Set security audit subsystem failure notifications


Notifications can be generated by a failure of the security audit subsystem. These notifications alert auditors that the security audit subsystem is no longer recording auditable security events. Notifications are generated only by a failure of the auditing subsystem; they are not related to any auditable security event or event outcome that has occurred. Notifications triggered by an event or an event outcome are not supported.

Before configuring notifications, enable global security and the security audit subsystem in the environment. You must be assigned the auditor role to complete this task.

If a problem is experienced with the security audit subsystem, then a notification can be generated. This is an alert that security events are no longer being audited. Notifications can be written to the system log file or sent as an e-mail to a specified group of users. We can configure notifications to alert the auditor of a problem using both of these methods simultaneously. Notifications are generated only when the Audit subsystem failure action field is set to Log warning or Terminate server.


  1. Click Security > Security Auditing.

  2. Confirm the Audit subsystem failure action field is set to Log warning or Terminate server. If the Audit subsystem failure action field is set to No warning, then notifications will not be generated.

  3. Click Security > Security Auditing > Audit monitor.

  4. Under Notifications, click New.

  5. Enter the name that should be associated with this notification configuration in the Notification name field.

  6. Select the Message log check box to specify that failure notifications are recorded in the audit log.

  7. Select the e-mail sent to notification list check box to specify that failure notification e-mail should be sent to the addresses listed in the notification list.

  8. Enter an e-mail address in the E-mail address to add field. This step is not needed if e-mail notifications are not going to be sent.

  9. Enter the mail server address in the Outgoing mail (SMTP) server address field. This step is not needed if e-mail notifications are not going to be sent.

  10. Click Add >> to add the e-mail address and associated mail server to the e-mail notification list.

  11. Repeat steps 5 through 7 for each e-mail address you want to specify in the e-mail notification list.

  12. Click OK.

  13. Select the Enable monitoring check box to turn on audit failure notifications.

  14. Select the notification configuration to be used from the Monitor notification drop-down menu.

  15. Click OK.


Results

After completing this task, a notification will be generated if the security auditing subsystem experiences an unrecoverable error resulting in security events no longer being audited.


Next steps

After configuring notifications, we can analyze the audit data for potential weaknesses in the current security infrastructure and to discover possible security breaches that might have occurred.

Audit notifications cannot be removed using the admin console. To remove an audit notification, you must first run the deleteAuditNotificationMonitorByRef or the deleteAuditNotificationMonitorByName command. After running one of those commands, remove the audit notification by running the deleteAuditNotification command.
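The same configuration as the console procedure above, followed by the removal order described in this note, as a wsadmin Jython script added here as an example (not code from the page or from the product documentation). Only the three delete commands are named on the page; modifyAuditPolicy, createAuditNotification, createAuditNotificationMonitor, their parameters, the e-mail address and the SMTP host are assumptions for illustration, and the script assumes wsadmin is run with an auditor-role ID.

```jython
# Added example, not from the page. Command names deleteAuditNotification,
# deleteAuditNotificationMonitorByRef and deleteAuditNotificationMonitorByName
# appear on the page; every other command and parameter name below is an
# assumption, as are the e-mail address and SMTP host (constructed values).

NOTIFICATION_NAME = 'auditFailureNotification'   # constructed
MONITOR_NAME      = 'auditFailureMonitor'        # constructed
# Assumed -emailList format: address(smtp-host), entries separated by ':'
EMAIL_LIST        = 'auditor@example.com(smtp.example.com)'  # constructed

def configure_failure_notification():
    # Console step 2: notifications are produced only when the failure action
    # is Log warning (WARN) or Terminate server (FATAL); NOWARN suppresses them.
    # Assumed parameter: -auditPolicy.
    AdminTask.modifyAuditPolicy('[-auditPolicy WARN]')

    # Console steps 4-12: one notification configuration that both writes to
    # the log and e-mails the notification list (both methods at once).
    # Assumed: the create command returns the new configuration reference.
    notification_ref = AdminTask.createAuditNotification(
        '[-notificationName %s -logToSystemOut true -sendEmail true '
        '-emailList %s -emailFormat TEXT]' % (NOTIFICATION_NAME, EMAIL_LIST))

    # Console steps 13-15: enable monitoring and bind it to the notification.
    monitor_ref = AdminTask.createAuditNotificationMonitor(
        '[-monitorName %s -notificationRef %s -enable true]'
        % (MONITOR_NAME, notification_ref))

    AdminConfig.save()
    return notification_ref, monitor_ref

def remove_failure_notification(notification_ref):
    # Removal order from the note above: delete the monitor first (by name
    # here; deleteAuditNotificationMonitorByRef with -monitorRef is the
    # alternative), and only then the notification it referenced.
    AdminTask.deleteAuditNotificationMonitorByName(
        '[-monitorName %s]' % MONITOR_NAME)
    AdminTask.deleteAuditNotification(
        '[-notificationRef %s]' % notification_ref)
    AdminConfig.save()

# Run as: wsadmin -lang jython -f audit_notify.py  (file name constructed)
n_ref, m_ref = configure_failure_notification()
print 'Created notification %s and monitor %s' % (n_ref, m_ref)
```

Calling remove_failure_notification(n_ref) afterwards reverses the configuration in the order the note requires; AdminConfig.save() is needed after each phase so the change reaches the master repository.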


Audit monitor collection
Audit notification settings


Related tasks


Enable the security auditing subsystem
Audit the security infrastructure
Set security audit notifications using scripting