Part 2: Auditing data access, who did what and when?

In my last blog, I demonstrated how to configure a SAS server to write a record to a log file showing who is opening, editing or renaming a SAS table. In this blog we will see how we can process that information. The documentation shows one way to do this via some SAS programs that will parse the log files and create reports.

SAS Environment Manager Service Architecture framework provides some other interesting techniques that we can use. SAS Environment Manager includes the ability to monitor log files and create events based on text that is written to the logs. Events are displayed in the Event Center within SAS Environment Manager and, if the service architecture framework is configured, are also fed to the SAS Environment Manager Data Mart.

By default, SAS Environment Manager monitors the log files for SAS servers and automatically creates events for error messages recorded in those logs. However, it is very easy to configure the log tracking to fire events as a result of other specific log entries.

In the previous blog our configuration resulted in log messages with the following format:

2015-09-03T18:00:44,311 TRACE [00000004] :barbara@meta01 –
LOGGER=Audit.Data.Dataset.Open Libref=OSSALES Engine=META Member=ORDER_FACT
MemberType=DATA Openmode=INPUT Path=/opt/OrionSales/data

This format needs to be adjusted slightly so that the events are picked up by log tracking. SAS Environment Manager event levels differ from those that SAS outputs, and SAS Environment Manager will not recognize a TRACE event. To have it pick up the event, we can reclassify it as a DEBUG event. To do that, change the conversion pattern in the appender to %d DEBUG [%t] %X{Client.ID}:%u – LOGGER=%c %m. This will output the log message:

2015-09-23T14:13:19,866 DEBUG [00000004] :barbara@meta01 –
LOGGER=Audit.Data.Dataset.Open Libref=OSSALES Engine=META Member=ORDER_FACT
MemberType=DATA Openmode=INPUT Path=/opt/OrionSales/data 

Notice that instead of the SAS logging level of TRACE, we changed the conversion pattern to write the string DEBUG in the location where the logging level is written.

Now we can set up log tracking on the audit logs so that any data set access message will generate an event. We will then view this event in SAS Environment Manager and see how to report on the events.

Each SAS server has a file sev_logtracker_plugin.properties. This file contains entries for each type of SAS server log entry that SAS Environment Manager looks for. You can add to this file to create events for criteria of your choosing. Each SAS server has its own properties file, so logging events can be created for specific server types.

The default stored process server file is located at <config>\SASApp\StoredProcess\sev_logtracker_plugin.properties and has the following entries, which enable it to track fatal and error messages and user lockout warnings.

# All fatal
level.fatal.1=.*

# All errors
level.error.1=.*

# User lockout warnings
level.warn.1=.*Access to this account.*is locked out.*

To create an event when a user edits, deletes or updates a SAS dataset, add the following line to the file. The text after the equals sign can be any regular expression.

level.debug.1=.*Audit.Data.*

This will fire an event when a DEBUG message that contains the string Audit.Data appears in the log.
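As an added illustration (not SAS code and not part of the original post), this Python sketch models how the level-keyed regular expressions in the properties file select log lines, and shows why the TRACE record is ignored while the re-labelled DEBUG record becomes an event. It assumes each record sits on one line, that the level is the second field, and that a rule must match the whole line; the function names and sample lines are constructed for the example.

```python
import re

# Constructed stand-in for sev_logtracker_plugin.properties (entries from the post).
PROPERTIES = """\
# All fatal
level.fatal.1=.*
# All errors
level.error.1=.*
# User lockout warnings
level.warn.1=.*Access to this account.*is locked out.*
level.debug.1=.*Audit.Data.*
"""

# Constructed sample lines in the post's format, one record per line.
SAMPLE_LOG = [
    "2015-09-03T18:00:44,311 TRACE [00000004] :barbara@meta01 - LOGGER=Audit.Data.Dataset.Open Libref=OSSALES Engine=META Member=ORDER_FACT MemberType=DATA Openmode=INPUT Path=/opt/OrionSales/data",
    "2015-09-23T14:13:19,866 DEBUG [00000004] :barbara@meta01 - LOGGER=Audit.Data.Dataset.Open Libref=OSSALES Engine=META Member=ORDER_FACT MemberType=DATA Openmode=INPUT Path=/opt/OrionSales/data",
    "2015-09-23T14:13:20,002 DEBUG [00000004] :barbara@meta01 - LOGGER=App.Program Unrelated debug message",
]

# Timestamp, level, [thread], client:user, dash (ASCII or en-dash), message.
LINE_RE = re.compile(r"^(?P<when>\S+) (?P<level>[A-Z]+) \[(?P<thread>[^\]]*)\] "
                     r"(?P<client>[^:]*):(?P<user>\S+) [-\u2013] (?P<message>.*)$")

def load_rules(text):
    """Return {level: [compiled regex, ...]} from level.<level>.<n>=<regex> entries."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, pattern = line.partition("=")
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "level":
            rules.setdefault(parts[1].lower(), []).append(re.compile(pattern))
    return rules

def audit_events(lines, rules):
    """Yield who/what/when for each line whose level has a rule matching it."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and any(r.fullmatch(line) for r in rules.get(m["level"].lower(), [])):
            event = {"when": m["when"], "user": m["user"]}
            event.update(kv.split("=", 1) for kv in m["message"].split() if "=" in kv)
            yield event

if __name__ == "__main__":
    for e in audit_events(SAMPLE_LOG, load_rules(PROPERTIES)):
        print(e["when"], e["user"], e.get("LOGGER"), e.get("Libref"), e.get("Member"), e.get("Openmode"))
```

Only the second sample line produces an event: there is no rule for the trace level, and the third line is DEBUG but does not contain Audit.Data.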

In our appender in the previous blog we chose to write the logs that contain access messages to a new directory. In order to turn on log-tracking on that directory we need to edit the log tracking configuration for the Stored Process Server and add the directory.

To do that, log on to SAS Environment Manager and:

  1. Select Resources > Services, locate the compute01 SASApp – Stored Process Server and select it.
  2. Select Inventory and select Edit.
  3. Add the directory /opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs to the service.log_track.files attribute and click OK (multiple directories are separated by commas).

The result of this configuration is that events are displayed in SAS Environment Manager when a table is accessed. To view the events, select Analyze > Event Center.

You could take this approach a step further and fire an alert based on some other criteria such as a specific table being edited. Alerts are a user-defined type of event that indicates a critical condition in a selected resource.

An additional benefit to this approach is that if SAS Environment Manager Service Architecture framework is configured, events are automatically included in the EVENTS table in the SAS Environment Manager Data Mart.

From here the data can be used for reporting with traditional SAS tools, or within SAS Visual Analytics if the automatic feed of data to SAS Visual Analytics is configured.

About Author

Gerry Nelson

Principal Technical Consultant

Gerry Nelson is a Principal Technical Architect in the Global Enablement and Learning (GEL) Team within SAS R&D's Global Technical Enablement Division. His primary focus is on administration of SAS environments, particularly migration, promotion and upgrading.
