Does F-Secure Policy Manager Console have activity logging (audit trail / auditing)? - F-Secure Community
<main> <article class="userContent"> <h3 data-version="3" data-article="000007129" data-id="issue">Issue:</h3> <p>Does F-Secure Policy Manager create and maintain an audit log for user and admin activity? For example for these events:<br></p><ul><li>User login / logoff</li><li>Host deletion / add / rename events</li><li>Policy sub-domain deletion / add / rename events </li><li>Change of policy settings</li></ul><h3 data-id="resolution">Resolution:</h3> <p>The F-Secure Policy Manager Server logs can be found in the following folder:<br></p><ul><li><b><span style="font-family: arial;">C:\Program Files (x86)\F-Secure\Management Server 5\logs</span></b></li></ul><span style="font-family: arial;">The user login actions are recorded in the <b>fspms-users.log</b>. The log does not show the full user name, only the User ID. To get the full user name, a query must be performed using the H2Console. The H2Console is not enabled by default, so it will need to be enabled before you can run the query. <br><br>How to enable H2Console:<br><br><b>Note:</b> Please backup your registry before making any registry changes</span> <ol><li><span style="font-family: arial;">Open Registry Editor (regedit)</span></li><li><span style="font-family: arial;">Go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5\</span></li><li><span style="font-family: arial;">Edit "additional_java_args"</span></li><li><span style="font-family: arial;">Add parameter: <b>-Dh2ConsoleEnabled=true</b></span></li><li><span style="font-family: arial;">Close registry editor and restart F-Secure Policy Manager Server service by running command line commands <b>net stop fsms</b> and <b>net start fsms</b></span></li></ol> How to open H2Console and run query: <ol><li>Open a browser and go to <a href="https://localhost:8080" rel="nofollow">https://localhost:8080</a></li><li>Click the H2Console link</li><li>Type in query: <b>SELECT * FROM users;</b></li><li>Click <b>Run (Ctrl+Enter) </b>to run the query</li></ol> You will receive a result showing which user names correspond to which User ID. <br><br><span style="font-family: arial;">Changes made to policy settings are saved in </span><span style="font-family: arial;"><b>fspms-policy-audit.log</b>.</span><br><br><span style="font-family: arial;">Changes made to the Policy domain computers/servers or specifically changes made to the policy domain structure are saved in<b> </b></span><b><span style="font-family: arial;">fspms-domain-tree-audit.log</span></b><span style="font-family: arial;">.</span><br><br><span style="font-family: arial;">Q:</span><b><span style="font-family: arial;"> </span></b>How to find out who deleted a policy sub-domain in Policy Manage Console?<br>A: This information is available in the <b>fspms-domain-tree-audit.log</b>s. Below is an example, where a sub-domain called test was added and immediately deleted.<br><br>05.12.2019 09:44:17,785 INFO [audit.domainTree] - User 'admin' added domain test (id=76) to domain Root (id=1)<br>05.12.2019 09:44:23,615 INFO [audit.domainTree] - User 'admin' deleted domain test (id=76)<br> <p>Article no: 000007129</p> </article> </main>