Auditing

To turn off auditing, on the Auditing menu (System Administration > Security > Auditing), select the Disable Auditing choice.

If you enable (turn on) auditing, then Caché audits:

All system events that are enabled
All user-defined events that are enabled

Elements of an Audit Event

Audit information is available in the CACHEAUDIT database. New entries are added to the end of the log. When you view the audit log, you see the following elements for each entry:

Time (also called UTCTimestamp)

UTC date/time when the event was logged.

Event Source*

The component of the Caché instance that is the source of the event. For system events, this is “%System” or “%Ensemble”. For user-defined events, the name can be any string that includes alphanumeric characters or punctuation, except for colons and commas; it can begin with any of these characters except for the percent sign. This can be up to 64 bytes.

Event Type*

Categorizing information for the event. This string can include any alphanumeric characters or punctuation, except for colons and commas; it can begin with any of these characters except for the percent sign. This can be up to 64 bytes.

Event* (also called Event Name)

Identifier of the event being logged. This string can include any alphanumeric characters or punctuation, except for colons and commas; it can begin with any of these characters except for the percent sign. This can be up to 64 bytes.

PID (also known as a Process ID)

Operating system ID of the Caché process that logged the event. Caché uses the OS PID in its native form.

Web Session (search results only)

The session ID, if there is one, of the web session that caused the event.

User (also called Username)

Value of $USERNAME for the process that logged the event.

Description

A field of up to 128 characters that applications can use to summarize the audit event. This field is intended for a user-readable explanation or display (as compared to the combination of EventSource, EventType, and Event, which uniquely define the audit event).

*Each different kind of event is uniquely identified by the combination of its EventSource, its EventType, and the Event itself.

When you click Details, you see some of the same elements and the following additional elements:

Timestamp

Date/time when the event was logged, in local time.

JobId

ID of the job.

IP Address

IP address of client associated with the process that logged the event.

Executable

The client application associated with the process that logged the event, if there is one.

System ID

The machine and Caché instance that logged the event. For example, for the machine MyMachine and the instance MyInstance, the system ID is MyMachine:MyInstance.

Index

The index entry in the data structure containing the audit log.

Roles

For all events except LoginFailure, the value of $ROLES for the process that logged the event. For LoginFailure, a value of “”, as the user is not logged in.

Namespace

The namespace that was current when the event was logged.

Routine

The routine or subroutine that was running when the event was logged.

User Info

User-defined information about the process, added programmatically via the %SYS.ProcessQueryOpens in a new tab interface.

O/S Username

Username given to the process by the operating system. When displayed, this is truncated to 16 characters.

This is the actual operating system username only for UNIX® systems.

For Windows:

For a console process, this is the operating system username.
For Telnet, this is the $USERNAME of the process.
For client connections, this is the operating system username of the client.

Status

The value of any %StatusOpens in a new tab object that was audited.

Event Data

A memo field where applications can store up to 3632952 bytes of data associated with the audit event. For example, it can contain a set of application values at the time of the event or can summarize the old and new states of a record or field.

About System Audit Events

System audit events are predefined events that are available for auditing by default. General information about them appears in the table on the System Audit Events page (System Administration > Security > Auditing > Configure System Events), where the columns are:

Event Name — The Event Source (which is %System or %Ensemble), Event Type, and Event proper, all together and concatenated with slashes (“/”).
Enabled — Whether or not the event is enabled (turned on) for auditing.
Total — The number of events of this type that have occurred since the last startup of Caché.
Written — The number of events of this type that have been written to the audit log since the last startup of Caché. This number may differ from the total occurrences.
Reset — Allows you to clear the audit log for this event reset its counter to zero. For more information on counters, see “About Counters.”
Change Status — Allows you to enable or disable the event. For more information on these actions, see the “Enabling or Disabling an Audit Event” section.

