The latest release of Metacoda Plug-ins, version 6.2, is now available and includes a new Activity Reviewer plug-in which can be used to review SAS® 9 platform log records from within SAS Management Console for the purposes of audit.
This blog post provides an overview of how it came to be, how it works, and what you can do with it.
I think the most requested queries we get about Metacoda Plug-ins are whether they can answer the audit-type questions of “What does this person have access to?” and “Who has access to this object?”. Our Permissions Explorers can be used to answer those questions because the answers can be found in SAS 9 metadata. I think the next most common questions are “What has this person done?” and “What has been done to this object?”. These questions cannot be answered from metadata; you have to delve into the SAS server logs instead.
Our plug-ins have always been focused on answering current state questions from SAS metadata and so we have not been able to answer those history questions so far. We would always recommend people look at the Audit Performance Measurement (APM) part of the SAS Environment Manager Service Architecture Framework. However, we have never felt that was the very best answer because, rather than sending people off to another interface, it made more sense to be able to show them the answer inside SAS Management Console when they were already looking at the person or object in question. Who wants to go somewhere else and start the query process again from scratch? For that primary reason, and a few other secondary ones, we decided to revisit this and build the Activity Reviewer plug-in.
- We wanted to be able to tightly integrate log queries within other existing Metacoda Plug-ins including:
  - Being able to see user activity for a selected user in the User Reviewer
  - Being able to see activity for a selected object in all of the other reviewers
- We wanted to be able to show log queries for the user very quickly, within seconds
- We wanted to be able to show very recent log entries i.e. within the last few minutes or seconds and not have to wait for an overnight batch job
- We wanted to help those customers who have not enabled SAS Environment Manager APM or have chosen not to do so for various reasons
- We wanted the ability to augment the log data with additional information as it was collected
Rather than start from scratch, it made sense to implement these features by using existing open source software that excels at collecting and making log records available. Additionally, people may already be using this software in their organizations and have existing skills for installing and maintaining it. The open source software we chose to integrate with was OpenSearch, for the purposes of storing log data and making it available for flexible queries via a REST API, and Fluentd (or td-agent), for watching log files, parsing and filtering log data and sending it to OpenSearch for storage and query. We provide some plug-in software for Fluentd to make it easier to watch and process SAS log files. Initially, this is only for SAS Metadata Server and SAS Object Spawner log files. The Activity Reviewer plug-in then targets OpenSearch with REST API queries to show the log records of interest.
This diagram shows a high level overview of how it all fits together. The blue components show additional 3rd party software components that need to be installed. The orange items represent software plug-ins provided by Metacoda. The red arrows show the flow of log records from SAS logs into OpenSearch. The blue arrows represent the query of OpenSearch log records by the Metacoda Activity Reviewer plug-in.
Once everything has been set up, SAS logs are being watched, and the log records are being sent to OpenSearch, the Activity Reviewer plug-in can be used to query those logs.
From the main interface, you can search for a SAS object and see log records that relate to activity on that object. Alternatively, you could search for a SAS user and see log records that relate to activity by that user. You can combine them and view log activity for a specific user on a specific object. There is also a search field where you can refine the results using OpenSearch query syntax. If you prefer, you can also skip the user and object selection and just use the search field on its own.
The results can be exported into CSV or HTML format.
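To make the user, object and search field combination concrete, here is a sketch of the kind of OpenSearch `_search` request body it implies, plus flattening the reply into rows for export. This is an added example, not Metacoda's code; the field names `sas_user` and `sas_object`, the 15 minute default window and the sample response are assumptions.

```python
import json

# Assumed field names (keyword-mapped); the real ones depend on how your
# Fluentd pipeline parses the SAS log lines before indexing them.
USER_FIELD = "sas_user"
OBJECT_FIELD = "sas_object"
TIME_FIELD = "@timestamp"


def build_activity_query(user=None, obj=None, search=None,
                         since="now-15m", size=100):
    """Build a _search body: exact filters for user/object, optional
    query-string text, newest records first."""
    filters = [{"range": {TIME_FIELD: {"gte": since}}}]
    if user:
        filters.append({"term": {USER_FIELD: user}})
    if obj:
        filters.append({"term": {OBJECT_FIELD: obj}})
    bool_query = {"filter": filters}
    if search:
        bool_query["must"] = [{"query_string": {"query": search}}]
    return {"size": size,
            "sort": [{TIME_FIELD: {"order": "desc"}}],
            "query": {"bool": bool_query}}


def hits_to_rows(response, columns):
    """Flatten a _search response into rows, e.g. for a CSV export."""
    return [[hit["_source"].get(col, "") for col in columns]
            for hit in response["hits"]["hits"]]


# Constructed sample response, shaped like an OpenSearch _search reply.
SAMPLE_RESPONSE = {"hits": {"hits": [
    {"_source": {"@timestamp": "2023-10-02T03:14:07Z",
                 "sas_user": "sasdemo", "sas_object": "Sales Report",
                 "message": "constructed sample log message"}},
    {"_source": {"@timestamp": "2023-10-02T03:12:55Z",
                 "sas_user": "sasdemo", "sas_object": "Sales Report"}},
]}}

if __name__ == "__main__":
    body = build_activity_query(user="sasdemo", obj="Sales Report")
    print(json.dumps(body, indent=2))  # POST this to <index>/_search
    for row in hits_to_rows(SAMPLE_RESPONSE,
                            ["@timestamp", "sas_user", "message"]):
        print(row)
```

Putting the user and object in `filter` clauses keeps them as exact, unscored matches, so the free-text search can only narrow the results and never widen them beyond the selected user or object.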
We have also integrated the Activity Reviewer into our other plug-ins. If you right mouse click on an object in another reviewer, such as the ACT Reviewer, you can choose to view log activity related to that specific object.
If you right mouse click on a user in the User Reviewer, you can choose to view log records related to activity by that specific user.
The Activity Reviewer plug-in is available to those Metacoda customers who license the enterprise package, where support for the initial setup and ongoing usage is included.
The static screenshots in this blog post only go some way to show the versatility and integration of the Activity Reviewer plug-in, so if you would like to see a live demo and ask some questions then please sign up for the SAS Ask the Expert webinar, on Tuesday 24 Oct 2023 at 4pm ET, where I will be presenting “How Do You Review Activity In SAS® Management Console?” You can register at https://www.sas.com/en_us/webinars/review-activity-sas-management-console.html
To test this plug-in, and any of the others, with your own SAS 9 platform installation, you can register for a free 30-day evaluation.