Creating and Using Audit Trails Transcript Creating and Using Audit Trails Transcript was developed by Marjorie Lampton. Additional contributions were made by Davetta Dunlap, Anita Hillhouse, Linda Jolley, Ginny Piechota, and Kent Reeve. Editing and production support was provided by the Curriculum Development and Support Department. SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. Creating and Using Audit Trails Transcript Copyright © 2009 SAS Institute Inc. Cary, NC, USA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, or otherwise, without the prior written permission of the publisher, SAS Institute Inc. Book code E1515, course code RLSPAUDT, prepared date 11Nov2009. RLSPAUDT_001 ISBN 987-1-60764-121-6 For Your Information Table of Contents Lecture Description ..................................................................................................................... iv Prerequisites ................................................................................................................................. v Accessibility Tips ......................................................................................................................... v Creating and Using Audit Trails..................................................................................... 1 1. Creating and Using Audit Trails ......................................................................................... 4 Appendix A 1. Appendix A: Demonstration Programs ............................................. A-1 Creating and Viewing an Audit Trail .............................................................................. A-3 iii iv For Your Information Lecture Description This e-lecture addresses how to create an audit trail file in order to gather information about changes to a SAS data set and to analyze and report on those changes. To learn more… For information on other courses in the curriculum, contact the SAS Education Division at 1-800-333-7660, or send e-mail to [email protected]. You can also find this information on the Web at support.sas.com/training/ as well as in the Training Course Catalog. For a list of other SAS books that relate to the topics covered in this Course Notes, USA customers can contact our SAS Publishing Department at 1-800-727-3228 or send e-mail to [email protected]. Customers outside the USA, please contact your local SAS office. Also, see the Publications Catalog on the Web at support.sas.com/pubs for a complete list of books and a convenient order form. For Your Information v Prerequisites Before viewing this SAS e-Lecture, you should have completed the SAS® Programming 1: Essentials course. Completion of the SAS® Programming 2: Data Manipulation Techniques course is helpful, but is not required. Accessibility Tips If you are using a screen reader, such as Freedom Scientific’s JAWS, you may want to configure your punctuation settings so that characters used in code samples (comma, ampersand, semicolon, percent) are announced. Typically, the screen reader default for the character & is to read “and.” For clarity in code samples, you may want to configure your screen reader to read & as “ampersand.” In addition, depending on your verbosity options, the character & might be omitted. The same is true for some commas before a code variable. To confirm code lines, you may choose to read some lines character by character. When testing this scenario with Adobe Acrobat Reader 9.1 and JAWS 10, ampersands before SAS macro names were announced only when in character-reading mode. vi For Your Information Creating and Using Audit Trails 1. Creating and Using Audit Trails ....................................................................................... 4 2 Creating and Using Audit Trails 1. Creating and Using Audit Trails Creating and Using Audit Trails Welcome to the SAS e-Lecture Creating and Using Audit Trails. My name is Marjorie, and I am an instructor for SAS. I have been with SAS Institute since 1995, and except for a few years in SAS Consulting (1997-1999), I have been with SAS Education. Today we will be discussing audit trails. 3 4 Creating and Using Audit Trails 1. Creating and Using Audit Trails Creating and Using Audit Trails 1. Creating and Using Audit Trails 2 Let’s get started. 1. Creating and Using Audit Trails 5 Objectives Determine what an audit trail file is and why some organizations choose to use audit trails. Investigate which files are appropriate for audit trails and what operations preserve or remove an audit trail file. Examine the columns in an audit trail file. Initiate an audit trail file. Add values to an audit trail file. Report on an audit trail file. Manage an audit trail file. 3 In this lecture, we will examine the why’s and when’s of audit trails. You will learn to create an audit trail file in order to gather information about changes to a SAS data set and to analyze and report on those changes. 