They monitor events within Caché or Ensemble and are distinguishable by their Event Source value of %System or %Ensemble:

System Audit Events

Event Source	Event Type and Event	Occurs When	Event Data Contents	Default Status
%Ensemble	%Message ViewContents	A user views the contents of a message in the Message Viewer.	Metadata about the message. Only on Ensemble instances.	On
%Ensemble	%Production ModifyConfiguration	A user modifies the configuration of a production.	A summary of the change. Only on Ensemble instances.	On
%Ensemble	%Production StartStop	A user starts or stops a production.	Action (start or stop) and the username for the initiator of the action. Only on Ensemble instances.	On
%Ensemble	%Schema Modify	A user creates, modifies, or deletes a schema structure.	A summary of the change. Only on Ensemble instances.	On
%System	%DirectMode/ DirectMode	Any command is executed in direct mode.	The text of command.	Off
%System	%Login/ JobEnd	The JOB command ends a background job.	None. See the Description for the name of the routine or class method.	Off
%System	%Login/ JobStart	The JOB command starts a background job.	None. See the Description for the name of the routine or class method.	Off
%System	%Login/ Login	A user successfully logs in.	The protocol, port number, process ID, and application associated with the login. The user’s login roles.	Off
%System	%Login/ LoginFailure	A login attempt fails.	Username.	Varies*
%System	%Login/ Logout	A user logs out.	The application (and, if relevant, the class) associated with the logout.	Off
%System	%Login/ TaskEnd	The Task Manager ends a process.	None. See the Description for the name of the task.	Off
%System	%Login/ TaskStart	The Task Manager starts a process.	None. See the Description for the name of the task.	Off
%System	%Login/ Terminate	A process terminates abnormally.	Varies, as does the Description field’s content; see below.	Off
%System	%SMPExplorer/ Change	Data is altered using the Portal, such as by creating, editing, deleting, compiling, dropping, replacing, or purging classes or tables.	Varies, as does the Description field, depending on the action taken. Includes relevant content such as the compile flags or the schema and table being dropped.	Off
%System	%SMPExplorer/ ExecuteQuery	A query is executed using on the Portal’s SQL page.	The syntax of the executed query.	Off
%System	%SMPExplorer/ Export	Data is exported through the Portal.	The options selected for data export.	Off
%System	%SMPExplorer/ Import	Data is imported through the Portal.	The options selected for data import.	Off
%System	%SMPExplorer/ ViewContents	Data is viewed through the Portal.	The filters that determined what data was viewed. The Description field specifies what was viewed, such as a list of classes, an individual global, or process information.	Off
%System	%SQL/ DynamicStatement	A dynamic SQL call is executed.	The statement text and the values of any host-variable arguments passed to it. If the total length of the statement and its parameters exceeds 3,632,952 characters, the event data is truncated.	Off
%System	%SQL/ EmbeddedStatement	An embedded SQL call is executed. See below for usage details.	The statement text and the values of any host-variable arguments passed to it. If the total length of the statement and its parameters exceeds 3,632,952 characters, the event data is truncated.	Off
%System	%SQL/ PrivilegeFailure	Event defined, but not available for auditing until a future release.	N/A	Off
%System	%SQL/ XDBCStatement	A remote SQL call is executed using ODBC or JDBC.	The statement text and the values of any host-variable arguments passed to it. If the total length of the statement and its parameters exceeds 3,632,952 characters, the event data is truncated.	Off
%System	%Security/ ApplicationChange	An application definition is created, changed, or deleted.	Action (create new, modify, or delete), old and new application data.	On
%System	%Security/ AuditChange	Auditing is stopped or started, entries are erased or deleted, or the list of events being audited is changed.	Action (stop, start, erase, delete, or specify), old and new audit settings.	On
