Does F-Secure Policy Manager Console have activity logging (audit trail / auditing)? - WithSecure Community
<main>
<article class="userContent">
<h3 data-version="5" data-article="000007129" data-id="issue">Issue:</h3>
<p>Does F-Secure Policy Manager create and maintain an audit log for user and admin activity? For example, for these events:<br></p><ul><li>User login / logoff</li><li>Host deletion / add / rename events</li><li>Policy sub-domain deletion / add / rename events</li><li>Change of policy settings</li></ul><h3 data-id="resolution">Resolution:</h3>
<p>The F-Secure Policy Manager Server logs can be found in the following folder:<br></p><ul><li><b><span style="font-family: arial;">C:\Program Files (x86)\F-Secure\Management Server 5\logs</span></b></li></ul><span style="font-family: arial;">User login actions are recorded in <b>fspms-users.log</b>. The log does not show the full user name, only the User ID. To map a User ID to the full user name, a query must be run in the H2Console. The H2Console is not enabled by default, so it must be enabled before you can run the query.<br><br>How to enable the H2Console:<br><br><b>Note:</b> Please back up your registry before making any registry changes.</span>
<ol><li><span style="font-family: arial;">Open Registry Editor (regedit)</span></li><li><span style="font-family: arial;">Go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5\</span></li><li><span style="font-family: arial;">Edit "additional_java_args"</span></li><li><span style="font-family: arial;">Add parameter: <b>-Dh2ConsoleEnabled=true</b></span></li><li><span style="font-family: arial;">Close registry editor and restart F-Secure Policy Manager Server service by running command line commands <b>net stop fsms</b> and <b>net start fsms</b></span></li></ol>
<p>How to open the H2Console and run the query:</p>
<ol><li>Open a browser and go to <a href="https://localhost:8080" rel="nofollow">https://localhost:8080</a></li><li>Click the H2Console link</li><li>Type in query: <b>SELECT * FROM users;</b></li><li>Click <b>Run (Ctrl+Enter) </b>to run the query</li></ol>
<p>You will receive a result showing which user names correspond to which User ID.</p>
<p>Changes made to policy settings are saved in <b>fspms-policy-audit.log</b>.</p>
<p>Changes made to the policy domain computers/servers, and specifically changes to the policy domain structure, are saved in <b>fspms-domain-tree-audit.log</b>.</p>
<p>Another log to look into is <b>fspms-active-directory-rules.log</b>. For example, if the AD synchronization rule was executed and the host with unique ID 4d896695-8de1-4f96-9c29-0ebd2bb60418 was moved into a domain, you will find the following logged:</p>
<p>20.06.2022 17:59:01,276 INFO [activeDirectoryRules] - Starting to process manually triggered rule [ruleId=5, domainController='LDAP://&lt;domain name&gt;', containerDn='OU=&lt;OU name&gt;,DC=&lt;partial domain name&gt;,DC=&lt;partial domain name&gt;', containerGuid='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', targetDomainId=&lt;policy domain ID&gt;, enabled=true]<br>20.06.2022 17:59:01,386 INFO [activeDirectoryRules] - 1 hosts found in Active Directory, 0 of them unmanaged<br>20.06.2022 17:59:01,388 INFO [activeDirectoryRules] - Domain &lt;policy domain name&gt; updated<br>20.06.2022 17:59:01,390 INFO [activeDirectoryRules] - Host having identity 4d896695-8de1-4f96-9c29-0ebd2bb60418 moved<br>20.06.2022 17:59:01,416 INFO [activeDirectoryRules] - Rule was successfully processed</p>
<p><b>Q:</b> How to find out who deleted a policy sub-domain in Policy Manager Console?<br><b>A:</b> This information is available in <b>fspms-domain-tree-audit.log</b>. Below is an example where a sub-domain called test was added and immediately deleted.</p>
<p>05.12.2019 09:44:17,785 INFO [audit.domainTree] - User 'admin' added domain test (id=76) to domain Root (id=1)<br>05.12.2019 09:44:23,615 INFO [audit.domainTree] - User 'admin' deleted domain test (id=76)</p>
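<p>The two audit lines above are enough to answer the "who deleted this sub-domain?" question by hand, but on a busy server you will want to parse the file rather than read it. The following is an added example (not WithSecure's or the product's own code) that parses <b>fspms-domain-tree-audit.log</b> into structured events, looks up the deleter of a given domain id, and flags domains that were added and deleted within a short window, as in the article's example. It assumes the line layout shown on this page (<code>dd.MM.yyyy HH:mm:ss,SSS LEVEL [logger] - message</code>) and only the two message forms shown here ("added domain ... to domain ..." and "deleted domain ..."); any other message, such as a rename, whose wording this page does not show, is skipped rather than guessed.</p>

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: the two audit.domainTree lines quoted in the article.
SAMPLE_LOG = """\
05.12.2019 09:44:17,785 INFO [audit.domainTree] - User 'admin' added domain test (id=76) to domain Root (id=1)
05.12.2019 09:44:23,615 INFO [audit.domainTree] - User 'admin' deleted domain test (id=76)
"""

# Assumed line layout, inferred from the samples: timestamp,ms LEVEL [logger] - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) "
    r"(?P<level>\w+) \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)
# Only the two message forms shown on the page; anything else is skipped.
ADDED_RE = re.compile(
    r"^User '(?P<user>[^']+)' added domain (?P<domain>.+?) \(id=(?P<id>\d+)\) "
    r"to domain (?P<parent>.+?) \(id=(?P<parent_id>\d+)\)$"
)
DELETED_RE = re.compile(
    r"^User '(?P<user>[^']+)' deleted domain (?P<domain>.+?) \(id=(?P<id>\d+)\)$"
)


@dataclass
class DomainTreeEvent:
    timestamp: datetime
    user: str
    action: str          # "added" or "deleted"
    domain: str
    domain_id: int
    parent: Optional[str] = None
    parent_id: Optional[int] = None


def parse_line(line: str) -> Optional[DomainTreeEvent]:
    """Parse one audit.domainTree line; return None for lines this parser does not understand."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("logger") != "audit.domainTree":
        return None
    ts = datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M:%S")
    ts = ts.replace(microsecond=int(m.group("ms")) * 1000)
    msg = m.group("msg")
    a = ADDED_RE.match(msg)
    if a:
        return DomainTreeEvent(ts, a["user"], "added", a["domain"], int(a["id"]),
                               a["parent"], int(a["parent_id"]))
    d = DELETED_RE.match(msg)
    if d:
        return DomainTreeEvent(ts, d["user"], "deleted", d["domain"], int(d["id"]))
    return None


def parse_log(text: str) -> List[DomainTreeEvent]:
    """Parse a whole log file's contents, dropping unparseable lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def who_deleted(events: List[DomainTreeEvent], domain_id: int) -> List[DomainTreeEvent]:
    """All deletion events for a given policy domain id (the article's Q/A, automated)."""
    return [e for e in events if e.action == "deleted" and e.domain_id == domain_id]


def short_lived_domains(events: List[DomainTreeEvent], max_age_seconds: float = 300.0
                        ) -> List[Tuple[DomainTreeEvent, DomainTreeEvent, float]]:
    """Pairs of (added, deleted, age_in_seconds) for domains removed soon after creation.

    A sub-domain that exists only for seconds is worth a second look during a review,
    which is exactly the pattern in the article's example.
    """
    pending = {}
    found = []
    for e in sorted(events, key=lambda ev: ev.timestamp):
        if e.action == "added":
            pending[e.domain_id] = e
        elif e.action == "deleted" and e.domain_id in pending:
            age = (e.timestamp - pending.pop(e.domain_id).timestamp).total_seconds()
            if age <= max_age_seconds:
                found.append((pending_added := None, e, age) if False else
                             (next(x for x in events if x.action == "added" and x.domain_id == e.domain_id), e, age))
    return found


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in who_deleted(evs, 76):
        print(f"{ev.timestamp} domain '{ev.domain}' (id={ev.domain_id}) deleted by {ev.user}")
    for added, deleted, age in short_lived_domains(evs):
        print(f"domain '{added.domain}' lived {age:.3f}s (added by {added.user}, deleted by {deleted.user})")
```

<p>Run it against a real file with <code>parse_log(open(path, encoding="utf-8").read())</code>. Because the deletion line carries only the User ID for console users in <b>fspms-users.log</b> but the user name here, you do not need the H2Console lookup for this particular question; keep the lookup for correlating login events with these audit entries.</p>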
<p>Article no: 000007129</p>
</article>
</main>