Issue:
Does Policy Manager create and maintain an audit log for user and admin activity? For example, for these events:
- User login / logoff
- Host deletion / add / rename events
- Policy sub-domain deletion / add / rename events
- Change of policy settings
Resolution:
The Policy Manager Server logs can be found in the following folder:
- C:\Program Files (x86)\F-Secure\Management Server 5\logs
User login actions are recorded in fspms-users.log. The log shows only the User ID, not the full user name. To map a User ID to a user name, run a query against the server database in the H2Console. The H2Console is not enabled by default, so it must be enabled first as described below.
How to enable H2Console:
Note: Please backup your registry before making any registry changes
- Open Registry Editor (regedit)
- Policy Manager 15: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5\
- Policy Manager 16: HKLM\SOFTWARE\WithSecure\Policy Manager\Policy Manager Server
- Edit "additional_java_args"
- Add parameter: -Dh2ConsoleEnabled=true
- Close Registry Editor and restart the Policy Manager Server service, for example from an elevated command prompt with net stop fsms and net start fsms (net stop wspms and net start wspms for Policy Manager 16)
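The registry steps above, as an added PowerShell example (not part of the original article or of the product). It backs up the key, appends -Dh2ConsoleEnabled=true to additional_java_args only if it is not already there, restarts the right service for the chosen version, and can remove the flag again afterwards. It assumes (the article does not say) that additional_java_args is a single REG_SZ string of whitespace-separated JVM options and that the session is elevated; the backup path under $env:TEMP is an arbitrary choice.

```powershell
# Added example, not from the original article: toggle the H2Console JVM flag in
# additional_java_args and restart the Policy Manager Server service.
# Assumptions (not stated in the article): additional_java_args is one string of
# whitespace-separated JVM options, and the session is an elevated local admin.
function Set-PolicyManagerH2Console {
    param(
        [ValidateSet(15, 16)][int]$Version = 16,
        [switch]$Disable      # remove the flag again once the query has been run
    )

    # Key path and service name per Policy Manager version, as given in the article
    if ($Version -eq 15) {
        $keyPath = 'HKLM:\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5'
        $service = 'fsms'
    } else {
        $keyPath = 'HKLM:\SOFTWARE\WithSecure\Policy Manager\Policy Manager Server'
        $service = 'wspms'
    }
    $flag = '-Dh2ConsoleEnabled=true'

    # Back up the key before changing it (the article's own advice); the path is an assumption
    $backup = Join-Path $env:TEMP ('pm-server-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    $regExe = $keyPath -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    & reg.exe export $regExe $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed: is $keyPath present and is the session elevated?" }

    $current = (Get-ItemProperty -Path $keyPath -Name 'additional_java_args' -ErrorAction SilentlyContinue).additional_java_args
    if ($null -eq $current) { $current = '' }
    # @() keeps a single token an array, so += appends rather than concatenating strings
    $jvmArgs = @($current -split '\s+' | Where-Object { $_ -ne '' })

    if ($Disable) {
        $jvmArgs = @($jvmArgs | Where-Object { $_ -ne $flag })
    } elseif ($jvmArgs -notcontains $flag) {
        $jvmArgs += $flag
    }

    $new = $jvmArgs -join ' '
    if ($new -eq $current) {
        Write-Host "additional_java_args is already '$new'; nothing to do"
        return
    }
    Set-ItemProperty -Path $keyPath -Name 'additional_java_args' -Value $new
    Write-Host "additional_java_args set to '$new' (backup: $backup); restarting $service"
    Restart-Service -Name $service -Force
}

# Usage: enable, run the query in the H2Console, then disable again
# Set-PolicyManagerH2Console -Version 16
# Set-PolicyManagerH2Console -Version 16 -Disable
```

The H2Console gives direct read and write access to the Policy Manager database, so run it with -Disable once you have the User ID to user name mapping rather than leaving the console enabled on the server.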
How to open H2Console and run query:
- Open a browser and go to https://localhost:8080
- Click the H2Console link
- Type in query: SELECT * FROM users;
- Click Run (Ctrl+Enter) to run the query
You will receive a result showing which user names correspond to which User ID.
Changes made to policy settings are saved in fspms-policy-audit.log.
Changes made to the Policy domain computers/servers or specifically changes made to the policy domain structure are saved in fspms-domain-tree-audit.log.
Another log to look into is fspms-active-directory-rules.log. For example, when an AD synchronization rule was executed and the host with unique ID 4d896695-8de1-4f96-9c29-0ebd2bb60418 was moved into a domain, the following is logged:
20.06.2022 17:59:01,276 INFO [activeDirectoryRules] - Starting to process manually triggered rule [ruleId=5, domainController='LDAP://<domain name>', containerDn='OU=<OU name>,DC=<partial domain name>,DC=<partial domain name>', containerGuid='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', targetDomainId=<policy domain ID>, enabled=true]
20.06.2022 17:59:01,386 INFO [activeDirectoryRules] - 1 hosts found in Active Directory, 0 of them unmanaged
20.06.2022 17:59:01,388 INFO [activeDirectoryRules] - Domain <policy domain name> updated
20.06.2022 17:59:01,390 INFO [activeDirectoryRules] - Host having identity 4d896695-8de1-4f96-9c29-0ebd2bb60418 moved
20.06.2022 17:59:01,416 INFO [activeDirectoryRules] - Rule was successfully processed
Q: How to find out who deleted a policy sub-domain in Policy Manager Console?
A: This information is available in fspms-domain-tree-audit.log. Below is an example where a sub-domain called test was added and immediately deleted.
05.12.2019 09:44:17,785 INFO [audit.domainTree] - User 'admin' added domain test (id=76) to domain Root (id=1)
05.12.2019 09:44:23,615 INFO [audit.domainTree] - User 'admin' deleted domain test (id=76)
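Searching fspms-domain-tree-audit.log by hand works for one event; for a longer log the lines can be parsed into objects and filtered. The following PowerShell is an added example, not code from the original article or the product. The regex is derived only from the two line shapes shown above (added ... to domain X (id=N), and deleted), so other event wordings are reported as warnings instead of being silently dropped. The sample lines, the jsmith user and the Sales Laptops domain are constructed for the example.

```powershell
# Added example, not from the original article: parse fspms-domain-tree-audit.log and
# report who added or deleted which policy domain. The regex follows the two line shapes
# shown in the article; any other line is surfaced as a warning rather than silently dropped.
function ConvertFrom-DomainTreeAuditLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin {
        # Timestamp is day-first (dd.MM.yyyy) with a comma before the milliseconds, as in the article
        $pattern = '^(?<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}),\d+\s+(?<level>\w+)\s+\[audit\.domainTree\] - ' +
                   "User '(?<user>[^']+)' (?<action>\w+) domain (?<domain>.+?) \(id=(?<id>\d+)\)" +
                   '(?: to domain (?<parent>.+?) \(id=(?<parentId>\d+)\))?\s*$'
    }
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Time     = [datetime]::ParseExact($Matches.ts, 'dd.MM.yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
                User     = $Matches.user
                Action   = $Matches.action
                Domain   = $Matches.domain
                DomainId = [int]$Matches.id
                Parent   = $Matches.parent            # only set for 'added' lines
                ParentId = if ($Matches.parentId) { [int]$Matches.parentId } else { $null }
            }
        } elseif ($Line.Trim()) {
            Write-Warning "Unparsed audit line: $Line"
        }
    }
}

# Constructed sample lines in the article's format (not real log data)
$sampleLines = @'
05.12.2019 09:44:17,785 INFO [audit.domainTree] - User 'admin' added domain test (id=76) to domain Root (id=1)
05.12.2019 09:44:23,615 INFO [audit.domainTree] - User 'admin' deleted domain test (id=76)
06.12.2019 11:02:03,100 INFO [audit.domainTree] - User 'jsmith' added domain Sales Laptops (id=77) to domain Root (id=1)
'@ -split "`r?`n"

$events = $sampleLines | ConvertFrom-DomainTreeAuditLine

# Who deleted what, and how long the domain existed if its creation is in the same log
$events | Where-Object Action -eq 'deleted' | ForEach-Object {
    $del = $_
    $add = $events | Where-Object { $_.Action -eq 'added' -and $_.DomainId -eq $del.DomainId } | Select-Object -First 1
    [pscustomobject]@{
        Deleted   = $del.Time
        By        = $del.User
        Domain    = $del.Domain
        DomainId  = $del.DomainId
        CreatedBy = $add.User
        Lifetime  = if ($add) { $del.Time - $add.Time } else { $null }
    }
} | Format-Table -AutoSize

# Against the real file on the server:
# Get-Content 'C:\Program Files (x86)\F-Secure\Management Server 5\logs\fspms-domain-tree-audit.log' |
#     ConvertFrom-DomainTreeAuditLine | Where-Object Action -eq 'deleted'
```

On the sample input the report shows domain test (id 76) deleted by admin six seconds after admin created it. Matching on DomainId rather than on the domain name matters because a name can be reused after deletion, while the id is not.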
Article no: 000007129