Advanced Server provides several ways for you to determine the specific cause of a server problem and to implement a solution.

This chapter describes the procedures you can use to monitor events and troubleshoot problems, including:

• Section 6.1, Monitoring Server Events, describes commands and utilities that allow you to monitor current server activity and display information about server events in log files, including:
  • ADMINISTER commands
  • Alert messages
  • Event logs
  • Advanced Server log files
• Section 6.2, Troubleshooting Server Problems, describes how to troubleshoot Advanced Server problems.

Advanced Server lets you monitor server events as they happen and capture events in log files. The following sections describe the tools you can use to monitor and evaluate server events.

6.1.1 ADMINISTER Commands

Advanced Server ADMINISTER commands let you display information about current server activity and status, as well as recorded events and error messages. In addition, you can use ADMINISTER commands to modify items in the server database to correct certain types of problems.

For example, the SHOW SESSIONS command displays current client sessions. To remove a session that is no longer being used, enter the CLOSE SESSION command.

Refer to the procedures described in Section 6.2.2, The Problem Analysis Process, for information about ADMINISTER commands you can use to help solve certain types of server problems.

6.1.2 Automatic Alerts

Advanced Server includes an Alerter service that sends automatic alert messages to specified clients and users when:

• The number of failed logon attempts exceeded the set alert level.
• Errors are encountered during server startup.
• The audit trail file is 80% or more full.
• A printer is malfunctioning.
• A print request has been deleted.

The Alerter service can also tell you when certain events occur, as specified by the data associated with the Alerter server configuration parameters in the OpenVMS Registry. You control when the Alerter service sends messages for these events by modifying the data for the appropriate value in the OpenVMS Registry, as described in Section 7.2, Managing Server Configuration Parameters.

Table 6-1, Alerter Configuration Parameters, lists the server configuration parameters you can modify to control the way the Alerter service works.

Table 6-1 Alerter Configuration Parameters

To specify...	Use this Value	Default Data
The total number of errors that can occur before the server sends an alert message. You can set the value for this keyword to any positive integer.	ErrorAlert	5
The total number of incorrect password attempts that can occur before the server sends an alert message. You can set the value for this keyword to any positive integer.	LogonAlert	5
The total number of resource access violations that can occur before the server sends an alert message. You can set the value for this keyword to any positive integer.	AccessAlert	5

The Alerter service runs automatically when the server starts, if the Alerter service is included in the data associated with the ServerServices server parameter in the OpenVMS Registry. The Alerter service is included in the initial configuration by default. To disable the Alerter service, remove the Alerter name from the list of data for the ServerServices value. See Section 2.3.3, Managing Services, for more information about services.

You can specify that Advanced Server users and clients are to receive alert messages. Include the names of these users and clients in the data field for the AlertNames value in OpenVMS Registry. See Appendix A, Server Configuration Parameters, for more information about OpenVMS Registry values and data.

In the Advanced Server, an event is any significant occurrence in the system or in an application that requires user notification. For events that do not require immediate attention, the Advanced Server adds data to an event log file. This event logging service starts automatically every time you start the Advanced Server.

Event logs can provide valuable information about server activities. In addition to system operation event logging, you can:

1. Establish an audit policy for event types on the server
2. Set auditing for directories or files

You may select from several event types and, for each, whether successful or unsuccessful attempts at specific operations are to generate event messages.

Event messages are stored in event files in PWRK$LMROOT:[LANMAN.LOGS]. Each event type is maintained in a separate event log file, as shown in Table 6-2, Event Log Files.

Table 6-2 Event Log Files

Event Type	Event Log File Name	Description
Application events	APPEVENT.EVT	Application event messages are generated by applications. For example, distributed common object module (DCOM) applications may store messages in the application event log.
Security events	SECEVENT.EVT	Event messages are generated based on the audit policy specified for the server, including files or directories. (For more infomration, see Section 6.1.3.3, Enabling Auditing.)
System events	SYSEVENT.EVT	System event messages are generated by server components.

