Advanced Server for OpenVMS
Server Administrator's Guide




Chapter 6
Monitoring Events and Troubleshooting

Advanced Server provides several ways for you to determine the specific cause of a server problem and to implement a solution.

This chapter describes the procedures you can use to monitor events and troubleshoot problems, including:

6.1 Monitoring Server Events

Advanced Server lets you monitor server events as they happen and capture events in log files. The following sections describe the tools you can use to monitor and evaluate server events.

6.1.1 ADMINISTER Commands

Advanced Server ADMINISTER commands let you display information about current server activity and status, as well as recorded events and error messages. In addition, you can use ADMINISTER commands to modify items in the server database to correct certain types of problems.

For example, the SHOW SESSIONS command displays current client sessions. To remove a session that is no longer being used, enter the CLOSE SESSION command.

Refer to the procedures described in Section 6.2.2, The Problem Analysis Process, for information about ADMINISTER commands you can use to help solve certain types of server problems.

6.1.2 Automatic Alerts

Advanced Server includes an Alerter service that sends automatic alert messages to specified clients and users when:

The Alerter service can also tell you when certain events occur, as specified by the data associated with the Alerter server configuration parameters in the OpenVMS Registry. You control when the Alerter service sends messages for these events by modifying the data for the appropriate value in the OpenVMS Registry, as described in Section 7.2, Managing Server Configuration Parameters.

Table 6-1, Alerter Configuration Parameters, lists the server configuration parameters you can modify to control the way the Alerter service works.

Table 6-1 Alerter Configuration Parameters

| To specify... | Use this Value | Default Data |
| --- | --- | --- |
| The total number of errors that can occur before the server sends an alert message. You can set the value for this keyword to any positive integer. | ErrorAlert | 5 |
| The total number of incorrect password attempts that can occur before the server sends an alert message. You can set the value for this keyword to any positive integer. | LogonAlert | 5 |
| The total number of resource access violations that can occur before the server sends an alert message. You can set the value for this keyword to any positive integer. | AccessAlert | 5 |

The Alerter service runs automatically when the server starts, if the Alerter service is included in the data associated with the ServerServices server parameter in the OpenVMS Registry. The Alerter service is included in the initial configuration by default. To disable the Alerter service, remove the Alerter name from the list of data for the ServerServices value. See Section 2.3.3, Managing Services, for more information about services.

You can specify which Advanced Server users and clients are to receive alert messages. Include the names of these users and clients in the data field for the AlertNames value in the OpenVMS Registry. See Appendix A, Server Configuration Parameters, for more information about OpenVMS Registry values and data.

Note

Client workstations must be running the Messenger service to receive alert messages. The Messenger service does not run on the OpenVMS system; therefore, users logged on from OpenVMS processes will not receive alert messages.

6.1.3 Event Logging

In the Advanced Server, an event is any significant occurrence in the system or in an application that requires user notification. For events that do not require immediate attention, the Advanced Server adds data to an event log file. This event logging service starts automatically every time you start the Advanced Server.

Event logs can provide valuable information about server activities. In addition to system operation event logging, you can:

  1. Establish an audit policy for event types on the server
  2. Set auditing for directories or files

You may select from several event types and, for each, specify whether successful or unsuccessful attempts at specific operations are to generate event messages.

Event messages are stored in event files in PWRK$LMROOT:[LANMAN.LOGS]. Each event type is maintained in a separate event log file, as shown in Table 6-2, Event Log Files.

Table 6-2 Event Log Files

| Event Type | Event Log File Name | Description |
| --- | --- | --- |
| Application events | APPEVENT.EVT | Application event messages are generated by applications. For example, distributed common object module (DCOM) applications may store messages in the application event log. |
| Security events | SECEVENT.EVT | Event messages are generated based on the audit policy specified for the server, including files or directories. (For more information, see Section 6.1.3.3, Enabling Auditing.) |
| System events | SYSEVENT.EVT | System event messages are generated by server components. |

Table 6-3, Information in Event Files, lists the information shown in each line in an event file.

Table 6-3 Information in Event Files

| Item | Meaning |
| --- | --- |
| Source | The server component that logged the message. |
| Category | Classification of the message. |
| Message ID | Unique number for the message. |
| User | The user account name for the user who was logged on and working when the message was logged. N/A indicates that the entry does not specify a user. |
| Computer | The name of the computer where the message was generated. |

6.1.3.1 Displaying Events

You can display events recorded in the event log file in either of the following ways:

These methods are described below.

To display events when the Advanced Server is running:

Use the SHOW EVENTS command. Use the /TYPE qualifier to specify one of the types of events, as follows: SYSTEM (default), SECURITY, or APPLICATION. For example, to display System events, enter the following command:


LANDOFOZ\\TINMAN> SHOW EVENTS 
T Date     Time        Source    Category    Event  User    Computer 
- -------- ----------- -------   ----------- -----  ----    ----------- 
I 08/26/98 11:49:56 AM SYSTEM    None        528    N/A     TINMAN 
W 08/27/98 12:07:01 PM Eventlog  None        603    N/A     TINMAN 
I 08/27/98 12:15:31 PM Print     None        604    N/A     TINMAN 
W 08/27/98 12:46:31 PM BROWSER   None        605    N/A     TINMAN 
Total of 4 events 
 
LANDOFOZ\\TINMAN> 

To display events when the Advanced Server is not running:

Use the ELFREAD utility. The ELFREAD utility allows you to display records in the event file in the following ways:

You can view records in brief (default) or detail format.

The ELFREAD command is defined as part of the Advanced Server command set in the SYS$STARTUP:PWRK$DEFINE_COMMANDS.COM command procedure.

The syntax for the ELFREAD command is:

ELFREAD [-o] [-d] event-type

Use the optional parameters to control the ELFREAD output as described in Table 6-4, ELFREAD Command Options.

Table 6-4 ELFREAD Command Options

| To display... | Include: |
| --- | --- |
| Records in chronological order | -o |
| Detail records | -d |
| The event log file specified, one of the following: SYSTEM, SECURITY, APPLICATION | event-type |

6.1.3.2 Saving and Clearing the Event Logs

You can display the event logs and, when necessary, clear the event log. The Alerter service sends you a message advising you when the event log becomes 80% or more full. When the event file is full, no additional event logging will take place until the event file is cleared. Before clearing the event file, you should save it to a backup file for future reference. The maximum size of an event file is specified by server configuration parameters in the OpenVMS Registry. The server parameter controlling the event log file size is stored in the key associated with each event log and is called MaxSize. (See Appendix A, Server Configuration Parameters, for more information.)

When an event log becomes full, you can save and clear the event log.

The default location of the event log is PWRK$LMROOT:[LANMAN.LOGS].

To save the event log:

Use the SAVE EVENTS command. The current event log is stored using the file name and location that you specify in the command line. For example, to save the Security event log to the file SEVENTS.BKP, enter the following command:


LANDOFOZ\\TINMAN> SAVE EVENTS SEVENTS.BKP/TYPE=SECURITY 
%PWRK-S-ELFSAVE, Security Event Log from server "TINMAN" saved 
 
LANDOFOZ\\TINMAN> 

If you do not specify a path as part of the file name, the event file is created in the PWRK$LMLOGS: directory.

To clear the event log:

Enter the CLEAR EVENTS command. For example, the following command deletes the current Security event log messages:


LANDOFOZ\\TINMAN> CLEAR EVENTS/TYPE=SECURITY 
Clear the Security Event Log [YES or NO] (YES) : YES 
%PWRK-S-ELFCLEARED, Security Event Log on server "TINMAN" cleared 

If you do not specify the event log type, the default is to save and clear the SYSTEM event log.

6.1.3.3 Enabling Auditing

By default, auditing is not enabled. You must enable auditing in order for the server to record security events.

To enable auditing on the server:

Use the SET AUDIT POLICY command with the /AUDIT qualifier. For example:


LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT 
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" 

To disable auditing:

Use the SET AUDIT POLICY command with the /NOAUDIT qualifier.

To display the audit policy:

Enter the SHOW AUDIT POLICY command. This displays the audit policy currently established for the server. For example:


LANDOFOZ\\TINMAN> SHOW AUDIT POLICY 
 
Audit Policy for domain "LANDOFOZ": 
 
Auditing is currently Enabled. 
 
Audit Event states: 
 
Audit Event         Success   Failure 
------------------  --------  -------- 
ACCESS              Disabled  Disabled 
ACCOUNT_MANAGEMENT  Disabled  Disabled 
LOGONOFF            Disabled  Enabled 
POLICY_CHANGE       Disabled  Disabled 
PROCESS             Disabled  Disabled 
SYSTEM              Disabled  Disabled 
USER_RIGHTS         Disabled  Disabled 
 
LANDOFOZ\\TINMAN> 
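
An added example (not part of the original guide or of Advanced Server itself): a Python check that reads a captured SHOW AUDIT POLICY display and lists the event results that a site baseline requires but the server is not recording. The `BASELINE` contents and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the SHOW AUDIT POLICY display shown above.
DISPLAY = """\
Audit Policy for domain "LANDOFOZ":

Auditing is currently Enabled.

Audit Event states:

Audit Event         Success   Failure
------------------  --------  --------
ACCESS              Disabled  Disabled
ACCOUNT_MANAGEMENT  Disabled  Disabled
LOGONOFF            Disabled  Enabled
POLICY_CHANGE       Disabled  Disabled
PROCESS             Disabled  Disabled
SYSTEM              Disabled  Disabled
USER_RIGHTS         Disabled  Disabled
"""

# Hypothetical site baseline (an assumption, not a vendor recommendation).
BASELINE = {
    "LOGONOFF": {"failure"},
    "ACCESS": {"failure"},
    "POLICY_CHANGE": {"success", "failure"},
}

GLOBAL = re.compile(r"^Auditing is currently (Enabled|Disabled)\.")
ROW = re.compile(r"^([A-Z_]+)\s+(Enabled|Disabled)\s+(Enabled|Disabled)\s*$")

def parse_audit_policy(text):
    """Return (auditing_on, {event: {"success": bool, "failure": bool}})."""
    auditing_on, states = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := GLOBAL.match(line)):
            auditing_on = m.group(1) == "Enabled"
        elif (m := ROW.match(line)):
            states[m.group(1)] = {"success": m.group(2) == "Enabled",
                                  "failure": m.group(3) == "Enabled"}
    if auditing_on is None or not states:
        raise ValueError("not a SHOW AUDIT POLICY display")
    return auditing_on, states

def policy_gaps(text, baseline=BASELINE):
    """List (event, result) pairs the baseline requires but the server does not record."""
    auditing_on, states = parse_audit_policy(text)
    return sorted(
        (event, result)
        for event, results in baseline.items()
        for result in results
        # With auditing off globally, per-event settings record nothing.
        if not (auditing_on and states.get(event, {}).get(result, False))
    )
```

For the display above, the only baseline item already covered is LOGONOFF failure; a display that reports auditing as Disabled yields every baseline item as a gap, whatever the per-event rows say.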

6.1.3.4 Establishing the Audit Policy

The audit policy defines the types of events to be included in the Security event log. You can change the audit policy for the server using the SET AUDIT POLICY command.

The SET AUDIT POLICY command lets you specify event results for which auditing is enabled, including both successful and failed attempts to perform certain functions. Include the /SUCCESS qualifier to specify successful completion of operations, and the /FAILURE qualifier to specify failed operations.

The following list shows the events you can specify.

For more information about using the SET AUDIT POLICY command, refer to the Advanced Server for OpenVMS Commands Reference Manual.

To set the audit policy:

Use the SET AUDIT POLICY command. For example, to log all failures of logon and logoff attempts, use the SET AUDIT POLICY command with the /AUDIT/FAILURE=(LOGONOFF) qualifiers, as shown in the following example:


LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/FAILURE=(LOGONOFF) 
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" 
 
LANDOFOZ\\TINMAN> 

6.1.3.5 Setting and Displaying Auditing for Files and Directories

You can set and display the audit trail for a specific file or directory using the SET FILE and SHOW FILE commands.

Use the SET FILE command with the /AUDIT qualifier to specify the events to audit.

The following list shows the types of operations you can audit for files and directories:

For more information about using the SET FILE command, refer to the Advanced Server for OpenVMS Commands Reference Manual.

For example, to set auditing of operations on the user file SIMIANS.DAT, enter the following command:


LANDOFOZ\\TINMAN> SET FILE \WITCH\MKEY\SIMIANS.DAT- 
_LANDOFOZ\\TINMAN>/AUDIT=(SUCCESS=ALL,FAILURE=ALL) 
%PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified 
%PWRK-S-FILESMODIFIED, total of 1 file modified 
 
LANDOFOZ\\TINMAN> 

To display the audit settings for a file:

Use the SHOW FILES /AUDIT command. For example:


LANDOFOZ\\TINMAN> SHOW FILES \WITCH\MKEY\SIMIANS.DAT/AUDIT 
\\TINMAN \WITCH\MKEY\SIMIANS.DAT 
    LANMAN.INI 
        Audit Events:                   Success         Failure 
           LION                         RWXDPO          RWXDPO 
  Owner: Administrator 
 
Total of 1 file 
 
LANDOFOZ\\TINMAN> 

6.1.4 Advanced Server Log Files

The Advanced Server records several types of messages in log files in the following locations:

Table 6-5, Log File Names, lists the log files kept in the PWRK$LOGS and PWRK$LMLOGS areas.

Table 6-5 Log File Names

| Log File Name | Message Type |
| --- | --- |
| In PWRK$LOGS: | |
| NETBIOS_nodename.LOG | NetBIOS protocol over DECnet |
| NETBIOS_ERROR.LOG | NetBIOS protocol over DECnet error |
| NETBIOS_OUTPUT.LOG | NetBIOS protocol over DECnet output |
| PWRK$CONFIG_INFO_nodename.LOG | Configuration information |
| PWRK$CONFIG_ERROR_nodename.LOG | Configuration errors |
| PWRK$KNBDAEMON_nodename.LOG | NetBIOS protocol over TCP/IP |
| PWRK$LICENSE_R_nodename.LOG | License registrar |
| PWRK$LICENSE_REGISTRAR_nodename.LOG | License registrar |
| PWRK$LICENSE_S_nodename.LOG | License server |
| PWRK$LICENSE_SERVER_nodename.LOG | License server |
| PWRK$MASTER_nodename.LOG | Master process (process start and shutdown) |
| PWRK$MONITOR_nodename.LOG | Monitor process |
| PWRK$NBDAEMON_nodename.LOG | NetBIOS protocol over NetBEUI |
| In PWRK$LMLOGS: | |
| PWRK$ADMIN_n_nodename.LOG | Remote task command |
| PWRK$LMDMN_nodename.LOG | LAN Manager daemon |
| PWRK$LMMCP_nodename.LOG | Master control process |
| PWRK$LMSRV_nodename.LOG | File server process |
| PWRK$LMBROWSER_nodename.LOG | Browser |
| PWRK$UPGRADE.LOG | Upgrade utility |

6.1.4.1 Displaying Log Files

You can use any ASCII text editor to look at log files, so long as the log files are not open (that is, in use).

The log files store records of the messages that have occurred during server operation. Not all the messages in the log need your attention. Many messages are caused by communication problems from which the server recovers automatically. If the server fails to recover from a problem, log files can provide you with information about the cause of the problem.

You can examine messages recorded in any log file. Each line in a log file provides information about logged entries, including a date and time stamp. For example, the PWRK$LMSRV_nodename.LOG file provides information about cache exhaustion messages.

6.1.4.2 Using the Event Logger to View Event Log Files

The Advanced Server provides the ADMIN/ANALYZE utility for viewing events in log files. The events are logged in the file PWRK$COMMON:EVTLOG.DAT on each server.

To view output or to purge the EVTLOG.DAT file, enter the following command:


$ ADMINISTRATE/ANALYZE 

Table 6-6, Event Logger Command Qualifiers, lists the qualifiers you can use with the ADMINISTRATE/ANALYZE command.

Table 6-6 Event Logger Command Qualifiers

| Qualifier | Description |
| --- | --- |
| /AFTER=dd-mmm-yy hh:mm:ss.cc | Restricts the report or the purge operation to events after the specified time. |
| /BEFORE=dd-mmm-yy hh:mm:ss.cc | Restricts the report or the purge operation to events before the specified time. |
| /CLASS=event_class | Filters the logged events that are written to the report or purged from the EVTLOG.DAT file. The available classes are ALL (all events; the default), ERROR (events that affect server operation, but are not necessarily fatal), and WARNING (events that do not directly affect server operation; informational). |
| /FULL or /BRIEF | The /FULL qualifier generates a report that includes all information logged for each event. The /BRIEF qualifier outputs only the event header and is the default. |
| /INPUT=event_log_file | Specifies the name of the event log file. The default file is SYS$SYSDEVICE:[PWRK$ROOT]EVTLOG.DAT |
| /OUTPUT=report_file | Specifies the name of the output file you want the report written to. The default output is written to SYS$DEVICE. |
| /PID=pid | Specifies the process ID whose events you want to display. |
| /PURGE=server | Purges entries from the EVTLOG.DAT file on the specified server. If no server is specified, entries in the current file are purged. |
| /SOURCE=event_source | Filters the logged events that are written to the report or purged from the EVTLOG.DAT file. The available sources are ALL (includes events from all sources; this is the default), COMMON_SERVICES (events originating from common components, such as the PATHWORKS lock manager and PATHWORKS file system), LAN_MANAGER (events originating from LAN Manager), LICENSE_MANAGER (events originating from the license management utility), MANAGEMENT (events originating from the Monitor process or Configurator), MASTER_PROCESS (events originating from the master process, PWRK$MASTER), and TRANSPORT (events originating from any of the transports). |

If you use the /PURGE qualifier without other qualifiers, all entries are purged and the EVTLOG.DAT file is empty. You can use /PURGE with other qualifiers to specify which entries you want to purge. For example, to purge all events in the EVTLOG.DAT file on server TINMAN that are classed as ERROR and written to the file before November 1, 1997, enter the following command:

$ ADMINISTRATE/ANALYZE/PURGE=TINMAN/CLASS=ERROR/BEFORE=01-NOV-1997
Example 6-1, ADMINISTRATE/ANALYZE Command and Display, shows a sample report from the Event logger generated by the following command executed on the server TINMAN.

Example 6-1 ADMINISTRATE/ANALYZE Command and Display

$ ADMINISTRATE/ANALYZE/INPUT=EVTLOG.DAT/OUTPUT=EVTLOG_RPT.TXT 
 
  :::::::::: PATHWORKS Error Log Report :::::::::: 
           DATE: 25-OCT-1998 15:52:06.88 
 
   ================= EVENT #1 ================== 
 
Event Time:   18-OCT-1998 17:14:09.04       Node:  TINMAN 
Process Id:   000001DB 
Event:        Master Process starting 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   000001DB(X) 
 
 
   ================= EVENT #2 ================== 
 
Event Time:   18-OCT-1998 17:14:19.57       Node:  TINMAN 
Process Id:   000001DB 
Event:        NetBEUI Daemon process starting 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   000002DE(X) 
 
 
   ================= EVENT #3 ================== 
 
Event Time:   18-OCT-1998 17:14:23.26       Node:  TINMAN 
Process Id:   000001DB 
Event:        NetBEUI Daemon process shutting down 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   000002DE(X) 
      Status:       SYSTEM-S-NORMAL, normal successful completion 
 
   ================= EVENT #4 ================== 
 
Event Time:   18-OCT-1998 17:14:29.04       Node:  TINMAN 
Process Id:   000001DB 
Event:        NetBIOS transport process starting 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   00000262(X) 
 
 
   ================= EVENT #5 ================== 
 
Event Time:   18-OCT-1998 17:14:37.19       Node:  TINMAN 
Process Id:   000001DB 
Event:        LANman Controller process starting 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   00000282(X) 
 
 
   ================= EVENT #6 ================== 
 
Event Time:   18-OCT-1998 17:14:50.93       Node:  TINMAN 
Process Id:   000001DB 
Event:        License Registrar process starting 
Event Source: Master Process 
Event Class:  Audit 
 
      Process Id:   000002D1(X) 
 
 
                  . 
                  . 
                  . 
 
   ================= EVENT #19 ================== 
 
Event Time:   19-OCT-1998 09:23:34.63       Node:  TINMAN 
Process Id:   000003DE 
Event:        No license for client - access denied 
Event Source: LAN Manager Server 
Event Class:  Warning 
 
      Client:   PCGURU 
 
                  . 
                  . 
                  . 
 
=============== EVENT #25 =================== 
 
Event Time:  19-OCT-1998 10:38:11.85       Node:  TINMAN 
Process Id:  555749340 
Event:        Unexpected System Error Encountered 
Event Source: PATHWORKS Printing Services 
Event Class:  Error 
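
An added example (not from the original guide or the product): a Python parser for the text report that ADMINISTRATE/ANALYZE writes, used here to pull out the Warning and Error events for review. The function names are assumptions, and the embedded report is a constructed sample copied from Example 6-1.

```python
import re
from datetime import datetime

# Constructed sample: three events copied from the Example 6-1 report text.
REPORT = """\
   ================= EVENT #1 ==================
Event Time:   18-OCT-1998 17:14:09.04       Node:  TINMAN
Process Id:   000001DB
Event:        Master Process starting
Event Source: Master Process
Event Class:  Audit

      Process Id:   000001DB(X)

   ================= EVENT #19 ==================
Event Time:   19-OCT-1998 09:23:34.63       Node:  TINMAN
Process Id:   000003DE
Event:        No license for client - access denied
Event Source: LAN Manager Server
Event Class:  Warning

      Client:   PCGURU

=============== EVENT #25 ===================
Event Time:  19-OCT-1998 10:38:11.85       Node:  TINMAN
Process Id:  555749340
Event:        Unexpected System Error Encountered
Event Source: PATHWORKS Printing Services
Event Class:  Error
"""

BANNER = re.compile(r"^\s*=+ EVENT #(\d+) =+\s*$")
TIME_NODE = re.compile(r"^Event Time:\s+(\S+ \S+)\s+Node:\s+(\S+)")
FIELD = re.compile(r"^(\s*)([A-Za-z ]+?):\s+(.*\S)\s*$")

def parse_report(text):
    """Split a report into one dict per event; indented fields go under 'details'."""
    events, cur = [], None
    for line in text.splitlines():
        banner = BANNER.match(line)
        if banner:
            cur = {"number": int(banner.group(1)), "details": {}}
            events.append(cur)
        elif cur is None:
            continue  # report title lines before the first event
        elif (m := TIME_NODE.match(line)):
            cur["time"] = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            cur["node"] = m.group(2)
        elif (m := FIELD.match(line)):
            indent, key, value = m.groups()
            # Detail fields are indented and may reuse a header name ("Process Id").
            (cur["details"] if indent else cur)[key] = value
    return events

def needs_attention(events, classes=("Warning", "Error")):
    """Return the events whose Event Class is one of the given classes."""
    return [e for e in events if e.get("Event Class") in classes]
```

Keeping the indented detail fields separate preserves both the logging process ID in the header and the subject process ID in the detail section, which share the label "Process Id".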
 

