H.3 Format of output action log data

The action logs in Performance Management provide information related to system monitoring functions. Action logs are output to a single file on each host (physical host and logical host). The host to which the action log data is output depends on the action that was performed.

Event resulting from service execution: the action log data is output to the host where the service was executed
Event resulting from command execution: the action log data is output to the host where the command was executed

The following describes the output format, output destination, and output items of an action log.

Organization of this subsection

(1) Output format
(2) Output destination
(3) Output items
(4) Output example

(1) Output format

CALFHM x.x,output-item-1=value-1, output-item-2=value-2,...,output-item-n=value-n

To Page Top

(2) Output destination

On physical hosts

In Windows

installation-folder\auditlog\
In UNIX

/opt/jp1pc/auditlog/

On logical hosts

In Windows

environment-directory\jp1pc\auditlog\
In UNIX

environment-directory/jp1pc/auditlog/

You can change the output destination for action logs in the jpccomm.ini file. For details about how to change this setting in the jpccomm.ini file, see H.4 Settings for outputting action log data.

To Page Top

(3) Output items

The items in an action log fall into the following two categories:

Common output items

Items common to all JP1 products that output action log data.
Fixed output items

Optional items each JP1 product can output in action log data.

(a) Common output items

The following table lists the values output as common output items, and the content of each item.

Table H‒2: Common output items in action logs
No.	Output item		Value	Description
No.	Item name	Output attribute name	Value	Description
1	Common specification identifier	--	`CALFHM`	An ID indicating that the information is formatted as an action log
2	Common specification revision number	--	`x.x`	The revision number used to manage the action log
3	Sequence number	`seqnum`	`sequence-number`	The sequence number of the action log record
4	Message ID	`msgid`	`KAVExxxxx-x`	The message ID from the product
5	Date and time	`date`	`YYYY-MM-DDThh:mm:ss.sssTZD`^#	The time (including time zone) when the action log was output
6	Generated program name	`progid`	`JP1PFM`	The name of the program where the event occurred
7	Generated component name	`compid`	`service-ID`	The name of the component where the event occurred
8	Generated process ID	`pid`	`process-ID`	The ID of the process associated with the event
9	Generated location	`ocp:host`	`host-name` `IP-address`	The location where the event occurred
10	Event type	`ctgry`	`StartStop` `Authentication` `ConfigurationAccess` `ExternalService` `AnomalyEvent` `ManagementAction`	The name of the category to which the event output to the action log belongs
11	Event result	`result`	`Success` `Failure` `Occurrence`	The result of the event
12	Subject identification information	`subj:pid`	`process-ID`	Any of the following information: The ID of the user-operated process The ID of the process that generated the event The username of the user who generated the event Identification information unique to a particular user
		`subj:uid`	`account-identifier` (PFM user name or JP1 user name)
		`subj:euid`	`execution-user-ID` (OS user)

Legend:

--: None.

#

T is used to separate the date and time.

TZD specifies the time zone. One of the following is output:

+hh:mm: Indicates a time zone hh:mm ahead of UTC.

-hh:mm: Indicates a time zone hh:mm behind UTC.

Z: Indicates a time zone equivalent to UTC.

(b) Fixed output items

The following table lists the values output as fixed output items, and the content of each item.

Table H‒3: Fixed output items in action logs
No.	Output item		Value	Description
No.	Item name	Output attribute name	Value	Description
1	Object information	`obj`	`service-ID-for-PFM-Agent-or-PFM-RM` `name-of- added-deleted-or-updated-user` (PFM user)	The target of the operation.
		`obj:table`	`alarm-table-name`
		`obj:alarm`	`alarm-name`
2	Action information	`op`	`Start` `Stop` `Add` `Update` `Delete` `Change Password` `Activate` `Inactivate` `Bind` `Unbind`	The action that generated the event.
3	Permissions information	`auth`	Administrator `Management` Ordinary user `Ordinary` Windows `Administrator` UNIX `SuperUser`	The permission held by the user who performed the operation.
3	Permissions information	`auth:mode`	PFM authentication mode `pfm` JP1 authentication mode `jp1` OS user `os`	The authentication mode of the user who performed the operation.
4	Location of output source	`dtp:host`	`host-name-for-PFM-Agent-or-PFM-RM`	The host where the alarm was generated.
5	Origin of instructions	`subjp:host`	`login-host-name` `execution-host-name` (when executing the `jpctool` `alarm` command)	The host where the instructions to perform the operation originated from.
6	Free description	`msg`	`message`	The message output at alarm generation or at automated action execution.

The fixed output items output in an action log and the content of those fixed items depends on the type of event that caused the action log to be output. The following describes the message IDs and the content of the fixed output items in action logs for each event type.

