
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Take Action and command execution audit logging

If you have IBM Tivoli Monitoring V6.3 or later, audit records are generated for Take Action and tacmd executecommand execution. Take Action execution includes Take Actions initiated from the Tivoli Enterprise Portal, running the tacmd executeaction command, situation Take Action commands, and workflow policy Take Action commands. The identity of the user who initiated the Take Action is passed to the monitoring agent using a secure session token.

The session token relies on the common IBM Tivoli Monitoring encryption key and on time synchronization between the IBM Tivoli Monitoring servers and monitoring agents. If the encryption key is not synchronized, all commands are rejected as invalid because the identity fails validation. If the system time of the portal server (for Tivoli Enterprise Portal users) or the hub monitoring server (for tacmd command users) is more than 25 minutes out of sync with that of the target monitoring agent, measured in Universal Coordinated Time (UTC), the command is rejected as unauthorized due to a permission timeout.
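
The two rejection paths described above can be reproduced with a simplified model. This is an added example, not IBM code and not the actual Tivoli Monitoring token format: it substitutes an HMAC-SHA256 tag over a JSON body for the product's encryption-key mechanism, and the function names, key values and user name are constructed for illustration.

```python
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 25 * 60  # tolerance stated in the text above


def issue_token(key: bytes, user: str, issued_at: int) -> bytes:
    """Server side (model): bind the user identity and the server's UTC time to the shared key."""
    body = json.dumps({"user": user, "iat": issued_at}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def validate_token(key: bytes, token: bytes, agent_now: int):
    """Agent side (model): return (accepted, user, reason) as it would be audited."""
    body, _, tag = token.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Key check comes first: without a valid tag, neither the identity
    # nor the timestamp inside the token can be trusted.
    if not hmac.compare_digest(tag, expected):
        return (False, None, "invalid: identity failed validation")
    claims = json.loads(body)
    # Skew counts in both directions: a fast or a slow agent clock both fail.
    if abs(agent_now - claims["iat"]) > MAX_SKEW_SECONDS:
        return (False, claims["user"], "unauthorized: permission timed out")
    return (True, claims["user"], "accepted")


# Constructed sample values, not taken from any real installation.
SERVER_KEY = b"constructed-shared-key"
STALE_AGENT_KEY = b"constructed-old-key"
T0 = 1_700_000_000  # server UTC time in epoch seconds

if __name__ == "__main__":
    token = issue_token(SERVER_KEY, "sysadmin", T0)
    for label, key, now in [
        ("in sync", SERVER_KEY, T0 + 60),
        ("key not synchronized", STALE_AGENT_KEY, T0 + 60),
        ("agent clock 26 min ahead", SERVER_KEY, T0 + 26 * 60),
        ("agent clock 26 min behind", SERVER_KEY, T0 - 26 * 60),
    ]:
        print(f"{label:28s} -> {validate_token(key, token, now)}")
```

In this model a key mismatch leaves the user field empty in the result, while a clock-skew rejection still carries the verified identity, which is a useful distinction when triaging rejected commands.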

Situation Take Action execution and workflow policy Take Action execution record the identity of the user who last modified the situation or workflow policy.

The audit messages are available in the audit log at the monitoring agent or through the Tivoli Enterprise Portal as historical data or real-time queries of the audit log.

The TEMS Security Compatibility Mode allows server components that are at a version before V6.3 to execute commands or Take Actions for monitoring agents with Tivoli Enterprise Monitoring Agent Framework V6.3 or later. If TEMS Security Compatibility Mode is not enabled and you have a portal server or monitoring server at a version before V6.3, then Take Actions or tacmd executecommand commands might be rejected as unauthorized and audited. When TEMS Security Compatibility Mode is enabled, the identity of the original user might not be available in the audit records. Best practice is to upgrade your infrastructure to IBM Tivoli Monitoring V6.3 or later and to disable TEMS Security Compatibility Mode for maximum security and assurance that the identity of the user behind Take Action and tacmd executecommand executions is properly audited.

You can also use AAGP policies to control which users can execute a Take Action or tacmd executecommand against a managed system. See Access Authorization Group Profile.