6 Creating and Using Audit Trails What Is an Audit Trail? The audit trail is an optional SAS file that logs modifications to a SAS table. For each addition, deletion, and update to the data, the audit file stores information about the following: ? who made the modification what was modified when the modification was made 4 The audit trail is an optional SAS file that can be created to log modifications to a SAS data file. Each time that an observation is added, deleted, or updated, information is written to the audit trail about who made the modification, what was modified, and when the modification was made. 1. Creating and Using Audit Trails Why Use an Audit Trail? Q Security Q Historical information 5 Many businesses and organizations require an audit trail for security reasons. The audit trail maintains historical information about the data, which gives you the opportunity to develop usage statistics and patterns. The historical information enables you to track individual pieces of data from the moment that they enter the data file to the time that they leave. 7 8 Creating and Using Audit Trails Audit Trail Description An audit trail Q is a SAS file with the same name as the data file that it is monitoring, but with a member type of AUDIT Q is created by the DATASETS procedure Q is read-only Q can be read by any SAS procedure that accepts the TYPE= data set option. 6 The audit trail is created by the default Base SAS engine and has the same libref and member name as the data file, but it has a data set type of AUDIT. The audit trail file must reside in the same SAS data library as the data file associated with it. A SAS data set can have one, and only one, audit file. Procedures such as PROC PRINT, PROC TABULATE, and PROC FREQ can read audit trail files using the data set option TYPE=AUDIT. 1. Creating and Using Audit Trails 9 Business Task You must monitor the updates for the data set customer. Creating an audit trail file enables you to document the following: Who? What? When? 7 Let’s assume the role of an employee who is tasked with monitoring the updates for the customer data. We want to capture the changes made to the data. We will record who made the change, what change was made, and when the change was made, as well other useful information. 10 Creating and Using Audit Trails Customer Data Here are the first few observations of the orion.customer data: 8 First, let’s view the customer data set. Here are the first few observations. There are six variables: Customer_ID, Country, Gender, Customer_Name, Birth_Date, and Customer_Type_ID. 1. Creating and Using Audit Trails Customer Data proc contents data=orion.customer; run; 9 To understand better the structure of the orion.customer data, let’s submit a PROC CONTENTS step as seen in the yellow box and review the output. 11 12 Creating and Using Audit Trails Customer Data proc contents data=orion.customer; run; 10 Among other attributes, we note there are 77 observations, ... 1. Creating and Using Audit Trails Customer Data proc contents data=orion.customer; run; 11 ... the data set is not password protected, and ... 13 14 Creating and Using Audit Trails Customer Data proc contents data=orion.customer; run; 12 ... there is no audit trail associated with this data set. 1. Creating and Using Audit Trails 15 Initiate the Audit Trail The PROC DATASETS step below will initiate an audit trail for the customer data in the orion library. proc datasets lib=orion nolist; audit customer; initiate; run; 13 Let’s initiate an audit trail by executing the PROC DATASETS step shown in the yellow box. This procedure step is an example of the basic syntax for initiating an audit trail. Here we are accepting all the defaults. 16 Creating and Using Audit Trails Customer Data proc contents data=orion.customer; run; 14 A repeat execution of the PROC CONTENTS step shows that there is now an active audit trail associated with the customer data set. The four image options (Before, Admin, Error, and Data) have been set by default. 1. Creating and Using Audit Trails 17 Change in the Customer Data Set proc fsedit data=orion.customer; run; 15 Now let’s make a change to the customer data. We will change the name Jim to James. To make this change, we use PROC FSEDIT to open the file in edit mode in an FSEDIT window. 18 Creating and Using Audit Trails Report on the Audit Trail proc print data=orion.customer(type=audit) heading=h; run; Birth_ Obs Customer_ID Country Gender Customer_Name Customer_ Date Type_ID _ATDATETIME_ 1 4 US M Jim Kvarniq 27JUN1974 1020 16FEB2009:11:53:31 2 4 US M James Kvarniq 27JUN1974 1020 16FEB2009:11:53:31 Obs _ATOBSNO_ 1 1 2 1 _ATRETURNCODE_ _ATUSERID_ _ATOPCODE_ . sasmgl DR . sasmgl DW _ATMESSAGE_ 16 Now let’s report on the audit file. We will use PROC PRINT as seen in the yellow box. Note the data set option (TYPE=AUDIT). 1. Creating and Using Audit Trails Report on the Audit Trail proc print data=orion.customer(type=audit) heading=h; run; Birth_ Obs Customer_ID Country Gender Customer_Name Customer_ Date Type_ID _ATDATETIME_ 1 4 US M Jim Kvarniq 27JUN1974 1020 16FEB2009:11:53:31 2 4 US M James Kvarniq 27JUN1974 1020 16FEB2009:11:53:31 Obs _ATOBSNO_ 1 1 2 1 _ATRETURNCODE_ _ATUSERID_ _ATOPCODE_ . sasmgl DR . sasmgl DW _ATMESSAGE_ 17 We know the what because we see an image of the data before and after the change. 19 20 Creating and Using Audit Trails Report on the Audit Trail proc print data=orion.customer(type=audit) heading=h; run; Birth_ Obs Customer_ID Country Gender Customer_Name Customer_ Date Type_ID _ATDATETIME_ 1 4 US M Jim Kvarniq 27JUN1974 1020 16FEB2009:11:53:31 2 4 US M James Kvarniq 27JUN1974 1020 16FEB2009:11:53:31 Obs _ATOBSNO_ 1 1 2 1 _ATRETURNCODE_ _ATUSERID_ _ATOPCODE_ . sasmgl DR . sasmgl DW _ATMESSAGE_ 18 We know the who because we know the user making the change was logged on as sasmgl. 