Table 6-3, Information in Event Files, lists the information shown in each line in an event file.

Table 6-3 Information in Event Files

Item	Meaning
Source	The server component that logged the message.
Category	Classification of the message.
Message ID	Unique number for the message.
User	The user account name for the user who was logged on and working when the message was logged. N/A indicates that the entry does not specify a user.
Computer	The name of the computer where the message was generated.

6.1.3.1 Displaying Events

You can display events recorded in the event log file in either of the following ways:

• If the Advanced Server is running, use the ADMINISTER command SHOW EVENTS.
• If the Advanced Server is not running, use the ELFREAD utility.

These methods are described below.

To display events when the Advanced Server is running:

Use the SHOW EVENTS command. Use the /TYPE qualifier to specify one of the types of events, as follows: SYSTEM (default), SECURITY, or APPLICATION. For example, to display System events, enter the following command:

LANDOFOZ\\TINMAN> SHOW EVENTS T Date Time Source Category Event User Computer - -------- ----------- ------- ----------- ----- ---- ----------- I 08/26/98 11:49:56 AM SYSTEM None 528 N/A TINMAN W 08/27/98 12:07:01 PM Eventlog None 603 N/A TINMAN I 08/27/98 12:15:31 PM Print None 604 N/A TINMAN W 08/27/98 12:46:31 PM BROWSER None 605 N/A TINMAN Total of 4 events LANDOFOZ\\TINMAN>

To display events when the Advanced Server is not running:

Use the ELFREAD utility. The ELFREAD utility allows you to display records in the event file in the following ways:

• In reverse chronological order (default)
• In chronological order

You can view records in brief (default) or detail format.

The ELFREAD command is defined as part of the Advanced Server command set in the SYS$STARTUP:PWRK$DEFINE_COMMANDS.COM command procedure.

The syntax for the ELFREAD command is:

ELFREAD [-o] [-d] event-type

Use the optional parameters to control the ELFREAD output as described in Table 6-4, ELFREAD Command Options.

Table 6-4 ELFREAD Command Options

To display...	Include:
Records in chronological order	-o
Detail records	-d
event-type	The event log file specified, one of the following: SYSTEM SECURITY APPLICATION

6.1.3.2 Saving and Clearing the Event Logs

You can display the event logs and, when necessary, clear the event log. The Alerter service sends you a message advising you when the event log becomes 80% or more full. When the event file is full, no additional event logging will take place until the event file is clear. Before clearing the event file, you should save it to a backup file for future reference. The maximum size of an event file is specified by server configuration parameters in the OpenVMS Registry. The server parameter controlling the event log file size is stored in the key associated with each event log and is called MaxSize. (See Appendix A, Server Configuration Parameters, for more information.)

When an event log becomes full, you can save and clear the event log.

• Saving the event log causes the current log file to be stored.
• Clearing the event log causes the event log to be deleted.

The default location of the event log is PWRK$LMROOT:[LANMAN.LOGS].

To save the event log:

Use the SAVE EVENTS command. The current event log is stored using the file name and location that you specify in the command line. For example, to save the Security event log to the file SEVENTS.BKP, enter the following command:

LANDOFOZ\\TINMAN> SAVE EVENTS SEVENTS.BKP/TYPE=SECURITY %PWRK-S-ELFSAVE, Security Event Log from server "TINMAN" saved LANDOFOZ\\TINMAN>

If you do not specify a path as part of the file name, the event file is created in the PWRK$LMLOGS: directory.

To clear the event log:

Enter the CLEAR EVENTS command. The current Security event log messages are deleted. For example:

LANDOFOZ\\TINMAN> CLEAR EVENTS/TYPE=SECURITY Clear the Security Event Log [YES or NO] (YES) : YES %PWRK-S-ELFCLEARED, Security Event Log on server "TINMAN" cleared

If you do not specify the event log type, the default is to save and clear the SYSTEM event log.