%System	%Security/ AuditReport	Any standard audit report is run.	Identification of audit report.	On
%System	%Security/ DBEncChange	There is a change related to database or data-element encryption.	Varies, as does the Description field’s content. See below.	On
%System	%Security/ DocDBChange	A document database application definition is created, changed, or deleted.	A summary of the change and a list of the current values, if applicable.	On
%System	%Security/ DomainChange	A domain definition is created, changed, or deleted.	Action (new, modify, delete), old and new domain data.	On
%System	%Security/ KMIPServerChange	A KMIP server definition is created, changed, or deleted, or KMIP servers are exported or imported.	A summary of the action and a list of the current values, if applicable. See the Description for additional details.	On
%System	%Security/ LDAPConfigChange	An LDAP configuration is created, changed, or deleted.	A summary of the change and a list of the current values, if applicable.	On
%System	%Security/ OpenAMIdentityServicesChange	OpenAM Identity Services records are exported or imported.	File name and the number of records exported to or imported from the file.	On
%System	%Security/ PhoneProvidersChange	Event defined, but not available for auditing until a future release.	N/A	On
%System	%Security/ Protect	A process generates a security protection error.	The error.	Off
%System	%Security/ ResourceChange	A resource definition is created, changed, or deleted.	Action (new, modify, or delete), old and new resource data.	On
%System	%Security/ RoleChange	A role definition is created, changed, or deleted.	Action (create new, modify, or delete), old and new role data.	On
%System	%Security/ SSLConfigChange	An SSL/TLS configuration’s settings are changed.	The changed fields with old and new values.	On
%System	%Security/ ServiceChange	A service’s security settings are changed.	Old and new service security settings.	On
%System	%Security/ SystemChange	System security settings are changed.	Old and new security settings.	On
%System	%Security/ UserChange	A user definition is created, changed, or deleted.	Action (create new, modify, or delete), old and new user data.	On
%System	%Security/ X509CredentialsChange	A user creates, updates, or deletes a set of X.509 credentials.	Varies by event. See below	On
%System	%Security/ X509UserChange	Event defined, but not available for auditing until a future release.	N/A	On
%System	%System/ AuditRecordLost	An audit entry has not been added to the audit database due to resource limitations that constrain the audit system (such as disk or database full).	None.	On
%System	%System/ ConfigurationChange	Caché successfully starts with a configuration different than the previous start, a new configuration is activated while Caché is running, or a lock is deleted through the Portal or through the ^LOCKTAB utility.	Username for the user who made the change; previous and new values of the changed element. For deleted locks, information about which lock was deleted.	On
%System	%System/ DatabaseChange	There are changes to database properties. See below.	Details about the particular change. See below.	On
%System	%System/ JournalChange	Journaling is started or stopped for a database or process.	When journaling is started, the name of the database and its maximum size; when journaling is stopped, none.	On
%System	%System/ OSCommand	An operating-system command is issued from within the system, such as through a call to the $ZF(-100) function.	The operating system command that was invoked; the directory in which it was invoked; and any flags associated with the command.	On
%System	%System/ RoutineChange	A method or routine is compiled or deleted on the local instance. For more details, see below.	No content, though the Description field depends on the change itself; see below.	Off
%System	%System/ Start	The system starts.	Indication of whether recovery was performed.	On
%System	%System/ Stop	Caché is shut down.	None.	On
%System	%System/ SuspendResume	A process is suspended or resumed.	The process ID of the process.	Off
%System	%System/ UserEventOverflow	An application attempts to log an undefined event.	The name of the event that the application attempted to log.	On

