Chapter 13. Auditing and monitoring
4. Serena logs on again at 6:38 a.m. Notice that we do not see a logoff from
Serena prior to this second logon, which means that Serena never logged off.
The system timed out her session, or she experienced a network
communications error that terminated her session. Either way, we know that
she did not explicitly perform a logoff.
5. Serena then performs a host retrieve of a document from icmnlsdb. Looking
at the column Object Name Prefix, we can see which specific document she
retrieved for viewing. Notice that we do not see the viewing of the document
as an activity in the log because we did not select View as an audited activity.
6. Finally, at 6:39 a.m. Serena logs off.
IBM Records Manager’s auditing and reporting capabilities are very powerful.
Some of the data fields such as Event Comment shown earlier can be quite
intimidating because of the amount of data placed into a single field. We can also
see that with the implementation of style sheets or exporting the data to an XML
parser, we can create highly customized reports to suit almost any need or
Combine this capability with the ease of creating custom attributes, and the value
of the auditing and reporting capabilities becomes even greater.
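The log walk-through above can be automated once the audit data is exported as XML. The following is an added example, not code from IBM Records Manager or the original text: it flags sessions that ended without an explicit logoff. The element and attribute names, the date, the 6:12 and 6:20 to 6:25 events, the `admin` user and the `DOC-0001` object name are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample export. Element and attribute names are assumptions
# for illustration, not the IBM Records Manager audit schema.
SAMPLE_EXPORT = """\
<auditLog>
  <event time="2006-03-01T06:12:00" user="serena" action="Logon"/>
  <event time="2006-03-01T06:20:00" user="admin" action="Logon"/>
  <event time="2006-03-01T06:25:00" user="admin" action="Logoff"/>
  <event time="2006-03-01T06:38:00" user="serena" action="Logon"/>
  <event time="2006-03-01T06:38:30" user="serena" action="HostRetrieve" object="DOC-0001"/>
  <event time="2006-03-01T06:39:00" user="serena" action="Logoff"/>
</auditLog>
"""

def load_events(xml_text):
    """Return audit events as dicts sorted by timestamp."""
    events = []
    for node in ET.fromstring(xml_text).iter("event"):
        events.append({
            "time": datetime.fromisoformat(node.get("time")),
            "user": node.get("user"),
            "action": node.get("action"),
            "object": node.get("object"),
        })
    return sorted(events, key=lambda e: e["time"])

def sessions_without_logoff(events):
    """Flag sessions that ended without an explicit Logoff event."""
    open_since = {}  # user -> time of the Logon that opened the current session
    findings = []
    for ev in events:
        user, action = ev["user"], ev["action"]
        if action == "Logon":
            if user in open_since:
                # Second Logon with no Logoff in between: timeout or network drop.
                findings.append((user, open_since[user], ev["time"], "superseded by new logon"))
            open_since[user] = ev["time"]
        elif action == "Logoff":
            open_since.pop(user, None)
    # Sessions still open when the export ends have no Logoff on record either.
    for user, started in open_since.items():
        findings.append((user, started, None, "open at end of log"))
    return findings

if __name__ == "__main__":
    for user, started, ended, reason in sessions_without_logoff(load_events(SAMPLE_EXPORT)):
        print(f"{user}: session from {started} has no logoff ({reason}, next event {ended})")
```

A rising count of such findings for one user or one network segment is worth reviewing alongside the session timeout settings.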
13.4 Monitoring your records
Monitoring an IBM Records Manager system is a bit more than just running a few
audit reports on users and actions. You should have some idea of what is
expected to be happening within the system so that you can create meaningful
and accurate reports. Some of the things that affect the type of reports you would
set up are:
- Are you required to adhere to a published set of rules or standards such as
  DOD 5015.2, The National Archives (PRO), SEC 17a-4 or Basel II? Each of
  these has unique requirements that could determine what type of reports
  you need and the data you keep.
- Is your organization multinational? If so, regulations and laws vary from
  country to country. At times, these laws or regulations might be in conflict with
  one another. How this will affect the types of audit events and audit reports
  you might be required to run can only be determined after careful review.
- What volume of records are you expecting to have declared on a daily,
  weekly, or monthly basis? If you obtain a baseline and the volumes change
  suddenly, is it indicative of a problem? Monitoring volumes might tell you that
  a new group of users has not been trained properly if they are declaring
  everything as a record and this is not normal procedure. The distribution of