Re: set audit/listener



Pierre wrote:
> hi,
>
> as far as I understand the help, I may redirect audit events to a
> device, say a mailbox.

With SET AUDIT/LISTENER, you are not redirecting, merely asking the audit server to send you a copy of audit messages.

> just not to reinvent the wheel, does anyone have an example of a
> program which "listen" such events thru a mailbox?


I don't have one off hand (I do, but I can't post it here), but it's a very simple bit of code.

- Set up a permanent mailbox with a call to SYS$CREMBX().
- Arm an AST to fire when a message is delivered to the mailbox that
reads the message, does something with it, and re-arms the AST.
- Issue your SET AUDIT/LISTENER command.

To interpret the information in the audit message, you need to see the "Systems Management Utilities Reference Manual" here:

<http://h71000.www7.hp.com/doc/83final/6048/6048pro_090.html#audit_record_format>

You don't mention what language you'd like an example written in.

Here's an example of creating (and deleting) a permanent mailbox in C:

<http://www.eight-cubed.com/examples/framework.php?file=sys_delmbx.c>

To arm a read attention AST for the mailbox, see the mailbox chapter in the "I/O User's Reference Manual" here (I'm using the old version of the manual because PDF sucks):

<http://h71000.www7.hp.com/doc/732FINAL/aa-pv6sf-tk/00/00/36-con.html#mailboxessetattentionastfunction>

An example of reading from a mailbox using SYS$QIO() can be seen here:

<http://www.eight-cubed.com/examples/framework.php?file=sys_sndopr.c>

Now, in DCL :-)

Session 1> create/mailbox/perm audit_mbx
Session 1> open/read audit_mbx audit_mbx
Session 1> read audit_mbx record

Session 2> set audit/listen=audit_mbx
Session 2> ! Cause an audit event which will cause the read in session 1
Session 2> ! to complete.

Session 1> close audit_mbx

Session 2> set audit/nolisten=audit_mbx

Session 1> delete/mailbox audit_mbx

HTH,
Jim.
--
www.eight-cubed.com
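
The two-session DCL sequence from the post, combined into one command procedure that keeps draining the mailbox and removes the listener on exit. This is an added example, not code from the original post; the procedure name, the MBX_CHAN channel name and the output format are assumptions, and the process is assumed to hold the privileges needed for a permanent mailbox and for SET AUDIT.

```dcl
$! AUDIT_LISTEN.COM - added example, not code from the original post.
$! Assumption: the process holds the privileges needed to create a
$! permanent mailbox and to issue SET AUDIT.
$! MBX_CHAN is a hypothetical channel name, kept distinct from the
$! mailbox logical AUDIT_MBX so that SET AUDIT in this same process
$! still resolves AUDIT_MBX to the mailbox device.
$ set noon
$ count = 0
$ create/mailbox/perm audit_mbx
$ if .not. $status then exit
$ open/read/error=remove_mbx mbx_chan audit_mbx
$! Ctrl-Y is the normal way to stop; it runs the cleanup path below.
$ on control_y then goto cleanup
$ set audit/listen=audit_mbx
$loop:
$ read/error=cleanup/end_of_file=cleanup mbx_chan record
$ count = count + 1
$! Records are binary, so only arrival time and size are reported here.
$! The field layout is in the audit record format section of the
$! manual linked in the post.
$ write sys$output f$fao("!%D  audit message !UL, !UL bytes", 0, count, f$length(record))
$ goto loop
$cleanup:
$! Stop the audit server sending copies before the reader goes away.
$ set audit/nolisten=audit_mbx
$ close mbx_chan
$remove_mbx:
$ delete/mailbox audit_mbx
$ write sys$output "Listener removed after ''count' message(s)"
$ exit
```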