*The LoginFailure event is off by default for minimal-security installations; it is on by default for normal and locked-down installations.

Important:

If auditing is enabled, then all enabled events are audited.

About the %System/%Login/Logout and %System/%Login/Terminate Events

A process generates a %System/%Login/Logout event if the process ends because of:

A HALT command
Exiting application mode because of a QUIT command
Executing the TerminateOpens in a new tab method of the SYS.ProcessOpens in a new tab class to terminate itself (which is the same as executing HALT).

A process generates a %System/%Login/Terminate event if the process exits for any other reason, including:

The user closes the Terminal window, resulting in a Terminal disconnect. If the process is in application mode, the Description field of the audit record includes the statement “^routinename client disconnect” (where routinename is the first routine that the process ran); if the process is in programmer mode, the Description field includes the statement “Programmer mode disconnect.”
A Terminal session is ended by an action in another process, including ^RESJOB, ^JOBEXAM, or the Management Portal. If the process is in application mode, the Description field of the audit record includes the statement “^routinename client disconnect” (where routinename is the first routine that the process ran) ; if the process is in programmer mode, the Description field includes the statement “Programmer mode disconnect.” Note that the event data will contain the pid of the process which terminated them.
A core dump or process exception. When a process gets a core dump or exception, it is too late for it to write to the audit file. Therefore, when the clean daemon runs to clean up the state of the process, it writes an audit record to the log with a description “Pid <process nunber> Cleaned”.
A TCP Client disconnect. When a process detects that a client has disconnected, this results in an audit record with a Description field which contains the name of the executable that disconnected, such as “<client application> client disconnect”.

About the %System/%SQL/EmbeddedStatement Event

To use the %System/%SQL/EmbeddedStatement event, you must both enable the event and the #sqlcompile audit macro preprocessor directive:

 #sqlcompile audit = ON

For reference information, see the “#sqlcompile audit” section in the “ObjectScript Macros and the Macro Preprocessor” chapter of Using ObjectScript.

If %System/%SQL/EmbeddedStatement is enabled, then executing any embedded SQL after a #sqlcompile audit = ON directive generates an EmbeddedStatement audit event. For example:

   ...
 #sqlcompile audit = ON
   ...
  &sql(delete from MyTable where %ID = :id)
  // This statement is audited at runtime if %System/%SQL/EmbeddedStatement is enabled.

   ...

 #sqlcompile audit = OFF
   ...
  &sql(delete from MyOtherTable where %ID = :id)
  // This statement is not audited at runtime even if %System/%SQL/EmbeddedStatement is enabled.
   ...

Because an application may have hundreds or thousands of SQL statements (such as those generated as part of compiled class code and those included in system code), the combination of the audit event and the preprocessor directive allows you to be selective in defining which embedded SQL statements to audit.

Additional notes:

The #sqlcompile audit = ON directive on an INSERT, UPDATE, or DELETE statement does not cause the embedded SQL code in any trigger to be audited. To audit a nested SQL statement, you must include an additional #sqlcompile audit = ON directive in the nested code. For example, if trigger code contains embedded SQL, there must be a #sqlcompile audit = ON directive in that trigger code.
The results of the audited statement are not recorded.

You can audit all embedded SQL statements except:

%BEGTRANS
%CHECKPRIV
%INTRANS
%INTRANSACTION
COMMIT
GET
ROLLBACK
SAVEPOINT
SET OPTION
STATISTICS

About the %System/%Security/DBEncChange Event

A process generates a %System/%Security/DBEncChange event because of:

Encryption key activation
Encryption key deactivation
Encryption key and key file creation
Encryption key file modification
Encryption settings modification, such as enabling interactive database encryption activation at startup.

The EventData includes data relevant to the event, such as the encryption key ID and key file or a key file administrator name.

About the %System/%Security/X509CredentialsChange Event

For create or update operations, the event data lists the changed properties, subject to security considerations. For Subject Key Identifier and Thumbprint, the event data is a hexadecimal string of space-separated one-byte words; for Certificate, PrivateKey, PrivateKeyPassword, and PrivateKeyType, there is no event data.

For delete operations, there is no event data.

