The AdminUI by default logs events to the /audit/ folder as txn, audit, and access XPS txt files. However, there is no easy way to correlate the username with the OID/XID that was changed. You could load this data into an audit database and use a Report Server to generate reports of these events, but the Report Server is no longer available. With a few modifications, the same data can be written out to the smaccess.log for easier parsing.
Step 1 - Enable Enhanced Tracing registry
Edit the SiteMinder registry at this location:
Create this REG_DWORD entry:
Enable Enhance Tracing = 1
Step 2 - Enable Audit Logging for SM Objects
Enter # for LogObj
Enter "C" to change the value
Enter "Q" until you exit XPSConfig
Step 3 - Enable SM Logging for Administrators
Open the SmConsole (click OK on the warning message)
Go to the Logs tab
Under the Policy Server Audit Log section:
Select "Log All Events" for Administrator Access Events
Select "Log All Events" for Administrator Changes to Policy Store Objects
Step 4 - Restart the Policy Server to pick up changes
Results - Example: Agent creation, modification and deletion by the siteminder user
- The Step 2 change will trigger a warning message:
Logging of admin change to Policy Store should not be enabled. It would be logged by XPSAudit. Please check Logs tab.
- Steps 2 and 3 together cause duplication, as the same events are logged both to the smaccess.log and to the /audit/ files.
- The granularity of this auditing is limited. It will show you the Creation, Update, and Deletion of a specific Object ID. However, it will not tell you what the specific change was, for instance whether the Description or some other setting was modified, only that a change was made to the object.
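Once the events land in smaccess.log, the correlation the first paragraph asks for (which administrator touched which Object ID) and the duplicate-suppression the caveat above calls for can be done with a small script. The following is an added example, not part of the original procedure or CA's tooling; the pipe-separated record layout and the sample records are constructed assumptions, so adapt parse_record() to the field order your Policy Server actually writes.

```python
"""Correlate administrator identity with policy-store object changes.

ASSUMED record layout (not the real smaccess.log format):
    timestamp|admin|action|object_id
Change the field split in parse_record() to match your server's output.
"""
from collections import defaultdict

# Constructed sample records. The repeated UpdateObject line mimics the
# duplication that occurs when Steps 2 and 3 are both enabled.
SAMPLE_RECORDS = [
    "2024-01-15 10:01:02|siteminder|CreateObject|OBJ-0001",
    "2024-01-15 10:05:40|siteminder|UpdateObject|OBJ-0001",
    "2024-01-15 10:05:40|siteminder|UpdateObject|OBJ-0001",
    "2024-01-15 10:09:13|siteminder|DeleteObject|OBJ-0001",
    "2024-01-15 10:11:00|auditor|ReadObject|OBJ-0002",
]

# Only these actions alter the policy store; reads are access events.
CHANGE_ACTIONS = {"CreateObject", "UpdateObject", "DeleteObject"}


def parse_record(line):
    """Split one assumed-format record; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, admin, action, obj = parts
    return {"ts": ts, "admin": admin, "action": action, "obj": obj}


def correlate(lines):
    """Map each Object ID to its de-duplicated, ordered change history.

    Each history entry is (timestamp, admin, action). Exact duplicate
    records (same four fields) are collapsed so double logging does not
    inflate the change count.
    """
    seen = set()
    history = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] not in CHANGE_ACTIONS:
            continue
        key = (rec["ts"], rec["admin"], rec["action"], rec["obj"])
        if key in seen:
            continue
        seen.add(key)
        history[rec["obj"]].append((rec["ts"], rec["admin"], rec["action"]))
    return dict(history)


def changes_by_admin(lines):
    """Count de-duplicated create/update/delete events per administrator."""
    counts = defaultdict(int)
    for entries in correlate(lines).values():
        for _ts, admin, _action in entries:
            counts[admin] += 1
    return dict(counts)
```

Note that, as the caveat above says, the output still only tells you that OBJ-0001 was created, updated and deleted and by whom, never which attribute changed.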