How to log AdminUI activity to the smaccess.log.

Document ID : KB000098031
Last Modified Date : 18/07/2018
Show Technical Document Details
Introduction:
The AdminUI by default logs events to the /audit/ folder as txn, audit, and access XPS txt files. However there is no easy way to correlate the username to the OID/XID changed. You could put this data into an audit database and use a Report Server to generate reports of these events. But the Report Server is no longer available. With a few modifications, the same data can be written out to the smaccess.log for easier parsing.
Instructions:
Step 1 - Enable Enhanced Tracing registry
Edit the SiteMinder registry at this location:
  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports

Create this REG_DWORD entry:
Enable Enhance Tracing= 1

Step 2 - Enable Audit Logging for SM Objects
  Open XPSConfig
    Enter "SM"
       Enter # for LogObj
         Enter "C" to change value
           Enter "Q" until you exit XPSConfig

Step 3 - Enable SM Logging for Administrators
  Open the SmConsole (click OK for warning message)
    Go to the Logs tab
       Under Policy Server Audit Log section
         Select "Log All Events" for Administrator Access Events
         Select "Log All Events" for Administrator Changes to Policy Store Objects

Step 4 - Restart the Policy Server to pick up changes

Results - Example Agent creation, modification and deletion by siteminder user

[Agent][Create][][servername][28/Jun/2018:17:09:38 -0500][][][siteminder][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][agent2][01-aa1526e0-a780-4898-8fec-de3e6be6dbc5][]

[Agent][Update][][servername][28/Jun/2018:17:10:28 -0500][][][siteminder][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][agent1][01-728c847d-5046-4c79-93ad-5fc76606a598][]

[Agent][Delete][][servername][28/Jun/2018:17:10:45 -0500][][][siteminder][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][agent1][01-728c847d-5046-4c79-93ad-5fc76606a598][]

 
Additional Information:
Important Information
- Step 2 modification will trigger a warning message:
Logging of admin change to Policy Store should not be enabled. It would be logged by XPSAudit. Please check Logs tab.

-Steps 2 and 3 will cause duplication as events are logged into the smaccess.log and /audit/ files.

- The granularity of this auditing is limited. It will show you object Creation, Updates, and Deletions of the specific Object ID. However it will not tell you what specifically the change made was. For instance if the Description was changed, or what setting was changed. Only that a change was made to the object.