About the %System/%System/DatabaseChange Event

A process generates a %System/%System/DatabaseChange because of any of the following changes to a database:

Creation
Modification
Mounting
Dismounting
Compaction
Truncation
Global compaction
Defragmentation

For creation and modification, changes to the following properties cause auditing events (which are included in the event data):

BlockSize (Create only)
ClusterMountMode (Cluster systems only)
ExpansionSize
GlobalJournalState
MaxSize
NewGlobalCollation
NewGlobalGrowthBlock
NewGlobalIsKeep
NewGlobalPointerBlock
ReadOnly
ResourceName
Size

For mounting and dismounting, the event data records the database that was mounted or dismounted. For compaction, truncation, global compaction, and defragmentation, the event data includes include the parameters that the user selected.

About the %System/%System/RoutineChange Event

A process generates a %System/%System/RoutineChange event because a routine has been compiled or deleted. When enabled, this event causes a record to be written to the audit log whenever a routine or class is compiled. The Description field of the audit record includes the database directory where the modification took place, what routine or class was modified, and the word “Deleted” if the routine was deleted.

Caché audits events on the local server but not for associated instances. For example, if one instance of Caché is an application server that is associated with another instance that is a database server, creating and compiling a new routine on the application server is not audited on the database server, even if the RoutineChange audit event is enabled on the database server. To create a comprehensive list of all changes on all associated instances, enable the relevant events on all the instances and combine their audit logs.

Managing User-Defined Audit Events

This section includes the following topics:

For information on enabling or disabling a user-defined audit event, see “Enabling or Disabling an Audit Event.”

About User-Defined Audit Events

In addition to system events, Caché allows you to create custom events that your application can be add to the audit database. These are known as user-defined audit events or user audit events.

All currently defined events are listed on the User-Defined Audit Events page (System Administration > Security > Auditing > Configure User Events).

Creating a User-Defined Audit Event

For Caché to audit a user-defined event, it must be added to the list of events and then enabled. The procedure is:

In the Management Portal, go to the User-Defined Audit Events page (System Administration > Security > Auditing > Configure User Events).
Click Create New Event. This displays the Edit Audit Event page.
On this page, enter values in the Event Source, Event Type, Event Name, and Description fields where these components have the purposes described in “ Elements of an Audit Log Entry.”
By default, the Enabled check box on this page is selected. Click it to disable the event.
Click the page’s Save button to create the event.
Make sure that auditing is enabled.
Once the event is defined and auditing is enabled, you can add the event to the audit log by executing the following command:
```
Do $SYSTEM.Security.Audit(EventSource,EventType,Event,EventData,Description)
```
using the EventSource, EventType, Event, and EventData values that you defined in the Portal. For more details, see the section “ Adding an Entry to the Audit Log.”

Adding an Entry to the Audit Log

Applications can add their own entries to the audit log with the $SYSTEM.Security.Audit function:

Do $SYSTEM.Security.Audit(EventSource,EventType,Event,EventData,Description)

where EventSource, EventType, Event, EventData, and Description are as described in the section “Elements of an Audit Log Entry.” Both the EventData and Description arguments can hold variables or literal values (where strings must appear in quotation marks). Caché provides all other elements of the log item automatically.

The content of EventData can span multiple lines. Its content is processed in a manner similar to the argument of the ObjectScript Write command, so it uses the following form:

"Line 1"_$Char(13,10)_"Line 2"

In this case, the content listed in the Audit Detail is displayed as “Line 1”, then $Char(13,10) is a carriage return and line feed, then there is “Line 2”.

For example, a medical records application from XYZ Software Company might use values such as:


 $SYSTEM.Security.Audit(
     "XYZ Software",
     "Medical Record",
     "Patient Record Access",
     765432,
     "Access to medical record for patient 765432"
     )

Note that the application uses the EventData element to record the ID of the patient whose record was accessed.

