J.3 Action log output format

Information related to audit events is output to the Performance Management action log. One action log information file is output for one host (physical host and logical host). The action log file is output to either of the following hosts:

When a service is executed: The file is output to the host on which the service runs.
When a command is executed: The file is output to the host on which the command was executed.

The following describes the format of the action log, the output destination, and the items that are output.

Organization of this subsection

(1) Output format
(2) Output destination
(3) Output items
(4) Output example

(1) Output format

CALFHM x.x,output-item-1=value-1,output-item-2=value-2,...,output-item-n=value-n

To Page Top

(2) Output destination

On physical hosts: installation-folder\auditlog\
On logical hosts: environment-folder\jp1pc\auditlog\

The action log output destination can be changed in the jpccomm.ini file. For details about how to specify the jpccomm.ini file, see J.4 Settings for outputting action logs.

To Page Top

(3) Output items

There are two types of output items:

Common output item

An item that is always output by all JP1 products that output action logs
Fixed output item

An item that is optionally output by a JP1 product that outputs action logs

(a) Common output items

The following table lists and describes the common output items and their values. This table also includes the items and information output by PFM - Manager.

Table J‒2: Common output items in action logs
No.	Output item		Value	Explanation
No.	Item name	Output attribute name	Value	Explanation
1	Common specification identifier	--	`CALFHM`	Indicates the action log format.
2	Common specification revision number	--	`x.x`	Revision number for managing action logs
3	Serial number	`seqnum`	`serial-number`	Serial number of the action log record
4	Message ID	`msgid`	`KAVExxxxx-x`	Message ID of the product
5	Date and time	`date`	`YYYY-MM-DDThh:mm:ss.sssTZD`^#	Date, time, and time zone indication identifying when the action log was output
6	Program name	`progid`	`JP1PFM`	Name of the program for which the event occurred
7	Component name	`compid`	`service-ID`	Name of the component for which the event occurred
8	Process ID	`pid`	`process-ID`	Process ID of the process for which the event occurred
9	Location	`ocp:host`	`host-name` `IP-address`	Location where the event occurred
10	Event type	`ctgry`	`StartStop` `Authentication` `ConfigurationAccess` `ExternalService` `AnomalyEvent` `ManagementAction`	Category name used to classify the event output to the action log
11	Event result	`result`	`Success` `Failure` `Occurrence`	Result of the event
12	Subject identification information	`subj:pid`	`process-ID`	One of the following: Process ID of a process running as a user operation Process ID of the process that caused the event Name of the user who caused the event Identification information in a one-to-one correspondence with the user
		`subj:uid`	`account-identifier` (PFM user/JP1 user)
		`subj:euid`	`effective-user-ID` (OS user)

Legend:

--: None

#

T is a separator between the date and the time.

TZD is the time zone specifier. One of the following values is output.

+hh:mm: The time zone is hh:mm ahead of UTC.

-hh:mm: The time zone is hh:mm behind UTC.

z: The time zone is same as UTC.

(b) Fixed output items

The following table lists and describes the fixed output items and their values. This table also includes the items and information output by PFM - Manager.

Table J‒3: Fixed output items in action logs
No.	Output item		Value	Explanation
No.	Item name	Output attribute name	Value	Explanation
1	Object information	`obj`	`PFM - RM-service-ID` `added-deleted-or-updated-user-name` (PFM user)	Intended object for the operation
		`obj:table`	`alarm-table-name`
		`obj:alarm`	`alarm-name`
2	Action information	`op`	`Start` `Stop` `Add` `Update` `Delete` `Change Password` `Activate` `Inactivate` `Bind` `Unbind`	Information about the action that caused the event
3	Permissions information	`auth`	Administrator `Management` General user `Ordinary` Windows `Administrator` UNIX `SuperUser`	Permissions information of the user who executed the command or service
3	Permissions information	`auth:mode`	PFM authentication mode `pfm` JP1 authentication mode `jp1` OS user `os`	Authentication mode of the user who executed the command or service
4	Output source	`outp:host`	`PFM - Manager-host-name`	Host that output the action log
5	Instruction source	`subjp:host`	`login-host-name` `execution-host-name` (only when the `jpctool alarm` command is executed)	Host that issued the instruction for the operation
6	Free description	`msg`	`message`	Message that is output when an alarm occurs or when an automated action is executed

Whether the fixed output items are output and what they contain differ depending on when the action log is output. The following describes the message ID and output information for each case.

