Hitachi

JP1 Version 12 JP1/Performance Management Planning and Configuration Guide


H.3 Format of output action log data

The action logs in Performance Management provide information related to system monitoring functions. Action logs are output to a single file on each host (physical host and logical host). The host to which the action log data is output depends on the action that was performed.

The following describes the output format, output destination, and output items of an action log.

(1) Output format

CALFHM x.x,output-item-1=value-1, output-item-2=value-2,...,output-item-n=value-n

(2) Output destination

On physical hosts
  • In Windows

    installation-folder\auditlog\

  • In UNIX

    /opt/jp1pc/auditlog/

On logical hosts
  • In Windows

    environment-directory\jp1pc\auditlog\

  • In UNIX

    environment-directory/jp1pc/auditlog/

You can change the output destination for action logs in the jpccomm.ini file. For details about how to change this setting in the jpccomm.ini file, see H.4 Settings for outputting action log data.

(3) Output items

The items in an action log fall into the following two categories:

(a) Common output items

The following table lists the values output as common output items, and the content of each item.

Table H‒2: Common output items in action logs

| No. | Output item: item name | Output item: output attribute name | Value | Description |
|---|---|---|---|---|
| 1 | Common specification identifier | -- | CALFHM | An ID indicating that the information is formatted as an action log |
| 2 | Common specification revision number | -- | x.x | The revision number used to manage the action log |
| 3 | Sequence number | seqnum | sequence-number | The sequence number of the action log record |
| 4 | Message ID | msgid | KAVExxxxx-x | The message ID from the product |
| 5 | Date and time | date | YYYY-MM-DDThh:mm:ss.sssTZD# | The time (including time zone) when the action log was output |
| 6 | Generated program name | progid | JP1PFM | The name of the program where the event occurred |
| 7 | Generated component name | compid | service-ID | The name of the component where the event occurred |
| 8 | Generated process ID | pid | process-ID | The ID of the process associated with the event |
| 9 | Generated location | ocp:host | host-name; IP-address | The location where the event occurred |
| 10 | Event type | ctgry | StartStop; Authentication; ConfigurationAccess; ExternalService; AnomalyEvent; ManagementAction | The name of the category to which the event output to the action log belongs |
| 11 | Event result | result | Success; Failure; Occurrence | The result of the event |
| 12 | Subject identification information | subj:pid | process-ID | Any of the following information: the ID of the user-operated process; the ID of the process that generated the event; the username of the user who generated the event; identification information unique to a particular user |
| | | subj:uid | account-identifier (PFM user name or JP1 user name) | |
| | | subj:euid | execution-user-ID (OS user) | |

Legend:

--: None.

#

T is used to separate the date and time.

TZD specifies the time zone. One of the following is output:

+hh:mm: Indicates a time zone hh:mm ahead of UTC.

-hh:mm: Indicates a time zone hh:mm behind UTC.

Z: Indicates a time zone equivalent to UTC.

(b) Fixed output items

The following table lists the values output as fixed output items, and the content of each item.

Table H‒3: Fixed output items in action logs

| No. | Output item: item name | Output item: output attribute name | Value | Description |
|---|---|---|---|---|
| 1 | Object information | obj | service-ID-for-PFM-Agent-or-PFM-RM; name-of-added-deleted-or-updated-user (PFM user) | The target of the operation. |
| | | obj:table | alarm-table-name | |
| | | obj:alarm | alarm-name | |
| 2 | Action information | op | Start; Stop; Add; Update; Delete; Change Password; Activate; Inactivate; Bind; Unbind | The action that generated the event. |
| 3 | Permissions information | auth | Administrator: Management; Ordinary user: Ordinary; Windows: Administrator; UNIX: SuperUser | The permission held by the user who performed the operation. |
| | | auth:mode | PFM authentication mode: pfm; JP1 authentication mode: jp1; OS user: os | The authentication mode of the user who performed the operation. |
| 4 | Location of output source | dtp:host | host-name-for-PFM-Agent-or-PFM-RM | The host where the alarm was generated. |
| 5 | Origin of instructions | subjp:host | login-host-name; execution-host-name (when executing the jpctool alarm command) | The host where the instructions to perform the operation originated from. |
| 6 | Free description | msg | message | The message output at alarm generation or at automated action execution. |

The fixed output items that are output in an action log, and the content of those items, depend on the type of event that caused the action log to be output. The following describes the message IDs and the content of the fixed output items in action logs for each event type.

■ When a PFM service starts or stops (StartStop)

  • Output host: The host where the service runs

  • Output component: Each service that is started or stopped

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | Starting service: KAVE03000-I; Stopping service: KAVE03001-I |
| Action information | op | Starting service: Start; Stopping service: Stop |

■ When a service enters or leaves stand-alone mode (StartStop)

  • Output host: PFM - Agent or PFM - RM host

  • Output component: Agent Collector and Agent Store services for PFM - Agent host. Remote Monitor Collector and Remote Monitor Store services for PFM - RM host.

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | Beginning stand-alone mode: KAVE03002-I; Ending stand-alone mode: KAVE03003-I |

    Note 1: No fixed output items are output.

    Note 2: Each PFM - Agent or PFM - RM service connects to the PFM - Manager host at startup, and begins such tasks as registering node information and acquiring the latest alarm definition information. If the PFM - Agent service is unable to connect to the PFM - Manager host, its functionality will be restricted to certain functions such as collecting operating information. This is called stand-alone mode. In this case, the message KAVE03002-I is output to indicate that the PFM - Agent has entered stand-alone mode. While in stand-alone mode, PFM - Agent makes periodic attempts to connect to PFM - Manager and perform the intended tasks such as registering node information and acquiring definition information. When such an attempt is successful, PFM - Agent exits stand-alone mode and the message KAVE03003-I is output. By reviewing the action log, you can see that PFM - Agent or PFM - RM was running with limited functionality during the time between when KAVE03002-I and KAVE03003-I were output.

■ When login authentication results are received from PFM - Web Console (Authentication)

  • Output host: The host where PFM - Manager (ViewServer) is running

  • Output component: ViewServer

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | Successful login: KAVE03050-I; Failed login: KAVE03051-W |
| Permissions information | auth | Administrator: Management; Ordinary user: Ordinary |
| | auth:mode | PFM authentication mode: pfm; JP1 authentication mode: jp1 |
| Origin of instruction | subjp:host | The host from which the login attempt was made (PFM - Web Console) |
| Free description | msg:skey | Only when login is successful: Session key between ViewServer and PFM - Web Console |

    Note: This log is output not only at login. When you execute any of the following commands, a log that has the user specified by the jpcmkkey command as the subject information is also output.

    • jpcaspsv

    • jpcasrec

    • jpcmkkey

    • jpcrdef

    • jpcrpt

    • jpcprocdef

■ Logout from PFM - Web Console (Authentication)

  • Output host: The host where PFM - Manager (ViewServer) is running

  • Output component: ViewServer

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | KAVE03052-I |
| Type of audit event | ctgry | Authentication |
| Result of audit event | result | Occurrence (occurrence) |
| Subject identification information | subj:uid | Account identifier (PFM user name or JP1 user name) |
| Free description | msg:skey | Session key between ViewServer and PFM - Web Console |

    Note 1: The user name for login is always set as the subject identification information. Therefore, there is no distinction between logout by user operation (clicking the logout button) and logout by system operation (such as session timeout).

    Note 2: When PFM - Web Console is forcibly terminated during login, logout for the associated login is not output.

    Note 3: This log is output not only at logout. When you execute any of the following commands, a log that has the user specified by the jpcmkkey command as the subject information is also output.

    • jpcaspsv

    • jpcasrec

    • jpcmkkey

    • jpcrdef

    • jpcrpt

    • jpcprocdef

■ When an alarm or action definition is created, updated, or deleted (ConfigurationAccess)

  • Output host: The host where PFM - Manager (ViewServer) is running or where the jpctool alarm command was executed

  • Output component: ViewServer / jpctool alarm command

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | Create: KAVE03150-I; Update: KAVE03151-I; Delete: KAVE03152-I; Enable: KAVE03153-I; Disable: KAVE03154-I |
| Object information | obj:table | The name of the alarm table that is the target of the operation |
| | obj:alarm | The name of the alarm that is the target of the operation (omitted when not applicable) |
| Action information | op | Create: Add; Update: Update; Delete: Delete; Activate: Activate; Deactivate: Inactivate |
| Permissions information | auth | Administrator: Management |
| | auth:mode | PFM authentication mode: pfm; JP1 authentication mode: jp1; OS user: os |
| Origin of instruction | subjp:ipv4 | For ViewServer only: IP address from which the user logged in (PFM - Web Console) |
| | subjp:host | Execution host name (for jpctool alarm command execution only) |

    Note 1: When an alarm definition is created from PFM - Web Console in an environment where PFM - Manager or PFM - Web Console version 10-00 or earlier is used, KAVE03151-I (op=Update) is output instead of KAVE03150-I (op=Add).

    Note 2: When an alarm definition is activated from PFM - Web Console, KAVE03151-I (op=Update) is output instead of KAVE03153-I (op=Activate).

    Note 3: When an alarm definition is deactivated from PFM - Web Console, KAVE03151-I (op=Update) is output instead of KAVE03154-I (op=Inactivate).

    Note 4: When an alarm definition is updated from PFM - Web Console, KAVE03151-I (op=Update) or KAVE03152-I (op=Delete) is output.

    Note 5: When an alarm definition is copied, KAVE03150-I (op=Add) is output. This is common to PFM - Web Console, and the jpctool alarm command.

■ When an alarm is bound or unbound (ConfigurationAccess)

  • Output host: The host where PFM - Manager is running or where the jpctool alarm command was executed

  • Output component: ViewServer / Master Manager / jpctool alarm command

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | Bind / Auto alarm bind: KAVE03155-I; Unbind: KAVE03156-I |
| Object information | obj | Service ID for PFM - Agent or PFM - RM |
| | obj:table | The name of the alarm table |
| Action information | op | Bind: Bind; Unbind: Unbind |
| | op:mode | Only for when the functionality for binding multiple alarm tables is enabled, and you have not unbound the alarm tables: Add |
| Permissions information | auth | Administrator: Management |
| | auth:mode | PFM authentication mode: pfm; JP1 authentication mode: jp1; OS user: os |
| Origin of instruction | subjp:ipv4 | For ViewServer only: IP address from which the user logged in (PFM - Web Console) |
| | subjp:host | Only for the jpctool alarm command and Master Manager: execution host name |
| Free description | msg | Only when the functionality for binding multiple alarm tables is disabled, and Master Manager has unbound the alarm tables: ext=auto-unbind; Only when alarms are automatically bound to monitoring agents: text=auto-bind |

■ When a PFM user is added, deleted, or updated (ConfigurationAccess)

  • Output host: The host where PFM - Manager (ViewServer) is running

  • Output component: ViewServer

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | Add: KAVE03157-I; Delete: KAVE03158-I; Update: KAVE03159-I; Change password: KAVE03160-I |
| Object information | obj | Name of added, deleted, or updated user (PFM user) |
| Action information | op | Create: Add; Delete: Delete; Update: Update; Change password: Change Password |
| Permissions information | auth | Administrator: Management |
| | auth:mode | PFM authentication mode: pfm |
| Origin of instruction | subjp:ipv4 | IP address from which the user logged in (PFM - Web Console) |

■ When a multiple-monitoring definition is imported (ConfigurationAccess)

  • Output host: The PFM - Manager host that imports the definition

  • Output component: jpctool config mgrimport command

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | When the definition does not match: KAVE03550-E; When import is successful: KAVE03551-I; Start of each definition: KAVE03552-I; End of each definition: KAVE03553-I; When import failed: KAVE03554-E |
| Free description | exhost | Host name of the host installed with PFM - Manager that exported the definition |

■ When monitoring is suspended or resumed (ConfigurationAccess)

  • Output host: The host where PFM - Manager (ViewServer) is running

  • Output component: Master Manager

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | Suspension of monitoring: KAVE03600-I; Resumption of monitoring: KAVE03601-I |
| Object information | obj:serv | Only when the change of status for a service is indicated: Service ID of the target service |
| | obj:host | Only when the change of status for a host is indicated: Target host name (hosts, jpchosts, alias) |
| Action information | op | Suspension of monitoring: Suspend; Resumption of monitoring: Resume |
| | op:mode | Only when operating information is stored and monitoring is suspended: log |
| Origin of instruction | subjp:host | For Master Manager only: Execution host name |

    Note: When a host is specified, log data is output to the specified host. When an agent is specified, log data is output to the specified agent.

■ When the status of the connection to PFM - Manager changes (ExternalService)

  • Output host: PFM - Agent or PFM - RM host

  • Output component: Agent Collector and Agent Store services for PFM - Agent host. Remote Monitor Collector and Remote Monitor Store services for PFM - RM host.

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | When an attempt to send an event to PFM - Manager fails (and queuing begins): KAVE03300-I; When an event was resent to PFM - Manager: KAVE03301-I |

    Note 1: No fixed output items are output.

    Note 2: If the Agent Store or Remote Monitor Store service fails in an attempt to send an event to PFM - Manager, it begins to queue events, storing up to three occurrences of each event in the queue. The message KAVE03300-I is output at the point when queuing begins after a failed attempt at event transmission. When the connection to PFM - Manager is restored, the message KAVE03301-I is output once the service has finished sending the queued events. By reviewing the action log, you can learn that events were not being sent to PFM - Manager in real time during the time between when KAVE03300-I and KAVE03301-I were output.

    Note 3: Under normal circumstances, the Agent Collector or Remote Monitor Collector service sends events to PFM - Manager through the Agent Store or Remote Monitor Store service. If the Agent Store or Remote Monitor Store service is unavailable for some reason, the Agent Collector or Remote Monitor Collector service sends events directly to PFM - Manager. If this fails, the message KAVE03300-I is output. In this case, the message KAVE03301-I is not output because queuing is not started. By reviewing the action log, you can learn that some events occurred that were never sent to PFM - Manager.

■ When PFM - Agent or PFM - RM connects or disconnects (ExternalService)

  • Output host: PFM - Manager host

  • Output component: Name Server service (only applies to connection and disconnection with the Agent Connector and Remote Monitor Collector, as well as Agent Store and Remote Monitor Store)

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | Connection with PFM - Agent or PFM - RM established: KAVE03304-I; Connection with PFM - Agent or PFM - RM released: KAVE03305-I |
| Object information | obj | service-ID-for-PFM-Agent-or-PFM-RM |

■ When an alarm is generated (AnomalyEvent)

  • Output host: PFM - Manager host

  • Output component: Correlator service

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | KAVE03450-I |
| Location where event was detected | dtp:host | host-name-for-PFM-Agent-or-PFM-RM |
| Free description | msg | serviceid=service-ID-for-PFM-Agent-or-PFM-RM,severity={E\|W\|I}, date=alarm-generation-date,text=message-text |

■ When an automated action is executed (ManagementAction)

  • Output host: The host that executed the action

  • Output component: Action Handler service

| Item name | Attribute name | Value |
|---|---|---|
| Message ID | msgid | When generation of the command execution process was successful: KAVE03500-I; When generation of the command execution process failed: KAVE03501-W; When E-mail transmission was successful: KAVE03502-I; When E-mail transmission failed: KAVE03503-W |
| Free description | msg | Command execution: cmd=executed-command-line; E-mail transmission: mailto=destination-email-address |

    Note: The message KAVE03500-I is output at the point when the command execution process is successfully generated. Subsequent information such as logs indicating whether command execution took place and the execution results is not output to the action log.

(4) Output example

The following shows an example of action log output.

CALFHM 1.0, seqnum=1, msgid=KAVE03000-I, date=2007-01-18T22:46:49.682+09:00,
progid=JP1PFM, compid=TA1host01, pid=2076,
ocp:host=host01, ctgry=StartStop, result=Occurrence,
subj:pid=2076,op=Start
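
The following is an added example, not part of the Hitachi manual or product code: a Python parser for the record format in (1), used to reconstruct the stand-alone periods (KAVE03002-I to KAVE03003-I) and event-queuing periods (KAVE03300-I to KAVE03301-I) that the notes above say can be read from the action log. Assumptions: a record may be wrapped across lines as in the output example, the function and variable names are hypothetical, and sample records 2 to 4 are constructed.

```python
import re
from datetime import datetime

# name=value token; names follow the attribute names in Tables H-2 and H-3.
_FIELD = re.compile(r"([a-z]+(?::[a-z0-9]+)?)=(.*)", re.S)
# Opening message ID -> (kind of degraded period, closing message ID).
WINDOWS = {"KAVE03002-I": ("stand-alone", "KAVE03003-I"),
           "KAVE03300-I": ("event-queuing", "KAVE03301-I")}

def parse_action_log(text):
    """Return one dict per record; a record starts with 'CALFHM x.x'."""
    records = []
    for chunk in re.split(r"(?m)^(?=CALFHM )", text):
        head, _, rest = " ".join(chunk.split()).partition(",")
        if not head.startswith("CALFHM "):
            continue
        rec, last = {"revision": head.split()[1]}, None
        for token in rest.split(","):
            m = _FIELD.fullmatch(token.strip())
            if m:
                # First occurrence wins, so a date= inside the alarm msg
                # (KAVE03450-I) cannot replace the record timestamp.
                last = m.group(1) if m.group(1) not in rec else None
                rec.setdefault(m.group(1), m.group(2))
            elif last:
                rec[last] += "," + token  # value that itself contains commas
        rec["date"] = datetime.fromisoformat(rec["date"].replace("Z", "+00:00"))
        records.append(rec)
    return records

def degraded_windows(records):
    """Pair opening/closing IDs per (host, component) into tuples
    (kind, host, compid, start, end); end is None when no closing record
    follows, e.g. KAVE03300-I from a Collector that never queued (Note 3)."""
    kinds = {close: kind for kind, close in WINDOWS.values()}
    pending, out = {}, []
    for r in sorted(records, key=lambda r: r["date"]):
        where = (r.get("ocp:host"), r.get("compid"))
        if r["msgid"] in WINDOWS:
            key = (WINDOWS[r["msgid"]][0], *where)
            if key in pending:  # opened again without a closing record
                out.append((*key, pending[key], None))
            pending[key] = r["date"]
        elif r["msgid"] in kinds:
            key = (kinds[r["msgid"]], *where)
            if key in pending:
                out.append((*key, pending.pop(key), r["date"]))
    return out + [(*k, s, None) for k, s in pending.items()]

# First record is the page's output example; records 2-4 are constructed.
_C = "progid=JP1PFM, compid=TA1host01, pid=2076, ocp:host=host01, result=Occurrence, subj:pid=2076"
SAMPLE = f"""CALFHM 1.0, seqnum=1, msgid=KAVE03000-I, date=2007-01-18T22:46:49.682+09:00,
progid=JP1PFM, compid=TA1host01, pid=2076,
ocp:host=host01, ctgry=StartStop, result=Occurrence,
subj:pid=2076,op=Start
CALFHM 1.0, seqnum=2, msgid=KAVE03002-I, date=2007-01-18T22:46:50.100+09:00, ctgry=StartStop, {_C}
CALFHM 1.0, seqnum=3, msgid=KAVE03003-I, date=2007-01-18T22:51:50.100+09:00, ctgry=StartStop, {_C}
CALFHM 1.0, seqnum=4, msgid=KAVE03300-I, date=2007-01-18T23:10:00.000+09:00, ctgry=ExternalService, {_C}
"""
```

Calling degraded_windows(parse_action_log(SAMPLE)) returns one closed five-minute stand-alone period and one event-queuing period whose end is None. A free-text value that contains a comma followed by a lowercase name= token is split into a separate field by this parser.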