H.3 Format of output action log data
The action logs in Performance Management provide information related to system monitoring functions. Action logs are output to a single file on each host (physical host and logical host). The host to which the action log data is output depends on the action that was performed.
-
Event resulting from service execution: the action log data is output to the host where the service was executed
-
Event resulting from command execution: the action log data is output to the host where the command was executed
The following describes the output format, output destination, and output items of an action log.
- Organization of this subsection
(1) Output format
CALFHM x.x,output-item-1=value-1, output-item-2=value-2,...,output-item-n=value-n
(2) Output destination
- On physical hosts
-
-
In Windows
installation-folder\auditlog\
-
In UNIX
/opt/jp1pc/auditlog/
-
- On logical hosts
-
-
In Windows
environment-directory\jp1pc\auditlog\
-
In UNIX
environment-directory/jp1pc/auditlog/
-
You can change the output destination for action logs in the jpccomm.ini file. For details about how to change this setting in the jpccomm.ini file, see H.4 Settings for outputting action log data.
(3) Output items
The items in an action log fall into the following two categories:
-
Common output items
Items common to all JP1 products that output action log data.
-
Fixed output items
Optional items each JP1 product can output in action log data.
(a) Common output items
The following table lists the values output as common output items, and the content of each item.
No. |
Output item |
Value |
Description |
|
---|---|---|---|---|
Item name |
Output attribute name |
|||
1 |
Common specification identifier |
-- |
CALFHM |
An ID indicating that the information is formatted as an action log |
2 |
Common specification revision number |
-- |
x.x |
The revision number used to manage the action log |
3 |
Sequence number |
seqnum |
sequence-number |
The sequence number of the action log record |
4 |
Message ID |
msgid |
KAVExxxxx-x |
The message ID from the product |
5 |
Date and time |
date |
YYYY-MM-DDThh:mm:ss.sssTZD# |
The time (including time zone) when the action log was output |
6 |
Generated program name |
progid |
JP1PFM |
The name of the program where the event occurred |
7 |
Generated component name |
compid |
service-ID |
The name of the component where the event occurred |
8 |
Generated process ID |
pid |
process-ID |
The ID of the process associated with the event |
9 |
Generated location |
ocp:host |
|
The location where the event occurred |
10 |
Event type |
ctgry |
|
The name of the category to which the event output to the action log belongs |
11 |
Event result |
result |
|
The result of the event |
12 |
Subject identification information |
subj:pid |
process-ID |
Any of the following information:
|
subj:uid |
account-identifier (PFM user name or JP1 user name) |
|||
subj:euid |
execution-user-ID (OS user) |
- Legend:
-
--: None.
- #
-
T is used to separate the date and time.
TZD specifies the time zone. One of the following is output:
+hh:mm: Indicates a time zone hh:mm ahead of UTC.
-hh:mm: Indicates a time zone hh:mm behind UTC.
Z: Indicates a time zone equivalent to UTC.
(b) Fixed output items
The following table lists the values output as fixed output items, and the content of each item.
No. |
Output item |
Value |
Description |
|
---|---|---|---|---|
Item name |
Output attribute name |
|||
1 |
Object information |
obj |
|
The target of the operation. |
obj:table |
alarm-table-name |
|||
obj:alarm |
alarm-name |
|||
2 |
Action information |
op |
|
The action that generated the event. |
3 |
Permissions information |
auth |
|
The permission held by the user who performed the operation. |
auth:mode |
|
The authentication mode of the user who performed the operation. |
||
4 |
Location of output source |
dtp:host |
host-name-for-PFM-Agent-or-PFM-RM |
The host where the alarm was generated. |
5 |
Origin of instructions |
subjp:host |
|
The host where the instructions to perform the operation originated from. |
6 |
Free description |
msg |
message |
The message output at alarm generation or at automated action execution. |
The fixed output items output in an action log and the content of those fixed items depends on the type of event that caused the action log to be output. The following describes the message IDs and the content of the fixed output items in action logs for each event type.
