Configuring security audit subsystem failure notifications
Notifications can be generated by a failure of the security audit subsystem. These notifications can alert auditors that the security audit system is no longer recording auditable security events. They are generated by a failure of the auditing subsystem itself and are not related to any auditable security event or event outcome that has occurred. Notifications triggered by an event or an event outcome are not supported.
Before you begin
About this task
Procedure
- Optional: Click .
- Optional: Confirm the Audit subsystem failure action field is set to Log warning or Terminate server. If the Audit subsystem failure action field is set to No warning, then notifications will not be generated.
- Click .
- Under Notifications, click New.
- Enter the name that should be associated with this notification configuration in the Notification name field.
- Select the Message log check box to specify that failure notifications are recorded in the audit log.
- Select the email sent to notification list check box to specify that failure notification email should be sent to the addresses listed in the notification list.
- Enter an email address in the email address to add field. This step is not needed if email notifications are not going to be sent.
- Enter the mail server address in the Outgoing mail (SMTP) server address field. This step is not needed if email notifications are not going to be sent.
- Click Add >> to add the email address and associated mail server to the email notification list.
- Repeat steps 5 through 7 for each email address you want to specify in the email notification list.
- Click OK.
- Select the Enable monitoring check box to turn on audit failure notifications.
- Select the notification configuration to be used from the Monitor notification dropdown menu.
- Click OK.
Results
What to do next
After configuring notifications, you can analyze your audit data for potential weaknesses in the current security infrastructure and to discover possible security breaches that might have occurred.
Audit notifications cannot be removed using the administrative console. To remove an audit notification, you must first run the deleteAuditNotificationMonitorByRef or the deleteAuditNotificationMonitorByName command. After running one of those commands, remove the audit notification by running the deleteAuditNotification command.