I have a requirement to track all attempts when an unauthorized user tries to get into a given Notes database using the Notes client.
I can track successful events easily with a queryopen event in the database. Obviously, this won’t work if the user isn’t in the ACL.
So - exactly how would I programmatically determine that a user has tried to access our database? Once I can determine the events, I need to FTP a file of failures to a central database that could possibly trigger an internal investigation as to why that user was trying to go where they shouldn’t.
I think you should try DYSANT AuditLog - it monitors all changes made to Domino data.
It monitors and registers who did what, and when, to your Domino data (it captures such events as
document, database, ACL, and database design creation, opening, modification, and deletion), regardless of the number of monitored databases and their source-code security.
I think that in the context of Sarbanes-Oxley this is your tool.
I may not be thinking this through properly, but as I recall, these “events” are recorded in the Notes Log. You should be able to loop through the log, getting all of these errors, and writing them to another database.
Attempts to access a database which are not successful because of ACL restrictions are logged by the server to its local log.nsf file in the following format:
ATTEMPT TO ACCESS DATABASE file.nsf by UserName/OU/O was denied
You could write an agent to check new log file entries for attempts to access the database in question and save notifications to a file.
Actually, since authentication happens at the server level, I think you need to interrogate the log.nsf for this type of information; I don’t think you can use any db events, since the user never gets into the database.
I would probably write a script agent that would use the ftsearch method on the log.nsf, this way, the agent could also handle the file transfer for you as well.
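Worked example, added here and not part of any post in this thread: the filtering step that the two answers above describe (pull the "ATTEMPT TO ACCESS DATABASE ... was denied" entries out of log.nsf, keep only the ones for the database you care about, and write them to a file for transfer) written in Python rather than as a LotusScript agent, so it can be run offline against a text export of the log. The message body is exactly the format quoted in the thread; the optional "MM/DD/YYYY HH:MM:SS AM" prefix is an assumption about how the entry looks once exported, and the log lines below are constructed sample input. The same filter applies whether the entries come from an FTSearch on log.nsf or from a console log file.

```python
import csv
import io
import re
from collections import Counter

# Denied-access entry as quoted in the thread:
#   ATTEMPT TO ACCESS DATABASE file.nsf by UserName/OU/O was denied
# The leading timestamp is optional and is an assumption about exported
# log text; the message body itself is the format given in the thread.
DENIED_RE = re.compile(
    r"^(?:(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+)?"
    r"ATTEMPT TO ACCESS DATABASE (?P<db>\S+) by (?P<user>.+?) was denied\s*$"
)

# Constructed sample input (not real log data). Mixes the target database
# under a directory path with backslashes, an unrelated session line, a
# denial for a different database, and an entry with no timestamp.
SAMPLE_LOG = """\
03/15/2006 10:22:31 AM  ATTEMPT TO ACCESS DATABASE hr\\payroll.nsf by Jane Doe/Sales/Acme was denied
03/15/2006 10:22:40 AM  Opened session for John Smith/IT/Acme (Release 6.5)
03/15/2006 10:23:02 AM  ATTEMPT TO ACCESS DATABASE hr\\payroll.nsf by Jane Doe/Sales/Acme was denied
03/15/2006 10:25:17 AM  ATTEMPT TO ACCESS DATABASE names.nsf by Bob Lee/Ops/Acme was denied
ATTEMPT TO ACCESS DATABASE payroll.nsf by Bob Lee/Ops/Acme was denied
"""


def _basename(db_path):
    """Last path segment, lower-cased, so hr\\payroll.nsf and payroll.nsf compare equal."""
    return re.split(r"[\\/]", db_path)[-1].lower()


def parse_denied(line):
    """Return {'ts', 'db', 'user'} for a denied-access entry, else None."""
    m = DENIED_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "db": m.group("db"), "user": m.group("user")}


def scan_denied(lines, target_db):
    """Keep only denied-access entries whose database matches target_db."""
    want = _basename(target_db)
    hits = []
    for line in lines:
        ev = parse_denied(line)
        if ev and _basename(ev["db"]) == want:
            hits.append(ev)
    return hits


def summarize(events):
    """Count denials per user; repeated attempts are what an investigator wants to see first."""
    return Counter(ev["user"] for ev in events)


def report_csv(events):
    """Render the failures as CSV text ready to be written to a file and shipped."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["timestamp", "database", "user"])
    for ev in events:
        w.writerow([ev["ts"] or "", ev["db"], ev["user"]])
    return buf.getvalue()


if __name__ == "__main__":
    events = scan_denied(SAMPLE_LOG.splitlines(), "payroll.nsf")
    for user, n in summarize(events).most_common():
        print(f"{n:3d}  {user}")
    with open("denied_access.csv", "w", newline="") as fh:
        fh.write(report_csv(events))
```

On the transport step from the original question: the script only produces the CSV. FTP sends the credentials and the report itself in cleartext, so for a file that names employees under investigation SFTP or SCP is the better choice; that part is deliberately left out here.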
Create an Event Handler in the Monitoring Configuration database. The event you are attempting to monitor is a Security Event, severity Warning (High), value 0x1323, with original text of “ATTEMPT TO ACCESS DATABASE by was denied.” You can set the event handler to only monitor a specific server. When this event occurs, you can choose from a number of listed actions (mail notification, pager, SNMP, etc.) to execute. You should be able to adapt this process to meet your needs.