■ When a PFM service starts or stops (StartStop)
-
Output host: The host where the service runs
-
Output component: Each service that is started or stopped
Item name
Attribute name
Value
Message ID
msgid
Starting service: KAVE03000-I
Stopping service: KAVE03001-I
Action information
op
Starting service: Start
Stopping service: Stop
■ When a service enters or leaves stand-alone mode (StartStop)
-
Output host: PFM - Agent or PFM - RM host
-
Output component: Agent Collector and Agent Store services for PFM - Agent host. Remote Monitor Collector and Remote Monitor Store services for PFM - RM host.
Item name
Attribute name
Value
Message ID
msgid
Beginning stand-alone mode: KAVE03002-I
Ending stand-alone mode: KAVE03003-I
■ When login authentication results are received from PFM - Web Console (Authentication)
-
Output host: The host where PFM - Manager (ViewServer) is running
-
Output component: ViewServer
Item name
Attribute name
Value
Message ID
msgid
Successful login: KAVE03050-I
Failed login: KAVE03051-W
Permissions information
auth
Administrator: Management
Ordinary user: Ordinary
auth:mode
PFM authentication mode: pfm
JP1 authentication mode: jp1
Origin of instruction
subjp:host
The host from which the login attempt was made (PFM - Web Console)
Free description
msg:skey
Only when login is successful: Session key between ViewServer and PFM - Web Console
■ Logout from PFM - Web Console (Authentication)
-
Output host: The host where PFM - Manager (ViewServer) is running
-
Output component: ViewServer
Item name
Attribute name
Value
Message ID
msgid
KAVE03052-I
Type of audit event
ctgry
Authentication
Result of audit event
result
Occurrence (occurrence)
Subject identification information
subj:uid
Account identifier (PFM user name or JP1 user name)
Free description
msg:skey
Session key between ViewServer and PFM - Web Console
■ When an alarm or action definition is created, updated, or deleted (ConfigurationAccess)
-
Output host: The host where PFM - Manager (ViewServer) is running or where the jpctool alarm command was executed
-
Output component: ViewServer / jpctool alarm command
Item name
Attribute name
Value
Message ID
msgid
Create: KAVE03150-I
Update: KAVE03151-I
Delete: KAVE03152-I
Enable: KAVE03153-I
Disable: KAVE03154-I
Object information
obj:table
The name of the alarm table that is the target of the operation
obj:alarm
The name of the alarm that is the target of the operation (omitted when not applicable)
Action information
op
Create: Add
Update: Update
Delete: Delete
Activate: Activate
Deactivate: Inactivate
Permissions information
auth
Administrator: Management
auth:mode
PFM authentication mode: pfm
JP1 authentication mode: jp1
OS user: os
Origin of instruction
subjp:ipv4
For ViewServer only: IP address from which the user logged in (PFM - Web Console)
subjp:host
Execution host name (for jpctool alarm command execution only)
■ When an alarm is bound or unbound (ConfigurationAccess)
-
Output host: The host where PFM - Manager is running or where the jpctool alarm command was executed
-
Output component: ViewServer / Master Manager / jpctool alarm command
Item name
Attribute name
Value
Message ID
msgid
Bind / Auto alarm bind: KAVE03155-I
Unbind: KAVE03156-I
Object information
obj
Service ID for PFM - Agent or PFM - RM
obj:table
The name of the alarm table
Action information
op
Bind: Bind
Unbind: Unbind
op:mode
Only for when the functionality for binding multiple alarm tables is enabled, and you have not unbound the alarm tables: Add
Permissions information
auth
Administrator: Management
auth:mode
PFM authentication mode: pfm
JP1 authentication mode: jp1
OS user: os
Origin of instruction
subjp:ipv4
For ViewServer only: IP address from which the user logged in (PFM - Web Console)
subjp:host
Only for the jpctool alarm command and Master Manager: execution host name
Free description
msg
Only when the functionality for binding multiple alarm tables is disabled, and Master Manager has unbound the alarm tables: ext=auto-unbind
Only when alarms are automatically bound to monitoring agents: text=auto-bind
■ When a PFM user is added, deleted, or updated (ConfigurationAccess)
