Appendix C. Information Output for Audited Events

The following table lists the information output for audited events.

Table C-1 Information output for audited events

| Audited event | Item name | Contents |
| --- | --- | --- |
| OpenTP1 startup | Message ID (msgid) | KFCA33400-I |
| | Component (compid) | adm |
| | Event type (ctgry) | StartStop |
| | Event result (result) | Success |
| | Subject ID information (subj: (euid, pid)) | User name or ID of the user who executed the dcstart command. |
| | Object (obj) | Node identifier |
| | Action information (op) | Start |
| | Object location information (objloc) | -- |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 290 + 2*a |
| OpenTP1 standby | Message ID (msgid) | KFCA33401-I |
| | Component (compid) | adm |
| | Event type (ctgry) | StartStop |
| | Event result (result) | Success |
| | Subject ID information (subj: (euid, pid)) | User name or ID of the superuser. |
| | Object (obj) | Node identifier |
| | Action information (op) | Start |
| | Object location information (objloc) | -- |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 326 + 2*a |
| Normal termination of OpenTP1 | Message ID (msgid) | KFCA33402-I |
| | Component (compid) | adm |
| | Event type (ctgry) | StartStop |
| | Event result (result) | Success |
| | Subject ID information (subj: (euid, pid)) | User name or ID of the user who executed the dcstop command |
| | Object (obj) | Node identifier |
| | Action information (op) | Stop |
| | Object location information (objloc) | -- |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 289 + 2*a |
| Abnormal termination of OpenTP1 | Message ID (msgid) | KFCA33403-E |
| | Component (compid) | adm |
| | Event type (ctgry) | Failure |
| | Event result (result) | Occurrence |
| | Subject ID information (subj: (euid, pid)) | The PID associated with the process that led to the OpenTP1 system going down (0 is output if the process is a process service.) |
| | Object (obj) | Node identifier (**** is output if the node identifier cannot be acquired.) |
| | Action information (op) | Occur |
| | Object location information (objloc) | -- |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 321 |
| Critical error in process service | Message ID (msgid) | KFCA33404-E |
| | Component (compid) | prc |
| | Event type (ctgry) | Failure |
| | Event result (result) | Occurrence |
| | Subject ID information (subj: (euid, pid)) | PID of process service |
| | Object (obj) | Node identifier (**** is output if the node identifier cannot be acquired.) |
| | Action information (op) | Occur |
| | Object location information (objloc) | -- |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 331 |
| User server startup | Message ID (msgid) | KFCA33405-I |
| | Component (compid) | adm |
| | Event type (ctgry) | StartStop |
| | Event result (result) | Success |
| | Subject ID information (subj: (euid, pid)) | User name or ID of the user who executed the dcsvstart command |
| | Object (obj) | User server name |
| | Action information (op) | Start |
| | Object location information (objloc) | Node identifier |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 285 + 2*(a + b) |
| | Remarks | These items are also output at startup and termination of the following servers: RAP-processing server, RAP-processing listener, RAP-processing client manager, TP1/EE, RTSSPP, RTSSUP, MQC gateway server, mqrspp, mqrsup |
| Normal termination of user server | Message ID (msgid) | KFCA33406-I |
| | Component (compid) | adm |
| | Event type (ctgry) | StartStop |
| | Event result (result) | Success |
| | Subject ID information (subj: (euid, pid)) | User name or ID of the user who executed the dcsvstop command |
| | Object (obj) | User server name |
| | Action information (op) | Stop |
| | Object location information (objloc) | Node identifier |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 284 + 2*(a + b) |
| | Remarks | These items are also output at startup and termination of the following servers: RAP-processing server, RAP-processing listener, RAP-processing client manager, TP1/EE, RTSSPP, RTSSUP, MQC gateway server, mqrspp, mqrsup |
| Abnormal termination of user server | Message ID (msgid) | KFCA33407-E |
| | Component (compid) | adm |
| | Event type (ctgry) | Failure |
| | Event result (result) | Occurrence |
| | Subject ID information (subj: (euid, pid)) | PID of the user server process that went down |
| | Object (obj) | User server name |
| | Action information (op) | Occur |
| | Object location information (objloc) | Node identifier |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 313 + 2*b |
| | Remarks | These items are also output at startup and termination of the following servers: RAP-processing server, RAP-processing listener, RAP-processing client manager, TP1/EE, RTSSPP, RTSSUP, MQC gateway server, mqrspp, mqrsup |
| User server shutdown | Message ID (msgid) | KFCA33408-I |
| | Component (compid) | scd |
| | Event type (ctgry) | Failure |
| | Event result (result) | Occurrence |
| | Subject ID information (subj: (euid, pid)) | PID of scheduler service |
| | Object (obj) | User server name |
| | Action information (op) | Occur |
| | Object location information (objloc) | Node identifier |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 348 + 2*b |
| Service shutdown on user server | Message ID (msgid) | KFCA33409-I |
| | Component (compid) | scd |
| | Event type (ctgry) | Failure |
| | Event result (result) | Occurrence |
| | Subject ID information (subj: (euid, pid)) | PID of scheduler service |
| | Object (obj) | User server name, service name |
| | Action information (op) | Occur |
| | Object location information (objloc) | Node identifier |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 365 + 2*(b (user-server-name) + b (service-name)) |
| Successful client user authentication | Message ID (msgid) | KFCA33410-I |
| | Component (compid) | nam |
| | Event type (ctgry) | Authentication |
| | Event result (result) | Success |
| | Subject ID information (subj: (euid, pid)) | PID of name service |
| | Object (obj) | Received login name |
| | Action information (op) | Login |
| | Object location information (objloc) | Node identifier |
| | Request source host (from:ipv4) | Y |
| | Request source port number (from:port) | Y |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 364 + 2*b |
| | Remarks | Output when Y is specified for the client_uid_check operand in the system common definition. |
| Unsuccessful client user authentication | Message ID (msgid) | KFCA33411-W |
| | Component (compid) | nam |
| | Event type (ctgry) | Authentication |
| | Event result (result) | Failure |
| | Subject ID information (subj: (euid, pid)) | PID of name service |
| | Object (obj) | Received login name |
| | Action information (op) | Login |
| | Object location information (objloc) | Node identifier |
| | Request source host (from:ipv4) | Y |
| | Request source port number (from:port) | Y |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 360 + 2*b |
| | Remarks | Output when Y is specified for the client_uid_check operand in the system common definition. |
| Service function started execution | Message ID (msgid) | KFCA33412-I |
| | Component (compid) | rpc |
| | Event type (ctgry) | AccessControl |
| | Event result (result) | Occurrence |
| | Subject ID information (subj: (euid, pid)) | PID of the user server that received the service function request |
| | Object (obj) | Name of requested service |
| | Action information (op) | Enforce |
| | Object location information (objloc) | Name of the requested service group |
| | Request source host (from:ipv4) | Y |
| | Request source port number (from:port) | Y (Outputs the reception port number of the request source.) |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 552 + 2*(b + c) + FSV + FSVG |
| | Remarks | • Not acquired for SPP of XATMI, and SPP.NET. • May also be output for the following servers, depending on the product versions used: Client extended service, RAP-processing server, RAP-processing listener, RAP-processing client manager, TP1/EE, MQC gateway server, mqrspp, mqrsup |
| Service function completed execution | Message ID (msgid) | KFCA33413-I |
| | Component (compid) | rpc |
| | Event type (ctgry) | AccessControl |
| | Event result (result) | Occurrence |
| | Subject ID information (subj: (euid, pid)) | PID of the user server that received the service function request |
| | Object (obj) | Name of requested service |
| | Action information (op) | Enforce |
| | Object location information (objloc) | Name of the requested service group |
| | Request source host (from:ipv4) | Y |
| | Request source port number (from:port) | Y (Outputs the reception port number of the request source.) |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 553 + 2*(b + c) + FSV + FSVG |
| | Remarks | • Not acquired for SPP of XATMI, and SPP.NET. • May also be output for the following servers, depending on the product versions used: Client extended service, RAP-processing server, RAP-processing listener, RAP-processing client manager, TP1/EE, MQC gateway server, mqrspp, mqrsup |
| Invalid message discarded | Message ID (msgid) | KFCA33414-W |
| | Component (compid) | rpc |
| | Event type (ctgry) | AnomalyEvent |
| | Event result (result) | Occurrence |
| | Subject ID information (subj: (euid, pid)) | PID of the process that detected the invalid message |
| | Object (obj) | Reception port number |
| | Action information (op) | Occur |
| | Object location information (objloc) | Node identifier (**** is output if the node identifier cannot be acquired.) |
| | Request source host (from:ipv4) | Y |
| | Request source port number (from:port) | Y (0 is output for UNIX domain communication.) |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 542 |
| RPC call completed | Message ID (msgid) | KFCA33415-I |
| | Component (compid) | rpc |
| | Event type (ctgry) | AccessControl |
| | Event result (result) | Success/Failure |
| | Subject ID information (subj: (euid, pid)) | PID of the user server that issued the request |
| | Object (obj) | Destination service of RPC request |
| | Action information (op) | Enforce |
| | Object location information (objloc) | Name of the service group comprising the requested service |
| | Request source host (from:ipv4) | Y |
| | Request source port number (from:port) | Y (Outputs the reception port number of the call source.) |
| | Request destination host (to:ipv4) | Y (Not output if an error is detected before the destination of the RPC request can be established.) |
| | Request destination port number (to:port) | Y (Not output if an error is detected before the destination of the RPC request can be established.) |
| | Log message size (Units: bytes) | 709 + 2*(b + c) + FSV + FSVG |
| | Remarks | • An entry is not output to the audit log for this event if the return value of dc_rpc_call is DCRPCER_PROTO or DCRPCER_INVALID_ARGS. • May also be output for the following servers, depending on the product versions used: Client extended service, RAP-processing server, RAP-processing listener, RAP-processing client manager, TP1/EE, MQC gateway server, mqrspp, mqrsup |
| RPC response received (when using the dc_rpc_poll_any_replies function) | Message ID (msgid) | KFCA33416-I |
| | Component (compid) | rpc |
| | Event type (ctgry) | AccessControl |
| | Event result (result) | Success/Failure |
| | Subject ID information (subj: (euid, pid)) | PID of the user server that issued dc_rpc_poll_any_replies() |
| | Object (obj) | Destination service of RPC request (******** is output if an error is detected when using asynchronous-response RPC, before a response is received.) |
| | Action information (op) | Enforce |
| | Object location information (objloc) | Name of the service group comprising the requested service (******** is output if an error is detected when using asynchronous-response RPC, before a response is received.) |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 538 + 2*(b + c) + FSV + FSVG |
| | Remarks | May also be output for the following servers, depending on the product versions used: Client extended service, RAP-processing server, RAP-processing listener, RAP-processing client manager, TP1/EE, MQC gateway server, mqrspp, mqrsup |
| Invalid RAP message discarded | Message ID (msgid) | KFCA33417-W |
| | Component (compid) | scs |
| | Event type (ctgry) | AnomalyEvent |
| | Event result (result) | Occurrence |
| | Subject ID information (subj: (euid, pid)) | PID of the process that detected the invalid message |
| | Object (obj) | Reception port number |
| | Action information (op) | Occur |
| | Object location information (objloc) | Node identifier |
| | Request source host (from:ipv4) | Y |
| | Request source port number (from:port) | Y |
| | Request destination host (to:ipv4) | Y |
| | Request destination port number (to:port) | Y |
| | Log message size (Units: bytes) | 535 |
| Error accessing the OpenTP1 file system | Message ID (msgid) | KFCA33418-W |
| | Component (compid) | fil |
| | Event type (ctgry) | ContentAccess |
| | Event result (result) | Failure |
| | Subject ID information (subj: (euid, pid)) | User name or ID of the process that requested access to the file |
| | Object (obj) | Name of the OpenTP1 file (If the name of the OpenTP1 file system cannot be acquired, this item is not output.) |
| | Action information (op) | Refer/Add/Update/Delete |
| | Object location information (objloc) | Name of the OpenTP1 file system (If the name of the OpenTP1 file system cannot be acquired, this item is not output.) |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 345 + 2*a + b + c |
| Command execution | Message ID (msgid) | KFCA33419-I |
| | Component (compid) | cmd |
| | Event type (ctgry) | Maintenance |
| | Event result (result) | Success/Failure/Occurrence |
| | Subject ID information (subj: (euid, pid)) | User name or ID of the user who executed the command. |
| | Object (obj) | Command name |
| | Action information (op) | Maintain |
| | Object location information (objloc) | -- |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 306 + 2*(a + b) + CPARM |
| Startup of OpenTP1 service | Message ID (msgid) | KFCA33420-I |
| | Component (compid) | nts |
| | Event type (ctgry) | StartStop |
| | Event result (result) | Success |
| | Subject ID information (subj: (euid, pid)) | Service logon account |
| | Object (obj) | Service name (Windows service name) |
| | Action information (op) | Start |
| | Object location information (objloc) | -- |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 268 + 2*(a + b) |
| | Remarks | Output only in the Windows version |
| Termination of OpenTP1 service | Message ID (msgid) | KFCA33421-I |
| | Component (compid) | nts |
| | Event type (ctgry) | StartStop |
| | Event result (result) | Success |
| | Subject ID information (subj: (euid, pid)) | Service logon account |
| | Object (obj) | Service name (Windows service name) |
| | Action information (op) | Stop |
| | Object location information (objloc) | -- |
| | Request source host (from:ipv4) | -- |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 259 + 2*(a + b) |
| | Remarks | Output only in the Windows version |
| User-specific information acquired from a UAP | Message ID (msgid) | KFCA34000-x to KFCA34999-x |
| | Component (compid) | User-specified value. (Output in the format *AA, where AA is the value specified by the audit log output API.) |
| | Event type (ctgry) | User-specified value |
| | Event result (result) | Success/Failure/Occurrence |
| | Subject ID information (subj: (euid, pid)) | User name or ID of the user server that called the audit log output API |
| | Object (obj) | Service name |
| | Action information (op) | User-specified value |
| | Object location information (objloc) | User server name |
| | Request source host (from:ipv4) | Y |
| | Request source port number (from:port) | -- |
| | Request destination host (to:ipv4) | -- |
| | Request destination port number (to:port) | -- |
| | Log message size (Units: bytes) | 290 + a + b + c + msg |
Legend:
Y: This item is output.
--: N/A
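
A triage pass over the authentication and invalid-message events in Table C-1, as an added example that is not part of the original manual or of the product. It checks each record's event type and result against the table, then groups authentication failures by request source host. It assumes entries are already parsed into dicts keyed by the item names above; `triage`, `make_record`, the threshold and the sample records are constructed for illustration.

```python
from collections import defaultdict

# (ctgry, result) that Table C-1 lists for the message IDs watched here.
EXPECTED = {
    "KFCA33410-I": ("Authentication", "Success"),
    "KFCA33411-W": ("Authentication", "Failure"),
    "KFCA33414-W": ("AnomalyEvent", "Occurrence"),
    "KFCA33417-W": ("AnomalyEvent", "Occurrence"),
}

def make_record(msgid, ctgry, result, obj, src):
    """Build one constructed record keyed by the item names in Table C-1."""
    return {"msgid": msgid, "ctgry": ctgry, "result": result,
            "obj": obj, "from:ipv4": src}

# Constructed sample input (documentation address ranges). ASSUMPTION: entries
# are already parsed into dicts; the on-disk line format is not shown here.
SAMPLE = [
    make_record("KFCA33410-I", "Authentication", "Success", "tp1user", "192.0.2.10"),
    make_record("KFCA33411-W", "Authentication", "Failure", "admin", "198.51.100.7"),
    make_record("KFCA33411-W", "Authentication", "Failure", "root", "198.51.100.7"),
    make_record("KFCA33411-W", "Authentication", "Failure", "tp1user", "198.51.100.7"),
    make_record("KFCA33414-W", "AnomalyEvent", "Occurrence", "10020", "198.51.100.7"),
    make_record("KFCA33411-W", "Authentication", "Success", "ops", "203.0.113.5"),
]

def triage(records, fail_threshold=3):
    """Return findings as (kind, request_source_host, detail) tuples."""
    findings, failures = [], defaultdict(list)
    for rec in records:
        msgid, src = rec.get("msgid"), rec.get("from:ipv4", "--")
        want = EXPECTED.get(msgid)
        if want is None:
            continue  # event not watched by this example
        if (rec.get("ctgry"), rec.get("result")) != want:
            # Contradicts the table: parser fault or altered entry, so do not count it.
            findings.append(("inconsistent-record", src, msgid))
        elif msgid == "KFCA33411-W":
            failures[src].append(rec.get("obj"))  # obj = received login name
        elif want[0] == "AnomalyEvent":
            findings.append(("invalid-message", src, f"reception port {rec.get('obj')}"))
    for src, logins in failures.items():
        if len(logins) >= fail_threshold:
            detail = f"{len(logins)} failures, {len(set(logins))} login names"
            findings.append(("auth-failures", src, detail))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

KFCA33410-I and KFCA33411-W are output only when Y is specified for the client_uid_check operand, so a log with no authentication events does not by itself show that no logins were attempted.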
Explanation of variables used in equations for calculating log message size
To calculate the log message size, replace the variables in the equation with the values for those items. The variables FSV, FSVG, CPARM, and msg refer to data output in comment (msg) format. The following table gives the meaning of each variable:
| Variable | Description |
| --- | --- |
| a | The number of characters output as subject ID information |
| b | The number of characters output as object information |
| c | The number of characters output as object location information |
| FSV | The number of characters in the name of the requesting service |
| FSVG | The number of characters in the name of the service group that issued the request |
| CPARM | The number of characters in the command parameters |
| msg | The number of characters in the comment |
Calculating the log message size
Calculate the log message size by using the equation particular to the event. To the result of the equation, add the number of characters in the value of the DCDIR environment variable. The result is the log message size for that event.
Example:
The following is an example of calculating the log message size for an OpenTP1 startup event (associated with message ID KFCA33400-I). The name of the user who executed the dcstart command is tp1user (7 characters), so a = 7. The value of the DCDIR environment variable is /usr/OpenTP1 (12 characters), so 12 is added to the result of the equation.

Equation       = 290 + 2*a
               = 290 + 2*7
               = 304

Chars in DCDIR = 12

Log size       = 304 + 12
               = 316
Note on log message sizes
The equations for calculating log message size are meant to provide a certain amount of leeway. For this reason, the actual size of the log data may be smaller than the estimate.