6.1.3.3 Enabling Auditing

By default, auditing is not enabled. You must enable auditing in order for the server to record security events.

To enable auditing on the server:

Use the SET AUDIT POLICY command with the /AUDIT qualifier. For example:

LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT %PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"

To disable auditing:

Use the SET AUDIT POLICY command with the /NOAUDIT qualifier.

To display the audit policy:

Enter the SHOW AUDIT POLICY command. This displays the audit policy currently established for the server. For example:

LANDOFOZ\\TINMAN> SHOW AUDIT POLICY Audit Policy for domain "LANDOFOZ": Auditing is currently Enabled. Audit Event states: Audit Event Success Failure ------------------ -------- -------- ACCESS Disabled Disabled ACCOUNT_MANAGEMENT Disabled Disabled LOGONOFF Disabled Enabled POLICY_CHANGE Disabled Disabled PROCESS Disabled Disabled SYSTEM Disabled Disabled USER_RIGHTS Disabled Disabled LANDOFOZ\\TINMAN>

6.1.3.4 Establishing the Audit Policy

The audit policy defines the types of events to be included in the Security event log. You can change the audit policy for the server using the SET AUDIT POLICY command.

The SET AUDIT POLICY command lets you specify event results for which auditing is enabled, including both successful and failed attempts to perform certain functions. Include the /SUCCESS qualifier to specify successful completion of operations, and the /FAILURE qualifier to specify failed operations.

The following list shows the events you can specify.

• All events.
• None of the events.
• Attempts to access a directory or file set for auditing or to send a print job to a print queue set for auditing.
• Attempts to create, change, and delete user accounts and groups. Attempts to rename, disable, and enable a user account. Attempts to set or change a password.
• Attempts to log on to the network, log off the network, and make network connections.
• Attempts to change user rights policies, auditing policies, or trust relationships.
• Attempts to invoke a program, and handle duplication, indirect accesses, and process exits.
• Attempts to restart or shut down the system, and events that affect system security or the security log.
• Attempts to exercise a user right (except those associated with logging on and logging off).

For more information about using the SET AUDIT POLICY command, refer to Advanced Server for OpenVMS Commands Reference Manual.

To set the audit policy:

Use the SET AUDIT POLICY command. For example, to log all failures of logon and logoff attempts, use the SET AUDIT POLICY command with the /AUDIT/FAILURE=(LOGONOFF) qualifiers, as shown in the following example:

LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/FAILURE=(LOGONOFF) %PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" LANDOFOZ\\TINMAN>

6.1.3.5 Setting and Displaying Auditing for Files and Directories

You can set and display the audit trail for a specific file or directory using the SET FILE and SHOW FILE commands.

Use the SET FILE command with the /AUDIT qualifier to specify the events to audit.

The following list shows the types of operations you can audit for files and directories:

• All events.
• Attempts to display file names, attributes, permissions, and owner.
• Attempts to create subdirectories and files, change attributes, and display permissions and owner.
• Attempts to display attributes, permissions, and owner, and attempts to change subdirectories.
• Attempts to delete a directory.
• Attempts to change directory permissions.
• Attempts to change directory ownership.

For more information about using the SET FILE command, refer to Advanced Server for OpenVMS Commands Reference Manual.

For example, to set auditing of operations on the user file SIMIANS.DATA, enter following command:

LANDOFOZ\\TINMAN> SET FILE \WITCH\MKEY\SIMIANS.DAT- _LANDOFOZ\\TINMAN>/AUDIT=(SUCCESS=ALL,FAILURE=ALL) %PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified %PWRK-S-FILESMODIFIED, total of 1 file modified LANDOFOZ\\TINMAN>

To display the audit settings for a file:

Use the SHOW FILES /AUDIT command. For example:

LANDOFOZ\\TINMAN> SHOW FILES \WITCH\MKEY\SIMIANS.DAT/AUDIT \\TINMAN \WITCH\MKEY\SIMIANS.DAT LANMAN.INI Audit Events: Success Failure LION RWXDPO RWXDPO Owner: Administrator Total of 1 file LANDOFOZ\\TINMAN>

