Does F-Secure Policy Manager create and maintain an audit log for user and admin activity? For example, for these events:
- User login / logoff
- Host deletion / add / rename events
- Policy sub-domain deletion / add / rename events
- Change of policy settings
The F-Secure Policy Manager Server logs can be found in the following folder:
- C:\Program Files (x86)\F-Secure\Management Server 5\logs
The user login actions are recorded in fspms-users.log. The log does not show the full user name, only the User ID. To get the full user name, a query must be performed using the H2Console. The H2Console is not enabled by default, so it will need to be enabled before you can run the query.
How to enable H2Console:
Note: Please back up your registry before making any registry changes.
- Open Registry Editor (regedit)
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5\
- Edit "additional_java_args"
- Add the parameter: -Dh2ConsoleEnabled=true
- Close Registry Editor and restart the F-Secure Policy Manager Server service by running the commands net stop fsms and net start fsms
How to open H2Console and run the query:
- Open a browser and go to https://localhost:8080
- Click the H2Console link
- Type in the query: SELECT * FROM users;
- Click Run (Ctrl+Enter) to run the query
You will receive a result showing which user names correspond to which User ID.
Changes made to policy settings are saved in fspms-policy-audit.log.
Changes made to the Policy domain computers/servers or specifically changes made to the policy domain structure are saved in fspms-domain-tree-audit.log.
Another log to look into is fspms-active-directory-rules.log. For example, if the AD synchronization rule was executed and the host with unique ID 4d896695-8de1-4f96-9c29-0ebd2bb60418 was moved into a domain, the following is logged:
20.06.2022 17:59:01,276 INFO [activeDirectoryRules] - Starting to process manually triggered rule [ruleId=5, domainController='LDAP://<domain name>', containerDn='OU=<OU name>,DC=<partial domain name>,DC=<partial domain name>', containerGuid='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', targetDomainId=<policy domain ID>, enabled=true]
20.06.2022 17:59:01,386 INFO [activeDirectoryRules] - 1 hosts found in Active Directory, 0 of them unmanaged
20.06.2022 17:59:01,388 INFO [activeDirectoryRules] - Domain <policy domain name> updated
20.06.2022 17:59:01,390 INFO [activeDirectoryRules] - Host having identity 4d896695-8de1-4f96-9c29-0ebd2bb60418 moved
20.06.2022 17:59:01,416 INFO [activeDirectoryRules] - Rule was successfully processed
Q: How to find out who deleted a policy sub-domain in Policy Manager Console?
A: This information is available in fspms-domain-tree-audit.log. Below is an example where a sub-domain called test was added and immediately deleted.
05.12.2019 09:44:17,785 INFO [audit.domainTree] - User 'admin' added domain test (id=76) to domain Root (id=1)
05.12.2019 09:44:23,615 INFO [audit.domainTree] - User 'admin' deleted domain test (id=76)
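The same "who deleted the sub-domain" question, and the add-then-delete pair shown above, as a small parser over fspms-domain-tree-audit.log lines. This is an added example, not F-Secure's code: the line and message patterns are inferred from the two audit lines quoted in this article, and the sample lines are constructed.

```python
import re
from datetime import datetime
# Line shape shared by the Policy Manager logs quoted in the article, e.g.
# "05.12.2019 09:44:17,785 INFO [audit.domainTree] - User 'admin' deleted domain test (id=76)"
LINE_RE = re.compile(r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}),\d{3} \w+ "
                     r"\[(?P<logger>[^\]]+)\] - (?P<msg>.*)$")
# Message shapes: "User 'admin' added domain test (id=76) to domain Root (id=1)"
#                 "User 'admin' deleted domain test (id=76)"
DOMAIN_RE = re.compile(r"User '(?P<user>[^']+)' (?P<action>added|deleted) domain "
                       r"(?P<name>.+?) \(id=(?P<id>\d+)\)")

def parse_line(line):
    """Return a dict for one fspms-domain-tree-audit.log event, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m or m["logger"] != "audit.domainTree":
        return None
    d = DOMAIN_RE.search(m["msg"])
    if not d:
        return None
    return {"time": datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"),
            "user": d["user"], "action": d["action"],
            "domain": d["name"], "domain_id": int(d["id"])}

def domain_deletions(lines):
    """Answer 'who deleted the sub-domain': (time, user, domain, id) for every deletion."""
    return [(e["time"], e["user"], e["domain"], e["domain_id"])
            for e in filter(None, map(parse_line, lines)) if e["action"] == "deleted"]

def short_lived_domains(lines, max_seconds=60):
    """Flag domains added and then deleted (same id) within max_seconds, like the pair above."""
    added, flagged = {}, []
    for e in filter(None, map(parse_line, lines)):
        if e["action"] == "added":
            added[e["domain_id"]] = e
        elif e["domain_id"] in added:
            delta = (e["time"] - added[e["domain_id"]]["time"]).total_seconds()
            if delta <= max_seconds:
                flagged.append((e["domain"], e["domain_id"], e["user"], delta))
    return flagged
# Constructed sample lines modelled on the article's examples (not a real log capture).
SAMPLE = [
    "05.12.2019 09:44:17,785 INFO [audit.domainTree] - User 'admin' added domain test (id=76) to domain Root (id=1)",
    "05.12.2019 09:44:23,615 INFO [audit.domainTree] - User 'admin' deleted domain test (id=76)",
    "20.06.2022 17:59:01,416 INFO [activeDirectoryRules] - Rule was successfully processed",
]

if __name__ == "__main__":
    print("deletions:", domain_deletions(SAMPLE))
    print("short-lived:", short_lived_domains(SAMPLE))
```

Point the functions at the real file with `open(path)` instead of SAMPLE; lines from other loggers (such as activeDirectoryRules) are skipped rather than misparsed.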
Article no: 000007129