HP OpenVMS Systems
HP Advanced Server for OpenVMS
In the Advanced Server, an event is any significant occurrence in the system or in an application that requires user notification. For events that do not require immediate attention, the Advanced Server adds data to an event log file. This event logging service starts automatically every time you start the Advanced Server.
Event logs can provide valuable information about server activities.
Event messages are stored in event files in PWRK$LMROOT:[LANMAN.LOGS]. Each event type is maintained in a separate event log file, as shown in Table 6-2, Event Log Files.
|Event Type||Event Log File Name||Description|
|Application events||APPEVENT.EVT||Application event messages are generated by applications. For example, user-written applications may store messages in the application event log.|
|Security events||SECEVENT.EVT||Event messages are generated based on the audit policy specified for the server, including files or directories. (For more information, see Section 188.8.131.52, Auditing Security Events Domainwide.)|
|System events||SYSEVENT.EVT||System event messages are generated by server components.|
Table 6-3, Information in Event Files, lists the information shown in each line of an event file.
|Source||The server component that logged the message.|
|Class||The event class, either information, warning, error, success audit, or failure audit.|
|Time||The date and time of the event.|
|Category||Classification of the message.|
|Message ID||Unique number for the message.|
|User||The user account name for the user who was logged on and working when the message was logged. N/A indicates that the entry does not specify a user.|
|Computer||The name of the computer where the message was generated.|
These methods are described in the following sections.
184.108.40.206.1 Displaying Events When the Advanced Server Is Running
The following example shows how use the SHOW EVENTS command to display events while the Advanced Server is running. Use the /TYPE qualifier to specify one of the types of events, as follows: SYSTEM (default), SECURITY, or APPLICATION. In this example, the SHOW EVENTS command displays the system events.
LANDOFOZ\\TINMAN> SHOW EVENTS T Date Time Source Category Event User Computer - -------- ----------- ------- ----------- ----- ---- ----------- I 08/26/98 11:49:56 AM SYSTEM None 528 N/A TINMAN W 08/27/98 12:07:01 PM Eventlog None 603 N/A TINMAN I 08/27/98 12:15:31 PM Print None 604 N/A TINMAN W 08/27/98 12:46:31 PM BROWSER None 605 N/A TINMAN Total of 4 events LANDOFOZ\\TINMAN>
You can display detailed information for each event, as generated by the application that was the source of the event record, by specifying the SHOW EVENTS/FULL command. The information might include such additional information as the domain and system names. Not all sources or events generate event details. The following example shows a portion of the data that might be displayed with the SHOW EVENTS/FULL command:
E 06/05/01 04:13:50 PM NETLOGON None 5513 N/A TINMAN NET5513: The computer DOROTHY tried to connect to the server TINMAN using the trust relationship established by the LANDOFOZ domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship. I 06/05/01 03:52:17 PM NETLOGON None 5715 N/A TINMAN NET5715: The partial synchronization replication of the LSA database from the domain controller \\WOODMAN completed successfully. 1 delta(s) is(are) applied to the database. I 06/05/01 03:36:38 PM NETLOGON None 5715 N/A TINMAN NET5715: The partial synchronization replication of the SAM database from the domain controller \\WOODMAN completed successfully. 1 delta(s) is(are) applied to the database. . . .
To display events when the Advanced Server is not running, use the ELFREAD utility. The ELFREAD utility allows you to display records in the event file in the following ways:
You can view records in brief (default) or detailed format.
The ELFREAD command is defined as part of the Advanced Server command set in the SYS$MANAGER:PWRK$DEFINE_COMMANDS.COM command procedure.
The syntax for the ELFREAD command is:
ELFREAD [-o] [-d] event-type
Use the optional parameters to control the ELFREAD output as described in Table 6-4, ELFREAD Command Options.
|Desired Output||Parameters to Use|
|Records in chronological order||-o|
The event log file specified:
You can display the event logs and, when necessary, clear the event logs. The Alerter service sends you a message advising you when an event log becomes 80% or more full. When an event file is full, no additional event logging will take place until the event file is cleared. Before clearing an event file, you should save it to a backup file for future reference. The maximum size of an event file is specified by server configuration parameters in the OpenVMS Registry. The server parameter controlling the event log file size is stored in the key associated with each event log and is called MaxSize. (See Appendix A, Server Configuration Parameters, for more information.)
