首先别盲目排查,先确认档案管理系统(以下简称“档管系统”)必须记录的安全日志字段,一般可直接参考国家档案局《数字档案馆安全管理规范》DA/T 78-2019:
然后用档管系统自带的日志查询功能,随机抽选3天、10个不同用户的操作行为,对比必填字段缺失率,以及是否存在“登录后直接跳过重操作记录”“高权限操作(如批量删除)被截断”的问题。
这是80%以上中小型档管系统的问题,快速排查步骤:

如果档管系统配置没问题,就查存储服务(以最常用的MySQL存储、rsyslog转发为例):
systemctl status mysqld CentOS/RHEL
sudo systemctl status mysql Ubuntu/Debiansystemctl restart mysqld CentOS/RHEL
sudo systemctl restart mysql Ubuntu/Debianmysql -u root -p
USE dms_database; 替换为档管系统的实际数据库名
SHOW TABLE STATUS LIKE 'dms_security_log'; 替换为实际日志表名CREATE TABLE dms_security_log_bak_202X0X0X LIKE dms_security_log; 替换备份日期
INSERT INTO dms_security_log_bak_202X0X0X SELECT FROM dms_security_log WHERE create_time < '202X-0X-01'; 替换保留的最早日期
DELETE FROM dms_security_log WHERE create_time < '202X-0X-01';systemctl status rsyslog
sudo systemctl status rsyslogsystemctl restart rsyslog
sudo systemctl restart rsyslog检查方法:
vim /etc/my.cnf CentOS/RHEL
sudo vim /etc/mysql/mysql.conf.d/mysqld.cnf Ubuntu/Debiangeneral_log = 1
general_log_file = /var/log/mysql/mysql-general.log如果是中小型商业档管系统(如泛微OA内置档管、致远互联档管),直接按第一步的配置菜单操作;如果是开源档管系统(如Mayan EDMS),补全配置文件:
sudo vim /etc/mayan/settings/local.pyfrom mayan.settings.production import
启用所有安全日志
LOGGING['loggers']['mayan.apps.acls'] = {'handlers': ['console', 'file'], 'level': 'INFO', 'propagate': False}
LOGGING['loggers']['mayan.apps.documents'] = {'handlers': ['console', 'file'], 'level': 'INFO', 'propagate': False}
LOGGING['loggers']['mayan.apps.permissions'] = {'handlers': ['console', 'file'], 'level': 'INFO', 'propagate': False}
LOGGING['loggers']['mayan.apps.user_management'] = {'handlers': ['console', 'file'], 'level': 'INFO', 'propagate': False}
设置本地日志存储路径和大小限制
LOGGING['handlers']['file'] = {'level': 'INFO', 'class': 'logging.handlers.RotatingFileHandler', 'filename': '/var/log/mayan/mayan-security.log', 'maxBytes': 10485760, 'backupCount': 30, 'formatter': 'verbose'}
启用数据库日志记录高权限操作
DOCUMENT_INDEXING_REBUILD_LOG_LEVEL = 'INFO'
DOCUMENT_DELETE_LOG_LEVEL = 'INFO'
USER_CREATE_LOG_LEVEL = 'INFO'
PERMISSION_GRANT_LOG_LEVEL = 'INFO'sudo systemctl restart mayanUSE dms_database;
ALTER TABLE dms_security_log MODIFY COLUMN log_content TEXT; 之前如果是VARCHAR,改成TEXT
SET GLOBAL max_allowed_packet = 104857600; 单条日志最大100MB
SET GLOBAL innodb_buffer_pool_size = 4294967296; 如果服务器内存≥8GB,设置为4GBsudo vim /etc/logrotate.d/mayan-security/var/log/mayan/mayan-security.log {
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 0640 mayan mayan
sharedscripts
postrotate
systemctl reload mayan 2>/dev/null || true
endscript
}USE dms_database;
REVOKE ALL PRIVILEGES ON dms_security_log FROM 'dms_user'@'%'; 替换档管系统专用账号和IP
GRANT INSERT, SELECT ON dms_security_log TO 'dms_user'@'%';sudo touch /var/log/mayan/mayan-security.log
sudo chown mayan:mayan /var/log/mayan/mayan-security.log
sudo chattr +a /var/log/mayan/mayan-security.log每周一用第一步的判定标准抽选1天、5个高权限用户的操作验证,每月做一次本地日志+数据库日志+设备原始访问日志的三方比对。