Capture sas.audit.record configuration definition updates

drahorg

In Viya 2024.09LTS I was asked to report all changes performed by SAS admins in Env Manager ->Configuration -> sas.audit.record. Specifically for the “activity.recording.level” and “audit.recording.level”, to capture the level that these were set at, as well as datetime when the change has been done.

Can you pls let me know if this is being captured in Postgres, and if so in which table and column(s)?

Also is this information captured anywhere else?

Presently the activity.recording.level=high and audit.recording.level=low

Thanks a lot,

ronf_sas

Hi @drahorg . Good question. I was not sure of the answer, so I did a little trial and error testing with the sas-viya CLI and the audit plugin to look at the audit records. First I changed the sas.audit.record/audit.recording.level property to DISABLED, and then changed it back to the default, LOW. I didn't find anything useful using sas-viya audit list, so then I used sas-viya audit list-activities, which queries the activity records, which are the newer revamped audit records. Here is what I found:

[root@hostname scripts]# ./sas-viya audit list-activities --user-id sasboot --after 2025-04-15T00:00:00Z --resolve-uri
ID Time Stamp Action State User ID Application Administrative Action Object Name Object Type Service Name URI User Interaction Secure
8cb7c469-2613-4672-80a8-d2585efe64a5 2025-04-15T12:29:19Z update success sasboot true sas.audit.record Configuration configuration /configuration/configurations/9a8435d5-06ca-4d04-b888-574d9d925372 true
b1615f7b-a6af-4baf-90cb-9edd274fb7e7 2025-04-15T12:32:39Z update success sasboot true sas.audit.record Configuration configuration /configuration/configurations/9a8435d5-06ca-4d04-b888-574d9d925372 true

So this tells me that the sas.audit.record (Object Type) property was updated (Action). It tells the time and who did it. What it doesn't tell me is that audit.recording.level property was changed nor does it provide the before and after value. I did a similar test by changing sas.audit.record/activity.recording.level and the results were similar. I also chose a few other random services to make configuration changes on and get similar results.

[root@trck1015055 scripts]# ./sas-viya audit list-activities --user-id sasboot --after 2025-04-15T00:00:00Z --resolve-uri
ID Time Stamp Action State User ID Application Administrative Action Object Name Object Type Service Name URI User Interaction Secure
8cb7c469-2613-4672-80a8-d2585efe64a5 2025-04-15T12:29:19Z update success sasboot true sas.audit.record Configuration configuration /configuration/configurations/9a8435d5-06ca-4d04-b888-574d9d925372 true
b1615f7b-a6af-4baf-90cb-9edd274fb7e7 2025-04-15T12:32:39Z update success sasboot true sas.audit.record Configuration configuration /configuration/configurations/9a8435d5-06ca-4d04-b888-574d9d925372 true
c394d979-e78e-4745-beaa-495d81e7c82f 2025-04-15T12:34:45Z update success sasboot true sas.identities Configuration configuration /configuration/configurations/4fbf97b7-7953-4dfe-bd32-083fed73d2c4 true
ace2940e-e6e4-4629-8791-030e7622e45e 2025-04-15T12:36:38Z update success sasboot true sas.identities Configuration configuration /configuration/configurations/4fbf97b7-7953-4dfe-bd32-083fed73d2c4 true
1f564a09-b7e3-498e-b66f-f2381656f5cd 2025-04-15T12:36:58Z update success sasboot true sas.logon.initial Configuration configuration /configuration/configurations/d436d15e-019b-40d5-88fa-c923902d642b true
c755989c-774f-44e8-81d7-b8c807cee834 2025-04-15T12:39:16Z update success sasboot true sas.logon.initial Configuration configuration /configuration/configurations/d436d15e-019b-40d5-88fa-c923902d642b true
3dee5e93-5cbf-4e88-a271-52aeb823f482 2025-04-15T12:39:44Z update success sasboot true sas.notifications Configuration configuration /configuration/configurations/14690a99-71ad-425c-98c4-ca417fd645d4 true
725ce1a4-ec1a-477b-ae21-d8425cbb3cf6 2025-04-15T12:39:57Z update success sasboot true sas.report.service Configuration configuration /configuration/configurations/9516f56a-4641-41d1-aca7-a672b8e17859 true
3054e259-8073-46df-81ea-1efc42e061fa 2025-04-15T12:40:24Z update success sasboot true sas.report.service Configuration configuration /configuration/configurations/9516f56a-4641-41d1-aca7-a672b8e17859 true
f42202ed-79c6-48ab-a11e-4436fbb67334 2025-04-15T12:40:32Z update success sasboot true sas.notifications Configuration configuration /configuration/configurations/14690a99-71ad-425c-98c4-ca417fd645d4 true
4f718d3a-4ba7-480b-9480-976b7d473fdd 2025-04-15T15:32:07Z update success sasboot true sas.audit.record Configuration configuration /configuration/configurations/9a8435d5-06ca-4d04-b888-574d9d925372 true
af50333b-233c-45ab-9bc5-4bab3dffea01 2025-04-15T15:37:03Z update success sasboot true sas.audit.record Configuration configuration /configuration/configurations/9a8435d5-06ca-4d04-b888-574d9d925372 true

I also used fulljson output and the --details options, but did not get the additional information that you are asking about.

While this does not completely meet your needs, it does help you know who modified a configuration definition and when. I will check to see if we have any open feature requests to have more detail included.

For more information about querying audit records, refer to https://go.documentation.sas.com/doc/en/sasadmincdc/v_062/calaudit/n1medruepeq0wzn19tv45t84j47j.htm

BrunoMueller

Similar to what @ronf_sas showed, there are audit entries created when a configuration value changes.

Here is an example:

sas-viya audit list --application configuration --after 2025-04-16T07:25Z --sort-by timeStamp
ID                                     Time Stamp                    Action   State     User ID     Application     Administrative Action   URI
aaec1d34-50a6-40ad-84a2-5c8100530a47   2025-04-16T07:25:36.811974Z   read     success   christine   configuration   true                    /configuration/definitions
ac04d4db-0caf-42c5-b3e6-e7a43f6dec0c   2025-04-16T07:25:42.517068Z   read     success   christine   configuration   true                    /configuration/configurations
57e673f5-ec1a-420a-bfe9-e458990bbc7b   2025-04-16T07:26:06.509543Z   update   success   christine   configuration   true                    /configuration/configurations/658a92ed-fa14-4fe9-8b49-c209f05d2bff
5df70104-6750-4fdd-8d66-1d9df5beb46e   2025-04-16T07:26:06.643746Z   read     success   christine   configuration   true                    /configuration/configurations

Look at the line where the action is update, use the the id at the end of the URI. This id can be used together with this command to list the configuration affected, you will see the new value

sas-viya configuration configurations show --id 658a92ed-fa14-4fe9-8b49-c209f05d2bff
id                   : 658a92ed-fa14-4fe9-8b49-c209f05d2bff
metadata.isDefault   : false
metadata.mediaType   : application/vnd.sas.configuration.config.logging.level+json;version=1
metadata.services    : [authorization]
name                 : com.sas.authorization.service.authorize.AuthorizationLogger
level                : OFF

Capture sas.audit.record configuration definition updates

Re: Capture sas.audit.record configuration definition updates

Re: Capture sas.audit.record configuration definition updates