Before changing the value of this parameter (or before restarting the server, once you have changed the parameter), you should rename or delete the current event log file to which the parameter applies. Table 6-2, Event Log Files, lists the event log file names.
When an event log becomes full, you can save and clear the event log:
To save an event log, use the SAVE EVENTS command. The event log is stored, using the file name and location that you specify in the command line. For example, to save the Security event log to the file SEVENTS.BKP, enter the following command:
LANDOFOZ\\TINMAN> SAVE EVENTS SEVENTS.BKP/TYPE=SECURITY %PWRK-S-ELFSAVE, Security Event Log from server "TINMAN" saved LANDOFOZ\\TINMAN>
If you do not specify a path as part of the file name, the event file is created in the PWRK$LMLOGS: directory. You can save the event log file of a remote HP OpenVMS Advanced Server by specifying the server name with the /SERVER qualifier, as in the following example:
LANDOFOZ\\TINMAN> SAVE EVENTS SYSTEM.BKP/TYPE=SYSTEM/SERVER=DOROTHY %PWRK-S-ELFSAVE, System Event Log from server "DOROTHY" saved
This saves the system event log file of server DOROTHY to the file PWRK$LMLOGS:SYSTEM.BKP on server DOROTHY.
You can display the saved event file by using the ADMINISTER SHOW
EVENTS /TYPE command, specifying the event file name and location and
the types of events to be viewed. See Section 220.127.116.11.1, Displaying Events When the Advanced Server Is Running.
18.104.22.168.2 Clearing an Event Log
LANDOFOZ\\TINMAN> CLEAR EVENTS/TYPE=SECURITY Clear the Security Event Log [YES or NO] (YES) : YES %PWRK-S-ELFCLEARED, Security Event Log on server "TINMAN" cleared
If you do not specify the event log type, the default is to clear the
system event log.
22.214.171.124 Auditing Security Events Domainwide
The Advanced Server can track selected activities of users by auditing security events and then placing entries in a server's security log. You must enable auditing in order for the server to record security events. By default, auditing is not enabled.
To enable auditing, you must use the SET AUDIT POLICY command, as documented in Section 126.96.36.199.1, Enabling Security Event Auditing. You can use the command to establish an audit policy for the entire domain. (The command affects the security logs of the domain controller and of all server domain controllers in the domain: they all share the same audit policy. Member servers maintain their own auditing policy.) You can select any of several types of security events to be logged in the domain. For example, you can log:
You can select whether successful or unsuccessful attempts at specific operations are to generate event messages.
LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT %PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"
To disable auditing on the domain, use the SET AUDIT POLICY command
with the /NOAUDIT qualifier.
188.8.131.52 Establishing the Audit Policy
The SET AUDIT POLICY command lets you specify event results for which auditing is enabled, including both successful and failed attempts to perform certain functions. Include the /SUCCESS qualifier to specify successful completion of operations, and the /FAILURE qualifier to specify failed operations.
The following list shows the events you can specify:
For more information about using the SET AUDIT POLICY command, refer to
the HP Advanced Server for OpenVMS Commands Reference Manual or the ADMINISTER command interface online help.
184.108.40.206.1 Example: Setting the Audit Policy
LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/FAILURE=(LOGONOFF) %PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" LANDOFOZ\\TINMAN>
LANDOFOZ\\TINMAN> SHOW AUDIT POLICY Audit Policy for domain "LANDOFOZ": Auditing is currently Enabled. Audit Event states: Audit Event Success Failure ------------------ -------- -------- ACCESS Disabled Disabled ACCOUNT_MANAGEMENT Disabled Disabled LOGONOFF Disabled Enabled POLICY_CHANGE Disabled Disabled PROCESS Disabled Disabled SYSTEM Disabled Disabled USER_RIGHTS Disabled Disabled LANDOFOZ\\TINMAN>
You can set and display the audit trail for a specific file or directory using the SET FILE and SHOW FILE commands.