Further, if there is an “XYZ Software/Record Update/Modify Assignment” event defined and enabled, then the following code changes the value of a user-selected element of a list and notes the change in the audit database:

 For i=1:1:10 {
     Kill fVal(i)
     Set fVal(i) = i * i
 }

 Read "Which field to change? ",fNum,!
 Read "What is the new value? ",newVal,!
 Set oldVal = fVal(fNum)
 Set fVal(fNum) = newVal
 Set Data = "Changed field " _ fNum _ " from " _ oldVal _ " to "_ newVal _ "."
 Set Description = "Record changed by user with an application manager role"
 Do $SYSTEM.Security.Audit(
     "XYZ Software", 
     "Record Update", 
     "Modify Assignment",
     Data,
     Description
 )
 Write "Field changed; change noted in audit database."

Audit returns 1 or 0 to indicate that the addition succeeded or failed.

No privilege is required to add an entry to the audit log.

Deleting a User-Defined Audit Event

To delete a user event:

From the Management Portal home page, go to the User-Defined Audit Events page (System Administration > Security > Auditing > Configure User Events).
On this page, locate the event that you wish to enable or disable and select Delete from the column near the right-hand part of the table.
When prompted, confirm that you wish to delete the event.

Note:

If you delete a user-defined audit event, it is no longer available as part of the Caché instance for auditing.

Enabling or Disabling an Audit Event

To enable or disable an audit event:

From the Management Portal home page, go to either:
- The System Audit Events page (System Administration > Security > Auditing > Configure System Events).
- The User-Defined Audit Events page (System Administration > Security > Auditing > Configure User Events).
On the System Audit Events or the User-Defined Audit Events page, locate the event that you wish to enable or disable and select Change Status from the right-most column of the table. This changes the Enabled status from No to Yes, or vice versa.

Managing Auditing and the Audit Database

When events are logged, they are visible in the audit database, IRISAUDIT. The audit database also contains general information, including the name of the server, the name of the Caché configuration, when the log was started, and when the log was closed.

The following actions are available for managing the audit log:

Viewing the Audit Database

To view the audit database:

Select View Audit Database from the Auditing menu, which displays the View Audit Database page (System Administration > Security > Auditing > View Audit Database).
To refine the search, use the fields in this page’s left pane and select the Search button at the bottom of the pane. (Select Reset Values at the bottom of the pane to restore the default values.) See below for a list of fields for refining your search.
To see more detailed information about a particular audit event, click the Details link in its row.

To refine the search, the fields are:

Event Source — The component of the instance that is the source of the event.
Event Type — Any categorizing information for the event.
Event Name — The identifier of the event being logged (also known simply as the Event).
System IDs — An identifier for the instance that appears in each audit log entry of the form machine_name:instance_name. For example, an instance called MyInstance running on a machine called MyMachine, then its system ID is MyMachine:MyInstance.
PIDs — The operating-system ID of the process that logged the event.
Users — The user who performed the activity that triggered the event.
Authentications — How the user who triggered the audit event was authenticated to the instance.
Begin Date/Time — The date and time for the first event to be displayed (midnight at the beginning of the current day, by default). To choose a starting date from a calendar, click the calendar icon to the right of the field.
End Date/Time — The date and time for the last (most recent) event to be displayed (the current time, by default). To choose an end date from a calendar, click the calendar icon to the right of the field.
Maximum Rows — The maximum number of rows to display in a listing of the audit log (up to 10,000).

Note:

For fields with an arrow to the right, click the arrow to display a list of all the values in use. For fields that display an initial asterisk (“*”), choose or enter the asterisk to display all possible values for the field.

For background information on the fields displayed, see “Elements of an Audit Event.”

Copying, Exporting, and Purging the Audit Database

The audit log is stored in the %SYS.Audit table in the %SYS namespace; all audit data is mapped to the IRISAUDIT database and protected by the %DB_IRISAUDIT resource. By default, the %Manager role holds the Read permission on this resource and no role holds the Write permission.

The audit log database is managed with the same tools as other Caché databases. For example, you can use the Management Portal to specify its initial size, growth increment, and location; while the audit log database does not have a specified maximum size, it is constrained by disk space and other such factors.

