Postprocessing of SATLOG files (postselection)


Editing the SATLOG files is the task of the SAT file manager or the SAT file evaluator. The SATUT utility routine is available for this purpose under the SYSAUDIT user ID.
It can be executed independently of the SAT subsystem SATCP under any user ID that has the SAT-FILE-MANAGEMENT or SAT-FILE-EVALUATION privilege.
In addition to SATLOG files, SATUT can also include CONSLOG files in the evaluation (see "Tables of auditable information on object-related events (1)").

The SAT evaluation routine SATUT provides the following functions:

  • It uses the input files to create edited files (replacement files) containing the security-relevant data selected by the SAT file manager or SAT file evaluator. Here the aim is to reduce the volume of data while retaining the security-relevant audit records, i.e. the input files can be replaced by the edited files.

  • It selects specific audit records from the input files on the basis of certain selection conditions. The selected records are output to a printer (SYSLST) or an XML file, or presented in statistical form, or written to a file (analysis file). In this case the aim is to analyze selected event groups, i.e. the input files are not replaced by the edited files.

In order to save storage space for SATLOG files they should be changed regularly (CHANGE-SAT-FILE command), edited as soon as possible, and replaced by replacement files or swapped out to a data medium for long-term archiving. The effect of editing is to reduce the amount of logged data thanks to the more refined selection options provided by SATUT.

The following example shows a batch job that was created under the SYSAUDIT user ID and is executed once per day. This job in turn generates a second job (E.RUN-DAILY) that evaluates all SATLOG files and replacement files from the previous day, provided that their names contain a four-digit representation of the year. The result is stored in a single analysis file. Afterwards the SATLOG files used as input files are deleted automatically, whereas the replacement files are retained.

To prevent unauthorized access to the printed output logs, the output that would go to the system file SYSLST is redirected to a cataloged file. This file can then be examined on the screen, for example with SHOW-FILE.

/SET-LOGON-PARAMETERS
/REMARK *------------------------------------------------------------* 
/REMARK * THIS BATCH ANALYZES PRODUCED COLLECTION FILES AND          * 
/REMARK * REPLACEMENT FILES BY DAY. ONLY THE OLDEST DAY IS TAKEN     * 
/REMARK * INTO ACCOUNT. NO ANALYSIS WILL BE PERFORMED FOR FILES OF   * 
/REMARK * THE CURRENT DAY.                                           * 
/REMARK *                                                            * 
/REMARK * AFTER THE ANALYSIS BY SATUT, ANALYZED COLLECTION FILES WILL* 
/REMARK * BE DELETED BUT IN CASE OF SELECTED REPLACEMENT FILES,      * 
/REMARK * THE REPLACEMENT FILES ARE NEVER ERASED.                    * 
/REMARK *                                                            * 
/REMARK * CONDITIONS:  SAT LOGGING HAS TO BE ACTIVE AND ACTIVE       * 
/REMARK *              COLLECTION FILE CONTAINS A DATE FORMAT HAVING * 
/REMARK *              A DATE CONTAINING A YEAR IN 4 CHARACTERS      * 
/REMARK *              (IN THE FILENAME)                             * 
/REMARK * INPUT FILES: COLLECTION FILES AND/OR REPLACEMENT FILES     * 
/REMARK *              HAVING A DATE CONTAINING A YEAR IN 4          * 
/REMARK *              CHARACTERS (IN THE FILE NAME)                 * 
/REMARK * OUTPUT FILE: ANALYZE.<DATE OF ANALYZED FILES>              * 
/REMARK *------------------------------------------------------------* 
/ASSIGN-SYSOUT TO-FILE=BATCH.SYSOUT
/ASSIGN-SYSLST TO-FILE=BATCH.SYSLST
/ASSIGN-SYSDTA TO-FILE=*SYSCMD
/CHANGE-SAT-FILE
/SET-JOB-STEP
/MODIFY-JOB-SWITCHES ON=(4,5)
/START-EDT
@FSTAT 'SYS.SATLOG.////-*' TO 1
@PROC 1
 @@RENUMBER
 @@SET #L2=$
 @@IF #L2 = 1 GOTO 10
 @@NOTE ONLY ONE FILE FOUND -> NO FILES FROM PREVIOUS DAY
 @@SET #L3 = 1
 @@IF #L3:1-21 <> #L2:1-21 GOTO 20
 @@NOTE DATE OF FIRST FOUND FILE EQUAL TO DATE OF LAST FOUND
 @@NOTE FILE -> ALL FILES FROM ACTUAL DAY
@10
 @@SET #S20 = 'NO ANALYZE PROCESSED. SEE REASONS IN THE '
 @@PRINT #S20 NSV
 @@SET #S20 = 'WARNING TEXT.'
 @@PRINT #S20 NSV
 @@RETURN
@20
 @@SET #L1 = 1
 @@ON #L1 FIND 'SYS.SATLOG.'
 @@NOTE EXTRACT DATE
 @@SET #I2 = #I1 + 1
 @@SET #I3 = #I2 + 9
 @@SET #S1 = #L1:#I2-#I3
 @@DELETE
 @@NOTE    CREATE SATUT PROCEDURE
 @@QUOTE !
 @@CREATE  1   : !/SET-LOGON-PARAMETERS! 
 @@CREATE  2   : !/ASSIGN-SYSLST TO-FILE=LST.SEL.DAILY.!,#S1
 @@CREATE  2.5 : !/ASSIGN-SYSOUT TO-FILE=OUT.SEL.DAILY.!,#S1
 @@CREATE  3   : !/START-SATUT!
 @@NOTE    SELECT FILES OF PREVIOUS DAY
 @@CREATE  4   : !//SELECT-INPUT-FILES INPUT-FILES=*STD(DATE=!,#S1,!)!
 @@NOTE    SELECT FILES ACCORDING TO CERTAIN CONDITIONS:
 @@CREATE  5   : !//ADD-SELECTION-CONDITIONS NAME=PRIVI, CONDITION= -!
 @@NOTE    SELECT USER IDS
 @@CREATE  6   : !//     OBJ-UID  IN-LIST ('US1','US2','US3') -! 
 @@NOTE    DEFINE CONTENTS OF RESULT FIELD
 @@CREATE  7   : !//AND  RES EQUAL F -!
 @@NOTE    DEFINE OBJECT
 @@CREATE  8   : !//AND  EVT IN-LIST ('PST','PRT') !
 @@NOTE    EXECUTE SELECTION
 @@CREATE  8.5 : !//START-SELECTION FROM-FILE=*INPUT-FILES, - ! 
 @@CREATE  8.7 : !//TO-FILE=*PAR(FILE=0, CONDITION-NAME=PRIVI) ! 
 @@NOTE    OUTPUT SELECTED RECORDS TO SYSLST
 @@CREATE  9   : !//SHOW-SELECTED-RECORDS SORT-CRITERION=*EVT, -!
 @@CREATE 10   : !//     FROM-FILE=0, OUTPUT=*SYSLST(LINES=114) !
 @@NOTE    SAVE SELECTED RECORDS IN FILE TO BE ARCHIVED
 @@CREATE 11   : !//SAVE-SELECTED-RECORDS TO-REDUCTION-NAME=ANALYZE.!,#S1 
 @@CREATE 12   : !//END!
 @@CREATE 12.5 : !/SHOW-FILE-ATTRIBUTES ANALYZE.!,#S1
 @@NOTE    ERASE PROCESSED SATLOG FILES
 @@CREATE 12.7 : !/DELETE-FILE SYS.SATLOG.!,#S1,!.,IGNORE=ACCESS! 
 @@CREATE 14   : !/SET-JOB-STEP!
 @@CREATE 15   : !/ASSIGN-SYSLST TO-FILE=*PRIMARY!
 @@CREATE 15.5 : !/ASSIGN-SYSOUT TO-FILE=*PRIMARY!
 @@CREATE 16   : !/EXIT-JOB SYSTEM-OUTPUT=*NONE!
 @@QUOTE '
 @@WRITE 'E.RUN-DAILY' O
 @@SYSTEM 'ENTER-JOB E.RUN-DAILY'
@END
@DO 1
@HALT
/MODIFY-JOB-SWITCHES OFF=(4,5)
/ASSIGN-SYSDTA TO-FILE=*PRIMARY
/ASSIGN-SYSLST TO-FILE=*PRIMARY
/EXIT-JOB SYSTEM-OUTPUT=*NONE
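The day-selection logic that the EDT procedure above performs on the FSTAT listing (analyze only the oldest day, and do nothing when a single file or a single day is present), re-expressed in Python as an added illustration. This is not code from the manual or from SATUT; it assumes an ISO-style yyyy-mm-dd date in the file name (the page only requires a four-digit year) and, going beyond the job, also accepts an unsorted listing and skips names without a valid date.

```python
import re
from datetime import date

# Names in the form the job's FSTAT pattern 'SYS.SATLOG.////-*' selects
# (four-digit year first); the yyyy-mm-dd layout is assumed for this example.
SATLOG_NAME = re.compile(r"^SYS\.SATLOG\.(\d{4}-\d{2}-\d{2})(\.\S+)?$")

def satlog_date(name):
    """Date carried in a SATLOG file name, or None when the name has no
    valid four-digit-year date (such files are left alone, as in the job)."""
    m = SATLOG_NAME.match(name.strip())
    if not m:
        return None
    try:
        return date.fromisoformat(m.group(1))
    except ValueError:  # looks like a date (e.g. 2024-13-40) but is not one
        return None

def oldest_completed_day(names):
    """Oldest day whose files may be analysed, or None.
    Same two guards as the EDT procedure: one file only, or all files from
    one day, means the only day present is still being written to (the
    active SATLOG file), so nothing is analysed or deleted. Unlike the
    job, the listing need not be sorted."""
    days = {d for d in map(satlog_date, names) if d is not None}
    return min(days) if len(days) >= 2 else None

def plan_daily_analysis(listing):
    """From an FSTAT-like listing, derive one day's job inputs: the SATLOG
    files to evaluate (and delete afterwards) and the analysis file
    ANALYZE.<date> that SAVE-SELECTED-RECORDS writes."""
    names = [ln.strip() for ln in listing.splitlines() if ln.strip()]
    day = oldest_completed_day(names)
    if day is None:
        return None
    return {"date": day.isoformat(),
            "input_files": sorted(n for n in names if satlog_date(n) == day),
            "analysis_file": f"ANALYZE.{day.isoformat()}"}

# Constructed sample listing: two closed files from 2024-03-11, the file
# opened by CHANGE-SAT-FILE on 2024-03-12, and one name without a date.
SAMPLE_LISTING = """
SYS.SATLOG.2024-03-12.000003
SYS.SATLOG.2024-03-11.000002
SYS.SATLOG.2024-03-11.143000
SYS.SATLOG.OLDFORMAT
"""
```

With the sample listing, only the two 2024-03-11 files are selected and the analysis file is ANALYZE.2024-03-11; the 2024-03-12 file is left for the next run.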