■ When a PFM service starts or stops (StartStop)

Output host: The host where the service runs

Output component: Each service that is started or stopped

Item name	Attribute name	Value
Message ID	`msgid`	Starting service: `KAVE03000-I` Stopping service: `KAVE03001-I`
Action information	`op`	Starting service: `Start` Stopping service: `Stop`

Item name

Attribute name

Value

Message ID

msgid

Starting service: KAVE03000-I

Stopping service: KAVE03001-I

Action information

op

Starting service: Start

Stopping service: Stop

■ When a service enters or leaves stand-alone mode (StartStop)

Output host: PFM - Agent or PFM - RM host

Output component: Agent Collector and Agent Store services for PFM - Agent host. Remote Monitor Collector and Remote Monitor Store services for PFM - RM host.

Item name	Attribute name	Value
Message ID	`msgid`	Beginning stand-alone mode: `KAVE03002-I` Ending stand-alone mode: `KAVE03003-I`

Item name

Attribute name

Value

Message ID

msgid

Beginning stand-alone mode: KAVE03002-I

Ending stand-alone mode: KAVE03003-I

Note 1: No fixed output items are output.

Note 2: Each PFM - Agent or PFM - RM service connects to the PFM - Manager host at startup, and begins such tasks as registering node information and acquiring the latest alarm definition information. If the PFM - Agent service is unable to connect to the PFM - Manager host, its functionality will be restricted to certain functions such as collecting operating information. This is called stand-alone mode. In this case, the message KAVE03002-I is output to indicate that the PFM - Agent has entered stand-alone mode. While in stand-alone mode, PFM - Agent makes periodic attempts to connect to PFM - Manager and perform the intended tasks such as registering node information and acquiring definition information. When such an attempt is successful, PFM - Agent exits stand-alone mode and the message KAVE03003-I is output. By reviewing the action log, you can see that PFM - Agent or PFM - RM was running with limited functionality during the time between KAVE03002-I and KAVE03003-I were output.

■ When login authentication results are received from PFM - Web Console (Authentication)

Output host: The host where PFM - Manager (ViewServer) is running

Output component: ViewServer

Item name	Attribute name	Value
Message ID	`msgid`	Successful login: `KAVE03050-I` Failed login: `KAVE03051-W`
Permissions information	`auth`	Administrator: `Management` Ordinary user: `Ordinary`
Permissions information	`auth:mode`	PFM authentication mode: `pfm` JP1 authentication mode: `jp1`
Origin of instruction	`subjp:host`	The host from which the login attempt was made (PFM - Web Console)
Free description	`msg:skey`	Only when login is successful: Session key between ViewServer and PFM - Web Console

Note: Not only at login, when you execute the following commands, a log that has the user specified by the jpcmkkey command as the subject information is also output.

jpcaspsv
jpcasrec
jpcmkkey
jpcrdef
jpcrpt
jpcprocdef

■ Logout from PFM - Web Console (Authentication)

Output host: The host where PFM - Manager (ViewServer) is running

Output component: ViewServer

Item name	Attribute name	Value
Message ID	`msgid`	KAVE03052-I
Type of audit event	`ctgry`	`Authentication`
Result of audit event	`result`	`Occurrence` (occurrence)
Subject identification information	`subj:uid`	Account identifier (PFM user name or JP1 user name)
Free description	`msg:skey`	Session key between ViewServer and PFM - Web Console

Note 1: The user name for login is always set as the subject identification information. Therefore, there is no distinction between logout by user operation (clicking the logout button) and logout by system operation (such as session timeout).

Note 2: When PFM - Web Console is forcibly terminated during login, logout for the associated login is not output.

Note 3: When you execute the following commands, not only at logout, a log that has the user specified by the jpcmkkey command as the subject information is also output.

jpcaspsv
jpcasrec
jpcmkkey
jpcrdef
jpcrpt
jpcprocdef

■ When an alarm or action definition is created, updated, or deleted (ConfigurationAccess)

Output host: The host where PFM - Manager (ViewServer) is running or where the jpctool alarm command was executed

Output component: ViewServer / jpctool alarm command

Item name	Attribute name	Value
Message ID	`msgid`	Create: `KAVE03150-I` Update: `KAVE03151-I` Delete: `KAVE03152-I` Enable: `KAVE03153-I` Disable: `KAVE03154-I`
Object information	`obj:table`	The name of the alarm table that is the target of the operation
Object information	`obj:alarm`	The name of the alarm that is the target of the operation (omitted when not applicable)
Action information	`op`	Create: `Add` Update: `Update` Delete: `Delete` Activate: `Activate` Deactivate: `Inactivate`
Permissions information	`auth`	Administrator: `Management`
Permissions information	`auth:mode`	PFM authentication mode: `pfm` JP1 authentication mode: `jp1` OS user: `os`
Origin of instruction	`subjp:ipv4`	For ViewServer only: IP address from which the user logged in (PFM - Web Console)
Origin of instruction	`subjp:host`	Execution host name (for `jpctool` `alarm` command execution only)

Note 1: When an alarm definition is created from PFM - Web Console in an environment where PFM - Manager or PFM - Web Console version 10-00 or earlier is used, KAVE03151-I (op=Update) is output instead of KAVE03150-I (op=Add).

