Description
I'm auditing to a text file and I would like to import this information into my SQL Server database using the SMAuditImport utility, but it fails:
C:\Program Files\CA\siteminder\bin>smauditimport.exe c:\temp\smaccess.log "auditstore" sa mypassword
Error: Missing fields on line 1
Error: Missing fields on line 2
Error: Missing fields on line 3
Error: Missing fields on line 4
Error: Missing fields on line 5
Error: Missing fields on line 6
Error: Missing fields on line 7
Error: Missing fields on line 8
Error: Missing fields on line 9
Error: Missing fields on line 10
Error: Missing fields on line 11
Error: Missing fields on line 12
Error: Missing fields on line 13
Error: Missing fields on line 14
Error: Missing fields on line 15
Successfully inserted a total of 0 rows to smaccesslog4 table.
Successfully inserted a total of 0 rows to smobjlog4 table.
Total rows inserted: 0.
Solution
The audit file is not in the expected format.
Snippet of audit file:
<- Begin
AuthAccept lempvm05 [29/Sep/2009:15:56:16 -0500] "138.42.193.154 Mikel" "lempvm05 get /transpolar/tickets.html" [idletime=3600;maxtime=7200;authlevel=5;] [0] [] []
AzAccept lempvm05 [29/Sep/2009:15:56:16 -0500] "138.42.193.154 Mikel" "lempvm05 get /transpolar/main.html" [] [0] [] []
-> End
By design, Enhanced Audit Tracing is a requirement for the SMAuditImport tool.
Enhanced Audit Tracing can be enabled as follows:
For Windows:
Add the following key:
TYPE=DWORD
\netegrity\SiteMinder\CurrentVersion\Reports\Enable Enhance Tracing
For Solaris:
The file ~ siteminder/registry/sm.registry should be edited.
Under the line:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports
Add the following:
Enable Enhance Tracing= 0x1; REG_DWORD
Notes:
- The registry key doesn't exist as part of the Policy Server installation and has to be added manually.
- If the value is set to 1, Enhanced Tracing is enabled and all the fields are logged in the text file for auditing events.
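
A pre-import check, added here as an example (it is not CA's code and not part of SMAuditImport): it tokenises each line of a text audit log and reports which lines have the same layout as the rejected snippet above. The layout signature, function names and the third sample line are assumptions made for this example; the layout of an enhanced-tracing line is not shown on this page and is not checked.

```python
import re
from collections import Counter

# A token is a "quoted string", a [bracketed group] or a bare word.
TOKEN = re.compile(r'"[^"]*"|\[[^\]]*\]|\S+')

# Layout shared by the two rejected lines in the snippet above
# (w = bare word, b = [bracketed], q = "quoted"). Naming is this example's own.
SHORT_LAYOUT = "wwbqqbbbb"

def layout(line):
    """Return the token-kind signature of one audit line."""
    kinds = {'"': "q", "[": "b"}
    return "".join(kinds.get(tok[0], "w") for tok in TOKEN.findall(line))

def check_audit_file(lines):
    """Return (Counter of layouts, 1-based numbers of short-layout lines)."""
    counts, short = Counter(), []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # blank lines carry no record
        sig = layout(line)
        counts[sig] += 1
        if sig == SHORT_LAYOUT:
            short.append(number)
    return counts, short

# Lines 1-2 are the snippet from this page; line 3 is a constructed,
# truncated record to show a layout that does not match.
SAMPLE = [
    'AuthAccept lempvm05 [29/Sep/2009:15:56:16 -0500] "138.42.193.154 Mikel" '
    '"lempvm05 get /transpolar/tickets.html" '
    '[idletime=3600;maxtime=7200;authlevel=5;] [0] [] []',
    'AzAccept lempvm05 [29/Sep/2009:15:56:16 -0500] "138.42.193.154 Mikel" '
    '"lempvm05 get /transpolar/main.html" [] [0] [] []',
    'AzAccept lempvm05 [29/Sep/2009:15:56:17 -0500] "138.42.193.154 Mikel"',
]

if __name__ == "__main__":
    counts, short = check_audit_file(SAMPLE)
    for sig, n in counts.most_common():
        print(f"{n:6d} line(s) with layout {sig}")
    print("short-layout lines:", short)
```

To scan a real log, pass an open file object to `check_audit_file` in place of `SAMPLE`.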