System - Auditing

SysAdmin users can change these settings.

To specify Audit Log settings:

1. Sign on as Sys Admin. Click SETTINGS > System > Auditing.
2. Select a log category: Event Log, Syslog, Error Display, Failed Signons. Make selections and click Change Logging Settings. For more information, see the subsections below.

Event Log

As SysAdmin, click SETTINGS > System > Auditing > Event Log. The Configure Event Log Settings page opens. Make selections and click Change Setting.

Options:

• Windows Event Logging.
  • Enabled. Each audit log entry is written to a local Windows Event log and to the MOVEit Transfer audit database.
  • Disabled. Audit log entries are written only to the MOVEit Transfer audit database.
• Windows Event Log Name. The Windows log that receives the records. Application or MOVEit

Audit log entries that report successful actions are entered as Information level events. Entries that report unsuccessful actions are entered as Error level events.

Example of an entry written to the Windows Application Event Log:

Although MOVEit Transfer can send audit entries directly to a remote Syslog server, other utilities are available for sending logs from local Event Logs to SysLog or SNMP management consoles. For more information, see SysLog and SNMP.

Syslog

As SysAdmin, click SETTINGS > System > Auditing > Syslog. The Configure Syslog Settings page opens. Make your selections and click

Note: In addition to editing this setting, a SysAdmin must configure a Syslog host, and optionally configure a Port to use for the connection (default = 514), and the Facility that audit messages appear as on the Syslog management console (default = FTP).

Options:

• Syslog Logging.
  • Enabled. Each audit log entry is sent to the specified host as well as to the MOVEit Transfer audit database.
  • Disabled. Audit records are sent to only the MOVEit Transfer audit database.
• Syslog Host. Host to which to send the entries.
• Send Test Syslog Message. Sends a test message to specified host. Because the BSD Syslog implementation is based on UDP, the administrator must manually verify that the test message arrived at the remote Syslog management console.
• Syslog Port (optional). Alternate port for the Syslog connection. If blank, it reverts to the default port.
• Syslog Facility (optional). The facility under which the MOVEit Transfer Syslog messages will appear on the remote Syslog host.

SysLog is based on UDP (usually port 514) and is therefore a best efforts protocol because neither the client nor the server know whether SysLog messages are dropped by the network.

Audit log entries that report successful actions are entered as Information level events. Entries that report unsuccessful actions are entered as Error level events.

Example:

If the test is successful, a message similar to below should show up in the Syslog management console on the remote Syslog server:

Error Display

As SysAdmin, click SETTINGS > System > Auditing > Syslog. The Set Error Display Settings page opens. Make a selection and click Change Setting.

Option:

• Show System Error Messages.
  • Yes. If a system exception is generated by MOVEit Transfer, users receive an error page that includes a description and details of the error, stack trace information that describes system actions when the error occurred, and instructions to contact Tech Support
  • No. User receives notification that an error has occurred, and instructions to notify Tech Support

For more information, see Exception Handling.

Failed Signons

Normally, MOVEit Transfer records every failed signon attempt that happens on the system to the audit log. On some busy systems, large numbers of these records can make it difficult to search for other issues, and can slow down access to all audit log records. To alleviate this problem, you can prevent certain types of signon failures from being recorded in the log.

• As SysAdmin, click SETTINGS > System > Auditing > Failed Signons. The Enable Logging of Extraneous Failed Signons page opens. Make a selection and click Change Logging Settings.
  • Log Insecure FTP Failed Signons:
    • Yes. Logs all failed signons.
    • No. Prevents the following type of failed signon events from being recorded in the audit log:

      Insecure FTP Failed Signons occur when the server is configured to disallow all non-secure FTP signons. This is the default configuration of a MOVEit DMZ server. If a user attempts to sign on to the MOVEit Transfer FTP server before initiating a secure connection, the user will be disallowed, and a failed signon event will occur.

      Note: This option does NOT prevent audit log records from being written if the MOVEit Transfer FTP server is configured to allow insecure access, but either the user's IP address or user account is prevented from using the insecure FTP interface.