Chapter 13. Auditing and monitoring 273
4. Serena logs on again at 6:38 a.m. Notice that we do not see a logoff from
Serena prior to this second logon, which means that Serena never logged off.
The system timed out her session, or she experienced a network
communications error that terminated her session. Either way, we know that
she did not explicitly perform a logoff.
5. Serena then performs a host retrieve of a document from icmnlsdb. Looking
at the column Object Name Prefix, we can see which specific document she
retrieved for viewing. Notice that we do not see the viewing of the document
as an activity in the log because we did not select View as an audited activity.
6. Finally, at 6:39 a.m. Serena logs off.
IBM Records Manager’s auditing and reporting capabilities are very powerful.
Some of the data fields such as Event Comment shown earlier can be quite
intimidating because of the amount of data placed into a single field. We can also
see that with the implementation of style sheets or exporting the data to an XML
parser, we can create highly customized reports to suit almost any need or
Combine this capability with the ease of creating custom attributes, and the value
of the auditing and reporting capabilities becomes even greater.
13.4 Monitoring your records
Monitoring of the IBM Records Manager system is more than just running a few
audit reports on users and actions. You should have some idea of what is
expected to be happening within the system so that you can create meaningful
and accurate reports. Some of the things that affect the type of reports you would
set up are:
- Are you required to adhere to a published set of rules or standards such as
  DOD 5015.2, The National Archives (PRO), SEC 17a-4 or Basel II? Each of
  these has unique requirements that could determine what type of reports
  you need and the data you keep.
- Is your organization multinational? If so, regulations and laws vary from
  country to country. At times, these laws or regulations might be in conflict with
  one another. How this will affect the types of audit events and audit reports
  you might be required to run can only be determined after careful review.
- What volume of records are you expecting to have declared on a daily,
  weekly, or monthly basis? If you obtain a baseline and the volumes change
  suddenly, is it indicative of a problem? Monitoring volumes might tell you that
  a new group of users has not been trained properly if they are declaring
  everything as a record and this is not normal procedure. The distribution of
  the records across the components of the file plan should be considered. If
  50% of your records are expected to be related to account openings and only
  10% of the records are actually declared under account openings, this might
  also indicate a user issue.
- Is this a high-volume system with a large number of users? If so, how quickly
  will the database grow if you enable most of the options in the auditing
  configuration? This affects how often you want to run reports and purge the
  data. Reports can quickly grow in size and take longer to run as the queries
  have more data to search through. Running scheduled reports, exporting
  them to a content archive such as Content Manager, and purging the data
  from the IBM Records Manager system can improve performance and reduce
  database backup time. The archived reports can also be declared as records
  based upon time period, user name, type or style of report and will be easy to
  reference in the future. Before you purge, make sure that the regulations and
  laws you adhere to allow for this type of activity.
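
The volume and file plan distribution checks from the list above, as an added example (not from the original text or from IBM): it parses a constructed XML audit export, flags days whose declaration count far exceeds a baseline, and flags components whose share of declarations is far from the expected share. The XML element and attribute names, the user names other than serena, the baseline figures and the thresholds are all assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: (date, user, file plan component, declarations that day).
# Element and attribute names are assumptions, not the product's export schema.
ROWS = [
    ("2024-03-01", "serena", "Account Openings", 2),
    ("2024-03-01", "raj", "Correspondence", 2),
    ("2024-03-02", "serena", "Account Openings", 2),
    ("2024-03-02", "raj", "Contracts", 2),
    ("2024-03-03", "serena", "Account Openings", 1),
    ("2024-03-03", "newuser", "Correspondence", 9),
    ("2024-03-03", "newuser", "Contracts", 3),
]
SAMPLE_EXPORT = (
    '<auditReport><event date="2024-03-01" user="serena" action="Logon"/>'
    + "".join(f'<event date="{d}" user="{u}" action="Declare" component="{c}"/>' * n
              for d, u, c, n in ROWS)
    + "</auditReport>"
)

# Assumed baseline, set by an administrator from observed normal activity.
BASELINE_DAILY = 4       # typical declarations per day
VOLUME_FACTOR = 2.0      # flag days above baseline * factor
EXPECTED_SHARE = {"Account Openings": 0.50, "Correspondence": 0.30, "Contracts": 0.20}
SHARE_TOLERANCE = 0.15   # flag components off by more than 15 percentage points

def load_declarations(xml_text):
    """Return attribute dicts for Declare events only; other actions are ignored."""
    return [dict(e.attrib) for e in ET.fromstring(xml_text).iter("event")
            if e.get("action") == "Declare"]

def volume_alerts(events):
    """Days whose declaration count exceeds the baseline by the configured factor."""
    per_day = Counter(e["date"] for e in events)
    return {d: n for d, n in sorted(per_day.items()) if n > BASELINE_DAILY * VOLUME_FACTOR}

def distribution_alerts(events):
    """Components whose actual share of declarations is far from the expected share."""
    counts, total = Counter(e["component"] for e in events), len(events)
    shares = {c: (counts[c] / total if total else 0.0) for c in EXPECTED_SHARE}
    return {c: round(s, 2) for c, s in shares.items()
            if abs(s - EXPECTED_SHARE[c]) > SHARE_TOLERANCE}

def top_declarers(events, day):
    """Users ranked by declarations on one day, to see who drove a spike."""
    return Counter(e["user"] for e in events if e["date"] == day).most_common()

if __name__ == "__main__":
    print(volume_alerts(ev := load_declarations(SAMPLE_EXPORT)), distribution_alerts(ev))
```

On the sample data the spike day is driven by one new account, and Account Openings falls well below its expected 50% share, the two signals the list item describes as pointing to a training problem.
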
Regular reporting on expired items is necessary to ensure timely expungement
of records. Remember that keeping documents or e-mail messages longer than
necessary can be just as damaging to your organization as not being able to
provide the documents if required.