-
Output host: The host where PFM - Manager (ViewServer) is running
-
Output component: ViewServer
Item name
Attribute name
Value
Message ID
msgid
Add: KAVE03157-I
Delete: KAVE03158-I
Update: KAVE03159-I
Change password: KAVE03160-I
Object information
obj
Name of added, deleted, or updated user (PFM user)
Action information
op
Create: Add
Delete: Delete
Update: Update
Change password: Change Password
Permissions information
auth
Administrator: Management
auth:mode
PFM authentication mode: pfm
Origin of instruction
subjp:ipv4
IP address from which the user logged in (PFM - Web Console)
■ When a multiple-monitoring definition is imported (ConfigurationAccess)
-
Output host: The PFM - Manager host that imports the definition
-
Output component: jpctool config mgrimport command
Item name
Attribute name
Value
Message ID
msgid
When the definition does not match: KAVE03550-E
When import is successful: KAVE03551-I
Start of each definition: KAVE03552-I
End of each definition: KAVE03553-I
When import failed: KAVE03554-E
Free description
exhost
Host name of the host installed with PFM - Manager that exported the definition
■ When monitoring is suspended or resumed (ConfigurationAccess)
-
Output host: The host where PFM - Manager (ViewServer) is running
-
Output component: Master Manager
Item name
Attribute name
Value
Message ID
msgid
Suspension of monitoring: KAVE03600-I
Resumption of monitoring: KAVE03601-I
Object information
obj:serv
Only when the change of status for a service is indicated: Service ID of the target service
obj:host
Only when the change of status for a host is indicated: Target host name (hosts, jpchosts, alias)
Action information
op
Suspension of monitoring: Suspend
Resumption of monitoring: Resume
op:mode
Only when operating information is stored and monitoring is suspended: log
Origin of instruction
subjp:host
For Master Manager only: Execution host name
■ When the status of the connection to PFM - Manager changes (ExternalService)
-
Output host: PFM - Agent or PFM - RM host
-
Output component: Agent Collector and Agent Store services for PFM - Agent host. Remote Monitor Collector and Remote Monitor Store services for PFM - RM host.
Item name
Attribute name
Value
Message ID
msgid
When an attempt to send an event to PFM - Manager fails (and queuing begins): KAVE03300-I
When an event was resent to PFM - Manager: KAVE03301-I
■ When PFM - Agent or PFM - RM connects or disconnects (ExternalService)
-
Output host: PFM - Manager host
-
Output component: Name Server service (only applies to connection and disconnection with the Agent Connector and Remote Monitor Collector, as well as Agent Store and Remote Monitor Store)
Item name
Attribute name
Value
Message ID
msgid
Connection with PFM - Agent or PFM - RM established: KAVE03304-I
Connection with PFM - Agent or PFM - RM released: KAVE03305-I
Object information
obj
service-ID-for-PFM-Agent-or-PFM-RM
■ When an alarm is generated (AnomalyEvent)
-
Output host: PFM - Manager host
-
Output component: Correlator service
Item name
Attribute name
Value
Message ID
msgid
KAVE03450-I
Location where event was detected
dtp:host
host-name-for-PFM-Agent-or-PFM-RM
Free description
msg
serviceid=service-ID-for-PFM-Agent-or-PFM-RM,severity={E|W|I}, date=alarm-generation-date,text=message-text
■ When an automated action is executed (ManagementAction)
-
Output host: The host that executed the action
-
Output component: Action Handler service
Item name
Attribute name
Value
Message ID
msgid
When generation of the command execution process was successful: KAVE03500-I
When generation of the command execution process failed: KAVE03501-W
When E-mail transmission was successful: KAVE03502-I
When E-mail transmission failed: KAVE03503-W
Free description
msg
Command execution: cmd=executed-command-line
E-mail transmission: mailto=destination-email-address
(4) Output example
The following shows an example of action log output.
CALFHM 1.0, seqnum=1, msgid=KAVE03000-I, date=2007-01-18T22:46:49.682+09:00, progid=JP1PFM, compid=TA1host01, pid=2076, ocp:host=host01, ctgry=StartStop, result=Occurrence, subj:pid=2076,op=Start