Domino Deletion Logging (SnTT) – Thoughts on Securing The Logs

Man… “SnTT” – who remembers that from the stone ages of Lotus blogging days? Show-n-Tell-Thursdays.

I had almost forgotten about it until I saw that this old post I was going to refer to today was also tagged with it. In this post from 2006 on my original blog, I discussed a method that I implemented for my company at the time. It was also something that I ended up expanding on during a consulting gig to not only log deletions from a mail file in Notes but to also do it for web access to the mail file(s). It was rather slick, with integration into multiple forms for not just deletions but reads by anyone other than the mail file owner.

But I digress. Let’s look at how the monitoring of deleted documents has now been added into the core server code. It is, of course, enabled for a database through a compact switch that is detailed in the documentation.

Using compact with the -dl switch (for deletion logging), you enable it for a database or directory of databases, along with up to four fields (such as SendTo, From, DeliveredDate, or Subject) that best help you identify the deleted document. Other values are also logged by default (such as the date and time of deletion, the database, the user or server who deleted it, and some others). The logs are stored in a comma-separated delete.log file in the IBM_TECHNICAL_SUPPORT folder and rotated upon server restarts.

Which now leads us to some general thoughts on security around the logs. I would advise keeping the following in mind – especially if you are concerned with specific users deleting documents in a specific database.

  • Physical security of the OS folder. Someone could delete documents and then wipe the deletion log entry from the log file.
  • Consider writing an agent to grab the deletions from the log file and store them in an NSF with high security. This would also make it easier to navigate and search.
  • Set up a Domino Event Monitor that tracks all uses of “-dl” with the compact command as they come across the console. You’ll know if someone attempted to disable deletion logging, delete some documents, and then re-enable the logging.
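
To make the first two points concrete, here is an added example (not from the original post and not Domino code) of a collector that copies delete.log entries into a hash-chained ledger and reports any previously collected entry that has since disappeared from the file. The function names, the ledger structure and the sample log lines are assumptions; in practice the ledger would live in the secured NSF or off the server, with one ledger per log file since the log rotates on restart.

```python
import difflib
import hashlib

GENESIS = "0" * 64  # chain seed for an empty ledger

def link(prev_hash, line):
    """Hash of one ledger entry, bound to the entry before it."""
    return hashlib.sha256(f"{prev_hash}\n{line}".encode("utf-8")).hexdigest()

def verify_ledger(ledger):
    """True if no collected entry was edited, dropped or reordered."""
    prev = GENESIS
    for line, digest in ledger:
        if link(prev, line) != digest:
            return False
        prev = digest
    return True

def collect(log_lines, ledger):
    """Diff the current delete.log against the collected copy.

    Returns (updated_ledger, findings). Lines appended since the last run
    are collected silently; a collected line that has vanished from the
    file, or a line that appears among already-collected ones, is reported.
    """
    known = [line for line, _ in ledger]
    findings, to_add = [], []
    matcher = difflib.SequenceMatcher(None, known, log_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            findings += [("missing", line) for line in known[i1:i2]]
        if tag in ("insert", "replace"):
            to_add += log_lines[j1:j2]  # keep everything as evidence
            if tag == "replace" or i1 < len(known):
                findings += [("unexpected", line) for line in log_lines[j1:j2]]
    updated = list(ledger)
    prev = updated[-1][1] if updated else GENESIS
    for line in to_add:
        prev = link(prev, line)
        updated.append((line, prev))
    return updated, findings

# Constructed sample lines; the column layout is assumed, not taken from Domino.
SAMPLE = [
    '"20240105T101500","mail/jdoe.nsf","CN=Jane Doe/O=Example","Subject: Q4 numbers"',
    '"20240105T101730","mail/jdoe.nsf","CN=Admin One/O=Example","Subject: Audit request"',
    '"20240105T102210","mail/jdoe.nsf","CN=Jane Doe/O=Example","Subject: Lunch"',
]
```

Run `collect` on a schedule with the current contents of delete.log; a non-empty findings list means the file no longer agrees with what was already collected.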

Are there any other security-related thoughts which you have related to the new Domino Deletion Logging?
