BookmarkSubscribeRSS Feed
kevind
Obsidian | Level 7

I'd like to have audit logs of files transferred between the server and the PC by Enterprise Guide users using the Copy Files task.   I currently have the Workspace logconfig.xml configured to record job logs but there is nothing being logged regarding file transfers.   Any ideas?

9 REPLIES 9
anja
SAS Employee

Hi Kevind,

 

The workspace server log provides you with an overview of connections made per users, but does not show what you are looking for.

 I think that this would rather be an OS monitoring matter than a SAS monitoring.

 

What version of SAS and OS are you running?

 

Also, please note that it is not recommended to enable Workspace Server logging, other than for troubleshooting.

Each client connection creates a log file, which means your WS log location will fill up so quickly and eventually will take up

big amounts of space.

 

Thanks

Anja

 

kevind
Obsidian | Level 7
We are using SAS 9.4 M2 Grid on RHEL 6.8. So far I have just enabled WS logging on QA but I want to do so for production so that we can detect SAS/ACCESS errors. I feel like I can manage the logs (scan them for errors and remove them) but I don't want to have any unnecessary performance hits. I configured the logging with ImmediateFlush false. So far using threshold INFO but assuming that the ERROR threshold would be enough to detect the ACCESS issues I'm looking for. Regarding the EG file copy, this will be a really good feature, assuming it's encrypted, since Security wants the ssh sftp shutdown, but they would also want some way to review what files are uploaded/downloaded from the servers.
JuanS_OCS
Amethyst | Level 16

Hello,

 

I might be completely wrong, but I believe the Copy Files functionality does not use, necesarily, any SAS service, as the workspace server, but just .NET functionality, or native OS commands, maximum.

 

Did you already enabled the Logging fuctionality on your EG client? http://support.sas.com/kb/55/414.html

 

 

kevind
Obsidian | Level 7

I found that the EG logging on the PC does capture the copying but I need to track it on the server and haven't found where that would be logged or what service on the server is providing the transfer.  Thanks for the feedback.

2016-11-30 10:55:18,614 [17] INFO  SAS.Tasks.CopyFiles.SasFileTransferTask [(null)] - Running Copy Files task: Copy Files

,,,

2016-11-30 10:57:21,448 [17] INFO  SAS.Tasks.CopyFiles.SasFileTransferTask [(null)] - Checking for existence of target folder: C:/users/kcd01/Downloads
2016-11-30 10:57:21,448 [17] INFO  SAS.Tasks.CopyFiles.SasFileTransferTask [(null)] - DOWNLOADING files...

JuanS_OCS
Amethyst | Level 16

I am not sure how to answer your question regarding the loggin from sever side, except the OS itself.

If you need additional in deep detail about EG custom tasks I suggest you to ask @ChrisHemedinger, he is your guru 🙂 At least he will know where to point you at.

 

 

ChrisHemedinger
Community Manager

As you found, EG app logging captures it -- but I can see that's not good enough for your needs.

 

Workspace logging would catch it if you look specifically for IOM::FileService events -- that's the SAS Integration Technologies service that's being used.  However, it will be a challenge to configure your Workspace logging to catch that without filling up with a whole bunch of other stuff that you don't need/want.

 

The Copy Files task isn't the only way to pull content from the server to your PC -- it's just the most convenient method.  Even if we added some sort of event logging in that task, there would be other gaps in your potential auditing.

 

Are you trying to track who might be downloading sensitive data?  Even if there is a business need for this, you just want to be able to audit/track/follow up?

It's time to register for SAS Innovate! Join your SAS user peers in Las Vegas on April 16-19 2024.
SASKiwi
PROC Star

In addition to @ChrisHemedinger's comments I'm wondering what business requirement you are addressing? If it is monitoring the extraction of sensitive data then I'd suggest there are so many ways you can circumvent auditing that I see it as impossible to cover all of the bases. For example just copying and pasting avoids any possible audit.

kevind
Obsidian | Level 7
I realize that there will be other ways for content to be downloaded off of the server (copy/paste, email, etc) but I've started on this journey to write the tools to know what's occurring on the system and I'll capture these other items as they get identified. I used the logconfig.trace.xml on WS and I didn't see the IOM::FileService events but I did see evidence of the file transfer in these messages:
2016-12-01T15:22:23,078 TRACE [00002894] 2:sas - Bridge PE [7fad0c395fd0] 7fad000a3aa0: 00 00 00 00 2f 68 6f 6d 65 2f 73 61 73 00 01 00 |..../home/sas...|
2016-12-01T15:22:23,078 TRACE [00002894] 2:sas - Bridge PE [7fad0c395fd0] 7fad000a3ab0: 0d 00 00 00 73 61 73 63 68 65 63 6b 2e 6c 6f 67 |....sascheck.log|
Do you have any examples of capturing the IOM:FileServices?

BTW, I recently changed WS logconfig.xml to record errors and wrote a Perl script that reformats the log data into a CSV file and emails it to me so that I now have visibility to users having database connection errors instead of waiting for a SAS user to report the issue and guess how many others are having the issue.
ChrisHemedinger
Community Manager

I think if you turn up the logging all the way to DEBUG, you might get the FS events.  But then you'll want to squelch all of the stuff you don't want, else your log folder will run out of quota really fast...

It's time to register for SAS Innovate! Join your SAS user peers in Las Vegas on April 16-19 2024.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 9 replies
  • 1418 views
  • 2 likes
  • 5 in conversation