The Management Portal allows you to perform special management operations on the audit database:

Copying — You can copy entries for one or more days to a specified namespace.
Exporting — You can export entries for one or more days from the log to a file.
Purging — You can remove entries for one or more days from the log.

Note:

All these operations act on all entries for one or more days. There are no operations for particular entries.

Copying the Audit Database

Caché allows you to copy all or part of an audit database to a namespace other than IRISAUDIT. To do this:

From the Management Portal home page, go to the Copy Audit Log page (System Administration > Security > Auditing > Copy Audit Log).
On the Copy Audit Log page, first select either:
- Copy all items from the audit log
- Copy items that are older than this many days from audit log In the field here, enter a number of days; any item older than this is copied to the new namespace.
Next, use the drop-down menu to choose the namespace where you wish to copy the audit entries.
If you wish to delete the audit items after they are copied, select the check box with that choice.
Click OK to copy the entries.

Caché places the selected audit log entries in the ^IRIS.AuditD global in the selected namespace. To view this data:

From the Management Portal home page, go to the Globals page (System Explorer > Globals).
From the Globals page, select the following items in the following order:
1. The Databases radio button from the upper left area of the page.
2. The name of the database holding the copied audit log entries.
3. The System check box that appears above the list of globals.
This displays a list of globals in the database, including ^IRIS.AuditD. Globals are listed without the preceding “^” character that is needed to manipulate them programmatically or in the Terminal.

Note:

Clicking View Globals on this page refreshes the page but unchecks in the System check box, thereby making ^IRIS.AuditD unavailable.
Click Data from the IRIS.AuditD line to display detailed information on the audit log entries.

Once you have copied audit data to another namespace, you can use the queries of the %SYS.AuditOpens in a new tab class to look at that data.

Exporting the Audit Database

Caché allows you to export all or part of an audit database. To do this:

From the Management Portal home page, go to the Export Audit Log page (System Administration > Security > Auditing > Export Audit Log).
On the Export Audit Log page, first select either:
- Export all items from the audit log
- Export items that are older than this many days from audit log In the field here, enter a number of days; any item older than this is exported to the new namespace.
Next, in the Export to file field, enter the path of the file where you wish to export the audit entries. If you do not enter a full path, the root for the path provided is install-dir/Mgr/.
If you wish to delete the audit items after they are exported, select the check box with that choice.
Click OK to export the entries.

Purging the Audit Database

Caché allows you to purge all or part of a database.

Important:

Purging the database is not a reversible action — purged items are permanently removed. You cannot restore items to the audit database once you have purged them.

To do this:

From the Management Portal home page, go to the Purge Audit Log page (System Administration > Security > Auditing > Purge Audit Log).
On the Purge Audit Log page, first select either:
- Purge all items from the audit log
- Purge items that are older than this many days from audit log In the field here, enter a number of days; any item older than this is purged.
Click OK to purge the entries.

Encrypting the Audit Database

Caché allows you to encrypt the database that holds the audit log. This is described in the section “ Configuring Encryption Startup Settings” in the chapter “Managed Key Encryption” in the Security Administration Guide.

General Management Functions

Because the audit log is stored in a table, you can manage it with standard Caché system management tools and techniques:

Journaling is always turned on for it.
You can use standard ObjectScript commands to read it. In addition, its contents are accessible via standard SQL and you can use any standard SQL tool to work with it.
You can back it up using standard Caché database backup facilities.
If it becomes full, a <FILEFULL> error occurs and is handled in the same way as for any other Caché database. To avoid this situation, see the “Maintaining the Size of the Audit Database” section.

Note:

All access is subject to standard security restrictions at the database and namespace levels, or through SQL for table-based activity.

The %SYS.AuditOpens in a new tab table in the %SYS namespace holds the audit log. All audit data is mapped to the IRISAUDIT database. (You can also copy audit data to any other database using the functionality described in the section “Copying the Audit Database”; you can then use the %SYS.AuditOpens in a new tab class, which is available in every namespace, to query the audit log.)

