Compaq Advanced Server for OpenVMS
Server Administrator's Guide



6.1.3.1 Displaying Events

You can display events recorded in the event log file in either of the following ways:

These methods are described below.

6.1.3.1.1 Displaying Events When the Advanced Server Is Running

The following example shows how to display events while the Advanced Server is running, using the SHOW EVENTS command. Use the /TYPE qualifier to specify one of the types of events, as follows: SYSTEM (default), SECURITY, or APPLICATION. In this example, the SHOW EVENTS command displays the system events.


LANDOFOZ\\TINMAN> SHOW EVENTS 
T Date     Time        Source    Category    Event  User    Computer 
- -------- ----------- -------   ----------- -----  ----    ----------- 
I 08/26/98 11:49:56 AM SYSTEM    None        528    N/A     TINMAN 
W 08/27/98 12:07:01 PM Eventlog  None        603    N/A     TINMAN 
I 08/27/98 12:15:31 PM Print     None        604    N/A     TINMAN 
W 08/27/98 12:46:31 PM BROWSER   None        605    N/A     TINMAN 
Total of 4 events 
 
LANDOFOZ\\TINMAN> 

You can display detailed information for each event, as generated by the application that was the source of the event record, by specifying the SHOW EVENTS/FULL command. The details might include additional information such as the domain and system names. Not all sources or events generate event details. The following example shows a portion of the data that might be displayed with the SHOW EVENTS/FULL command:


E 06/17/00 12:13:50 PM NETLOGON  None            5513   N/A        TINMAN 
NET5513:   The computer DOROTHY tried to connect to the server TINMAN using 
 the trust relationship established by the LANDOFOZ domain. However, the 
 computer lost the correct security identifier (SID) 
 when the domain was reconfigured. Reestablish the trust 
 relationship. 
 
E 06/17/00 12:13:48 PM NETLOGON  None            5513   N/A        TINMAN 
NET5513:   The computer DOROTHY tried to connect to the server TINMAN using 
 the trust relationship established by the LANDOFOZ domain. However, the 
 computer lost the correct security identifier (SID) 
 when the domain was reconfigured. Reestablish the trust 
 relationship. 
 
E 06/17/00 12:13:48 PM NETLOGON  None            5513   N/A TINMAN 
NET5513:   The computer DOROTHY tried to connect to the server TINMAN using 
 the trust relationship established by the LANDOFOZ domain. However, 
 the computer lost the correct security identifier (SID) 
 when the domain was reconfigured. Reestablish the trust 
 relationship. 
   .
   .
   .

6.1.3.1.2 Displaying Events When the Advanced Server Is Not Running

To display events when the Advanced Server is not running, use the ELFREAD utility. The ELFREAD utility allows you to display records in the event file in the following ways:

You can view records in brief (default) or detail format.

The ELFREAD command is defined as part of the Advanced Server command set in the SYS$STARTUP:PWRK$DEFINE_COMMANDS.COM command procedure.

The syntax for the ELFREAD command is:

ELFREAD [-o] [-d] event-type

Use the optional parameters to control the ELFREAD output as described in Table 6-4, ELFREAD Command Options.

Table 6-4 ELFREAD Command Options
To display...                   Include:
------------------------------  --------
Records in chronological order  -o
Detail records                  -d
event-type                      The event log file specified, one of the following:
                                  • SYSTEM
                                  • SECURITY
                                  • APPLICATION

6.1.3.2 Saving and Clearing the Event Logs

You can display the event logs and, when necessary, clear the event logs. The Alerter service sends you a message advising you when an event log becomes 80% or more full. When an event file is full, no additional event logging will take place until the event file is cleared. Before clearing an event file, you should save it to a backup file for future reference. The maximum size of an event file is specified by server configuration parameters in the OpenVMS Registry. The server parameter controlling the event log file size is stored in the key associated with each event log and is called MaxSize. (See Appendix A, Server Configuration Parameters, for more information.)

Note

Before changing the value of this parameter (or before restarting the server, once you have changed the parameter), you should rename or delete the current event log file to which the parameter applies. Table 6-2, Event Log Files lists the event log file names.

When an event log becomes full, you can save and clear the event log:

6.1.3.2.1 Saving an Event Log

To save an event log, use the SAVE EVENTS command. The event log is stored, using the file name and location that you specify in the command line. For example, to save the Security event log to the file SEVENTS.BKP, enter the following command:


LANDOFOZ\\TINMAN> SAVE EVENTS SEVENTS.BKP/TYPE=SECURITY 
%PWRK-S-ELFSAVE, Security Event Log from server "TINMAN" saved 
 
LANDOFOZ\\TINMAN> 

If you do not specify a path as part of the file name, the event file is created in the PWRK$LMLOGS: directory. You can save the event log file of a remote Advanced Server by specifying the server name with the /SERVER qualifier, as in the following example:


LANDOFOZ\\TINMAN> SAVE EVENTS SYSTEM.BKP/TYPE=SYSTEM/SERVER=DOROTHY 
%PWRK-S-ELFSAVE, System Event Log from server "DOROTHY" saved 

This saves the system event log file of server DOROTHY to the file PWRK$LMLOGS:SYSTEM.BKP on server DOROTHY.

You can display the saved event file by using the ADMINISTER SHOW EVENTS /TYPE command, specifying the event file name and location and the types of events to be viewed. See Section 6.1.3.1.1, Displaying Events When the Advanced Server Is Running.

6.1.3.2.2 Clearing an Event Log

To clear an event log, enter the CLEAR EVENTS command. The specified event log entries are deleted. For example:


LANDOFOZ\\TINMAN> CLEAR EVENTS/TYPE=SECURITY 
Clear the Security Event Log [YES or NO] (YES) : YES 
%PWRK-S-ELFCLEARED, Security Event Log on server "TINMAN" cleared 

If you do not specify the event log type, the default is to clear the system event log.

6.1.3.3 Auditing Security Events Domain-Wide

The Advanced Server can track selected activities of users by auditing security events and then placing entries in a server's security log. You must enable auditing in order for the server to record security events. By default, auditing is not enabled.

To enable auditing, you must use the SET AUDIT POLICY command, as documented in Section 6.1.3.3.1, Enabling Security Event Auditing. You can use the command to establish an audit policy for the entire domain. (The command affects the security logs of the domain controller and of all server domain controllers in the domain: they all share the same audit policy. Member servers maintain their own auditing policy.) You can select any of several types of security events to be logged in the domain. For example, you can log:

You can select whether successful or unsuccessful attempts at specific operations are to generate event messages.

For more information on setting an auditing policy, see Section 6.1.3.4, Establishing the Audit Policy.

6.1.3.3.1 Enabling Security Event Auditing

To enable auditing on the server, use the SET AUDIT POLICY command with the /AUDIT qualifier. For example:


LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT 
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" 

6.1.3.3.2 Disabling Auditing

To disable auditing on the domain, use the SET AUDIT POLICY command with the /NOAUDIT qualifier.

6.1.3.4 Establishing the Audit Policy

The audit policy defines the types of events to be included in the Security event log. You can change the audit policy for the domain using the SET AUDIT POLICY command.

The SET AUDIT POLICY command lets you specify event results for which auditing is enabled, including both successful and failed attempts to perform certain functions. Include the /SUCCESS qualifier to specify successful completion of operations, and the /FAILURE qualifier to specify failed operations.

The following list shows the events you can specify:

For more information about using the SET AUDIT POLICY command, refer to the Compaq Advanced Server for OpenVMS Commands Reference Manual or the ADMINISTER command interface online help.

6.1.3.4.1 Example: Setting the Audit Policy

The following example shows how to use the SET AUDIT POLICY command to log all failures of logon and logoff attempts:


LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/FAILURE=(LOGONOFF) 
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" 
 
LANDOFOZ\\TINMAN> 

6.1.3.5 Displaying the Audit Policy

To display the audit policy, enter the SHOW AUDIT POLICY command. This displays the audit policy currently established for the server. For example:


LANDOFOZ\\TINMAN> SHOW AUDIT POLICY 
 
Audit Policy for domain "LANDOFOZ": 
 
Auditing is currently Enabled. 
 
Audit Event states: 
 
Audit Event         Success   Failure 
------------------  --------  -------- 
ACCESS              Disabled  Disabled 
ACCOUNT_MANAGEMENT  Disabled  Disabled 
LOGONOFF            Disabled  Enabled 
POLICY_CHANGE       Disabled  Disabled 
PROCESS             Disabled  Disabled 
SYSTEM              Disabled  Disabled 
USER_RIGHTS         Disabled  Disabled 
 
LANDOFOZ\\TINMAN> 
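
The display above can be checked against a required audit baseline automatically. The following Python sketch is an added example, not part of the Advanced Server software or its documentation: it parses a captured SHOW AUDIT POLICY display and lists the baseline requirements the policy does not meet. The BASELINE contents, the function names, and the "Disabled" wording of the status line are assumptions.

```python
import re

# Constructed sample: the SHOW AUDIT POLICY display shown in this section.
DISPLAY = """\
Audit Policy for domain "LANDOFOZ":

Auditing is currently Enabled.

Audit Event states:

Audit Event         Success   Failure
------------------  --------  --------
ACCESS              Disabled  Disabled
ACCOUNT_MANAGEMENT  Disabled  Disabled
LOGONOFF            Disabled  Enabled
POLICY_CHANGE       Disabled  Disabled
PROCESS             Disabled  Disabled
SYSTEM              Disabled  Disabled
USER_RIGHTS         Disabled  Disabled
"""

# Hypothetical site baseline (an assumption, not a vendor recommendation):
# outcomes that must be audited for each event category.
BASELINE = {
    "LOGONOFF": ("Failure",),
    "ACCOUNT_MANAGEMENT": ("Success", "Failure"),
    "POLICY_CHANGE": ("Success", "Failure"),
}

DOMAIN = re.compile(r'Audit Policy for domain "([^"]+)":')
# "Disabled" in the status line is assumed by symmetry; the page shows "Enabled".
STATUS = re.compile(r"Auditing is currently (Enabled|Disabled)\.")
ROW = re.compile(r"^([A-Z_]+)[ \t]+(Enabled|Disabled)[ \t]+(Enabled|Disabled)[ \t]*$", re.M)

def parse_audit_policy(text):
    """Return (domain, auditing_on, {event: {"Success": bool, "Failure": bool}})."""
    domain, status = DOMAIN.search(text), STATUS.search(text)
    rows = ROW.findall(text)
    if not (domain and status and rows):
        raise ValueError("not a SHOW AUDIT POLICY display")
    states = {name: {"Success": s == "Enabled", "Failure": f == "Enabled"}
              for name, s, f in rows}
    return domain.group(1), status.group(1) == "Enabled", states

def policy_gaps(text, baseline=BASELINE):
    """List baseline requirements the displayed policy does not meet."""
    domain, auditing_on, states = parse_audit_policy(text)
    gaps = [] if auditing_on else ["auditing is disabled for " + domain]
    for event, outcomes in baseline.items():
        for outcome in outcomes:
            # A category missing from the display counts as not audited.
            if not states.get(event, {}).get(outcome, False):
                gaps.append(f"{event}: {outcome} not audited")
    return gaps
```

With the display above, only the LOGONOFF failure requirement is met; the four ACCOUNT_MANAGEMENT and POLICY_CHANGE requirements are reported as gaps.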

6.1.3.6 Setting and Displaying Security Event Auditing for Files and Directories

You can set and display the audit trail for a specific file or directory using the SET FILE and SHOW FILE commands.

Use the SET FILE command with the /AUDIT qualifier to specify the events to audit.

The following list shows the types of operations you can audit for files and directories:

For more information about using the SET FILE command, refer to the Compaq Advanced Server for OpenVMS Commands Reference Manual or the ADMINISTER command interface online help.

For example, to set auditing of operations on the user file SIMIANS.DAT, enter the following command:


LANDOFOZ\\TINMAN> SET FILE \WITCH\MKEY\SIMIANS.DAT- 
_LANDOFOZ\\TINMAN>/AUDIT=(SUCCESS=ALL,FAILURE=ALL) 
%PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified 
%PWRK-S-FILESMODIFIED, total of 1 file modified 
 
LANDOFOZ\\TINMAN> 

6.1.3.6.1 Example: Displaying the Audit Settings for a File

The following example shows how to display the audit settings for a file, using the SHOW FILES /AUDIT command:


LANDOFOZ\\TINMAN> SHOW FILES \WITCH\MKEY\SIMIANS.DAT/AUDIT 
\\TINMAN \WITCH\MKEY\SIMIANS.DAT 
    SIMIANS.DAT 
        Audit Events:                   Success         Failure 
           LION                         RWXDPO          RWXDPO 
 
Total of 1 file 
 
LANDOFOZ\\TINMAN> 

6.1.4 Advanced Server Log Files

The Advanced Server records several types of messages in log files in the following locations:

Table 6-5, Log File Names, lists the log files kept in the PWRK$LOGS and PWRK$LMLOGS areas. In each case, nodename refers to the name of the server node.

Table 6-5 Log File Names
Log File Name                        Message Type
-----------------------------------  ------------
In PWRK$LOGS:
NETBIOS_nodename.LOG                 NetBIOS protocol over DECnet
NETBIOS_ERROR.LOG                    NetBIOS protocol over DECnet error
NETBIOS_OUTPUT.LOG                   NetBIOS protocol over DECnet output
PWRK$CONFIG_INFO_nodename.LOG        Configuration information
PWRK$CONFIG_ERROR_nodename.LOG       Configuration errors
PWRK$KNBDAEMON_nodename.LOG          NetBIOS protocol over TCP/IP
PWRK$LICENSE_R_nodename.LOG          License Registrar
PWRK$LICENSE_REGISTRAR_nodename.LOG  License Registrar
PWRK$LICENSE_S_nodename.LOG          License Server
PWRK$LICENSE_SERVER_nodename.LOG     License Server
PWRK$MASTER_nodename.LOG             Master process (process start and shutdown)
PWRK$NBDAEMON_nodename.LOG           NetBIOS protocol over NetBEUI
In PWRK$LMLOGS:
PWRK$ADMIN_n_nodename.LOG            Remote task command
PWRK$LMMCP_nodename.LOG              Master control process
PWRK$LMSRV_nodename.LOG              File server process
PWRK$LMBROWSER_nodename.LOG          Browser
PWRK$UPGRADE.LOG                     Upgrade utility

6.1.4.1 Displaying Log Files

You can use any ASCII text editor to look at log files, so long as the log files are not open (that is, in use by the Advanced Server). Even if open, most log files can be read using the TYPE command. A convenient way to view the end of most log files is to include the /TAIL and /PAGE qualifiers with the TYPE command, as in the following example, where nodename is the name of the server node:


$ TYPE/TAIL=50/PAGE PWRK$LMLOGS:PWRK$LMSRV_nodename.LOG 

The log files record messages that have occurred during server operation. Not all the messages in the log need your attention. Many messages are caused by communication problems from which the server recovers automatically. If the server fails to recover from a problem, log files can provide you with information about the cause of the problem.

You can examine messages recorded in any log file. Each line in a log file provides information about logged entries, including a date and time stamp. For example, the PWRK$LMSRV_nodename.LOG file might contain information about cache exhaustion conditions.

To examine log files that are in use, use the OpenVMS DCL command BACKUP/IGNORE=INTERLOCK to back them up to a text file, as in the following example:


$ BACKUP/IGNORE=INTERLOCK PWRK$LOGS:NETBIOS_DOROTHY.LOG;- 
_$ PWRK$LOGS:NETBIOS_DOROTHY.TXT 

6.1.4.2 The Advanced Server Common Event Log

The Advanced Server provides its own common event log for recording events that cannot be recorded in the System, Security, or Application event logs. These events include process startup and shutdown, autoshare errors, problems caused by underlying OpenVMS errors (such as disk quota exceeded), and failed attempts to connect because of licensing problems.

The Advanced Server provides the ADMIN/ANALYZE utility for viewing events in Advanced Server common event log files. The events are logged in the file PWRK$COMMON:EVTLOG.DAT on each server.

To view output or to purge the EVTLOG.DAT file, enter the following command:


$ ADMINISTER/ANALYZE 

Table 6-6, Event Logger Command Qualifiers, lists the qualifiers you can use with the ADMINISTER/ANALYZE command.

Table 6-6 Event Logger Command Qualifiers
Qualifier Description
/AFTER=dd-mmm-yy hh:mm:ss.cc Restricts the report or the purge operation to events after the specified time.
/BEFORE=dd-mmm-yy hh:mm:ss.cc Restricts the report or the purge operation to events before the specified time.
/CLASS=event_class Filters the logged events that are written to the report or purged from the EVTLOG.DAT file. The available classes are:
  • ALL: all events; the default
  • ERROR: events that affect server operation, but are not necessarily fatal
  • WARNING: events that do not directly affect server operation; informational
/FULL or /BRIEF The /FULL qualifier generates a report that includes all information logged for each event. The /BRIEF qualifier outputs only the event header and is the default.
/INPUT=event_log_file Specifies the name of the event log file. The default file is:
SYS$SYSDEVICE:[PWRK$ROOT]EVTLOG.DAT
/OUTPUT=report_file Specifies the name of the output file you want the report written to. The default output is written to SYS$OUTPUT.
/PID=pid Specifies the process ID whose events you want to display.
/PURGE Purges entries from the EVTLOG.DAT file on the local server.

If you use the /PURGE qualifier without other qualifiers, all entries are purged and the EVTLOG.DAT file is empty. You can use /PURGE with other qualifiers to specify which entries you want to purge. For example, to purge all events in the EVTLOG.DAT file on the server that are classed as ERROR and written to the file before October 1, 2000, enter the following command:

$ ADMIN/ANALYZE/PURGE/CLASS=ERROR/BEFORE=01-OCT-2000

/SOURCE=event_source Filters the logged events that are written to the report or purged from the EVTLOG.DAT file. The available sources are:
  • ALL: includes events from all sources; this is the default
  • COMMON_SERVICES: events originating from common components, such as the PATHWORKS lock manager and PATHWORKS file system
  • LAN_MANAGER: events originating from LAN Manager
  • LICENSE_MANAGER: events originating from the license management utility
  • MANAGEMENT: events originating from the Monitor process or Configurator
  • MASTER_PROCESS: events originating from the master process, PWRK$MASTER
  • TRANSPORT: events originating from any of the transports
Example 6-1, ADMINISTER/ANALYZE Command and Display, shows a sample report from the Event logger generated by the following command executed on the server TINMAN.

Example 6-1 ADMINISTER/ANALYZE Command and Display

$ ADMINISTER/ANALYZE/INPUT=EVTLOG.DAT 
 
  :::::::::: PATHWORKS Error Log Report :::::::::: 
           DATE: 25-OCT-2000 15:52:06.88 
 
   ================= EVENT #1 ================== 
 
Event Time:   18-OCT-2000 17:14:09.04       Node:  TINMAN 
Process Id:   000001DB 
Event:        Master Process starting 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   000001DB(X) 
 
 
   ================= EVENT #2 ================== 
 
Event Time:   18-OCT-2000 17:14:19.57       Node:  TINMAN 
Process Id:   000001DB 
Event:        NetBEUI Daemon process starting 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   000002DE(X) 
 
 
   ================= EVENT #3 ================== 
 
Event Time:   18-OCT-2000 17:14:23.26       Node:  TINMAN 
Process Id:   000001DB 
Event:        NetBEUI Daemon process shutting down 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   000002DE(X) 
      Status:       SYSTEM-S-NORMAL, normal successful completion 
 
   ================= EVENT #4 ================== 
 
Event Time:   18-OCT-2000 17:14:29.04       Node:  TINMAN 
Process Id:   000001DB 
Event:        NetBIOS transport process starting 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   00000262(X) 
 
 
   ================= EVENT #5 ================== 
 
Event Time:   18-OCT-2000 17:14:37.19       Node:  TINMAN 
Process Id:   000001DB 
Event:        LANman Controller process starting 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   00000282(X) 
 
 
   ================= EVENT #6 ================== 
 
Event Time:   18-OCT-2000 17:14:50.93       Node:  TINMAN 
Process Id:   000001DB 
Event:        License Registrar process starting 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   000002D1(X) 
 
 
                  . 
                  . 
                  . 
 
   ================= EVENT #19 ================== 
 
Event Time:   19-OCT-2000 09:23:34.63       Node:  TINMAN 
Process Id:   000003DE 
Event:        No license for client - access denied 
Event Source: LAN Manager Server 
Event Class:  Warning 
 
      Client:   PCGURU 
 
                  . 
                  . 
                  . 
 
=============== EVENT #25 =================== 
 
Event Time:  19-OCT-2000 10:38:11.85       Node:  TINMAN 
Process Id:  555749340 
Event:        Unexpected System Error Encountered 
Event Source: PATHWORKS Printing Services 
Event Class:  Error 
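
A brief report like Example 6-1 written to a file with /OUTPUT can be triaged with a short script. The following Python sketch is an added example, not part of the Advanced Server software or its documentation: it splits the report into event records and returns the records whose class is not Audit. The function names and the choice of Audit as the routine class are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: three records from Example 6-1, blank lines removed.
REPORT = """\
   ================= EVENT #3 ==================
Event Time:   18-OCT-2000 17:14:23.26       Node:  TINMAN
Process Id:   000001DB
Event:        NetBEUI Daemon process shutting down
Event Source: Master Process
Event Class:  Audit
      Process Id:   000002DE(X)
      Status:       SYSTEM-S-NORMAL, normal successful completion
   ================= EVENT #19 ==================
Event Time:   19-OCT-2000 09:23:34.63       Node:  TINMAN
Process Id:   000003DE
Event:        No license for client - access denied
Event Source: LAN Manager Server
Event Class:  Warning
      Client:   PCGURU
=============== EVENT #25 ===================
Event Time:  19-OCT-2000 10:38:11.85       Node:  TINMAN
Process Id:  555749340
Event:        Unexpected System Error Encountered
Event Source: PATHWORKS Printing Services
Event Class:  Error
"""

BANNER = re.compile(r"^\s*=+ EVENT #(\d+) =+\s*$", re.M)

def parse_report(text):
    """Split a brief report into one dict per event record."""
    parts = BANNER.split(text)            # [preamble, n, body, n, body, ...]
    events = []
    for number, body in zip(parts[1::2], parts[2::2]):
        ev = {"Number": int(number), "Details": {}}
        for line in body.splitlines():
            key, sep, value = line.partition(":")
            if not sep:                   # blank line or "." elision marker
                continue
            # Indented lines are event-specific details, not header fields.
            target = ev["Details"] if line[0].isspace() else ev
            target[key.strip()] = value.strip()
        stamp, _, node = ev.pop("Event Time").partition("Node:")
        ev["Time"] = datetime.strptime(stamp.strip(), "%d-%b-%Y %H:%M:%S.%f")
        ev["Node"] = node.strip()
        events.append(ev)
    return events

def needs_review(events, routine=("Audit",)):
    """Return (number, class, event text, details) for non-routine classes."""
    return [(e["Number"], e["Event Class"], e["Event"], e["Details"])
            for e in events if e["Event Class"] not in routine]
```

The indented Process Id line in a record is stored under Details, so it does not overwrite the logging process's own Process Id header field.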
 

Example 6-2, ADMINISTER/ANALYZE/FULL Command and Display, shows a portion of the more detailed report generated when you use the /FULL qualifier.

Example 6-2 ADMINISTER/ANALYZE/FULL Command and Display

$ ADMINISTER/ANALYZE/FULL/INPUT=EVTLOG.DAT 
 
  :::::::::: PATHWORKS Error Log Report :::::::::: 
           DATE: 25-OCT-2000 15:52:06.88 
 
================= EVENT #1 ================== 
 
Event Time:   18-OCT-2000 17:14:09.04       Node:  TINMAN 
Process Id:  555749340 
Event:        PATHWORKS Lock Database is 90% full 
Event Source: Common Services PLM 
Event Class:  Warning 
 
0x00000032     Total Database Resources:   50 
0x0000002D     Current Resources in Use:   45 
0x00000019       Currently open Streams:   25 
0x00000017       Currently unique Opens:   23 
0x00000004      Currently Locked Ranges:   4 
 
Decode information unavailable (Hex. output): 
0x62426141 
0x64446343 
0x66466545 
0x68486747 
0x00006949 
   .
   .
   .

