OpenTP1 Version 7 Operation


3.7.4 Information output to audit logs

Organization of this subsection
(1) Audit log output format
(2) Output example and output items

(1) Audit log output format

Entries are output to an audit log in the following format:

CALFHM 1.0,output-item-1=value-1, output-item-2=value-2, ... output-item-n=value-n

The string CALFHM 1.0 serves as header information, and is output for all audit log entries.

(2) Output example and output items

The following is an example of audit log output:

CALFHM 1.0, seqnum=1, msgid=KFCA33400-I,
date=2007-10-30T16:09:59.884+09:00, progid=OpenTP1, compid=adm, pid=11600,
ocp:ipv4=192.112.100.10, ctgry=StartStop, result=Success,
subj:euid="tp1user", obj="smpl", op=Start, loc="/OpenTP1", msg="User tp1user
started OpenTP1(smpl)."

The following table lists the items entered in an audit log file.

Table 3-12 Items output to audit log file

Item name | Meaning | Content | Common or program-specific#1
seqnum | Sequence number | A process-specific sequence number assigned to audit logs | Common information
msgid | Message ID | The message ID | Common information
date | Date and time | The date and time when the message was output, in the following format: YYYY-MM-DDThh:mm:ss.sssTZD | Common information
  YYYY: Year
  MM: Month
  DD: Day
  T: delimiter between date and time
  hh: Hours
  mm: Minutes
  ss: Seconds
  sss: Milliseconds
  TZD: Timezone#2
progid | Source program | The character string OpenTP1 | Common information
compid | Source component | The name of the component where the event occurred. Audit logs acquired from a UAP by an API which outputs audit logs have the format *AA, where AA is the value specified in the API. Audit logs that do not begin with * are output by OpenTP1. | Common information
pid | Process ID | The ID of the process associated with the event | Common information
ocp:host, ocp:ipv4 | Source location | The host name or IP address of the server where the event occurred | Common information
ctgry | Event category | The event category, as one of the following: | Common information
  • StartStop: Indicates that a server or service has started or stopped.
  • Authentication: Indicates that user authentication was attempted.
  • ConfigurationAccess: Indicates that a setting or aspect of system configuration has been changed.
  • AccessControl: Indicates that a user has attempted to access a managed resource, and the attempt failed or was successful.
  • Failure: Indicates a software error.
  • LinkStatus#3: Indicates the link status between devices.
  • ExternalService#3: Indicates the result of communication with an external service.
  • ContentAccess: Indicates that a user has attempted to access critical data, and whether the attempt failed.
  • Maintenance: Indicates that a maintenance-related operation was executed, and whether the operation failed.
  • AnomalyEvent: Indicates that a communication error occurred.
  • ManagementAction#3: Indicates execution of a critical action by a program, or an action triggered by another event.
result | Event result | The result of the event, as one of the following: | Common information
  • Success: The event was successful.
  • Failure: The event was a failure.
  • Occurrence: There is no distinction between success or failure for the event.
subj:euid, subj:pid | Subject ID information | The user or process that caused the event, as one of the following: | Common information
  • User name (the user ID of the OS account)
  • Process ID
obj | Object information | Information identifying the target of the operation that generated the event | Program-specific information
op | Action information | The type of action that generated the event, as one of the following: | Program-specific information
  • Start: A program started.
  • Stop: A program stopped.
  • Login: Login occurred.
  • Logout#3: Logout occurred.
  • Logon#3: Logon occurred.
  • Logoff#3: Logoff occurred.
  • Refer: A setting was referenced.
  • Add#3: A setting was added.
  • Update#3: A setting was updated.
  • Delete: A setting was deleted.
  • Occur: An error or the like occurred.
  • Enforce: Processing was enforced.
  • Up#3: A link became active.
  • Down#3: A link became inactive.
  • Request#3: A request was issued.
  • Response#3: A response was issued.
  • Send#3: Information was sent.
  • Receive#3: Information was received.
  • Install#3: A program was installed.
  • Uninstall#3: A program was uninstalled.
  • Backup#3: A backup was taken.
  • Maintain: A maintenance task was performed.
  • Invoke#3: A system administrator or the like called a function.
  • Notify#3: A system administrator or the like was issued a notification.
objloc | Object location information | Information about the location of the object | Program-specific information
from:host, from:ipv4 | Request source host | When the event involves multiple programs, the host name or IP address where the request originated | Program-specific information
from:port | Request source port | When the event involves multiple programs, the port number where the request originated | Program-specific information
to:host, to:ipv4 | Request destination host | When the event involves multiple programs, the host name or IP address where the request was directed | Program-specific information
to:port | Request destination port | When the event involves multiple programs, the port number where the request was directed | Program-specific information
loc | Location information | The information set in the DCDIR environment variable | Program-specific information
msg | Message | A message describing the nature of the event | Program-specific information

#1
All the output items categorized as common information are output to the audit log. Items categorized as program-specific information may or may not be output depending on the particular circumstances.

#2
The time zone is expressed as an offset from UTC. The following explains how to interpret the time zone:
+hh:mm
Indicates a time zone hh:mm ahead of UTC.
-hh:mm
Indicates a time zone hh:mm behind UTC.
Z
Indicates a time zone equivalent to UTC.
Japan Standard Time appears as +09:00.

#3
This information is output only when an API that outputs audit logs is used to acquire audit log information from a UAP.

For details about which items are output for each type of event, see C. Information Output for Audited Events.
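
The following Python parser for the entry format and items described in this subsection is an added example, not part of the OpenTP1 manual or product. The names parse_entry and from_uap are hypothetical. It assumes that the line wrapping in the output example is layout only, that quoted values contain no embedded double quotes (this subsection does not describe an escaping rule), and that one of ocp:host/ocp:ipv4 and one of subj:euid/subj:pid is enough to satisfy the common information.

```python
import re
from datetime import datetime, timezone

HEADER = "CALFHM 1.0"
# One key=value pair: the value is double-quoted (may contain commas) or runs to the next comma.
PAIR = re.compile(r'\s*([\w:]+)=("[^"]*"|[^,]*)\s*(?:,|$)')
# Items the table marks as common information; the ocp:* and subj:* pairs are checked separately.
COMMON = ("seqnum", "msgid", "date", "progid", "compid", "pid", "ctgry", "result")

def parse_entry(text):
    """Parse one CALFHM 1.0 audit log entry into a dict of typed fields."""
    line = " ".join(text.split())          # assumption: line wraps are layout only
    if not line.startswith(HEADER):
        raise ValueError("missing CALFHM 1.0 header")
    body, pos, fields = line[len(HEADER):].lstrip(", "), 0, {}
    while pos < len(body):
        m = PAIR.match(body, pos)
        if m is None:
            raise ValueError(f"malformed item at offset {pos}: {body[pos:pos + 20]!r}")
        value = m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]            # drop the surrounding quotes
        fields[m.group(1)] = value
        pos = m.end()
    missing = [k for k in COMMON if k not in fields]
    if not ({"ocp:host", "ocp:ipv4"} & fields.keys()):
        missing.append("ocp:host|ocp:ipv4")
    if not ({"subj:euid", "subj:pid"} & fields.keys()):
        missing.append("subj:euid|subj:pid")
    if missing:
        raise ValueError(f"common items missing: {missing}")
    fields["seqnum"], fields["pid"] = int(fields["seqnum"]), int(fields["pid"])
    # TZD is +hh:mm, -hh:mm or Z; map Z to +00:00 so older Pythons accept it too.
    stamp = fields["date"][:-1] + "+00:00" if fields["date"].endswith("Z") else fields["date"]
    fields["date"] = datetime.fromisoformat(stamp).astimezone(timezone.utc)
    # A compid beginning with * marks an entry a UAP wrote through the audit log API.
    fields["from_uap"] = fields["compid"].startswith("*")
    return fields

# The output example from this subsection, kept with its line wrapping.
SAMPLE = """CALFHM 1.0, seqnum=1, msgid=KFCA33400-I,
date=2007-10-30T16:09:59.884+09:00, progid=OpenTP1, compid=adm, pid=11600,
ocp:ipv4=192.112.100.10, ctgry=StartStop, result=Success,
subj:euid="tp1user", obj="smpl", op=Start, loc="/OpenTP1", msg="User tp1user
started OpenTP1(smpl)."
"""

if __name__ == "__main__":
    for key, value in parse_entry(SAMPLE).items():
        print(f"{key:10} {value}")
```

Converting date to UTC on ingestion lets entries from hosts in different time zones be ordered on one timeline.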