Maintaining the Size of the Audit Database

As Caché runs, it writes to the audit log. Without intervention, this will eventually fill the audit database. If the audit database becomes full, then Caché either continues running without capturing audit entries or halts until it can write to the audit database; the Freeze system on audit database error setting determines this behavior.

To properly store audit information and prevent any issues, you should regularly export and save the contents of the audit database and then purge its contents. To do this:

Export the contents of the audit database as described in the “Exporting the Audit Database” section.

Note:

InterSystems recommends that you export all entries from the database.
Check that the exported contents of the audit database are valid.

Important:

InterSystems recommends that you confirm that this data is valid, as purging the data is a non-reversible action.
Purge old entries from the existing database as described in “Purging the Audit Database”.

Important:

InterSystems recommends that you purge all entries except those of the last day, which ensures that there is an overlap in the different groups of saved entries.

Caution:

If the audit database becomes full and Caché continues running, it does not record audit entries for actions that cause audit events. Further, in a forensic context, the existence of only a single AuditRecordLost audit entry indicates that at least one record was lost.

Other Auditing Issues

This section covers the following topics:

Freezing Caché If There Can Be No Audit Log Writes

During operations of Caché, it may become impossible to write to the audit database. This can happen due to a filled disk, a failed network connection, or some other reason. If this occurs, Caché can then work in either of two different modes:

The default behavior is to generate an error when there is a problem writing to the Audit log.
Alternatively, a switch can be set so that the system freezes if there is a problem writing to the Audit log.

To set this switch, use the ^SECURITY routine:

In the Terminal, go to the %SYS namespace:
```
> zn "%SYS"
```
Start ^SECURITY:
```
> Do ^SECURITY
```
Within ^SECURITY, choose option 6 (Auditing Setup); within Auditing Setup, choose option 1 (Enable auditing).
When it displays the prompt: Freeze system on audit database error? Enter “Yes” or “Y”. Confirm any changes when prompted.

This establishes the behavior of freezing the system.

For a disk full error, the way to recover from this is to force down the system, free up space on the audit disk, then restart. For an error caused by database corruption, the audit database must be moved or deleted, and a new one created or copied into its place. Note that a restart of the system will not be enough to clear the error, since the restart may write audit records, and cause the system to freeze again.

For example, with the default behavior, if the disk containing the audit database fills up, then the attempt to write to the audit log will generate a <FILEFULL> error (disk full). The audit record is not written to the audit log, and is therefore lost. When the problem is resolved, an entry is written into the audit log that lists how many audit events were lost.

When this switch is set, and a write error occurs when writing to the audit log, the process which was trying to write to the audit log receives an error (such as <FILEFULL>). The process then writes the error message to the messages.log, and then freezes the system.

About Counters

To facilitate security monitoring, Caché keeps a counter for each audit event type and makes these counters available via the Caché monitoring interface. These counters are maintained even if auditing is not enabled. As an example, a site might monitor the LoginFailure event counter, to help detect break-in attempts.

Note:

Audit counters are reset when the instances is restarted.

Resetting the Counters for a System Audit Event

To reset the counters for a system event:

From the Management Portal home page, go to the System Audit Events page (System Administration > Security > Auditing > Configure System Events).
On this page, locate the event that you wish to enable or disable and select Reset from the column near the right-hand part of the table.
When prompted, click OK. This resets both the Total and Written counters for the event.

Resetting the Counters for a User-Defined Audit Event

To reset the counters for a user event:

From the Management Portal home page, go to the User-Defined Audit Events page (System Administration > Security > Auditing > Configure User Events).
On this page, locate the event that you wish to enable or disable and select Reset from the column near the right-hand part of the table. This resets both the Total and Written counters for the event.
When prompted, click OK. This resets both the Total and Written counters for the event.