Does F-Secure Policy Manager Console have activity logging (audit trail / auditing)?

Does F-Secure Policy Manager Console have activity logging (audit trail / auditing)? - F-Secure Community

Issue:

Does F-Secure Policy Manager create and maintain an audit log for user and admin activity? For example for these events:

User login / logoff
Host deletion / add / rename events
Policy sub-domain deletion / add / rename events
Change of policy settings

Resolution:

The F-Secure Policy Manager Server logs can be found in the following folder:

C:\Program Files (x86)\F-Secure\Management Server 5\logs

The user login actions are recorded in the fspms-users.log. The log does not show the full user name, only the User ID. To get the full user name, a query must be performed using the H2Console. The H2Console is not enabled by default, so it will need to be enabled before you can run the query.

How to enable H2Console:

Note: Please backup your registry before making any registry changes

Open Registry Editor (regedit)
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5\
Edit "additional_java_args"
Add parameter: -Dh2ConsoleEnabled=true
Close registry editor and restart F-Secure Policy Manager Server service by running command line commands net stop fsms and net start fsms

How to open H2Console and run query:

Open a browser and go to https://localhost:8080
Click the H2Console link
Type in query: SELECT * FROM users;
Click Run (Ctrl+Enter) to run the query

You will receive a result showing which user names correspond to which User ID.

Changes made to policy settings are saved in fspms-policy-audit.log.

Changes made to the Policy domain computers/servers or specifically changes made to the policy domain structure are saved in fspms-domain-tree-audit.log.

Q: How to find out who deleted a policy sub-domain in Policy Manage Console?
A: This information is available in the fspms-domain-tree-audit.logs. Below is an example, where a sub-domain called test was added and immediately deleted.

05.12.2019 09:44:17,785 INFO [audit.domainTree] - User 'admin' added domain test (id=76) to domain Root (id=1)
05.12.2019 09:44:23,615 INFO [audit.domainTree] - User 'admin' deleted domain test (id=76)

Article no: 000007129