The following list shows the types of operations you can audit for files and directories:
For more information about using the SET FILE command, refer to the HP Advanced Server for OpenVMS Commands Reference Manual or the ADMINISTER command interface online help.
For example, to set auditing of operations on the user file SIMIANS.DAT, enter the following command:
LANDOFOZ\\TINMAN> SET FILE \WITCH\MKEY\SIMIANS.DAT- _LANDOFOZ\\TINMAN>/AUDIT=(SUCCESS=ALL,FAILURE=ALL) %PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified %PWRK-S-FILESMODIFIED, total of 1 file modified LANDOFOZ\\TINMAN>
LANDOFOZ\\TINMAN> SHOW FILES \WITCH\MKEY\SIMIANS.DAT/AUDIT \\TINMAN \WITCH\MKEY\SIMIANS.DAT SIMIANS.DAT Audit Events: Success Failure LION RWXDPO RWXDPO Total of 1 file LANDOFOZ\\TINMAN>
Table 6-5, Log File Names, lists the log files kept in the PWRK$LOGS and PWRK$LMLOGS areas. In each case, nodename refers to the name of the server node.
|Log File Name||Message Type|
|NETBIOS_ nodename.LOG||NetBIOS protocol over DECnet|
|NETBIOS_ERROR.LOG||NetBIOS protocol over DECnet error|
|NETBIOS_OUTPUT.LOG||NetBIOS protocol over DECnet output|
|PWRK$CONFIG_INFO_ nodename.LOG||Configuration information|
|PWRK$CONFIG_ERROR_ nodename.LOG||Configuration errors|
|PWRK$KNBDAEMON_ nodename.LOG||NetBIOS protocol over TCP/IP|
|PWRK$LICENSE_R_ nodename.LOG||License Registrar|
|PWRK$LICENSE_REGISTRAR_ nodename.LOG||License Registrar|
|PWRK$LICENSE_S_ nodename.LOG||License Server|
|PWRK$LICENSE_SERVER_ nodename.LOG||License Server|
|PWRK$MASTER_ nodename.LOG||Master process (process start and shutdown)|
|PWRK$NBDAEMON_ nodename.LOG||NetBIOS protocol over NetBEUI|
|PWRK$ADMIN_ n _ nodename .LOG||Remote task command|
|PWRK$LMMCP_ nodename. LOG||Master control process|
|PWRK$LMSRV_ nodename.LOG||File server process|
You can use any ASCII text editor to look at log files, so long as the log files are not open (that is, in use by the Advanced Server). Even if open, most log files can be read using the TYPE command. A convenient way to view the end of most log files is to include the /TAIL and /PAGE qualifiers with the TYPE command, as in the following example, where nodename is the name of the server node:
$ TYPE/TAIL=50/PAGE PWRK$LMLOGS:PWRK$LMSRV_nodename.LOG
The log files record messages that have occurred during server operation. Not all the messages in the log need your attention. Many messages are caused by communication problems from which the server recovers automatically. If the server fails to recover from a problem, log files can provide you with information about the cause of the problem.
You can examine messages recorded in any log file. Each line in a log file provides information about logged entries, including a date and time stamp. For example, the PWRK$LMSRV_nodename.LOG file might contain information about cache exhaustion conditions.
To examine log files that are in use, use the OpenVMS DCL command BACKUP/IGNORE=INTERLOCK to back them up to a text file, as in the following example:
$ BACKUP/IGNORE=INTERLOCK PWRK$LOGS:NETBIOS_DOROTHY.LOG; - _$ PWRK$LOGS:NETBIOS_DOROTHY.TXT
The Advanced Server provides its own common event log for recording events that cannot be recorded in the System, Security, or Application event logs. These events include process startup and shutdown, autoshare errors, problems caused by underlying OpenVMS errors (such as disk quota exceeded), and failed attempts to connect because of licensing problems.