1. Creating and Using Audit Trails Report on the Audit Trail proc print data=orion.customer(type=audit) heading=h; run; Birth_ Obs Customer_ID Country Gender Customer_Name Customer_ Date Type_ID _ATDATETIME_ 1 4 US M Jim Kvarniq 27JUN1974 1020 16FEB2009:11:53:31 2 4 US M James Kvarniq 27JUN1974 1020 16FEB2009:11:53:31 Obs _ATOBSNO_ 1 1 2 1 _ATRETURNCODE_ _ATUSERID_ _ATOPCODE_ . sasmgl DR . sasmgl DW _ATMESSAGE_ 19 And we know the when because the date and time are recorded. As we continue in this lecture, we will examine all the audit trail variables. 21 22 Creating and Using Audit Trails Preserving an Audit Trail Type of Process Update-in-place Example DATA step w/ MODIFY PROC SQL w/ INSERT PROC SQL w/ DELETE PROC APPEND PROC FSEDIT Preserve Audit Trail? Yes 20 Let’s discuss the types of processes that preserve an audit trail. There are two basic types of process operations: • Update-in-place - A process in which data is updated in place – that is, a process in which the data is changed in the existing file and no new output data set is created • Create output data sets - A process in which a new output data sets is created Only operations that perform an update-in-place of the data set will preserve the audit trail. Update-inplace operation examples are the MODIFY statement in the DATA step; PROC SQL statements such as UPDATE, INSERT, and DELETE; and PROC APPEND and PROC FSEDIT. 1. Creating and Using Audit Trails 23 Preserving an Audit Trail Type of Process Example Preserve Audit Trail? Update-in-place DATA step w/ MODIFY PROC SQL w/ INSERT PROC SQL w/ DELETE PROC APPEND PROC FSEDIT Yes Create output data sets DATA step w/ SET or MERGE DATA step w/ UPDATE PROC COPY PROC SORT PROC SQL w/ CREATE TABLE PROC SQL w/ CREATE VIEW No 21 Statements such as SET, MERGE, and UPDATE in the DATA step, and the CREATE TABLE or CREATE VIEW statements in PROC SQL create output data sets. That is, they do not perform an updatein-place. Therefore, they delete the audit trail. PROC COPY and PROC SORT are also examples of output data set operations that will not preserve the audit trail. 24 Creating and Using Audit Trails Audit Trail File Variables data file variables copy of the variables in the audited SAS data table _AT*_ variables automatically store modification data USER_VAR variables optional variables that you can define to collect modification data 22 The audit trail file replicates the variables in the data file and additionally stores two types of audit variables. For the audit trail variables, the modification data is automatically stored. The audit trail variable names follow the pattern _AT*_, where the asterisk is replaced by a specific string, such as _ATDateTime_ or _ATUserID_. The USER_VAR variables are optional. They can be used to supplement the information automatically recorded in the audit trail (_AT*_) variables. 1. Creating and Using Audit Trails _AT*_ Variables _AT*_ Variable Description _ATDateTime_ Date and time of a modification _ATUserID_ Logon user ID associated with a modification _ATObsNo_ Observation number affected by the modification unless REUSE=YES _ATReturnCode_ Event return code _ATMessage_ SAS log message at the time of the modification _ATOPCode_ Code describing the type of operation 23 Here you see the _AT*_ variables listed with a brief description. Let’s examine each. 25 26 Creating and Using Audit Trails _AT*_ Variables _AT*_ Variable Description _ATDateTime_ Date and time of a modification _ATUserID_ Logon user ID associated with a modification _ATObsNo_ Observation number affected by the modification unless REUSE=YES _ATReturnCode_ Event return code _ATMessage_ SAS log message at the time of the modification _ATOPCode_ Code describing the type of operation 24 The variable _ATDateTime_ records the date and time that a change was made to the data set. 1. Creating and Using Audit Trails _AT*_ Variables _AT*_ Variable Description _ATDateTime_ Date and time of a modification _ATUserID_ Logon user ID associated with a modification _ATObsNo_ Observation number affected by the modification unless REUSE=YES _ATReturnCode_ Event return code _ATMessage_ SAS log message at the time of the modification _ATOPCode_ Code describing the type of operation 25 The variable _ATUserID_ records the user ID associated with the system logon at the time that the change was made. 27 28 Creating and Using Audit Trails _AT*_ Variables _AT*_ Variable Description _ATDateTime_ Date and time of a modification _ATUserID_ Logon user ID associated with a modification _ATObsNo_ Observation number affected by the modification unless REUSE=YES _ATReturnCode_ Event return code _ATMessage_ SAS log message at the time of the modification _ATOPCode_ Code describing the type of operation 26 The variable _ATObsNo_ records the observation number that is affected by the modification unless, of course, the SAS system option is set to REUSE=YES. Because in that situtation, the observation number is always 0. Remember that the SAS system option REUSE=YES specifies to track free space. The free space is reused whenever observations are added to an existing compressed data set. 1. Creating and Using Audit Trails _AT*_ Variables _AT*_ Variable Description _ATDateTime_ Date