Configure security audit subsystem failure notifications
Notifications can be generated when the security audit subsystem fails. They alert auditors that the security audit subsystem is no longer recording auditable security events. Notifications are triggered only by a failure of the auditing subsystem itself; they are not tied to any auditable security event or event outcome that has occurred. Notifications triggered by a particular event or event outcome are not supported.
Before configuring notifications, enable global security and the security audit subsystem in the environment. We must be assigned the auditor role to complete this task.
If the security audit subsystem experiences a problem, a notification can be generated to alert the auditor that security events are no longer being audited. A notification can be written to the system log file, sent as an email to a specified group of users, or both at once. Notifications are generated only when the Audit subsystem failure action field is set to Log warning or Terminate server.
- Optional: Click Security > Security Auditing.
- Optional: Confirm the Audit subsystem failure action field is set to Log warning or Terminate server. If the Audit subsystem failure action field is set to No warning, then notifications will not be generated.
- Click Security > Security Auditing > Audit monitor.
- Under Notifications, click New.
- Enter the name that should be associated with this notification configuration in the Notification name field.
- Select the Message log check box to specify that failure notifications are recorded in the audit log.
- Select the Email sent to notification list check box to specify that a failure notification email is sent to the addresses in the notification list.
- Enter an email address in the Email address to add field. This step is not needed if email notifications are not going to be sent.
- Enter the mail server address in the Outgoing mail (SMTP) server address field. This step is not needed if email notifications are not going to be sent.
- Click Add >> to add the email address and associated mail server to the email notification list.
- Repeat the previous three steps (email address, SMTP server, Add >>) for each email address to include in the email notification list.
- Click OK.
- Select the Enable monitoring check box to turn on audit failure notifications.
- Select the notification configuration to be used from the Monitor notification dropdown menu.
- Click OK.
Results
After completing this task, a notification will be generated if the security auditing subsystem experiences an unrecoverable error resulting in security events no longer being audited.
What to do next
After configuring notifications, we can analyze the audit data to find potential weaknesses in the current security infrastructure and to discover possible security breaches that might have occurred.
Audit notifications cannot be removed using the console. To remove an audit notification, first run either the deleteAuditNotificationMonitorByRef or the deleteAuditNotificationMonitorByName command to delete the monitor that references it, then remove the notification itself by running the deleteAuditNotification command.
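The console procedure above, and the two-step removal just described, can also be scripted with wsadmin (Jython). The script below is an added example written for this page, not code from the product documentation. The AdminTask commands named on the page (deleteAuditNotificationMonitorByName, deleteAuditNotification) are real; the parameter names (-notificationName, -logToSystemOut, -sendEmail, -emailList, -emailFormat, -monitorName, -notificationRef, -enable), the address(smtp.server) email-list syntax, the NOWARN/WARN/FATAL policy values and the shape of getAuditPolicy() output are assumptions from memory and should be confirmed with AdminTask.help('createAuditNotification') and friends on the target cell. The helpers that only build arguments run anywhere; the functions that touch AdminTask run only inside wsadmin, as a user holding the auditor role.

```python
# Added example (not from the product documentation): wsadmin/Jython
# counterpart of the console steps, plus the monitor-then-notification teardown.
# ASSUMED from memory: AdminTask parameter names, the 'address(smtp.server)'
# -emailList syntax, NOWARN/WARN/FATAL policy values, getAuditPolicy() output.
import re

try:
    AdminTask            # wsadmin injects these objects at start-up
    AdminConfig
except NameError:        # running outside wsadmin, e.g. in a unit test
    AdminTask = None
    AdminConfig = None

# Console labels -> policy values (assumed mapping):
# No warning = NOWARN, Log warning = WARN, Terminate server = FATAL.
NOTIFYING_POLICIES = ('WARN', 'FATAL')


def failure_action_notifies(policy):
    """Only Log warning (WARN) and Terminate server (FATAL) generate notifications."""
    return policy.strip().upper() in NOTIFYING_POLICIES


def parse_attribute_list(text):
    """Convert wsadmin attribute output such as
    '[[auditEnabled true] [auditPolicy NOWARN] [auditorId wsadmin]]'
    into a dict (output shape is an assumption; check it on your cell)."""
    attrs = {}
    for name, value in re.findall(r'\[(\w+)\s+([^\]]*)\]', text):
        attrs[name] = value.strip()
    return attrs


def email_list_arg(entries):
    """Build the -emailList value from (address, smtp_server) pairs.
    Assumed syntax: 'user@host(smtp.host)' items separated by ':'."""
    return ':'.join(['%s(%s)' % (addr, smtp) for addr, smtp in entries])


def _flag(value):
    return value and 'true' or 'false'


def notification_args(name, log_to_system_out, entries):
    """Arguments for createAuditNotification: message log, email, or both."""
    args = ['-notificationName', name,
            '-logToSystemOut', _flag(log_to_system_out),
            '-sendEmail', _flag(entries)]
    if entries:
        args += ['-emailList', email_list_arg(entries), '-emailFormat', 'text']
    return args


def monitor_args(monitor_name, notification_ref):
    """Arguments for createAuditNotificationMonitor (Enable monitoring = true)."""
    return ['-monitorName', monitor_name,
            '-notificationRef', notification_ref,
            '-enable', 'true']


def configure_failure_notification(monitor_name, name, entries, log_to_system_out=1):
    """Run inside wsadmin with the auditor role.  Refuses to create a monitor
    that can never fire because the failure action is still No warning."""
    policy = parse_attribute_list(str(AdminTask.getAuditPolicy()))
    if not failure_action_notifies(policy.get('auditPolicy', 'NOWARN')):
        raise RuntimeError('auditPolicy is %s; set it to WARN or FATAL first '
                           '(AdminTask.modifyAuditPolicy with -auditPolicy)'
                           % policy.get('auditPolicy'))
    ref = AdminTask.createAuditNotification(
        notification_args(name, log_to_system_out, entries))
    AdminTask.createAuditNotificationMonitor(monitor_args(monitor_name, ref))
    AdminConfig.save()
    return ref


def remove_failure_notification(monitor_name, notification_ref):
    """Teardown in the order the page requires: delete the monitor first,
    then the notification it references (the console cannot remove it)."""
    AdminTask.deleteAuditNotificationMonitorByName(['-monitorName', monitor_name])
    AdminTask.deleteAuditNotification(['-notificationRef', notification_ref])
    AdminConfig.save()


if AdminTask is not None:
    # Constructed sample values; replace with the real auditor addresses.
    created = configure_failure_notification(
        'auditFailureMonitor', 'auditFailureNotification',
        [('auditor@example.com', 'smtp.example.com')])
    print('created notification ' + str(created))
```

The policy gate at the top of configure_failure_notification is the scripted form of the optional confirmation step: a monitor attached to a NOWARN policy is silently useless, so the script fails loudly instead. Run it with `wsadmin -lang jython -f script.py` while connected as the auditor.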
Subtopics
- Audit monitor collection
Use this page to configure audit subsystem failure notifications. The Audit monitor panel lists the existing notification configurations and is the gateway for creating new notification configurations and for managing the existing ones.
- Audit notification settings
Use this page to create and manage notification configurations that define how auditors are made aware of audit subsystem failures.
Related tasks
- Audit the security infrastructure
- Enable the security auditing subsystem
- Configure security audit notifications