BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.

Hi all.

I want to set up server-side logging for (mainly) all the Enterprise Guide users, so we can check what actions are done, and which tables have been accessed at a certain time, and by whom.

I have come to the point where a separate log file is written by every single SAS workspace server instance (coded with YYYYMMDDhhmmss in the filename). But in the default configuration, these logs only show what's happening during startup and shutdown, but not what the user actually does in EG.

I now want to populate these log files with more or less the same logs that are shown in EG in the Log tab of the nodes in the project, without filling the files with unnecessary clutter.

Has anybody done this already and can give me a quick "cookbook"?

SAS version is 9.2 on AIX.

1 ACCEPTED SOLUTION

Accepted Solutions
BrunoMueller
SAS Super FREQ

Hi

You can use the logconfig.trace.xml as a base, change any logging level from debug to info, to reduce the amount of log messages written..

Add the logger name (%c) to the conversion pattern, so you can see which logger writes which messages. You will see that the logger App.Program will show the "SAS Log" for all the code executed.

I just did this today during a training course (SAS9.4). But I guess this was already in place with SAS9.2

With SAS9.4 there are logger that tracks access to SAS data sets

See also the example in doc for SAS9.4 SAS(R) 9.4 Logging: Configuration and Programming Reference

View solution in original post

9 REPLIES 9
BrunoMueller
SAS Super FREQ

Hi

You can use the logconfig.trace.xml as a base, change any logging level from debug to info, to reduce the amount of log messages written..

Add the logger name (%c) to the conversion pattern, so you can see which logger writes which messages. You will see that the logger App.Program will show the "SAS Log" for all the code executed.

I just did this today during a training course (SAS9.4). But I guess this was already in place with SAS9.2

With SAS9.4 there are logger that tracks access to SAS data sets

See also the example in doc for SAS9.4 SAS(R) 9.4 Logging: Configuration and Programming Reference

Peter_C
Rhodochrosite | Level 12

Bruno is "the master" of this, so all I can offer is a minor issue.

If you automate these system option defaults for the user sessions

-logparm rollover=session

-altlog xxxxxxxx.log

You can use #directives in that xxxxxxx to show timestamp and processid in the logfile name. It can be routed to whatever folder suits you. (you just need to ensure users have write permission there).

Then you get all that the user logs show (and all that might be hidden by proc printto, too)

Peter

Kurt_Bremser
Super User

Can you give me a quick overview which processes write these log files? My goal is to have each user's logs in their own home directory tree, so I need to be concerned with the correct permissions. If the workspace server process (that runs under the user's own login) itself writes the log, it won't be a problem.

BrunoMueller
SAS Super FREQ

The user under which the SAS process runs will write the log files. The workspace server (used by EG) does not write any log files by default.

The location where these files are written, are defined in the logconfig.xml file using the FileNamePattern, see example below

   <!-- Rolling log file with default rollover of midnight -->

   <appender class="RollingFileAppender" name="TimeBasedRollingFile">

      <param name="Append" value="false"/>

      <param name="Unique" value="true"/>

      <param name="ImmediateFlush" value="true"/>     

      <rollingPolicy class="TimeBasedRollingPolicy">

         <param name="FileNamePattern" value="/SASProject/EDI_EBI_VA/Lev1/SASApp/WorkspaceServer/Logs/SASApp_WorkspaceServer_%d_%S{hostname}_%S{pid}.log"/>

      </rollingPolicy>

      <layout>

         <param name="HeaderPattern" value="Host: '%S{hostname}', OS: '%S{os_family}', Release: '%S{os_release}', SAS Version: '%S{sup_ver_long2}', Command: '%S{startup_cmd}'"/>

         <param name="ConversionPattern" value="%d %-5p [%t] %X{Client.ID}:%u - %m"/>

      </layout>

   </appender>

StoredProcess Server and PooledWorkspace Server do write log files by default

Slash
Quartz | Level 8

Hi, Bruno

 

    Recently, I'm doing the same thing, thankyou for your answer. But I want to add the sas user to the filename of log, how should I do?

The default name is:

SASApp_WorkspaceServer_%d_%S{hostname}_%S{pid}.log

 

I tried add {userid} or {user}, failed. How shoud I done that? Where is the definition of {hostname}, {pid}.

jakarman
Barite | Level 11

Implement APM all is there. SAS 9.2 Audit and Performance Measurement. The log files with ARM (log4j) as Bruno has described are part of it.
The 9.2 version must be requested at SAS for a download. The 9.3 and 9.4 versions are free for download. SAS Audit, Performance and Measurement package The 9.4 version is smaller as the 9.3 as some things have been moved to the "event manager". It is activating the *.aud files already present in the appserver directories

For monitoring EGuide usage with those personal keys there must be a location on Unix where it is open for storing those files.   

---->-- ja karman --<-----
jakarman
Barite | Level 11

I owe you some of the failures in the config  .../Lev-/SASApp/....   folder structure. These are:

- 38040 - Setting umask and ulimit values for SAS® sessions on UNIX and Linux

- 50345 - Changing the current working directory for the SAS® Workspace Server

- The dogma the SASApp structure is the same as for segregation of authorization and the location for the business application.
  When you will install APM (read the 9.3 APM documentation) all is assumed to be placed in the --/lev1/SASApp/... directory as a business application.
  Sharing APM between SASApp server has become a more advanced topic this way.

I do not understand the how of this technical instructions the Why Who When Where questions looks to be have been bypassed. I know some backgrounds of regulations coming in why SIEM (Security Information Event Monitoring) is important. I would expect someone in your office would propose using  Splunk 
You could use a dedicated xml-file like the aud-ones and activate that in the usermods-config for each server-type.
Changing the original standard xml-file for logging is also an option but I do not know what the effect is with newer tools also possible modifying that.

---->-- ja karman --<-----
Kurt_Bremser
Super User

Thanks all for the help, I now have something reasonable in place.

For further information:

when I set up the 9.2 environment, I decided to let SASApp stay in its pristine state, and instead created several different Application Server environments for our "customers". SASApp basically acts as a blueprint, but is not used otherwise. I then transferred the old 9.1.3 configuration into one of the "customer" trees. I have now converted this tree so that it follows the conventions of SASApp (including "inheritance" of configs) and gotten the logging to work in (mostly) "Info" level. Now I should be able to identify accesses to certain tables and also see user's errors directly on the server.

hackathon24-white-horiz.png

The 2025 SAS Hackathon has begun!

It's finally time to hack! Remember to visit the SAS Hacker's Hub regularly for news and updates.

Latest Updates

Creating Custom Steps in SAS Studio

Check out this tutorial series to learn how to build your own steps in SAS Studio.

Find more tutorials on the SAS Users YouTube channel.

SAS Training: Just a Click Away

 Ready to level-up your skills? Choose your own adventure.

Browse our catalog!

Discussion stats
  • 9 replies
  • 7339 views
  • 6 likes
  • 5 in conversation