AMT Audit Log ... Let it Roll

By Lance Atencio (Intel) on March 24, 2009 at 2:52 pm

When the Access Monitor (a.k.a. Audit Log) feature was added to AMT back in release 4.0 (see original blog here), concern was expressed about its behaviour when the log became full.

To ensure the Auditor had a chance to see all the events flagged as "critical", these events were not allowed to run while the log was full. This was a security feature to ensure that a sneaky admin (or other user with sufficient privilege) could not perform some improper activity and slip it by the Auditor because the log was full.

However, this also created a situation where systems could be prevented from being managed properly because events were blocked by a full audit log. If something happened to the Auditor (or group of people with Auditor permissions) that prevented them from cleaning the log, it could easily become full and block critical events.

So starting with AMT 5.1, this feature has been updated to give users a choice in how they configure their implementation of Access Monitor, so that the log can be allowed to roll over when full. The following policies can now be set by the Auditor:

To find out more, download the latest version of the SDK and look at the Access Monitor/Audit Log documentation and sample code.
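The trade-off between the two behaviours described above, as an added sketch that is not from the AMT SDK or the original post. The class, its method names, the capacity and the per-record sequence number are assumptions made for illustration, and every action is treated as a critical event.

```python
from collections import deque

class AuditLog:
    """Toy fixed-capacity audit log; a hypothetical model, not the AMT interface."""

    def __init__(self, capacity, rollover):
        self.capacity = capacity
        self.rollover = rollover    # False: refuse critical events while full
        self.records = deque()
        self.next_seq = 0           # assumed per-record sequence number

    def perform(self, user, action):
        """Attempt a critical action; return True if it ran (and was logged)."""
        if len(self.records) >= self.capacity:
            if not self.rollover:
                return False        # fail closed: nothing runs unlogged
            self.records.popleft()  # roll over: oldest record is overwritten
        self.records.append((self.next_seq, user, action))
        self.next_seq += 1
        return True

    def review_and_clear(self):
        """Auditor reads every record, then empties the log."""
        seen = list(self.records)
        self.records.clear()
        return seen


def simulate(rollover, capacity=4, operations=7):
    """Run `operations` critical actions with no auditor visit in between."""
    log = AuditLog(capacity, rollover)
    refused = [f"op-{i}" for i in range(operations)
               if not log.perform("admin", f"op-{i}")]
    seen = log.review_and_clear()
    # The auditor expected to start at sequence 0; a higher first number
    # means that many records were overwritten before anyone read them.
    unseen = seen[0][0] if seen else 0
    return {"refused": refused,
            "reviewed": [action for _, _, action in seen],
            "never_reviewed": unseen}


if __name__ == "__main__":
    print("block when full:", simulate(rollover=False))
    print("roll over      :", simulate(rollover=True))
```

With blocking, the last three actions are refused and the Auditor sees everything that ran; with rollover, all seven run but the first three records are gone before review, which is why a rollover deployment needs the log collected more often than it fills.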

Categories: Manageability
