J.3 Output format of action logs

Information about audit events is output to the Performance Management action logs. A separate action log file is output for each host. An action log's output destination host is as follows:

When a service is executed

Action logs are output to the host where the service is running.
When a command is executed

Action logs are output to the host that executed the command.

The following describes the output format, output destination, and output items for action logs.

Organization of this subsection

(1) Output format
(2) Output destination
(3) Output items
(4) Output example

(1) Output format

CALFHM x.x,output-item-1=value-1,output-item-2=value-2,...,output-item-n=value-n

To Page Top

(2) Output destination

installation-folder\auditlog\

You can use the jpccomm.ini file to change the output destination of action logs. For details about how to set the jpccomm.ini file, see J.4 Action log output settings.

To Page Top

(3) Output items

There are two types of output items:

Common output items: Output items common to all JP1 products that output action logs
Fixed output items: Optional items that are output by JP1 products that output action logs

(a) Common output items

The table below lists and describes the common output items and their values, including the items that are output by PFM - Manager.

Table J‒2: Common output items for action logs
Output item		Value	Description
Item name	Output attribute	Value	Description
Common specification identifier	--	`CALFHM`	Identifier indicating that this is the action log format
Common specification revision number	--	`x.x`	Revision number used for managing action logs
Sequence number	`seqnum`	`sequence-number`	Sequence number of action log records
Message ID	`msgid`	`KAVExxxxx-x`	Message ID
Date and time	`date`	`YYYY-MM-DDThh:mm:ss.sssTZD`^#	Output date, time, and time zone of an action log
Generated program name	`progid`	`JP1PFM`	Name of the program where the event occurred
Generated component name	`compid`	`service-ID`	Name of the component where the event occurred
Generated process ID	`pid`	`process-ID`	Process ID of the process where the event occurred
Generated location	`ocp:host`	`host-name` `IP-address`	Location where the event occurred
Event type	`ctgry`	`StartStop` `Authentication` `ConfigurationAccess` `ExternalService` `AnomalyEvent` `ManagementAction`	Category names used to classify the events that are output to action logs
Event result	`result`	`Success` `Failure` `Occurrence`	Result of the event
Subject identification information	`subj:pid`	`process-ID`	One of the following: Process ID that is run by the user operation Process ID that caused the event User name that caused the event Identification information assigned to users on a 1:1 basis
	`subj:uid`	`account-identifier` (PFM user/JP1 user)
	`subj:euid`	`effective-user-ID` (OS user)

Legend:

--: None

#

T indicates a separator between date and time.

TZD is the time zone specifier. One of the following is output:

+hh:mm: Advanced from UTC by hh:mm

-hh:mm: Delayed from UTC by hh:mm

Z: Same as UTC.

(b) Fixed output items

The table below lists and describes the fixed output items and their values, including the items that are output by PFM - Manager.

Table J‒3: Fixed output items for action logs
Output item		Value	Description
Item name	Output attribute	Value	Description
Object information	`obj`	`service-ID-of-PFM-RM` `added-deleted-or-updated-user-name` (PFM user)	Operation target
	`obj:table`	`alarm-table-name`
	`obj:table`	`alarm-name`
Action information	`op`	`Start` `Stop` `Add` `Update` `Delete` `Change` `Password` `Activate` (enable) `Inactivate` (disable) `Bind` `Unbind`	Action that caused the event
Permissions information	`auth`	Administrator user `Management` General user `Ordinary` Windows `Administrator` UNIX `SuperUser`	Permissions of the user who performed the operation
Permissions information	`auth:mode`	PFM authentication mode `pfm` JP1 authentication mode `jp1` OS user `os`	Authentication mode of the user who performed the operation
Output source	`outp:host`	`name-of-PFM-Manager-host`	Host that output the action log
Instruction source	`subjp:host`	`name-of-logon-host` `name-of-executing-host` (only during execution of the `jpcalarm` command)	Host that issued the operation instruction
Free description	`msg`	`message`	Message that is output in the event of an alarm and execution of automatic action

Whether each fixed output item exists depends on the output timing. The following subsections describe the message ID and fixed output items for each output timing.

■ Startup and termination of PFM services (StartStop)

Output host

Host on which the corresponding service is running
Output component

Each service that starts and stops

A message ID and operation information are output when the PFM service starts and stops (StartStop). The following table lists and describes the message IDs and operation information that are output.

