Architecting, installing and maintaining your SAS environment

How can I log EG file transfers for auditing

Reply
Contributor
Posts: 24

How can I log EG file transfers for auditing

I'd like to have audit logs of files transferred between the server and the PC by Enterprise Guide users using the Copy Files task.   I currently have the Workspace logconfig.xml configured to record job logs but there is nothing being logged regarding file transfers.   Any ideas?

SAS Super FREQ
Posts: 291

Re: How can I log EG file transfers for auditing

Hi Kevind,

 

The workspace server log provides you with an overview of connections made per users, but does not show what you are looking for.

 I think that this would rather be an OS monitoring matter than a SAS monitoring.

 

What version of SAS and OS are you running?

 

Also, please note that it is not recommended to enable Workspace Server logging, other than for troubleshooting.

Each client connection creates a log file, which means your WS log location will fill up so quickly and eventually will take up

big amounts of space.

 

Thanks

Anja

 

Contributor
Posts: 24

Re: How can I log EG file transfers for auditing

We are using SAS 9.4 M2 Grid on RHEL 6.8. So far I have just enabled WS logging on QA but I want to do so for production so that we can detect SAS/ACCESS errors. I feel like I can manage the logs (scan them for errors and remove them) but I don't want to have any unnecessary performance hits. I configured the logging with ImmediateFlush false. So far using threshold INFO but assuming that the ERROR threshold would be enough to detect the ACCESS issues I'm looking for. Regarding the EG file copy, this will be a really good feature, assuming it's encrypted, since Security wants the ssh sftp shutdown, but they would also want some way to review what files are uploaded/downloaded from the servers.
Trusted Advisor
Posts: 1,141

Re: How can I log EG file transfers for auditing

Hello,

 

I might be completely wrong, but I believe the Copy Files functionality does not use, necesarily, any SAS service, as the workspace server, but just .NET functionality, or native OS commands, maximum.

 

Did you already enabled the Logging fuctionality on your EG client? http://support.sas.com/kb/55/414.html

 

 

Contributor
Posts: 24

Re: How can I log EG file transfers for auditing

I found that the EG logging on the PC does capture the copying but I need to track it on the server and haven't found where that would be logged or what service on the server is providing the transfer.  Thanks for the feedback.

2016-11-30 10:55:18,614 [17] INFO  SAS.Tasks.CopyFiles.SasFileTransferTask [(null)] - Running Copy Files task: Copy Files

,,,

2016-11-30 10:57:21,448 [17] INFO  SAS.Tasks.CopyFiles.SasFileTransferTask [(null)] - Checking for existence of target folder: C:/users/kcd01/Downloads
2016-11-30 10:57:21,448 [17] INFO  SAS.Tasks.CopyFiles.SasFileTransferTask [(null)] - DOWNLOADING files...

Trusted Advisor
Posts: 1,141

Re: How can I log EG file transfers for auditing

I am not sure how to answer your question regarding the loggin from sever side, except the OS itself.

If you need additional in deep detail about EG custom tasks I suggest you to ask @ChrisHemedinger, he is your guru Smiley Happy At least he will know where to point you at.

 

 

Community Manager
Posts: 2,761

Re: How can I log EG file transfers for auditing

As you found, EG app logging captures it -- but I can see that's not good enough for your needs.

 

Workspace logging would catch it if you look specifically for IOM::FileService events -- that's the SAS Integration Technologies service that's being used.  However, it will be a challenge to configure your Workspace logging to catch that without filling up with a whole bunch of other stuff that you don't need/want.

 

The Copy Files task isn't the only way to pull content from the server to your PC -- it's just the most convenient method.  Even if we added some sort of event logging in that task, there would be other gaps in your potential auditing.

 

Are you trying to track who might be downloading sensitive data?  Even if there is a business need for this, you just want to be able to audit/track/follow up?

Super User
Posts: 3,102

Re: How can I log EG file transfers for auditing

In addition to @ChrisHemedinger's comments I'm wondering what business requirement you are addressing? If it is monitoring the extraction of sensitive data then I'd suggest there are so many ways you can circumvent auditing that I see it as impossible to cover all of the bases. For example just copying and pasting avoids any possible audit.

Contributor
Posts: 24

Re: How can I log EG file transfers for auditing

I realize that there will be other ways for content to be downloaded off of the server (copy/paste, email, etc) but I've started on this journey to write the tools to know what's occurring on the system and I'll capture these other items as they get identified. I used the logconfig.trace.xml on WS and I didn't see the IOM::FileService events but I did see evidence of the file transfer in these messages:
2016-12-01T15:22:23,078 TRACE [00002894] 2:sas - Bridge PE [7fad0c395fd0] 7fad000a3aa0: 00 00 00 00 2f 68 6f 6d 65 2f 73 61 73 00 01 00 |..../home/sas...|
2016-12-01T15:22:23,078 TRACE [00002894] 2:sas - Bridge PE [7fad0c395fd0] 7fad000a3ab0: 0d 00 00 00 73 61 73 63 68 65 63 6b 2e 6c 6f 67 |....sascheck.log|
Do you have any examples of capturing the IOM:FileServices?

BTW, I recently changed WS logconfig.xml to record errors and wrote a Perl script that reformats the log data into a CSV file and emails it to me so that I now have visibility to users having database connection errors instead of waiting for a SAS user to report the issue and guess how many others are having the issue.
Community Manager
Posts: 2,761

Re: How can I log EG file transfers for auditing

I think if you turn up the logging all the way to DEBUG, you might get the FS events.  But then you'll want to squelch all of the stuff you don't want, else your log folder will run out of quota really fast...

Ask a Question
Discussion stats
  • 9 replies
  • 378 views
  • 2 likes
  • 5 in conversation