Note 2: When an alarm definition is activated from PFM - Web Console, KAVE03151-I (op=Update) is output instead of KAVE03153-I (op=Activate).

Note 3: When an alarm definition is deactivated from PFM - Web Console, KAVE03151-I (op=Update) is output instead of KAVE03154-I (op=Inactivate).

Note 4: When an alarm definition is updated from PFM - Web Console, KAVE03151-I (op=Update) or KAVE03152-I (op=Delete) is output.

Note 5: When an alarm definition is copied, KAVE03150-I (op=Add) is output. This is common to PFM - Web Console, and the jpctool alarm command.

■ When an alarm is bound or unbound (ConfigurationAccess)

Output host: The host where PFM - Manager is running or where the jpctool alarm command was executed

Output component: ViewServer / Master Manager / jpctool alarm command

Item name	Attribute name	Value
Message ID	`msgid`	Bind / Auto alarm bind: `KAVE03155-I` Unbind: `KAVE03156-I`
Object information	`obj`	Service ID for PFM - Agent or PFM - RM
Object information	`obj:table`	The name of the alarm table
Action information	`op`	Bind: `Bind` Unbind: `Unbind`
Action information	`op:mode`	Only for when the functionality for binding multiple alarm tables is enabled, and you have not unbound the alarm tables: `Add`
Permissions information	`auth`	Administrator: `Management`
Permissions information	`auth:mode`	PFM authentication mode: `pfm` JP1 authentication mode: `jp1` OS user: `os`
Origin of instruction	`subjp:ipv4`	For ViewServer only: IP address from which the user logged in (PFM - Web Console)
Origin of instruction	`subjp:host`	Only for the `jpctool alarm` command and Master Manager: execution host name
Free description	`msg`	Only when the functionality for binding multiple alarm tables is disabled, and Master Manager has unbound the alarm tables: `ext=auto-unbind` Only when alarms are automatically bound to monitoring agents: `text=auto-bind`

■ When a PFM user is added, deleted, or updated (ConfigurationAccess)

Output host: The host where PFM - Manager (ViewServer) is running

Output component: ViewServer

Item name	Attribute name	Value
Message ID	`msgid`	Add: `KAVE03157-I` Delete: `KAVE03158-I` Update: `KAVE03159-I` Change password: `KAVE03160-I`
Object information	`obj`	Name of added, deleted, or updated user (PFM user)
Action information	`op`	Create: `Add` Delete: `Delete` Update: `Update` Change password: `Change` `Password`
Permissions information	`auth`	Administrator: `Management`
Permissions information	`auth:mode`	PFM authentication mode: `pfm`
Origin of instruction	`subjp:ipv4`	IP address from which the user logged in (PFM - Web Console)

■ When a multiple-monitoring definition is imported (ConfigurationAccess)

Output host: The PFM - Manager host that imports the definition

Output component: jpctool config mgrimport command

Item name	Attribute name	Value
Message ID	`msgid`	When the definition does not match: `KAVE03550-E` When import is successful: `KAVE03551-I` Start of each definition: `KAVE03552-I` End of each definition: `KAVE03553-I` When import failed: `KAVE03554-E`
Free description	`exhost`	Host name of the host installed with PFM - Manager that exported the definition

Item name

Attribute name

Value

Message ID

msgid

When the definition does not match: KAVE03550-E

When import is successful: KAVE03551-I

Start of each definition: KAVE03552-I

End of each definition: KAVE03553-I

When import failed: KAVE03554-E

Free description

exhost

Host name of the host installed with PFM - Manager that exported the definition

■ When monitoring is suspended or resumed (ConfigurationAccess)

Output host: The host where PFM - Manager (ViewServer) is running

Output component: Master Manager

Item name	Attribute name	Value
Message ID	`msgid`	Suspension of monitoring: `KAVE03600-I` Resumption of monitoring: `KAVE03601-I`
Object information	`obj:serv`	Only when the change of status for a service is indicated: Service ID of the target service
Object information	`obj:host`	Only when the change of status for a host is indicated: Target host name (`hosts`, `jpchosts`, alias)
Action information	`op`	Suspension of monitoring: `Suspend` Resumption of monitoring: `Resume`
Action information	`op:mode`	Only when operating information is stored and monitoring is suspended: `log`
Origin of instruction	`subjp:host`	For Master Manager only: Execution host name

Note: When a host is specified, log data is output to the specified host. When an agent is specified, log data is output to the specified agent.