■ A PFM service is started or stopped (StartStop)

Output host: The host on which the service is running

Output component: The service that was started or stopped

Item name	Attribute name	Value
Message ID	`msgid`	Started: `KAVE03000-I` Stopped: `KAVE03001-I`
Action information	`op`	Started: `Start` Stopped: `Stop`

Item name

Attribute name

Value

Message ID

msgid

Started: KAVE03000-I

Stopped: KAVE03001-I

Action information

op

Started: Start

Stopped: Stop

■ Stand-alone mode is started or terminated (StartStop)

Output host: PFM - RM host

Output component: Remote Monitor Collector service and Remote Monitor Store service

Item name	Attribute name	Value
Message ID	`msgid`	Stand-alone mode has started: `KAVE03002-I` Stand-alone mode has terminated: `KAVE03003-I`

Item name

Attribute name

Value

Message ID

msgid

Stand-alone mode has started: KAVE03002-I

Stand-alone mode has terminated: KAVE03003-I

#1: No fixed output items are output.
#2: When PFM - RM for Microsoft SQL Server is started, PFM - RM for Microsoft SQL Server services connect to the PFM - Manager host, register node information, and obtain the latest alarm definition information. If a connection with the PFM - Manager host cannot be established, PFM - RM for Microsoft SQL Server starts in stand-alone mode, in which only part of its functionality, such as collection of operating information, is enabled. In addition, KAVE03002-I is output to indicate that PFM - RM for Microsoft SQL Server has started in stand-alone mode. From this point, the PFM - RM for Microsoft SQL Server services periodically attempt to connect to PFM - Manager. When the services are able to successfully register node information or obtain definition information, PFM - RM for Microsoft SQL Server leaves stand-alone mode and KAVE03003-I is output. In this way, the action log enables you to understand that PFM - RM for Microsoft SQL Server was running in an imperfect condition for the period from the output of KAVE03002-I to the output of KAVE03003-I.

■ The status of the connection with PFM - Manager changes (ExternalService)

Output host: PFM - RM host

Output component: Remote Monitor Collector service and Remote Monitor Store service

Item name	Attribute name	Value
Message ID	`msgid`	Sending of an event to PFM - Manager failed (queuing was started): KAVE03300-I An event was resent to PFM - Manager: KAVE03301-I

Item name

Attribute name

Value

Message ID

msgid

Sending of an event to PFM - Manager failed (queuing was started): KAVE03300-I

An event was resent to PFM - Manager: KAVE03301-I

#1: No fixed output items are output.
#2: When sending of an event to PFM - Manager fails, Remote Monitor Store service starts queuing events. The maximum capacity of the queue is 3 events. KAVE03300-I is output when sending of an event to PFM - Manager fails and queuing starts. After the connection with PFM - Manager restores and the queued events are resent, KAVE03301-I is output. From this sequence of the log, you can judge that the period when an event-sending to PFM - Manager is not real time is specifiable.
#3: The Remote Monitor Collector service normally sends events to PFM - Manager via the Remote Monitor Store service. The Remote Monitor Collector service directly sends events to PFM - Manager only when the Remote Monitor Store service stops for any reason. If the Remote Monitor Collector service fails to send events directly to PFM - Manager, KAVE03300-I is output. In this case, KAVE03301-I is no output because the queuing does not start. From this sequence of the log, you can judge that there are events that are not sent to PFM - Manager.

■ An automated action is executed (ManagementAction)

Output host: The host on which the action was executed

Output component: Action Handler service

Item name	Attribute name	Value
Message ID	`msgid`	The command execution process was created successfully: `KAVE03500-I`. An attempt to create a command execution process failed: `KAVE03501-W`. E-mail was send successfully: `KAVE03502-I`. Sending of e-mail failed: `KAVE03503-W`
Free description	`msg`	Command execution: `cmd=executed-command-line`. E-mail sending: `mailto=destination-email-address`.

Item name

Attribute name

Value

Message ID

msgid

The command execution process was created successfully: KAVE03500-I.

An attempt to create a command execution process failed: KAVE03501-W.

E-mail was send successfully: KAVE03502-I.

Sending of e-mail failed: KAVE03503-W

Free description

msg

Command execution: cmd=executed-command-line.

E-mail sending: mailto=destination-email-address.

Note:: KAVE03500-I is output when the command execution process is successfully created. After KAVE03500-I is output, whether the command is successfully executed or not and the execution result are not output to the action log.

To Page Top

(4) Output example

The following is an example of action log output.

CALFHM 1.0, seqnum=1, msgid=KAVE03000-I, date=2007-01-18T22:46:49.682+09:00,
progid=JP1PFM, compid=OA1host01, pid=2076,
ocp:host=host01, ctgry=StartStop, result=Occurrence,
subj:pid=2076,op=Start,

To Page Top