and time of a modification _ATUserID_ Logon user ID associated with a modification _ATObsNo_ Observation number affected by the modification unless REUSE=YES _ATReturnCode_ Event return code _ATMessage_ SAS log message at the time of the modification _ATOPCode_ Code describing the type of operation 27 The variable _ATReturnCode_ holds the event return code. 29 30 Creating and Using Audit Trails _AT*_ Variables _AT*_ Variable Description _ATDateTime_ Date and time of a modification _ATUserID_ Logon user ID associated with a modification _ATObsNo_ Observation number affected by the modification unless REUSE=YES _ATReturnCode_ Event return code _ATMessage_ SAS log message at the time of the modification _ATOPCode_ Code describing the type of operation 28 The variable _ATMessage_ contains the SAS log message at the time of the modification. 1. Creating and Using Audit Trails _AT*_ Variables _AT*_ Variable Description _ATDateTime_ Date and time of a modification _ATUserID_ Logon user ID associated with a modification _ATObsNo_ Observation number affected by the modification unless REUSE=YES _ATReturnCode_ Event return code _ATMessage_ SAS log message at the time of the modification _ATOPCode_ Code describing the type of operation 29 And, last, the variable _ATOPCode_ describes the type of operation. By default, SAS logs all _ATOPCode_ values. You can change this behavior when you initiate an audit trail. Let’s take a look at the different values for the variable _ATOPCode_ and what they mean. 31 32 Creating and Using Audit Trails _ATOPCode_ Values Code Event AL Auditing resumed AS Auditing suspended DA Added data record image DD Deleted data record image DR Before-update record image DW After-update record image EA Observation add failed ED Observation delete failed EU Observation update failed 30 The A codes, AL and AS, indicate the auditing status: resumed and suspended, respectively. 1. Creating and Using Audit Trails _ATOPCode_ Values Code Event AL Auditing resumed AS Auditing suspended DA Added data record image DD Deleted data record image DR Before-update record image DW After-update record image EA Observation add failed ED Observation delete failed EU Observation update failed 31 The DA, DD, DW, and DR codes are related to data. They show the data set variable and its value. 33 34 Creating and Using Audit Trails _ATOPCode_ Values Code Event AL Auditing resumed AS Auditing suspended DA Added data record image DD Deleted data record image DR Before-update record image DW After-update record image EA Observation add failed ED Observation delete failed EU Observation update failed 32 The E codes are error codes. EA indicates that the attempt to add an observation failed. ED indicates that the attempt to delete an observation failed. EU indicates that the update to an observation failed. 1. Creating and Using Audit Trails LOG Statement The types of entries stored in the audit trail, along with their corresponding _ATOPCode_ values, are determined by the options specified in the LOG statement when the audit trail is initiated. The default is to log all images. LOG <ADMIN_IMAGE=YES|NO> <BEFORE_IMAGE=YES|NO> <DATA_IMAGE=YES|NO> <ERROR_IMAGE=YES|NO>; 33 Options specified in the LOG statement control the types of entries that are stored in the audit trail. The default is to log all images. 35 36 Creating and Using Audit Trails _ATOPCode_ Values Code Event AL Auditing resumed AS Auditing suspended DA Added data record image DD Deleted data record image DR Before-update record image DW After-update record image EA Observation add failed ED Observation delete failed EU Observation update failed 34 The A codes are controlled by the ADMIN_IMAGE option. ADMIN_IMAGE 1. Creating and Using Audit Trails _ATOPCode_ Values Code Event AL Auditing resumed AS Auditing suspended DA Added data record image DD Deleted data record image DR Before-update record image DW After-update record image EA Observation add failed ED Observation delete failed EU Observation update failed 35 The DR code is controlled by the BEFORE_IMAGE option. BEFORE_IMAGE 37 38 Creating and Using Audit Trails _ATOPCode_ Values Code Event AL Auditing resumed AS Auditing suspended DA Added data record image DD Deleted data record image DR Before-update record image DW After-update record image EA Observation add failed ED Observation delete failed EU Observation update failed 36 The DA, DD, and DW codes are controlled by the DATA_IMAGE option. DATA_IMAGE 1. Creating and Using Audit Trails _ATOPCode_ Values Code Event AL Auditing resumed AS Auditing suspended DA Added data record image DD Deleted data record image DR Before-update record image DW After-update record image EA Observation add failed ED Observation delete failed EU Observation update failed ERROR_IMAGE 37 The E codes are controlled by the ERROR_IMAGE option. If the LOG statement is omitted when the audit trail is initiated, the default behavior is to log all images. 39 40 Creating and Using Audit Trails User Variables User variables are Q defined as part of the audit trail specification Q displayed when the associated data file is opened for update Q edited as you would edit data values Q written to the audit trail as each row is saved Q not displayed when the associated data file is opened for browsing. 