To view output or to purge the EVTLOG.DAT file, enter the following command:
Table 6-6, Event Logger Command Qualifiers, lists the qualifiers you can use with the ADMINISTER/ANALYZE command.
|/AFTER= dd-mmm-yy hh:mm:ss.cc||Restricts the report or the purge operation to events after the specified time.|
|/BEFORE= dd-mmm-yy hh:mm:ss.cc||Restricts the report or the purge operation to events before the specified time.|
Filters the logged events that are written to the report or purged from
the EVTLOG.DAT file. The available classes are:
|/FULL or /BRIEF||The /FULL qualifier generates a report that includes all information logged for each event. The /BRIEF qualifier outputs only the event header and is the default.|
Specifies the name of the event log file. The default file is:
|/OUTPUT= report_file||Specifies the name of the output file you want the report written to. The default output is written to SYS$OUTPUT.|
|/PID= pid||Specifies the process ID whose events you want to display.|
Purges entries from the EVTLOG.DAT file on the local server.
If you use the /PURGE qualifier without other qualifiers, all
entries are purged and EVTLOG.DAT file is empty. You can use /PURGE
with other qualifiers to specify which entries you want to purge. For
example, to purge all events in the EVTLOG.DAT file on the server that
are classed as ERROR and written to the file before October 1, 2000,
enter the following command:
Filters the logged events that are written to the report or purged from
the EVTLOG.DAT file. The available sources are:
Example 6-1, ADMINISTER/ANALYZE Command and Display, shows a sample report from the Event logger generated by the following command executed on the server TINMAN.
|Example 6-1 ADMINISTER/ANALYZE Command and Display|
$ ADMINISTER/ANALYZE/INPUT=EVTLOG.DAT :::::::::: PATHWORKS Error Log Report :::::::::: DATE: 25-OCT-2000 15:52:06.88 ================= EVENT #1 ================== Event Time: 18-OCT-2000 17:14:09.04 Node: TINMAN Process Id: 000001DB Event: Master Process starting Event Source: Master Process Event Class: Audit Process Id: 000001DB(X) ================= EVENT #2 ================== Event Time: 18-OCT-2000 17:14:19.57 Node: TINMAN Process Id: 000001DB Event: NetBEUI Daemon process starting Event Source: Master Process Event Class: Audit Process Id: 000002DE(X) ================= EVENT #3 ================== Event Time: 18-OCT-2000 17:14:23.26 Node: TINMAN Process Id: 000001DB Event: NetBEUI Daemon process shutting down Event Source: Master Process Event Class: Audit Process Id: 000002DE(X) Status: SYSTEM-S-NORMAL, normal successful completion ================= EVENT #4 ================== Event Time: 18-OCT-2000 17:14:29.04 Node: TINMAN Process Id: 000001DB Event: NetBIOS transport process starting Event Source: Master Process Event Class: Audit Process Id: 00000262(X) ================= EVENT #5 ================== Event Time: 18-OCT-2000 17:14:37.19 Node: TINMAN Process Id: 000001DB Event: LANman Controller process starting Event Source: Master Process Event Class: Audit Process Id: 00000282(X) ================= EVENT #6 ================== Event Time: 18-OCT-2000 17:14:50.93 Node: TINMAN Process Id: 000001DB Event: License Registrar process starting Event Source: Master Process Event Class: Audit Process Id: 000002D1(X) . . . ================= EVENT #19 ================== Event Time: 19-OCT-2000 09:23:34.63 Node: TINMAN Process Id: 000003DE Event: No license for client - access denied Event Source: LAN Manager Server Event Class: Warning Client: PCGURU . . . =============== EVENT #25 =================== Event Time: 19-OCT-2000 10:38:11.85 Node: TINMAN Process Id: 555749340 Event: Unexpected System Error Encountered Event Source: PATHWORKS Printing Services Event Class: Error