Table J‒4: Message IDs and operation information that are output when a PFM service starts and stops (StartStop)
Item name	Attribute name	Value
Message ID	`msgid`	Start: `KAVE03000-I` is output. Stop: `KAVE03001-I` is output.
Operation information	`op`	Start: `Star`t is output. Stop: `Stop` is output.

■ Startup and termination of the stand-alone mode (StartStop)

Output host

PFM - RM host
Output component

Remote Monitor Collector and Remote Monitor Store services

A message ID is output when the stand-alone mode starts and ends (StartStop). The following table lists and describes the message IDs that are output.

Table J‒5: Message IDs that are output when the stand-alone mode starts and ends (StartStop)
Item name	Attribute name	Value
Message ID	`msgid`	Start of the stand-alone mode: `KAVE03002-I` is output. End of the stand-alone mode: `KAVE03003-I` is output.

Note 1

Fixed output items are not output.

Note 2

When each service of PFM - RM for Platform starts, it connects to the PFM - Manager host to register node information and to acquire the most recent alarm definition information.

If the service cannot connect to the PFM - Manager host, it starts (in the stand-alone mode) with only some of the functions enabled (such as collection of operation information). KAVE03002-I is then issued in order to indicate that the service has started in the stand-alone mode.

Thereafter, the service continues to attempt to connect to the PFM - Manager host at specific intervals. When the service successfully registers node information and acquires definition information, it ends the stand-alone mode and KAVE03003-I is issued.

Output of KAVE03002-I and KAVE03003-I in the action logs indicates that PFM - RM for Platform was running in incomplete status.

■ Change to the status of the connection to PFM - Manager (ExternalService)

Output host

PFM - RM host
Output component

Remote Monitor Collector and Remote Monitor Store services

A message ID is output when the status of the connection to PFM - Manager changes (ExternalService). The following table lists and describes the message IDs that are output.

Table J‒6: Message IDs that are output when the status of the connection to PFM - Manager changes (ExternalService)
Item name	Attribute name	Value
Message ID	`msgid`	Transmission of an event to PFM - Manager failed (queuing started): `KAVE03300-I` is output. Re-transmission of an event to PFM - Manager was completed: `KAVE03301-I` is output.

Note 1

Fixed output items are not output.

Note 2

If transmission of an event to PFM - Manager fails, the Remote Monitor Collector service starts queuing events. Thereafter, each event is queued until the number of queued events reaches 3.

KAVE03300-I is output when event transmission fails and queuing starts. KAVE03301-I is output when connection with PFM - Manager is restored and transmission of queued events is completed.

Output of KAVE03300-I and KAVE03301-I in action logs brackets the period during which events were not transmitted to PFM - Manager in real time.

Note 3

The Remote Monitor Collector service normally sends events to PFM - Manager via the Remote Monitor Store service. If the Remote Monitor Store service is stopped for some reason, the Remote Monitor Collector service sends events to PFM - Manager directly.

KAVE03300-I is output when transmission of events to PFM - Manager fails. At this point, KAVE03301-I is not output because queuing has not started.

This action log indicates the events that were not sent to PFM - Manager.

■ Execution of automatic action (ManagementAction)

Output host

Host that executed the action
Output component

Action Handler service

When an automatic action is executed (ManagementAction), a message ID and free description item are output. The following table lists and describes the message IDs and free description items that are output.

Table J‒7: Message IDs and free description items that are output during execution of an automatic action (ManagementAction)
Item name	Attribute name	Value
Message ID	`msgid`	Creation of a command execution process was successful: `KAVE03500-I` is output. Creation of a command execution process failed: `KAVE03501-W` is output. Email transmission was successful: `KAVE03502-I` is output. Email transmission failed: `KAVE03503-W` is output.
Free description	`msg`	Command execution: `cmd=executed-command-line` is output. Email transmission: `mailto=destination-email-address` is output.

Note: KAVE03500-I is output when a command execution process is created successfully. Thereafter, the result of checking for command execution and the execution results are not output to the action logs.

To Page Top

(4) Output example

The following shows an output example of action logs:

CALFHM 1.0, seqnum=1, msgid=KAVE03000-I, date=2007-01-18T22:46:49.682+09:00,
progid=JP1PFM, compid=7A1host01, pid=2076,
ocp:host=host01, ctgry=StartStop, result=Occurrence,
subj:pid=2076,op=Start

To Page Top