38 The user variables are variables that associate data values with the data file without making them part of the data file. The data values are stored in the audit file, but you update (or edit) a user variable like any other variable in the data file. The user variables are not displayed when the SAS data file is browsed. But they are displayed when you edit the SAS data file. You might define a user variable to enable those changing the data to enter a reason for each update. 1. Creating and Using Audit Trails 41 Initiating an Audit Trail with the USER_VAR Statement Example proc datasets lib=orion nolist; audit customer; initiate; user_var Why $20 label='Why the change was made'; run; quit; 39 This is an example of code to initiate an audit trail. In this example the code initiates an audit trail for the data file orion.customer. The audit trail records all events and stores a user variable, Why, for the user to enter a reason for the change. 42 Creating and Using Audit Trails Creating and Viewing an Audit Trail This demonstration illustrates creating an audit trail file and examining the columns in the file. The demonstration also shows the code with which the audit trail was created. 40 In the first step of this demonstration, we will initiate an audit trail for the customer data set. In the next program step, using PROC SQL, we insert one row into the customer table, then delete the rows in which the Country column contains a value of ZA, and then update a row of data. In the third step, we will suspend the audit trail so that you can see the action in the audit trail. In the fourth step, we will report on the audit trail using PROC PRINT and the data set option (TYPE=AUDIT). That will complete the demo, so the last step will be to terminate the audit trail. Let’s begin. 1. The first step is to initiate the audit trail. Examine the highlighted step in the code. PROC DATASETS is the procedure invoked. The AUDIT statement points to the customer data set. The INITIATE statement initiates the audit trail. The USER_VAR statement creates an additional character variable, Why, with the label “Why the Change was made”. There is no LOG statement, so we are accepting the default to record all images. Let’s examine the SAS log to verify that the audit trail was initiated. Yes, it has 14 variables, (7 from the customer data, plus the USER_VAR Why, and 6 audit trail variables). There are no observations. There is a Warning message regarding the lack of password protection. 2. Let’s return to the SAS Editor and examine the next step in our demonstration SAS program. In the SQL procedure, we are inserting a new row into the customer table. Note that we have specified a value for the variable Why. Although this variable exists in the audit trail, it is assigned a value while modifying the customer table. Let’s examine the SAS log to verify that a row has been inserted into the table. Now, let’s return to the SAS Editor. Next, we will delete all rows where the value of the column Country is ZA. Let’s examine the SAS 1. Creating and Using Audit Trails 43 log again to verify that rows have been deleted. Four rows met the criteria. Four rows were deleted. Let’s return to the SAS Editor. Next, we will update the row were the address value contains White House. Let’s examine the SAS log to verify that a row has been updated. Yes, it has been updated. Let’s return to the Editor. We have finished the SQL statement, so we quit the SQL procedure. 3. In the third step, we will suspend the audit trail. The purpose in suspending the audit trail is to capture this action in the audit trail. 4. Next, we will generate a report of the audit trail. We use PROC PRINT data in customer with the data set option (TYPE= AUDIT). In the listing window, we find the report. The first audit trail observation has the _ATOPCode_ of DA – Data Added. The next four observations show the _ATOPCode_ of DD – Data Deleted. The sixth observation is the record read, code DR , and the next observation as the code DW – Data written. These two observations record in the audit trail the modified observation before and after modification. The last observation is the Administration image, showing that the audit trail has been suspended. Take note that the date and time and each change to the audit trail has been recorded, as well as the user ID of the person making the changes to the data. This completes the demonstration. Let’s return one last time to the SAS Editor, and we will delete our audit trail using PROC DATASETS with the TERMINATE statement. 44 Creating and Using Audit Trails Initiating an Audit Trail with PROC DATASETS General form of the DATASETS procedure: PROC DATASETS LIB=libref; AUDIT SAS-file <SAS-password>; INITIATE <AUDIT_ALL=NO|YES>; <LOG <ADMIN_IMAGE=YES|NO> <BEFORE_IMAGE=YES|NO> <DATA_IMAGE=YES|NO> <ERROR_IMAGE=YES|NO>>; <USER_VAR variable-1 <... variable-n>>; RUN; QUIT; 41 This is the general syntax in the DATASETS procedure for initiating an audit trail. 