Administrators can look up and analyze audit logs using text editors or spreadsheet software such as Microsoft(R) Excel.

This section describes the procedure for looking up and analyzing audit logs, and also presents a usage example.

Use the following procedure to look up and analyze audit logs.

Operation procedure

1. Import the audit log file from the output destination on the Systemwalker Operation Manager server specified in the audit log definitions to a text editor or a spreadsheet program such as Microsoft(R) Excel.

   Audit logs are recorded in audit log files in CSV format as shown below, with each item separated by a comma.

   "2006/09/26 11:25:12.672 +0900","10.90.100.100","host1","user1","ADD_PROJECT","SUBSYSTEM=0;PROJECT=PRJ01;"," The project is added.",S,"MPJOBSCH","PID=8045;", "2006/09/26 11:30:41.835 +0900","10.90.100.100","host1","user1","ADD_JOBNET","SUBSYSTEM=0;PROJECT=PRJ01;JOBNET=JOBNET01;"," The job net is added.",S,"MPJOBSCH","PID=8045;", "2006/09/26 11:30:45.390 +0900","10.90.100.100","host1","user1","START_JOBNET","SUBSYSTEM=0;PROJECT=PRJ01;JOBNET=JOBNET01;"," The job net is started.",S,"MPJOBSCH","PID=8045;",

2. Look up and analyze audit logs by using the search and sort functions of the text editor or spreadsheet program (such as Microsoft(R) Excel) to extract the desired audit logs.

   Audit logs can be analyzed efficiently using Microsoft(R) Excel's filter and sorting functions.

Several audit log usage examples are shown below.

Examples utilizing records that include specific information that matches the analysis objectives

To isolate information relating to changes and operations on a particular job net, use the job net name as a keyword to search for and extract audit logs that include the specific job net name, and then analyze the content of these audit logs.

For details on search keywords, see "Appendix B List of Search Keywords for Audit Logs."

The main information contained in audit logs is as follows:

For details on audit logs, see the Systemwalker Operation Manager Reference Guide.

• Example 1

  Objective: To identify the user who changed job net "AAA", because an error in the definitions has been found

  Method: Extract all lines containing "AAA" for the job net from the audit log file, and then identify the user from the "Operator" and "Operation content" fields.

• Example 2

  Objective: To check whether operations have been performed strictly according to the operation procedure guide

  Method: Extract all lines containing the user name for the operator ("BBB") to be checked from the audit log file, and then check whether the operations in these lines have been performed according to the operation procedure guide.

• Example 3

  Objective: To extract only those records relating to job net "CCC" in subsystem 1 in a multi-subsystem operation

  Method: Extract lines where the "Operation target" field contains the following strings, and then extract those lines that contain the job net name "CCC".

  • SUBSYSTEM=1

  • SUBSYSTEM=all

• Example 4

  Objective: To check whether there are any users connected to the server using a lower version client

  Method: Extract lines where the "Operation type" field contains the string "ADMIT_OMGR", and then check the "CL_VERSION=XXX" in the "Additional information" part.

  If "V13.0 or V13.1" is displayed in the "XXX" part, this indicates a connection from a V13.0.0 or V13.1.0 client. If "V13.2 or later" is displayed, this indicates a connection from a client running V13.2.0 or later.

Examples of how to use audit logs when problems occur

When problems occur, checking the following records (in addition to the event log/syslog and job execution histories) can be a useful way to isolate the cause of problems.

• Records of the service/daemon starting

  Logs of start/stop operations for the Systemwalker Operation Manager common infrastructure, the calendar function, the Jobscheduler function, the Job Execution Control function, and the service/daemon for the ACL manager are recorded with the "Operation content" part in the following format:

  [Windows]

  • "Started <function name> daemon/service."

  • "Stopped <function name> daemon/service."

    The name of the function (Systemwalker Operation Manager common infrastructure, calendar function, etc.) will be output in the <function name> part.

  [UNIX]

  • "Executed a command. (COMMAND=<command name command arguments>)"

  However, for the ACL manager, the following messages will be output.

  • "Started the ACL Manager daemon/service."

  • "Stopped the ACL Manager daemon/service."

• Records of login authentication to Systemwalker Operation Manager

  Logs of login authentications to Systemwalker Operation Manager are recorded with the "Operation content" part in the following format:

  • "Admitted user."

  If a function that spans multiple servers (such as the multi-server monitoring function or distributing policies to multiple servers) is used, authentication on the other servers will be performed automatically. At this point, the user ID and password used to log in to the first server will automatically be used as the user ID and password for authentication on the other servers, and a record of the authentication will be recorded in the audit logs on each server.

• Records of definition changes and operations from Systemwalker Operation Manager environment setup clients

  Logs of policy application operations are recorded with the "Operation content" part in the following format:

  • "The policy is applied." or "Applied policies."

• Records of client usage

  Logs indicating which clients have been used are recorded with the "Operation content" part in the following format:

  • "Logged in <window name>"

  One of the following will be output in the <window name> part:

  • Systemwalker Operation Manager window

  • Systemwalker Operation Manager Environment Setup window

  • Multi-Server Monitoring window

  • Print Jobscheduler Info window

  • Master Schedule Management window

  • Master Schedule Management Environment Setup dialog box