6.1.4 Advanced Server Log Files

The Advanced Server records several types of messages in log files in the following locations:

• PWRK$LOGS:, the logical name for the directory PWRK$COMMONROOT:[LOGS]
• PWRK$LMLOGS:, the logical name for the directory
  PWRK$LMROOT:[LANMAN.LOGS]

Table 6-5, Log File Names, lists the log files kept in the PWRK$LOGS and PWRK$LMLOGS areas.

Table 6-5 Log File Names

Log File Name	Message Type
In PWRK$LOGS:
NETBIOS_ nodename.LOG	NetBIOS protocol over DECnet
NETBIOS_ERROR.LOG	NetBIOS protocol over DECnet error
NETBIOS_OUTPUT.LOG	NetBIOS protocol over DECnet output
PWRK$CONFIG_INFO_ nodename.LOG	Configuration information
PWRK$CONFIG_ERROR_ nodename.LOG	Configuration errors
PWRK$KNBDAEMON_ nodename.LOG	NetBIOS protocol over TCP/IP
PWRK$LICENSE_R_ nodename.LOG	License registrar
PWRK$LICENSE_REGISTRAR_ nodename.LOG	License registrar
PWRK$LICENSE_S_ nodename.LOG	License server
PWRK$LICENSE_SERVER_ nodename.LOG	License server
PWRK$MASTER_ nodename.LOG	Master process (process start and shutdown)
PWRK$MONITOR_ nodename.LOG	Monitor process
PWRK$NBDAEMON_ nodename.LOG	NetBIOS protocol over NetBEUI
In PWRK$LMLOGS:
PWRK$ADMIN_ n _ nodename .LOG	Remote task command
PWRK$LMDMN_ nodename.LOG	LAN Manager daemon
PWRK$LMMCP_ nodename. LOG	Master control process
PWRK$LMSRV_ nodename.LOG	File server process
PWRK$LMBROWSER_ nodename.LOG	Browser
PWRK$UPGRADE.LOG	Upgrade utility

6.1.4.1 Displaying Log Files

You can use any ASCII text editor to look at log files, so long as the log files are not open (that is, in use).

The log files store records of the messages that have occurred during server operation. Not all the messages in the log need your attention. Many messages are caused by communication problems from which the server recovers automatically. If the server fails to recover from a problem, log files can provide you with information about the cause of the problem.

You can examine messages recorded in any log file. Each line in a log file provides information about logged entries, including a date and time stamp. For example, the PWRK$LMSRV_nodename.LOG file provides information about cache exhaustion messages.

6.1.4.2 Using the Event Logger to View Event Log Files

The Advanced Server provides the ADMIN/ANALYZE utility for viewing events in log files. The events are logged in the file PWRK$COMMON:EVTLOG.DAT on each server.

To view output or to purge the EVTLOG.DAT file, enter the following command:

$ ADMINISTRATE/ANALYZE

Table 6-6, Event Logger Command Qualifiers, lists the qualifiers you can use with the ADMINISTRATE/ANALYZE command.