1. Creating and Using Audit Trails 45 Initiating an Audit Trail with PROC DATASETS General form of the DATASETS procedure: PROC DATASETS LIB=libref; AUDIT SAS-file <SAS-password>; INITIATE <AUDIT_ALL=NO|YES>; <LOG <ADMIN_IMAGE=YES|NO> <BEFORE_IMAGE=YES|NO> <DATA_IMAGE=YES|NO> <ERROR_IMAGE=YES|NO>>; <USER_VAR variable-1 <... variable-n>>; RUN; QUIT; 42 The libref value is the library where the table to be audited resides. This is where the audit trail will reside also. 46 Creating and Using Audit Trails Initiating an Audit Trail with PROC DATASETS General form of the DATASETS procedure: PROC DATASETS LIB=libref; AUDIT SAS-file <SAS-password>; INITIATE <AUDIT_ALL=NO|YES>; <LOG <ADMIN_IMAGE=YES|NO> <BEFORE_IMAGE=YES|NO> <DATA_IMAGE=YES|NO> <ERROR_IMAGE=YES|NO>>; <USER_VAR variable-1 <... variable-n>>; RUN; QUIT; 43 SAS-file specifies the name of the table to be audited. SAS-password provides the SAS data file password, if one exists. The audit file uses the SAS password that is assigned to the parent data file; therefore, it is recommended that you alter the password for the parent data file. Use the ALTER= data set option to assign an alterpassword to a SAS file or to access a read-, write-, or alter-protected SAS file. If another password is used or no password is used, then the audit file is still created, but it is not protected. 1. Creating and Using Audit Trails 47 Initiating an Audit Trail with PROC DATASETS General form of the DATASETS procedure: PROC DATASETS LIB=libref; AUDIT SAS-file <SAS-password>; INITIATE <AUDIT_ALL=NO|YES>; <LOG <ADMIN_IMAGE=YES|NO> <BEFORE_IMAGE=YES|NO> <DATA_IMAGE=YES|NO> <ERROR_IMAGE=YES|NO>>; <USER_VAR variable-1 <... variable-n>>; RUN; QUIT; 44 The INITIATE statement creates the audit file. AUDIT_ALL=NO|YES specifies whether logging can be suspended and audit settings can be changed. AUDIT_ALL=YES specifies that all images are logged and cannot be suspended. That is, you cannot use the LOG statement to turn off logging of particular images, and you cannot suspend event logging by using the SUSPEND statement. To turn off logging, you must use the TERMINATE statement, which terminates event logging and deletes the audit file. 48 Creating and Using Audit Trails Initiating an Audit Trail with PROC DATASETS General form of the DATASETS procedure: PROC DATASETS LIB=libref; AUDIT SAS-file <SAS-password>; INITIATE <AUDIT_ALL=NO|YES>; <LOG <ADMIN_IMAGE=YES|NO> <BEFORE_IMAGE=YES|NO> <DATA_IMAGE=YES|NO> <ERROR_IMAGE=YES|NO>>; <USER_VAR variable-1 <... variable-n>>; RUN; QUIT; 45 The LOG statement specifies the images (events) to be logged on the audit file. If you omit the LOG statement, all images are recorded. The images can be controlled with the image options: • ADMIN_IMAGE=YES|NO controls whether the administrative events are logged to the audit file (that is, the suspend and resume actions). • BEFORE_IMAGE=YES|NO controls storage of before-update record images (for example, the DR operation). • DATA_IMAGE=YES|NO controls storage of after-update record images (for example, other operations starting with D). • ERROR_IMAGE=YES|NO controls storage of unsuccessful update record images (for example, operations starting with E). 1. Creating and Using Audit Trails 49 PROC DATASETS USER_VAR Statement PROC DATASETS LIB=libref; AUDIT SAS-file <SAS-password>; INITIATE; <LOG <BEFORE_IMAGE=YES|NO> <DATA_IMAGE=YES|NO> <ERROR_IMAGE=YES|NO>>; <USER_VAR specification-1 <specification-n>>; RUN; QUIT; 46 USER_VAR variables are unique in SAS in that they are stored in one file (the audit file) and opened for update in another (the data file). When the data file is opened for update, the USER_VAR variables appear, and you can edit them as though they were part of the data file. 50 Creating and Using Audit Trails Initiating an Audit Trail with a LOG Statement Example proc datasets lib=orion; audit customer; initiate; log admin_image=no before_image=no data_image=yes error_image=yes; run; quit; 47 This is an example of program code to initiate an audit trail with the LOG statement. Here we would not record the suspension or the resumption of the audit trail. Nor would we record the row image before the update. The default for each image is YES. It is not necessary to specify them as we did here for DATA_IMAGE and ERROR_IMAGE if you are using the default value. 1. Creating and Using Audit Trails 51 Controlling the Audit Trail After you initiate the audit trail, use PROC DATASETS to do the following: suspend logging resume logging terminate (delete) the audit file PROC DATASETS LIB=libref; AUDIT SAS-file; SUSPEND|RESUME|TERMINATE; RUN; QUIT; 48 When the audit trail is active, you can suspend and resume logging, and terminate (delete) the audit trail. Note that replacing the associated data file also deletes the audit trail. 52 Creating and Using Audit Trails Report on an Audit Trail File proc print data=work.customer (type=audit); title 'Audit Trail for Customer'; run; Audit Trail for Customer Obs Customer_ Customer_ID Country FirstName 1 2 3 4 5 6 7 Obs 49 1 2 3 4 5 6 7 101 2550 2618 2806 3959 101 101 Customer_ Type_ID 1050 2010 1030 1030 2030 1050 1050 US ZA ZA ZA ZA US US Andrew Sanelisiwe Theunis Raedene Rita Andrew Andrew Customer_ LastName Birth_ Date Customer_Address Jackson 15MAR1767 White House, Washington, DC Collier 07JUL1988 Bryanston Drive 122 Brazier 21MAR1949 Arnold Road 2 Van Den Berg 16SEP1988 Quinn Street 11 Lotz 24FEB1964 Moerbei Avenue 120 Jackson 15MAR1767 White House, Washington, DC Jackson 15MAR1767 1600 Pennsylvania Ave, Washington, DC _ATDATETIME_ _ATOBSNO_ _ATRETURNCODE_ _ATUSERID_ _ATOPCODE_ _ATMESSAGE_ 26FEB2009:10:25:10 26FEB2009:10:25:10 26FEB2009:10:25:10 26FEB2009:10:25:10 26FEB2009:10:25:10 26FEB2009:10:25:10 26FEB2009:10:25:10 78 53 54 56 57 78 78 . . . . . . . sasmgl sasmgl sasmgl sasmgl sasmgl sasmgl sasmgl DA DD DD DD DD DR DW Procedures such as PRINT, TABULATE, and FREQ can read audit trail files using the TYPE= data set option. Shown here is an example of PROC PRINT. 