Is There Audit Logging for EEM Policy Creation/Deletion

Document ID : KB000016585
Last Modified Date : 14/02/2018
Question:

When policies are created/deleted in EEM, is there any audit logging that can be viewed regarding this activity?

Answer:

The events are logged to /opt/CA/SharedComponents/EmbeddedEntitlementsManager/logs/audit.log. 

Each event in the audit.log file starts with the <Event> tag and ends with </Event>. Below are examples of events that appear in the audit.log when creating, modifying, or deleting a policy.

Create Policy
------------------

<Event> <Resource>/iTechPoz/Store/WorkloadAutomationAE/TestPolicy</Resource> <ResourceClass>Policy</ResourceClass> <Src>EiamAdmin</Src> <Tag>f3f8c7ac98fe59baeaca9a90b8379b99-599ddc8e-4c1b91f0-1fd</Tag> <Taxonomy>IAM.Admin.soInsert.S.I</Taxonomy> <SequenceNumber>1257</SequenceNumber> <GUID>e59edc8689ac82cd8371bda3fb01d0b7-599ddc8e-4c1b91f0-1</GUID> <Hostname>machine1</Hostname> <iSponsorName>iPoz</iSponsorName> <Status>Success</Status> <Date>1507850608</Date> <OS>Linux 3.10.0-327.el7.x86_64</OS> <Severity>Info</Severity> </Event>

Modify Policy
-----------------

<Event> <Resource>/iTechPoz/Store/WorkloadAutomationAE/TestPolicy</Resource> <ResourceClass>Policy</ResourceClass> <Src>EiamAdmin</Src> <Tag>410a237c521b1087d020620de9af4ce1-599ddc8e-4c1b91f0-1fe</Tag> <Taxonomy>IAM.Admin.soModify.S.I</Taxonomy> <SequenceNumber>1261</SequenceNumber> <GUID>e59edc8689ac82cd8371bda3fb01d0b7-599ddc8e-4c1b91f0-1</GUID> <Hostname>machine1</Hostname> <iSponsorName>iPoz</iSponsorName> <Status>Success</Status> <Date>1507850662</Date> <OS>Linux 3.10.0-327.el7.x86_64</OS> <Severity>Info</Severity> </Event>

Delete Policy
-----------------

<Event> <Resource>/iTechPoz/Store/WorkloadAutomationAE/TestPolicy</Resource> <ResourceClass>Policy</ResourceClass> <Src>EiamAdmin</Src> <Tag>81cf1c86756fd6fc703b9b3ca6dc0f5-599ddc8e-4c1b91f0-200</Tag> <Taxonomy>IAM.Admin.soRemove.S.I</Taxonomy> <SequenceNumber>1266</SequenceNumber> <GUID>e59edc8689ac82cd8371bda3fb01d0b7-599ddc8e-4c1b91f0-1</GUID> <Hostname>machine1</Hostname> <iSponsorName>iPoz</iSponsorName> <Status>Success</Status> <Date>1507850718</Date> <OS>Linux 3.10.0-327.el7.x86_64</OS> <Severity>Info</Severity> </Event>


Here is a quick explanation of some of the event elements that help identify the event:

<Resource> - shows the policy name and the application to which it belongs.

<Src> - shows the user that took the action on the policy

<Taxonomy> - identifies the type of action taken. soInsert=create, soModify=edit, soRemove=delete

<Status> - shows whether the action was successful or not

<Date> - epoch timestamp of the event
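
To review policy changes directly from the log, the elements above can be extracted with a short script. The following is an added example, not CA code and not part of the original article: it assumes audit.log is a plain sequence of <Event> elements with no enclosing root element, and the names parse_policy_events and SAMPLE_LOG are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Action tokens as listed in the article's <Taxonomy> explanation.
ACTIONS = {"soInsert": "create", "soModify": "edit", "soRemove": "delete"}

# Constructed sample log: events 1 and 3 are abridged from the article,
# event 2 is a constructed truncated write, event 4 is a constructed
# non-policy event whose ResourceClass value is hypothetical.
_RES = "<Resource>/iTechPoz/Store/WorkloadAutomationAE/TestPolicy</Resource>"
SAMPLE_LOG = (
    f"<Event> {_RES} <ResourceClass>Policy</ResourceClass> <Src>EiamAdmin</Src> "
    "<Taxonomy>IAM.Admin.soInsert.S.I</Taxonomy> <Status>Success</Status> "
    "<Date>1507850608</Date> </Event>\n"
    f"<Event> {_RES} <ResourceClass>Policy</ResourceClass> <Src>Eiam\n"
    f"<Event> {_RES} <ResourceClass>Policy</ResourceClass> <Src>EiamAdmin</Src> "
    "<Taxonomy>IAM.Admin.soRemove.S.I</Taxonomy> <Status>Success</Status> "
    "<Date>1507850718</Date> </Event>\n"
    "<Event> <Resource>/constructed/example</Resource> "
    "<ResourceClass>ExampleClass</ResourceClass> <Src>EiamAdmin</Src> "
    "<Taxonomy>IAM.Admin.soInsert.S.I</Taxonomy> <Status>Success</Status> "
    "<Date>1507850800</Date> </Event>\n"
)

def parse_policy_events(text):
    """Return (policy_change_events, malformed_count) from raw audit.log text."""
    events, malformed = [], 0
    # Split on the opening tag so a truncated event cannot swallow the next one.
    for chunk in text.split("<Event>")[1:]:
        body, closed, _ = chunk.partition("</Event>")
        try:
            if not closed:
                raise ValueError("event has no closing tag")
            ev = ET.fromstring(f"<Event>{body}</Event>")
            tokens = ev.findtext("Taxonomy", "").split(".")
            action = next((ACTIONS[t] for t in tokens if t in ACTIONS), None)
            if ev.findtext("ResourceClass") != "Policy" or action is None:
                continue  # well-formed, but not a policy create/edit/delete
            when = datetime.fromtimestamp(int(ev.findtext("Date")), tz=timezone.utc)
        except (ET.ParseError, ValueError, TypeError, OverflowError, OSError):
            malformed += 1  # count it: gaps in an audit trail deserve a look
            continue
        events.append({"time": when.isoformat(), "user": ev.findtext("Src"),
                       "action": action, "resource": ev.findtext("Resource"),
                       "status": ev.findtext("Status")})
    return events, malformed

if __name__ == "__main__":
    found, bad = parse_policy_events(SAMPLE_LOG)
    print(*found, f"malformed events skipped: {bad}", sep="\n")
```

To run it against a real log, pass the text of audit.log to parse_policy_events. Investigate a non-zero malformed count rather than ignoring it.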

On the Common Components DVD image, we provide an EEM Reporting utility that pulls these events from the EEM audit logs and stores them in a database. It then lets you generate reports on the events, which is easier than mining the logs. Here is a link to the documentation on this utility:

https://docops.ca.com/ca-workload-automation-ae/11-4-2/en/getting-started/common-components-overview/ca-eem-reporting