Table 6-6 Event Logger Command Qualifiers

Qualifier	Description
/AFTER= dd-mmm-yy hh:mm:ss.cc	Restricts the report or the purge operation to events after the specified time.
/BEFORE= dd-mmm-yy hh:mm:ss.cc	Restricts the report or the purge operation to events before the specified time.
/CLASS= event_class	Filters the logged events that are written to the report or purged from the EVTLOG.DAT file. The available classes are: ALL---all events; the default ERROR---events that affect server operation, but are not necessarily fatal WARNING---events that do not directly affect server operation; informational
/FULL or /BRIEF	The /FULL qualifier generates a report that includes all information logged for each event. The /BRIEF qualifier outputs only the event header and is the default.
/INPUT= event_log_file	Specifies the name of the event log file. The default file is: SYS$SYSDEVICE:[PWRK$ROOT]EVTLOG.DAT
/OUTPUT= report_file	Specifies the name of the output file you want the report written to. The default output is written to SYS$DEVICE.
/PID= pid	Specifies the process ID whose events you want to display.
/PURGE= server	Purges entries from the EVTLOG.DAT file on the specified server. If no server is specified, entries in the current file are purged. If you use the /PURGE qualifier with other qualifiers, all entries are purged and EVTLOG.DAT file is empty. You can use /PURGE with other qualifiers to specify which entries you want to purge. For example, to purge all events in the EVTLOG.DAT file on server TINMAN that are classed as ERROR and written to the file before November 1, 1997, enter the following command:
$ ADMINISTRATE/ANALYZE/PURGE=TINMAN/CLASS=ERROR/BEFORE=01-NOV-1997
/SOURCE= event_source	Filters the logged events that are written to the report or purged from the EVTLOG.DAT file. The available sources are: ALL---includes events from all sources; this is the default COMMON_SERVICES---events originating from common components, such as the PATHWORKS lock manager and PATHWORKS file system LAN_MANAGER---events originating from LAN Manager LICENSE_MANAGER---events originating from the license management utility MANAGEMENT---events originating from the Monitor process or Configurator MASTER_PROCESS---events originating from the master process, PWRK$MASTER TRANSPORT---events originating from any of the transports

Example 6-1, ADMINISTRATE/ANALYZE Command and Display, shows a sample report from the Event logger generated by the following command executed on the server TINMAN.

Example 6-1 ADMINISTRATE/ANALYZE Command and Display

$ ADMINISTRATE/ANALYZE/INPUT=EVTLOG.DAT/OUTPUT=EVTLOG_RPT.TXT :::::::::: PATHWORKS Error Log Report :::::::::: DATE: 25-OCT-1998 15:52:06.88 ================= EVENT #1 ================== Event Time: 18-OCT-1998 17:14:09.04 Node: TINMAN Process Id: 000001DB Event: Master Process starting Event Source: Master Process Event Class: Audit Process Id: 000001DB(X) ================= EVENT #2 ================== Event Time: 18-OCT-1998 17:14:19.57 Node: TINMAN Process Id: 000001DB Event: NetBEUI Daemon process starting Event Source: Master Process Event Class: Audit Process Id: 000002DE(X) ================= EVENT #3 ================== Event Time: 18-OCT-1998 17:14:23.26 Node: TINMAN Process Id: 000001DB Event: NetBEUI Daemon process shutting down Event Source: Master Process Event Class: Audit Process Id: 000002DE(X) Status: SYSTEM-S-NORMAL, normal successful completion ================= EVENT #4 ================== Event Time: 18-OCT-1998 17:14:29.04 Node: TINMAN Process Id: 000001DB Event: NetBIOS transport process starting Event Source: Master Process Event Class: Audit Process Id: 00000262(X) ================= EVENT #5 ================== Event Time: 18-OCT-1998 17:14:37.19 Node: TINMAN Process Id: 000001DB Event: LANman Controller process starting Event Source: Master Process Event Class: Audit Process Id: 00000282(X) ================= EVENT #6 ================== Event Time: 18-OCT-1998 17:14:50.93 Node: TINMAN Process Id: 000001DB Event: License Registrar process starting Event Source: Master Process Event Class: Audit Process Id: 000002D1(X) . . . ================= EVENT #19 ================== Event Time: 19-OCT-1998 09:23:34.63 Node: TINMAN Process Id: 000003DE Event: No license for client - access denied Event Source: LAN Manager Server Event Class: Warning Client: PCGURU . . . =============== EVENT #25 =================== Event Time: 19-OCT-1998 10:38:11.85 Node: TINMAN Process Id: 555749340 Event: Unexpected System Error Encountered Event Source: PATHWORKS Printing Services Event Class: Error