1. Creating and Using Audit Trails Report on an Audit Trail File proc freq data=work.customer (type=audit); title 'Audit Trail for Customer'; table _atopcode_ / nocum; run; Audit Trail for Customer The FREQ Procedure _ATOPCODE_ Frequency Percent ƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒ DA 1 14.29 DD 4 57.14 DR 1 14.29 DW 1 14.29 50 Shown here is a report on the audit trail produced with PROC FREQ. 53 54 Creating and Using Audit Trails Report on an Audit Trail File proc tabulate data=work.customer (type=audit); title 'Audit Trail for Customer'; class _atopcode_; table _atopcode_=' ',N*f=3. pctn*f=6.2/box='ATOPCode'; run; Audit Trail for Customer 51 „ƒƒƒƒƒƒƒƒƒƒƒƒƒƒ…ƒƒƒ…ƒƒƒƒƒƒ† ‚ATOPCode ‚ N ‚ PctN ‚ ‡ƒƒƒƒƒƒƒƒƒƒƒƒƒƒˆƒƒƒˆƒƒƒƒƒƒ‰ ‚DA ‚ 1‚ 14.29‚ ‡ƒƒƒƒƒƒƒƒƒƒƒƒƒƒˆƒƒƒˆƒƒƒƒƒƒ‰ ‚DD ‚ 4‚ 57.14‚ ‡ƒƒƒƒƒƒƒƒƒƒƒƒƒƒˆƒƒƒˆƒƒƒƒƒƒ‰ ‚DR ‚ 1‚ 14.29‚ ‡ƒƒƒƒƒƒƒƒƒƒƒƒƒƒˆƒƒƒˆƒƒƒƒƒƒ‰ ‚DW ‚ 1‚ 14.29‚ Šƒƒƒƒƒƒƒƒƒƒƒƒƒƒ‹ƒƒƒ‹ƒƒƒƒƒƒŒ This is a report generated with PROC TABULATE. 1. Creating and Using Audit Trails 55 In a Shared Environment The time that the transaction is logged depends on the user’s session time. 52 The audit trail operates similarily in local and remote environments. The only difference for applications and users networking with SAS/CONNECT and SAS/SHARE is that the audit trail logs events when the observation is written to permanent storage – that is, when the data is written to the remote SAS session or server. Therefore, the time that the transaction is logged might be different from the user’s SAS session. 56 Creating and Using Audit Trails Performance Suspend the audit trail for large batch updates. Data file Audit trail 53 Because each update to the data file is also written to the audit file, the audit trail can negatively impact system performance. You might want to consider suspending the audit trail for large, regularly scheduled batch updates. Note that the audit variables are unavailable when the audit trail is suspended. 1. Creating and Using Audit Trails 57 Preserving an Audit Trail The audit trail is not recommended for data files that are copied, moved, sorted in place, replaced, or transferred to another operating environment. Moved Copied Transferred to another operating system Sorted in place Replaced 54 The audit trail is not recommended for data files that are copied, moved, sorted in place, replaced, or transferred to another operating environment, because those operations do not preserve the audit trail. Note that in a copy operation on the same host, you can preserve the data file and audit trail by renaming them using the generation data sets feature. However, logging stops because neither the auditing process nor the generation data sets feature saves the source program that caused the replacement. 58 Creating and Using Audit Trails Summary Q An audit trail is an associated file in which a historical trail of modifications to a SAS data file can be kept. Q Not all processes preserve the audit trail, and not all files are appropriate for audit trails. Q Audit trails can be initiated, suspended, or resumed with the DATASETS procedure. Q When an audit trail is initiated, the columns of information to be recorded can be determined. Q An audit trail (file TYPE=AUDIT) can be reported when you use the PRINT, TABULATE, and FREQ procedures. 55 Let’s summarize what we have discussed. An audit trail is an associated file in which changes to a SAS data file are recorded. Only change-in-place processes will preserve the audit trail. The DATASETS procedure can initiate, suspend, or resume the audit trail. The structure of the audit trail is determined at initiation. The audit trail can be analyzed and reported on with the PRINT, TABULATE, and FREQ procedures. 1. Creating and Using Audit Trails Additional Resources The DATASETS Procedure: AUDIT Statement support.sas.com/documentation/cdl/en/proc/59565/HTML/default/ a001124621.htm SAS Component Language Dictionary: EXIST support.sas.com/documentation/cdl/en/sclref/59578/HTML/default/ a000143484.htm Programming with the SQL Procedure: Accessing SAS System Information Using DICTIONARY Tables support.sas.com/documentation/cdl/en/sqlproc/59727/HTML/default/ a001385596.htm SAS Data Files: Understanding an Audit Trail support.sas.com/documentation/cdl/en/lrcon/59522/HTML/default/ a001224397.htm 56 Integrity Constraints and Audit Trails Working Together ctsweb.na.sas.com/ctp/SQA/Reg/audit%20trails.pdf Here are links to additional documentation and papers that you can peruse if you have additional questions. 59 60 Creating and Using Audit Trails Additional Resources Additional white papers and documentation can be found by searching for audit trails at support.sas.com/ . 57 You can find additional information and documentation for SAS audit trails by searching at http://support.sas.com/ for audit trails. 1. Creating and Using Audit Trails Credits Creating and Using Audit Trails was developed by Marjorie Lampton. Additional contributions were made by Kay Alden, Davetta Dunlap, Linda Jolley, Ginny Piechota, and Jane Stroupe. 