Can you provide more information, like what version of SAS 9.4 platform are you using? What does the installation look like,how many machines? Do you have a web server? Is SAS environment manager installed?

Thanks

Hello,

When the user logs in is in the SASMetadataServer*.log in the form:

SASMeta_MetadataServer_2020-03-15_v64-t71221-01_31503.log:

2020-03-15T12:05:00,163 INFO [00330077] :sasevs@saspw - New client connection (9374) accepted from server port 8561 for user sasevs@saspw. Encryption level is Credentials using encryption algorithm SASPROPRIETARY. Peer IP address and port are [::ffff:10.11.14.195]:45570 for APPNAME=Environment Manager 904500.

You could probably figure out when they logged out examining the closed line matching the (9374) connection.

You can help yourself in the admin guide to auditting but the recommended way to monitor is to use SAS Environment Manager.

SAS Help Center: Audit Changes to Server Logging Configurations

Please look into the SAS environment Manager Service Architecture Framework for 9.4 - https://support.sas.com/rnd/emi/SASEnvMgr/EVSAF/index.html
The list of available reports is at the end of that link, in particular the Audit Reports - log forensic section should be of interest to you.

@huntdoug has given the correct answer. You can either install / configure the auditing and logging / EM service architecture - which records much more detailed information, or you can look at the metadata server log for basic connection info.

I had to do this for someone just a few days ago and they didn't have the the full auditing and logging installed, so I analysed the metadata server log. using this simple program - it may not be perfect, so check your results:

*reads in metadata server log and attempts to determine who connected.;

filename mdlog "/Path to the metadata server log/sasmeta......log" ;

data connections;
length userid $32;
format time time. date date.;
infile mdlog ;
input @1 date yymmdd10. @12 time time8.;

userid=scan(_infile_,4,':');
userid=strip(scan(userid,1,'-'));

/*
Sample data
2021-03-29T23:43:35,642 INFO [133178522] :sastrust@saspw - Request made to cluster SASMeta - Logical Metadata Server (A5L3816M.AX000001).
2021-03-29T23:43:35,642 INFO [133178522] :sastrust@saspw - Redirect client in cluster SASMeta - Logical Metadata Server (A5L3816M.AX000001) to server SASMeta - Metadata Server (A5L3816M.AZ000001) at sasmeta.xyz.co.nz:8561.
2021-03-29T23:43:35,652 INFO [133178526] :sasevs@saspw - New client connection (6181722) accepted from server port 8561 for SAS token user sasevs@saspw. Encryption level is Everything using encryption algorithm AES. Peer IP address and port are [10.123.456.789]:56444 for APPNAME=/SASAuthorizationServices - Web Infra Platform Identity Services 9.4.

*/

if userid not in('svc_sas_prod','sasevs@saspw','sasadm@saspw','sastrust@saspw','svc_lasradm_prod');

run;

*unique users;
proc sort data=connections out=uniqueusers nodupkey;
by userid;
run;

And I only had to report on connections for one week, so I just ran this 7 times to analyse the 7 daily metadata log files, so clearly this could be enhanced to automate processing of a range of logs.

Unfortunately, it only reports who connected to the SAS System, not what they did.

To implement more comprehensive auditing and logging can be a reasonable amount of work to set up. If you set up workspace server logging (for example, every EG session has the log saved to disk), this can consume lots of disk space, so you need to consider retention periods, automated archiving etc. Typically a dedicated log disk volume is set up of maybe 100 or 200GB in size just to store logs.

Auditing and logging seems to be a requirement more and more these days. I've had to set this up for a number of government sites to comply with increased security requirements.

Just to be clear you will need a SAS mid-tier server to run SAS Environment Manager. This could be installed on one of your existing physical servers or on a new one. You will also need to install the Environment Manager agent on all SAS servers you want to monitor. 

Yes, I was already aware of that. That's why I pointed out the requirement to add one if you go with Environment Manager.

@ksuman 
It is possible to have midtier on metadata or compute server.
As your installation is 9.4M6, midtier must already be there.

As about the information you are trying to seek is achievable but requires some degree of programming/scripting with your local environment in view. Your Linux administrator should be able to help.

To see what your users are doing, without using Environment Manager, activate server-side logging for the workspace server (logconfig.xml), and then parse the logs.