Loading Audit Policies Error

KMoody

Member
Progress: 11.7.5
Server OS: SUSE Linux Enterprise Server 15 SP1

On the Linux server, we first dump from a database (D1) and load it into another (D2). After loading all non-auditing information into D2, we run the following:

Code:
/* ... */
  /* Load Audit Data
     Note: Requires a minimum of Audit Data Reporter permission */
  MESSAGE "Running /usr/dlc/src/prodict/dump/_lodsec.r " + dumpPath + "/ ad " +  dbPath + "/" + databaseName.
  RUN /usr/dlc/src/prodict/dump/_lodsec.r (dumpPath + "/", "ad", databaseName, "").

  /* Load Audit Policies as XML
     Note: Requires Audit Administrator permission */
  MESSAGE "Running /usr/dlc/src/prodict/dump/_lodaudp.r".
  RUN /usr/dlc/src/prodict/dump/_lodaudp.r ("x", dumpPath + "/_audit-policies.xml", TRUE).
/* ... */

However, we get the following error when this program runs _lodaudp:
Invalid update event id 32001 (table MENUFILE/PUB)

I've confirmed that event 32001 exists in D1. It looks like this in _audit-policies.xml:
XML:
...
<Policy GUID="opr23HgJTY7lEc2a+GvD4Q" Name="test">
    <policy-properties>
      <_Audit-policy-description>test</_Audit-policy-description>
      <_Audit-data-security-level>0</_Audit-data-security-level>
      <_Audit-custom-detail-level>1</_Audit-custom-detail-level>
      <_Audit-policy-active>YES</_Audit-policy-active>
    </policy-properties>
    <audit-table Name="MENUFILE" Owner="PUB">
      <_Audit-create-level>2</_Audit-create-level>
      <_Create-event-id>5100</_Create-event-id>
      <_Audit-update-level>3</_Audit-update-level>
      <_Update-event-id>32001</_Update-event-id>
      <_Audit-delete-level>2</_Audit-delete-level>
      <_Delete-event-id>5102</_Delete-event-id>
    </audit-table>
    <audit-event Event-id="32001">
      <_Event-level>2</_Event-level>
      <_Event-criteria></_Event-criteria>
    </audit-event>
  </Policy>
....

Why would D2 see it as invalid?

Stefan

Well-Known Member
The source code may help - consultingwerk/ADE-Sourcecode -

Code:
            /* check the update event id value */

            hBufferAudEvent:FIND-FIRST("where _Event-id = " + STRING(workAuditFilePolicy._Update-event-id)) NO-ERROR.

            IF NOT hBufferAudEvent:AVAILABLE THEN DO:
                /* if default event it is zero, than it doesn't apply. */
               IF ENTRY(2,cIds) <> "0" THEN DO:
                   ASSIGN pErrorMsg = "Invalid update event id " + STRING(workAuditFilePolicy._Update-event-id)
                         + " (table " + workAuditFilePolicy._File-name + "/" + workAuditFilePolicy._Owner + ")".
 

KMoody

Member
Okay, thanks! I figured out that application-level events (events greater than or equal to 32001) weren't dumping and loading. How do I do that programmatically? I successfully dumped these events using src/prodict/dump_d.p, but when I ran load_d.p for _aud-event, I got this error:

The file [path]/_aud-ecan not be found.

I've confirmed that _aud-event exists in that directory and that the loader has Audit Event Inserter permissions. What am I missing? Am I going about this the wrong way?

EDIT: Turns out that running proutil auditarchive and auditload allows me to successfully dump and load all my auditing data, including _aud-events. However, auditload takes nearly 2.5 hours to run, despite only processing 9.4 GB of data (76,020,000 records). Is there any way to speed up auditload?
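
A pre-load check for the failure discussed in this thread, as an added example that is not part of the original posts or of the OpenEdge tooling: it lists every event id that `_audit-policies.xml` references but that is absent from the target database. The function names, the `<Policies>` wrapper element and the set standing in for D2's `_aud-event` ids are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment quoted in the thread; the
# <Policies> wrapper element and the GUID value are assumptions.
SAMPLE_XML = """<Policies>
  <Policy GUID="constructed-guid" Name="test">
    <audit-table Name="MENUFILE" Owner="PUB">
      <_Audit-update-level>3</_Audit-update-level>
      <_Create-event-id>5100</_Create-event-id>
      <_Update-event-id>32001</_Update-event-id>
      <_Delete-event-id>5102</_Delete-event-id>
    </audit-table>
    <audit-event Event-id="32001"><_Event-level>2</_Event-level></audit-event>
  </Policy>
</Policies>"""

APP_EVENT_MIN = 32001  # application-level threshold as stated in the thread

def local(tag):
    """Strip an XML namespace prefix, if the dump carries one."""
    return tag.rsplit("}", 1)[-1]

def referenced_event_ids(xml_text):
    """Yield (policy, source, event_id) for each event id a policy refers to."""
    root = ET.fromstring(xml_text)
    for policy in (e for e in root.iter() if local(e.tag) == "Policy"):
        name = policy.get("Name", "?")
        for node in policy.iter():
            tag = local(node.tag)
            if tag == "audit-table":
                where = "table {}/{}".format(node.get("Name"), node.get("Owner"))
                for child in node:
                    text = (child.text or "").strip()
                    if local(child.tag).endswith("-event-id") and text:
                        yield name, where + " " + local(child.tag), int(text)
            elif tag == "audit-event" and node.get("Event-id"):
                yield name, "audit-event", int(node.get("Event-id"))

def missing_events(xml_text, target_ids):
    """References whose event id is not in the target's set of event ids."""
    return [r for r in referenced_event_ids(xml_text) if r[2] not in target_ids]

def missing_app_events(xml_text, target_ids):
    """Sorted application-level ids that must be loaded before the policies."""
    return sorted({r[2] for r in missing_events(xml_text, target_ids)
                   if r[2] >= APP_EVENT_MIN})

if __name__ == "__main__":
    d2_ids = {5100, 5102}  # constructed stand-in for the ids present in D2
    for policy, source, event_id in missing_events(SAMPLE_XML, d2_ids):
        print("policy {}: {} -> event {} missing".format(policy, source, event_id))
```
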