58 This concludes the SAS e-Lecture Creating and Using Audit Trails. I hope you found the material to be helpful for your work. Thank you to everyone who contributed to the creation of this e-lecture. 61 62 Creating and Using Audit Trails Comments? We would like to hear what you think. Do you have any comments about this lecture? Did you find the information in this lecture useful? What other e-lectures would you like SAS to develop in the future? Please e-mail your comments to [email protected] Or you can fill out the short evaluation form at the end of this lecture. 59 If you have any comments about this lecture or e-lectures in general, we would appreciate receiving your input. You can use the e-mail address listed here to provide that feedback, or you can complete the short evaluation form available at the end of this lecture. 1. Creating and Using Audit Trails Copyright SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. Copyright © 2009 by SAS Institute Inc., Cary, NC 27513, USA. All rights reserved. 60 Thank you for your time. 63 64 Creating and Using Audit Trails Appendix A Appendix A: Demonstration Programs 1. Creating and Viewing an Audit Trail ............................................................................ A-3 A-2 Appendix A Appendix A: Demonstration Programs 1. Creating and Viewing an Audit Trail 1. A-3 Creating and Viewing an Audit Trail Slide 40 In this demonstration, we will create an audit trail for the customer data. We will change the customer data by inserting an observation, deleting a group of observations, and updating an observation. Next we will suspend the audit trail. We will examine the audit trail using PROC PRINT. Last, we will delete the audit trail. First, we will create the audit trail using the DATASETS procedure. We are accepting the defaults, so we are creating all _AT*_ variables and recording all _ATOPCode_ values. /* Initiate an audit trail */ proc datasets lib=work nolist; audit customer; initiate; user_var Why $20 label='Why the change was made'; run; quit; Next, we will insert a row into the customer table, update a row, and delete a row. proc sql; /* Insert a new row into the customer table */ insert into work.customer set Customer_ID=101, Customer_Type_ID= 1050, Customer_LastName = 'Jackson' , Customer_FirstName = 'Andrew', Birth_Date= '15mar1767'd , Customer_Address='White House,Washington, DC' , Country= 'US', Why='New Customer' ; /*Delete several rows */ delete from work.customer where Country='ZA'; /* Update a row */ update work.customer set customer_address='1600 Pennsylvania Ave, Washington, DC', why='Address update' where customer_address ? 'White House'; quit; /* Suspend the audit trail */ proc datasets library=work nolist; audit customer; suspend; run; quit; Now, let peruse the audit trail. A-4 Appendix A Appendix A: Demonstration Programs /* Review the Audit Trail and note the _*AT_ variables, _ATOPCodes_ ,and User_Var */ proc print data=work.customer (type = audit); title 'Audit Trail for Customer'; run; Our demonstration is finished, so let’s delete the audit trail. /* To terminate the audit trail */ proc datasets library=work nolist; audit customer; terminate; run; quit; SAS Log 559 proc datasets lib=Work nolist; 560 audit customer; 561 initiate; WARNING: The audited data file WORK.CUSTOMER.DATA is not password protected. Apply an ALTER password to prevent accidental deletion or replacement of it and any associated audit files. 562 user_var Why $20 label = 'Why the change was made'; 563 run; NOTE: The data set WORK.CUSTOMER.AUDIT has 0 observations and 14 variables. 564 quit; NOTE: PROCEDURE DATASETS used (Total process time): real time 0.04 seconds cpu time 0.06 seconds 565 proc sql; 566 insert into work.customer 567 set Customer_ID=101, 568 Customer_Type_ID= 1050, 569 Customer_LastName = 'Jackson' , 570 Customer_FirstName = 'Andrew', 571 Birth_Date= '15mar1767'd , 572 Customer_Address='White House, Washington, DC' , 573 Country= 'US', 574 Why='New Customer' 575 ; NOTE: 1 row was inserted into WORK.CUSTOMER. 576 delete from work.customer 577 where Country='ZA'; NOTE: 4 rows were deleted from WORK.CUSTOMER. 578 579 update work.customer set customer_address='1600 Pennsylvania Ave, Washington, DC', 1. Creating and Viewing an Audit Trail 580 why='Address update' 581 where customer_address ? 'White House'; NOTE: 1 row was updated in WORK.CUSTOMER. NOTE: PROCEDURE SQL used (Total process time): real time 1:06.55 cpu time 2.26 seconds 582 583 584 585 proc datasets library = Work nolist; audit customer; suspend; run; 586 Quit; NOTE: PROCEDURE DATASETS used (Total process time): real time 0.01 seconds cpu time 0.03 seconds 587 588 589 proc print data = work.customer (type = audit); title 'Audit Trail for Customer'; run; NOTE: Access by observation number not available. Observation numbers will be counted by PROC PRINT. NOTE: There were 8 observations read from the data set WORK.CUSTOMER.AUDIT. NOTE: PROCEDURE PRINT used (Total process time): real time 0.00 seconds cpu time 0.00 seconds 590 proc datasets library = Work nolist; 591 audit customer; 592 terminate; NOTE: Deleting WORK.CUSTOMER (memtype=AUDIT). 593 run; 594 Quit; NOTE: PROCEDURE DATASETS used (Total process time): real time 0.04 seconds cpu time 0.03 seconds A-5 A-6 Appendix A Appendix A: Demonstration Programs
© Copyright 2026 Paperzz