I just had a friend e-mail me and state he was being contacted by his previous employer complaining he made changes to their TSM retention times, causing them to lose data. The TSM admin who took over is blaming him, stating he changed the retention and now the data is gone. My friend does not remember making any retention changes, and the problem is that any change to the copygroup updates the "Last Update by (administrator)" and the "Last Update Date/Time", so it's not substantial evidence of who did what. The only way to verify what had really occurred would be to either keep the actlog for an extremely long period of time, or dump it to a text file that you zip and archive. (Even then, it's a text file and could be tampered with.) In the case of my friend, he left the company last November and anyone could have altered the copygroup since then.
How many of you archive your TSM Activity Log, and how long do you keep it for? Obviously it's good for security and tracking purposes, but who manages it and can you reliably keep it in a read-only state? Of course this is also a case where a bi-monthly audit of retention settings would have helped.
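One way to make an archived actlog text file tamper-evident, as an added example that is not part of the original post: each exported line gets an HMAC tag that also covers the previous tag, so an edited, inserted or deleted line breaks the chain from that point on. The sample lines, their layout, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed key; in practice it is held by someone other than the TSM admins.
KEY = b"constructed-demo-key"
GENESIS = b"\x00" * 32

# Constructed sample of exported activity-log lines (layout is an assumption).
SAMPLE_ACTLOG = [
    "2011-10-03 09:14:02 ANR2017I Administrator ADMIN_A issued command: "
    "UPDATE COPYGROUP STANDARD STANDARD STANDARD TYPE=BACKUP RETEXTRA=30",
    "2011-10-03 09:15:40 ANR2017I Administrator ADMIN_B issued command: "
    "QUERY COPYGROUP",
    "2011-10-03 09:16:11 ANR2017I Administrator ADMIN_A issued command: "
    "ACTIVATE POLICYSET STANDARD STANDARD",
]

def _tag(key, prev, line):
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()

def seal(lines, key, prev=GENESIS):
    """Return [(line, tag_hex)]; each tag covers the line and the previous tag."""
    sealed = []
    for line in lines:
        prev = _tag(key, prev, line)
        sealed.append((line, prev.hex()))
    return sealed

def first_tampered(sealed, key, prev=GENESIS):
    """Index of the first record whose tag fails to verify, or None if intact."""
    for i, (line, tag_hex) in enumerate(sealed):
        prev = _tag(key, prev, line)
        if not hmac.compare_digest(prev.hex(), tag_hex):
            return i
    return None

def retention_changes(lines):
    """Lines recording a copygroup change (full command names only;
    abbreviated command forms are not matched by this simple filter)."""
    verbs = ("UPDATE COPYGROUP", "DEFINE COPYGROUP")
    return [l for l in lines if any(v in l.upper() for v in verbs)]

if __name__ == "__main__":
    archive = seal(SAMPLE_ACTLOG, KEY)
    print("intact:", first_tampered(archive, KEY) is None)
    for hit in retention_changes(SAMPLE_ACTLOG):
        print("retention change:", hit)
```

Truncating the end of the file does not break the chain, so the record count and the last tag of each export need to be stored somewhere the TSM administrators cannot write.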
I actually wrote a script to take the TSM Actlog to TSIEM (Actually at the time it was TCIM - Tivoli Compliance Insight Manager).
Take every administrative (i.e. not Query/Select) action by every admin and convert it to w7csv format. Worked pretty well.
It would be nice if IBM could integrate it. Seems like a pretty solid candidate for integration.
Hi Chad,
We use a reporting tool that basically keeps all the info in SQL so we only have 30 days on the TSM Server.
Then SQL can do all the maintenance :)
We keep all event, activity and summary logs for 1 year inside the TSM activity log, as even required by the security guidance of many of our customers for audit purposes. It is not that much data in the TSM DB.