■ When the status of the connection to PFM - Manager changes (ExternalService)

Output host: PFM - Agent or PFM - RM host

Output component: Agent Collector and Agent Store services for PFM - Agent host. Remote Monitor Collector and Remote Monitor Store services for PFM - RM host.

Item name	Attribute name	Value
Message ID	`msgid`	When an attempt to send an event to PFM - Manager fails (and queuing begins): `KAVE03300-I` When an event was resent to PFM - Manager: `KAVE03301-I`

Item name

Attribute name

Value

Message ID

msgid

When an attempt to send an event to PFM - Manager fails (and queuing begins): KAVE03300-I

When an event was resent to PFM - Manager: KAVE03301-I

Note 1: No fixed output items are output.

Note 2: If the Agent Store and Remote Monitor Store services fail in an attempt to send an event to PFM - Manager, it begins to queue events, storing up to three occurrences of each event in the queue. The message KAVE03300-I is output at the point when queuing begins after a failed attempt at event transmission. When the connection to PFM - Manager is restored, the message KAVE03301-I is output once the service has finished sending the queued events. By reviewing the action log, you can learn that events were not being sent to PFM - Manager in real time during the time between when KAVE03300-I and KAVE03301-I were output.

Note 3: Under normal circumstances, the Agent Collector or Remote Monitor Collector service sends events to PFM - Manager through the Agent Store or Remote Monitor Store service. If the Agent Store or Remote Monitor Store service is unavailable for some reason, the Agent Collector or Remote Monitor Collector service sends events directly to PFM - Manager. If this fails, the message KAVE03300-I is output. In this case, the message KAVE03301-I is not output because queuing is not started. By reviewing the action log, you can learn that some events occurred that were never sent to PFM - Manager.

■ When PFM - Agent or PFM - RM connects or disconnects (ExternalService)

Output host: PFM - Manager host

Output component: Name Server service (only applies to connection and disconnection with the Agent Connector and Remote Monitor Collector, as well as Agent Store and Remote Monitor Store)

Item name	Attribute name	Value
Message ID	`msgid`	Connection with PFM - Agent or PFM - RM established: `KAVE03304-I` Connection with PFM - Agent or PFM - RM released: `KAVE03305-I`
Object information	`obj`	`service-ID-for-PFM-Agent-or-PFM-RM`

Item name

Attribute name

Value

Message ID

msgid

Connection with PFM - Agent or PFM - RM established: KAVE03304-I

Connection with PFM - Agent or PFM - RM released: KAVE03305-I

Object information

obj

service-ID-for-PFM-Agent-or-PFM-RM

■ When an alarm is generated (AnomalyEvent)

Output host: PFM - Manager host

Output component: Correlator service

Item name	Attribute name	Value
Message ID	`msgid`	`KAVE03450-I`
Location where event was detected	`dtp:host`	`host-name-for-PFM-Agent-or-PFM-RM`
Free description	`msg`	`serviceid=service-ID-for-PFM-Agent-or-PFM-RM,severity={E\|W\|I}, date=alarm-generation-date,text=message-text`

■ When an automated action is executed (ManagementAction)

Output host: The host that executed the action

Output component: Action Handler service

Item name	Attribute name	Value
Message ID	`msgid`	When generation of the command execution process was successful: `KAVE03500-I` When generation of the command execution process failed: `KAVE03501-W` When E-mail transmission was successful: `KAVE03502-I` When E-mail transmission failed: `KAVE03503-W`
Free description	`msg`	Command execution: `cmd=executed-command-line` E-mail transmission: `mailto=destination-email-address`

Item name

Attribute name

Value

Message ID

msgid

When generation of the command execution process was successful: KAVE03500-I

When generation of the command execution process failed: KAVE03501-W

When E-mail transmission was successful: KAVE03502-I

When E-mail transmission failed: KAVE03503-W

Free description

msg

Command execution: cmd=executed-command-line

E-mail transmission: mailto=destination-email-address

Note: The message KAVE03500-I is output at the point when the command execution process is successfully generated. Subsequent information such as logs indicating whether command execution took place and the execution results is not output to the action log.

To Page Top

(4) Output example

The following shows an example of action log output.

CALFHM 1.0, seqnum=1, msgid=KAVE03000-I, date=2007-01-18T22:46:49.682+09:00,
progid=JP1PFM, compid=TA1host01, pid=2076,
ocp:host=host01, ctgry=StartStop, result=Occurrence,
subj:pid=2076,op=Start

To Page Top