Advanced Server provides several ways for you to determine the specific cause of a server problem and to implement a solution.
This chapter describes the procedures you can use to monitor events and troubleshoot problems, including:
Advanced Server lets you monitor server events as they happen and capture
events in log files. The following sections describe the tools you can
use to monitor and evaluate server events.
6.1.1 ADMINISTER Commands
Advanced Server ADMINISTER commands let you display information about current server activity and status, as well as recorded events and error messages. In addition, you can use ADMINISTER commands to modify items in the server database to correct certain types of problems.
For example, the SHOW SESSIONS command displays current client sessions. To remove a session that is no longer being used, enter the CLOSE SESSION command.
Refer to the procedures described in Section 6.2.2, The Problem Analysis Process, for information
about ADMINISTER commands you can use to help solve certain types of
server problems.
6.1.2 Automatic Alerts
Advanced Server includes an Alerter service that sends automatic alert messages to specified clients and users when:
The Alerter service can also tell you when certain events occur, as specified by the data associated with the Alerter server configuration parameters in the OpenVMS Registry. You control when the Alerter service sends messages for these events by modifying the data for the appropriate value in the OpenVMS Registry, as described in Section 7.2, Managing Server Configuration Parameters.
Table 6-1, Alerter Configuration Parameters, lists the server configuration parameters you can modify to control the way the Alerter service works.
To specify... | Use this Value | Default Data |
---|---|---|
The total number of errors that can occur before the server sends an alert message. You can set the value for this keyword to any positive integer. | ErrorAlert | 5 |
The total number of incorrect password attempts that can occur before the server sends an alert message. You can set the value for this keyword to any positive integer. | LogonAlert | 5 |
The total number of resource access violations that can occur before the server sends an alert message. You can set the value for this keyword to any positive integer. | AccessAlert | 5 |
The Alerter service runs automatically when the server starts, if the Alerter service is included in the data associated with the ServerServices server parameter in the OpenVMS Registry. The Alerter service is included in the initial configuration by default. To disable the Alerter service, remove the Alerter name from the list of data for the ServerServices value. See Section 2.3.3, Managing Services, for more information about services.
You can specify that Advanced Server users and clients are to receive alert messages. Include the names of these users and clients in the data field for the AlertNames value in OpenVMS Registry. See Appendix A, Server Configuration Parameters, for more information about OpenVMS Registry values and data.
Client workstations must be running the Messenger service to receive alert messages. The Messenger service does not run on the OpenVMS system; therefore, users logged on from OpenVMS processes will not receive alert messages.
In the Advanced Server, an event is any significant occurrence in the system or in an application that requires user notification. For events that do not require immediate attention, the Advanced Server adds data to an event log file. This event logging service starts automatically every time you start the Advanced Server.
Event logs can provide valuable information about server activities. In addition to system operation event logging, you can:
You may select from several event types and, for each, whether successful or unsuccessful attempts at specific operations are to generate event messages.
Event messages are stored in event files in PWRK$LMROOT:[LANMAN.LOGS]. Each event type is maintained in a separate event log file, as shown in Table 6-2, Event Log Files.
Event Type | Event Log File Name | Description |
---|---|---|
Application events | APPEVENT.EVT | Application event messages are generated by applications. For example, distributed common object module (DCOM) applications may store messages in the application event log. |
Security events | SECEVENT.EVT | Event messages are generated based on the audit policy specified for the server, including files or directories. (For more information, see Section 6.1.3.3, Enabling Auditing.) |
System events | SYSEVENT.EVT | System event messages are generated by server components. |
Table 6-3, Information in Event Files, lists the information shown in each line in an event file.
Item | Meaning |
---|---|
Source | The server component that logged the message. |
Category | Classification of the message. |
Message ID | Unique number for the message. |
User | The user account name for the user who was logged on and working when the message was logged. N/A indicates that the entry does not specify a user. |
Computer | The name of the computer where the message was generated. |
You can display events recorded in the event log file in either of the following ways:
These methods are described below.
To display events when the Advanced Server is running:
Use the SHOW EVENTS command. Use the /TYPE qualifier to specify one of the types of events, as follows: SYSTEM (default), SECURITY, or APPLICATION. For example, to display System events, enter the following command:
```
LANDOFOZ\\TINMAN> SHOW EVENTS

T Date     Time        Source   Category    Event User Computer
- -------- ----------- -------  ----------- ----- ---- -----------
I 08/26/98 11:49:56 AM SYSTEM   None        528   N/A  TINMAN
W 08/27/98 12:07:01 PM Eventlog None        603   N/A  TINMAN
I 08/27/98 12:15:31 PM Print    None        604   N/A  TINMAN
W 08/27/98 12:46:31 PM BROWSER  None        605   N/A  TINMAN

Total of 4 events

LANDOFOZ\\TINMAN>
```
To display events when the Advanced Server is not running:
Use the ELFREAD utility. The ELFREAD utility allows you to display records in the event file in the following ways:
You can view records in brief (default) or detail format.
The ELFREAD command is defined as part of the Advanced Server command set in the SYS$STARTUP:PWRK$DEFINE_COMMANDS.COM command procedure.
The syntax for the ELFREAD command is:
ELFREAD [-o] [-d] event-type
Use the optional parameters to control the ELFREAD output as described in Table 6-4, ELFREAD Command Options.
To display... | Include: |
---|---|
Records in chronological order | -o |
Detail records | -d |
event-type | The event log file specified, one of the following: |
You can display the event logs and, when necessary, clear the event log. The Alerter service sends you a message advising you when the event log becomes 80% or more full. When the event file is full, no additional event logging will take place until the event file is cleared. Before clearing the event file, you should save it to a backup file for future reference. The maximum size of an event file is specified by server configuration parameters in the OpenVMS Registry. The server parameter controlling the event log file size is stored in the key associated with each event log and is called MaxSize. (See Appendix A, Server Configuration Parameters, for more information.)
When an event log becomes full, you can save and clear the event log.
The default location of the event log is PWRK$LMROOT:[LANMAN.LOGS].
Use the SAVE EVENTS command. The current event log is stored using the file name and location that you specify in the command line. For example, to save the Security event log to the file SEVENTS.BKP, enter the following command:
```
LANDOFOZ\\TINMAN> SAVE EVENTS SEVENTS.BKP/TYPE=SECURITY
%PWRK-S-ELFSAVE, Security Event Log from server "TINMAN" saved

LANDOFOZ\\TINMAN>
```
If you do not specify a path as part of the file name, the event file is created in the PWRK$LMLOGS: directory.
Enter the CLEAR EVENTS command. The current Security event log messages are deleted. For example:
```
LANDOFOZ\\TINMAN> CLEAR EVENTS/TYPE=SECURITY
Clear the Security Event Log [YES or NO] (YES) : YES
%PWRK-S-ELFCLEARED, Security Event Log on server "TINMAN" cleared
```
If you do not specify the event log type, the default is to save and
clear the SYSTEM event log.
6.1.3.3 Enabling Auditing
By default, auditing is not enabled. You must enable auditing in order for the server to record security events.
To enable auditing on the server:
Use the SET AUDIT POLICY command with the /AUDIT qualifier. For example:
```
LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"
```
Use the SET AUDIT POLICY command with the /NOAUDIT qualifier.
Enter the SHOW AUDIT POLICY command. This displays the audit policy currently established for the server. For example:
```
LANDOFOZ\\TINMAN> SHOW AUDIT POLICY

Audit Policy for domain "LANDOFOZ":

Auditing is currently Enabled.

Audit Event states:

Audit Event         Success   Failure
------------------  --------  --------
ACCESS              Disabled  Disabled
ACCOUNT_MANAGEMENT  Disabled  Disabled
LOGONOFF            Disabled  Enabled
POLICY_CHANGE       Disabled  Disabled
PROCESS             Disabled  Disabled
SYSTEM              Disabled  Disabled
USER_RIGHTS         Disabled  Disabled

LANDOFOZ\\TINMAN>
```
The audit policy defines the types of events to be included in the Security event log. You can change the audit policy for the server using the SET AUDIT POLICY command.
The SET AUDIT POLICY command lets you specify event results for which auditing is enabled, including both successful and failed attempts to perform certain functions. Include the /SUCCESS qualifier to specify successful completion of operations, and the /FAILURE qualifier to specify failed operations.
The following list shows the events you can specify.
For more information about using the SET AUDIT POLICY command, refer to Advanced Server for OpenVMS Commands Reference Manual.
Use the SET AUDIT POLICY command. For example, to log all failures of logon and logoff attempts, use the SET AUDIT POLICY command with the /AUDIT/FAILURE=(LOGONOFF) qualifiers, as shown in the following example:
```
LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/FAILURE=(LOGONOFF)
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"

LANDOFOZ\\TINMAN>
```
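Because the Security event log records only what the audit policy enables, it is worth checking the displayed policy against what you expect to be logged. The following is an added example, not part of the original manual: it parses text captured from SHOW AUDIT POLICY and lists the gaps against a baseline. The `BASELINE` contents and the function names are hypothetical, and the sample text is constructed from the display shown above.

```python
import re

# Constructed capture of SHOW AUDIT POLICY output, using the states shown above.
SAMPLE_POLICY = """\
Audit Policy for domain "LANDOFOZ":
Auditing is currently Enabled.
Audit Event states:
Audit Event         Success   Failure
------------------  --------  --------
ACCESS              Disabled  Disabled
ACCOUNT_MANAGEMENT  Disabled  Disabled
LOGONOFF            Disabled  Enabled
POLICY_CHANGE       Disabled  Disabled
PROCESS             Disabled  Disabled
SYSTEM              Disabled  Disabled
USER_RIGHTS         Disabled  Disabled
"""

# Hypothetical site baseline: the results that must be audited for each event.
BASELINE = {
    "LOGONOFF": {"Failure"},
    "ACCOUNT_MANAGEMENT": {"Success", "Failure"},
    "POLICY_CHANGE": {"Success", "Failure"},
}

ROW = re.compile(r"\b([A-Z_]+)\s+(Enabled|Disabled)\s+(Enabled|Disabled)\b")
STATE = re.compile(r"Auditing is currently (Enabled|Disabled)")

def parse_policy(text):
    """Return (auditing_on, {event: set of audited results})."""
    state = STATE.search(text)
    if state is None:
        raise ValueError("text is not SHOW AUDIT POLICY output")
    policy = {}
    for event, success, failure in ROW.findall(text):
        flags = (("Success", success), ("Failure", failure))
        policy[event] = {name for name, value in flags if value == "Enabled"}
    return state.group(1) == "Enabled", policy

def policy_gaps(text, baseline=BASELINE):
    """List every baseline requirement the displayed policy does not meet."""
    auditing_on, policy = parse_policy(text)
    gaps = []
    if not auditing_on:
        # Per-event states have no effect while auditing as a whole is off.
        gaps.append("auditing is disabled: no security events are recorded")
    for event, required in sorted(baseline.items()):
        for result in sorted(required - policy.get(event, set())):
            gaps.append(f"{event}: {result} not audited")
    return gaps

if __name__ == "__main__":
    print("\n".join(policy_gaps(SAMPLE_POLICY)) or "policy meets baseline")
```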
You can set and display the audit trail for a specific file or directory using the SET FILE and SHOW FILE commands.
Use the SET FILE command with the /AUDIT qualifier to specify the events to audit.
The following list shows the types of operations you can audit for files and directories:
For more information about using the SET FILE command, refer to Advanced Server for OpenVMS Commands Reference Manual.
For example, to set auditing of operations on the user file SIMIANS.DAT, enter the following command:
```
LANDOFOZ\\TINMAN> SET FILE \WITCH\MKEY\SIMIANS.DAT-
_LANDOFOZ\\TINMAN>/AUDIT=(SUCCESS=ALL,FAILURE=ALL)
%PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified
%PWRK-S-FILESMODIFIED, total of 1 file modified

LANDOFOZ\\TINMAN>
```
To display the audit settings for a file:
Use the SHOW FILES /AUDIT command. For example:
```
LANDOFOZ\\TINMAN> SHOW FILES \WITCH\MKEY\SIMIANS.DAT/AUDIT

\\TINMAN \WITCH\MKEY\SIMIANS.DAT

LANMAN.INI
  Audit Events:  Success  Failure
  LION           RWXDPO   RWXDPO
  Owner: Administrator

Total of 1 file

LANDOFOZ\\TINMAN>
```
The Advanced Server records several types of messages in log files in the following locations:
Table 6-5, Log File Names, lists the log files kept in the PWRK$LOGS and PWRK$LMLOGS areas.
Log File Name | Message Type |
---|---|
In PWRK$LOGS: | |
NETBIOS_nodename.LOG | NetBIOS protocol over DECnet |
NETBIOS_ERROR.LOG | NetBIOS protocol over DECnet error |
NETBIOS_OUTPUT.LOG | NetBIOS protocol over DECnet output |
PWRK$CONFIG_INFO_nodename.LOG | Configuration information |
PWRK$CONFIG_ERROR_nodename.LOG | Configuration errors |
PWRK$KNBDAEMON_nodename.LOG | NetBIOS protocol over TCP/IP |
PWRK$LICENSE_R_nodename.LOG | License registrar |
PWRK$LICENSE_REGISTRAR_nodename.LOG | License registrar |
PWRK$LICENSE_S_nodename.LOG | License server |
PWRK$LICENSE_SERVER_nodename.LOG | License server |
PWRK$MASTER_nodename.LOG | Master process (process start and shutdown) |
PWRK$MONITOR_nodename.LOG | Monitor process |
PWRK$NBDAEMON_nodename.LOG | NetBIOS protocol over NetBEUI |
In PWRK$LMLOGS: | |
PWRK$ADMIN_n_nodename.LOG | Remote task command |
PWRK$LMDMN_nodename.LOG | LAN Manager daemon |
PWRK$LMMCP_nodename.LOG | Master control process |
PWRK$LMSRV_nodename.LOG | File server process |
PWRK$LMBROWSER_nodename.LOG | Browser |
PWRK$UPGRADE.LOG | Upgrade utility |
You can use any ASCII text editor to look at log files, so long as the log files are not open (that is, in use).
The log files store records of the messages that have occurred during server operation. Not all the messages in the log need your attention. Many messages are caused by communication problems from which the server recovers automatically. If the server fails to recover from a problem, log files can provide you with information about the cause of the problem.
You can examine messages recorded in any log file. Each line in a log
file provides information about logged entries, including a date and
time stamp. For example, the PWRK$LMSRV_nodename.LOG file
provides information about cache exhaustion messages.
6.1.4.2 Using the Event Logger to View Event Log Files
The Advanced Server provides the ADMIN/ANALYZE utility for viewing events in log files. The events are logged in the file PWRK$COMMON:EVTLOG.DAT on each server.
To view output or to purge the EVTLOG.DAT file, enter the following command:
```
$ ADMINISTRATE/ANALYZE
```
Table 6-6, Event Logger Command Qualifiers, lists the qualifiers you can use with the ADMINISTRATE/ANALYZE command.
Qualifier | Description |
---|---|
/AFTER=dd-mmm-yy hh:mm:ss.cc | Restricts the report or the purge operation to events after the specified time. |
/BEFORE=dd-mmm-yy hh:mm:ss.cc | Restricts the report or the purge operation to events before the specified time. |
/CLASS=event_class | Filters the logged events that are written to the report or purged from the EVTLOG.DAT file. The available classes are: |
/FULL or /BRIEF | The /FULL qualifier generates a report that includes all information logged for each event. The /BRIEF qualifier outputs only the event header and is the default. |
/INPUT=event_log_file | Specifies the name of the event log file. The default file is: SYS$SYSDEVICE:[PWRK$ROOT]EVTLOG.DAT |
/OUTPUT=report_file | Specifies the name of the output file you want the report written to. The default output is written to SYS$DEVICE. |
/PID=pid | Specifies the process ID whose events you want to display. |
/PURGE=server | Purges entries from the EVTLOG.DAT file on the specified server. If no server is specified, entries in the current file are purged. If you use the /PURGE qualifier without other qualifiers, all entries are purged and the EVTLOG.DAT file is left empty. You can use /PURGE with other qualifiers to specify which entries you want to purge. For example, to purge all events in the EVTLOG.DAT file on server TINMAN that are classed as ERROR and written to the file before November 1, 1997, enter the following command: $ ADMINISTRATE/ANALYZE/PURGE=TINMAN/CLASS=ERROR/BEFORE=01-NOV-1997 |
/SOURCE=event_source | Filters the logged events that are written to the report or purged from the EVTLOG.DAT file. The available sources are: |
Example 6-1, ADMINISTRATE/ANALYZE Command and Display, shows a sample report from the Event logger generated by the following command executed on the server TINMAN.
Example 6-1 ADMINISTRATE/ANALYZE Command and Display
```
$ ADMINISTRATE/ANALYZE/INPUT=EVTLOG.DAT/OUTPUT=EVTLOG_RPT.TXT

:::::::::: PATHWORKS Error Log Report ::::::::::
DATE: 25-OCT-1998 15:52:06.88

================= EVENT #1 ==================
Event Time: 18-OCT-1998 17:14:09.04
Node: TINMAN
Process Id: 000001DB
Event: Master Process starting
Event Source: Master Process
Event Class: Audit
Process Id: 000001DB(X)

================= EVENT #2 ==================
Event Time: 18-OCT-1998 17:14:19.57
Node: TINMAN
Process Id: 000001DB
Event: NetBEUI Daemon process starting
Event Source: Master Process
Event Class: Audit
Process Id: 000002DE(X)

================= EVENT #3 ==================
Event Time: 18-OCT-1998 17:14:23.26
Node: TINMAN
Process Id: 000001DB
Event: NetBEUI Daemon process shutting down
Event Source: Master Process
Event Class: Audit
Process Id: 000002DE(X)
Status: SYSTEM-S-NORMAL, normal successful completion

================= EVENT #4 ==================
Event Time: 18-OCT-1998 17:14:29.04
Node: TINMAN
Process Id: 000001DB
Event: NetBIOS transport process starting
Event Source: Master Process
Event Class: Audit
Process Id: 00000262(X)

================= EVENT #5 ==================
Event Time: 18-OCT-1998 17:14:37.19
Node: TINMAN
Process Id: 000001DB
Event: LANman Controller process starting
Event Source: Master Process
Event Class: Audit
Process Id: 00000282(X)

================= EVENT #6 ==================
Event Time: 18-OCT-1998 17:14:50.93
Node: TINMAN
Process Id: 000001DB
Event: License Registrar process starting
Event Source: Master Process
Event Class: Audit
Process Id: 000002D1(X)
.
.
.
================= EVENT #19 ==================
Event Time: 19-OCT-1998 09:23:34.63
Node: TINMAN
Process Id: 000003DE
Event: No license for client - access denied
Event Source: LAN Manager Server
Event Class: Warning
Client: PCGURU
.
.
.
=============== EVENT #25 ===================
Event Time: 19-OCT-1998 10:38:11.85
Node: TINMAN
Process Id: 555749340
Event: Unexpected System Error Encountered
Event Source: PATHWORKS Printing Services
Event Class: Error
```
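A report like Example 6-1 is mostly routine Audit-class startup records, so a first pass usually means pulling out the Warning and Error events. The following is an added example, not part of the original manual: it parses the report text by field label and returns the events to review. The function names and the "Subject Process Id" key are assumptions, and the sample report is constructed from values in Example 6-1.

```python
import re
from collections import Counter

# Constructed sample in the style of Example 6-1 (values taken from that example).
SAMPLE_REPORT = """\
:::::::::: PATHWORKS Error Log Report ::::::::::
DATE: 25-OCT-1998 15:52:06.88
================= EVENT #1 ==================
Event Time: 18-OCT-1998 17:14:09.04 Node: TINMAN
Process Id: 000001DB Event: Master Process starting
Event Source: Master Process Event Class: Audit
Process Id: 000001DB(X)
================= EVENT #19 ==================
Event Time: 19-OCT-1998 09:23:34.63 Node: TINMAN
Process Id: 000003DE Event: No license for client - access denied
Event Source: LAN Manager Server Event Class: Warning
Client: PCGURU
=============== EVENT #25 ===================
Event Time: 19-OCT-1998 10:38:11.85 Node: TINMAN
Process Id: 555749340 Event: Unexpected System Error Encountered
Event Source: PATHWORKS Printing Services Event Class: Error
"""

EVENT_HEADER = re.compile(r"=+ EVENT #(\d+) =+")
# Longest labels first so "Event Time" is not read as "Event".
LABEL = re.compile(
    r"\b(Event Time|Event Source|Event Class|Process Id|Event|Node|Client|Status):")

def parse_report(text):
    """Split a report into one dict per event, keyed by field label."""
    parts = EVENT_HEADER.split(text)[1:]        # [number, body, number, body, ...]
    events = []
    for number, body in zip(parts[0::2], parts[1::2]):
        fields = {"Number": int(number)}
        tokens = LABEL.split(body)[1:]          # [label, value, label, value, ...]
        for label, value in zip(tokens[0::2], tokens[1::2]):
            # A second "Process Id" in one event gets its own key (assumed here
            # to be the process the event is about, not the one that logged it).
            key = label if label not in fields else "Subject " + label
            fields[key] = " ".join(value.split())
        events.append(fields)
    return events

def needs_review(events, classes=("Warning", "Error")):
    """Events whose class calls for a closer look than routine Audit records."""
    return [e for e in events if e.get("Event Class") in classes]

def summarize(events):
    """Count events per (source, class) to show where problems cluster."""
    return Counter((e.get("Event Source"), e.get("Event Class")) for e in events)

if __name__ == "__main__":
    for e in needs_review(parse_report(SAMPLE_REPORT)):
        print(e["Number"], e["Event Time"], e["Event Class"], e["Event"], e.get("Client", ""))
```

Because fields are located by label rather than by line position, the parser gives the same result whether the report has one field per line or several.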