Symantec Access Management

  • 1.  CA Directory audit log details

    Posted Oct 25, 2017 03:23 PM

    Hello there,

    I want to log all the changes that are happening in CA Directory to a log file. How do I configure this? In Sun LDAP the audit log shows the changes to the data as below...


    time: 20171025104222
    dn: uid=eempln1,ou=Users,o=domain.com
    changetype: modify
    replace: userPassword
    userPassword: {SSHA256}LO3QuEoOvRGMw9JL3VRwcELYMylFsEgzOMVhnVPf2M0xJUVl
    -
    replace: modifiersname
    modifiersname: cn=Directory Manager
    -
    replace: modifytimestamp
    modifytimestamp: 20171025144222Z


    I want to see same kind of information in CA Directory log.


    I see update.log in CA Directory, but it does not have the values of the attributes.


    [5] 20171025.114353.845 "cn=AppAdminUser,o=domain.com" ADD "uid=RepTest,ou=Users,o=domain.com" givenName,cosineMobileTelephoneNumber,userPassword,cosineUserid,objectClass,commonName,surname


    Thanks



  • 2.  Re: CA Directory audit log details

    Posted Oct 25, 2017 06:18 PM

    Moved to CA directory forum from CA SSO



  • 3.  Re: CA Directory audit log details

    Broadcom Employee
    Posted Oct 26, 2017 07:32 AM

    Hi Suthakar,


    You are on the right track with setting up the update log. What you need to do further, to get what you are after, is set one of the two commands mentioned below. The first one will be sufficient, while the second one is stated as for internal use only. You can make a decision depending on your business requirement.


    i.e. show-values vs. show-all-values


    set update-log-show-values Command - CA Directory - 12.6 - CA Technologies Documentation 


    set update-log-show-all-values Command -- Include Binary Attributes in the Update Log - CA Directory - 12.6 - CA Technol… 


    Hope this helps.


    Thanks,

    Hitesh



  • 4.  Re: CA Directory audit log details

    Posted Oct 26, 2017 05:41 PM

    Thanks, I tried the option (set update-log-show-values=true) but the attribute value is not showing as clear text for the attribute ...


    [1] 20171026.173828.030 "cn=PolicyStoreAdmin,ou=SpecialUsers,o=domain.com" MOD "uid=RepTest,ou=Netegrity,o=domain.com" rem-attr:commonName,add-attr:commonName:"VGVzdCBTdXRoYSBpbiBBV1M="



  • 5.  Re: CA Directory audit log details
    Best Answer

    Broadcom Employee
    Posted Oct 27, 2017 08:28 AM

    Are you sure you have 'update-log-show-values' set and not 'update-log-show-all-values'? Can you confirm?


    The reason I ask is because with 'all', all values written to the update log are base-64 encoded, as stated in docops, and that is what I see you are reporting back. If that is the case, this is working as designed.


    To test further, here is what I did:


    Logged in as user 'cn=Craig LINK,ou=Administration,ou=Corporate,o=democorp,c=au' in my DSA and tried to modify 'uid=alex,ou=support,ou=Corporate,o=democorp,c=au' entry. Originally it had 'cn=AlexD'


    With 'set update-log-show-values=true;' I changed cn from 'AlexD' to 'Alex' and here is what I see in update log:

    [40] 20171027.081718.542 "cn=Craig LINK,ou=Administration,ou=Corporate,o=democorp,c=au" MOD "uid=alex,ou=support,ou=Corporate,o=democorp,c=au" rem-attr:commonName,add-attr:commonName:"Alex",rem-attr:modifyTimestamp,add-attr:modifyTimestamp,rem-attr:modifiersName,add-attr:modifiersName


    With 'set update-log-show-all-values=true;' I changed it back to 'AlexD' and here is what I see in update log:

    [24] 20171027.082511.473 "cn=Craig LINK,ou=Administration,ou=Corporate,o=democorp,c=au" MOD "uid=alex,ou=support,ou=Corporate,o=democorp,c=au" rem-attr:commonName,add-attr:commonName:"QWxleEQ=",rem-attr:modifyTimestamp,add-attr:modifyTimestamp,rem-attr:modifiersName,add-attr:modifiersName



  • 6.  Re: CA Directory audit log details

    Posted Oct 27, 2017 10:29 AM

    Thank you. I had the two values like this and have now set false for all-values


    update-log-show-values = TRUE
    update-log-show-all-values = TRUE


    By the way, if for some reason I have to reload the data from this update log in LDIF format, does CA have any script to convert this log into LDIF format?



  • 7.  Re: CA Directory audit log details

    Broadcom Employee
    Posted Oct 27, 2017 12:03 PM

    Glad to hear it worked for you. Yes, the problem was that you had them both defined, while you only need one of them. 'all-values' includes all that 'values' does.


    Anyway, for the script, unfortunately the answer is no. CA Directory does not provide any log scraping tool/script that can read the log and pull out the information you are looking for so that it can be used as an LDIF file for input (loading) into another DSA.
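    Since no such tool ships with the product, here is an added example (not CA's or Broadcom's code) that converts a MOD line of the update-log layout quoted in this thread into an LDIF modify record. It assumes the line layout shown in the earlier replies and that update-log-show-all-values logs plain base64 (which LDIF can carry as-is with the `attr::` form); the sample lines are constructed, and operational attributes whose values the log never carries are skipped rather than replayed.

```python
import base64
import re
# Line layout assumed from the samples quoted in this thread:
#   [seq] YYYYMMDD.HHMMSS.mmm "binder dn" OP "target dn" op-list
LINE_RE = re.compile(r'^\[(\d+)\] (\S+) "([^"]*)" (\w+) "([^"]*)"(?: (.*))?$')
# DSA-maintained attributes (RFC 4512): logged without a value and not settable on replay.
OPERATIONAL = {"modifytimestamp", "modifiersname", "createtimestamp", "creatorsname"}

def split_ops(ops):
    """Split the op-list on commas that are outside double quotes."""
    out, cur, quoted = [], [], False
    for ch in ops:
        quoted ^= (ch == '"')
        if ch == "," and not quoted:
            out.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    return out + ["".join(cur)] if cur else out

def parse_op(tok):
    """'add-attr:commonName:"Alex"' -> ('add-attr', 'commonName', 'Alex'); None if no value."""
    kind, _, rest = tok.partition(":")
    attr, _, val = rest.partition(":")
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]
    return kind, attr, (val or None)

def update_log_to_ldif(line, all_values=False):
    """One MOD line -> LDIF modify record; all_values=True means values are logged base64-encoded."""
    m = LINE_RE.match(line)
    if not m or m.group(4) != "MOD":
        raise ValueError(f"not a MOD update-log line: {line!r}")
    target, ops = m.group(5), m.group(6) or ""
    rec = [f"dn: {target}", "changetype: modify"]
    for kind, attr, val in map(parse_op, split_ops(ops)):
        if attr.lower() in OPERATIONAL:
            continue
        if kind == "rem-attr":
            rec += [f"delete: {attr}", "-"]
        elif kind == "add-attr" and val is not None:
            if all_values:
                base64.b64decode(val, validate=True)  # reject a value that is not base64
            rec += [f"add: {attr}", f"{attr}{':: ' if all_values else ': '}{val}", "-"]
        else:
            rec.append(f"# {kind} {attr}: value not present in log, cannot replay")
    return "\n".join(rec) + "\n"

# Constructed sample lines modelled on the two MOD entries quoted in this thread.
SHOW_VALUES_LINE = ('[40] 20171027.081718.542 "cn=Craig LINK,o=democorp,c=au" MOD "uid=alex,o=democorp,c=au" '
                    'rem-attr:commonName,add-attr:commonName:"Alex",rem-attr:modifyTimestamp,add-attr:modifyTimestamp')
ALL_VALUES_LINE = SHOW_VALUES_LINE.replace('"Alex"', '"QWxleEQ="')
```

    Call `update_log_to_ldif(SHOW_VALUES_LINE)` or `update_log_to_ldif(ALL_VALUES_LINE, all_values=True)` to see the two records; an add-attr whose value was not logged comes out as a comment so it is not silently lost.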



  • 8.  Re: CA Directory audit log details

    Posted Oct 27, 2017 04:20 PM

    Thank you for your help, appreciate it.