J.3 Format of output action log data
Information about audit events is output to the Performance Management action logs. For action logs, one file is output for each host (physical and logical hosts). An action log's output destination host is as follows:
-
When a service is executed: Action logs are output to the host where the service is running.
-
When a command is executed: Action logs are output to the host that executed the command.
The following describes the output format, output destination, and output items for action logs.
- Organization of this subsection
(1) Output format
CALFHM x.x,output-item-1=value-1,output-item-2=value-2,...,output-item-n=value-n
(2) Output destination
|
OS environment |
Host environment |
Default output directory |
|---|---|---|
|
Windows |
Physical host |
installation-folder\auditlog\ |
|
Logical host |
environment-directory#\jp1pc\auditlog\ |
|
|
Linux |
Physical host |
/opt/jp1pc/auditlog/ |
|
Logical host |
environment-directory#/jp1pc/auditlog/ |
- #
-
The environment directory is on the shared disk that was specified when the logical host was created.
You can use the jpccomm.ini file to change the output destination of action logs. For details about how to make settings in the jpccomm.ini file, see J.4 Settings for outputting action log data.
(3) Output items
There are two types of output items:
-
Common output items
Output items common to all JP1 products that output action logs
-
Fixed output items
Optional items that are output by the individual JP1 products that output action logs
(a) Common output items
The table below lists and describes the common output items and their values, including the items that are output by PFM - Manager.
|
No. |
Output item |
Value |
Description |
|
|---|---|---|---|---|
|
Item name |
Output attribute name |
|||
|
1 |
Common specification identifier |
-- |
CALFHM |
Identifier indicating that this is the action log format |
|
2 |
Common specification revision number |
-- |
x.x |
Revision number used for managing action logs |
|
3 |
Sequence number |
seqnum |
sequence-number |
Sequence number of action log records |
|
4 |
Message ID |
msgid |
KAVExxxxx-x |
Product's message ID |
|
5 |
Date and time |
date |
YYYY-MM-DDThh:mm:ss.sssTZD# |
Output date, time, and time zone of the action log |
|
6 |
Generated program name |
progid |
JP1PFM |
Name of the program where the event occurred |
|
7 |
Generated component name |
compid |
service-ID |
Name of the component where the event occurred |
|
8 |
Generated process ID |
pid |
process-ID |
Process ID of the process where the event occurred |
|
9 |
Generated location |
ocp:host |
|
Location where the event occurred |
|
10 |
Event type |
ctgry |
|
Category names used to classify the events that are output to action logs |
|
11 |
Event result |
result |
|
Result of the event |
|
12 |
Subject identification information |
subj:pid |
process-ID |
One of the following:
|
|
subj:uid |
account-identifier (PFM user/JP1 user) |
|||
|
subj:euid |
effective-user-ID (OS user) |
|||
- Legend:
-
--: None
- #
-
T indicates a separator in a date and time string.
ZD represents the time zone specifier. One of the following is output:
+hh:mm: Advanced from UTC by hh:mm
-hh:mm: Delayed from UTC by hh:mm
Z: Same as UTC
(b) Fixed output items
The table below lists and describes the fixed output items and their values, including the items that are output by PFM - Manager.
|
No. |
Output item |
Value |
Description |
|
|---|---|---|---|---|
|
Item name |
Output attribute name |
|||
|
1 |
Object information |
obj |
|
Operation target |
|
obj:table |
alarm-table-name |
|||
|
obj:alarm |
alarm-name |
|||
|
2 |
Action information |
op |
|
Action that caused the event |
|
3 |
Permissions information |
auth |
|
Permissions of the user who performed the operation |
|
auth:mode |
|
Authentication mode of the user who performed the operation |
||
|
4 |
Output source |
outp:host |
Host name of PFM - Manager |
Host that output the action log |
|
5 |
Instruction source |
subjp:host |
|
Host that issued the operation instruction |
|
6 |
Free description |
msg |
message |
Message that is output in the event of an alarm and execution of automatic action |
For the fixed output items, whether each output item exists depends on the output timing. The following subsections describe the message ID and fixed output items for each output timing.
■ Start and end of PFM services (StartStop)
-
Output host: Host on which the corresponding service is running
-
Output component: Each service that starts and stops
Item name
Attribute name
Value
Message ID
msgid
Start: KAVE03000-I
Stop: KAVE03001-I
Action information
op
Start: Start
Stop: Stop
■ Start and end of the stand-alone mode (StartStop)
-
Output host: PFM - Agent host
-
Output components: Agent Collector and Agent Store services
Item name
Attribute name
Value
Message ID
msgid
Start of the stand-alone mode: KAVE03002-I
End of the stand-alone mode: KAVE03003-I
- Note 1
-
Fixed output items are not output.
- Note 2
-
When each service of PFM - Agent starts, it connects to the PFM - Manager host to perform tasks, such as registering node information and acquiring the most recent alarm definition information. If the service cannot connect to the PFM - Manager host, it starts (in the stand-alone mode) with only some of the functions enabled, such as collection of operation information. KAVE03002-I is then issued to notify the user that the service has started in the stand-alone mode. The service attempts repeatedly at a specified interval to connect to the PFM - Manager host. When the service successfully registers node information and acquires definition information, it ends the stand-alone mode and issues KAVE03003-I. Output of KAVE03002-I and KAVE03003-I in the action logs indicates that PFM - Agent was running in an incomplete status.
■ Change in the status of connection to PFM - Manager (ExternalService)
-
Output host: PFM - Agent host
-
Output component: Agent Collector and Agent Store services
Item name
Attribute name
Value
Message ID
msgid
Transmission of an event to PFM - Manager failed (queuing started): KAVE03300-I
Re-transmission of an event to PFM - Manager was completed: KAVE03301-I
- Note 1
-
Fixed output items are not output.
- Note 2
-
If transmission of an event to PFM - Manager fails, the Agent Store service starts queuing events. Events are then queued until three events have been queued. KAVE03300-I is output when event transmission first fails and queuing starts. When connection with PFM - Manager is restored and transmission of queued events is completed, KAVE03301-I is output. Output of KAVE03300-I and KAVE03301-I in action logs indicates the period during which events were not transmitted in real-time to PFM - Manager.
- Note 3
-
The Agent Collector service normally sends events to PFM - Manager via the Agent Store service. If the Agent Store service is stopped for some reason, the Agent Collector service sends events to PFM - Manager directly. When transmission of events to PFM - Manager fails, KAVE03300-I is output (KAVE03301-I is not output because queuing is not started). This action log indicates that there are events that were not sent to PFM - Manager.
■ Execution of automatic action (ManagementAction)
-
Output host: Host that executed the action
-
Output component: Action Handler service
Item name
Attribute name
Value
Message ID
msgid
Creation of a command execution process was successful: KAVE03500-I
Creation of a command execution process failed: KAVE03501-W
Email transmission was successful: KAVE03502-I
Email transmission failed: KAVE03503-W
Free description
msg
Command execution cmd=executed-command-line is output.
Email transmission mailto=destination-email-address is output.
- Note
-
KAVE03500-I is output when a command execution process is created successfully. Once this occurs, the results of checking command execution and the execution results are not output to the action logs.
(4) Output example
The following shows an output example of action logs:
CALFHM 1.0, seqnum=1, msgid=KAVE03000-I, date=2007-01-18T22:46:49.682+09:00, progid=JP1PFM, compid=TA1host01, pid=2076, ocp:host=host01, ctgry=StartStop, result=Occurrence, subj:pid=2076,op=Start