Administrators can look up and analyze audit logs using text editors or spreadsheet software such as Microsoft(R) Excel.
This section describes the procedure for looking up and analyzing audit logs, and also presents a usage example.
Procedure for looking up and analyzing audit logs
Use the following procedure to look up and analyze audit logs.
Operation procedure
Import the audit log file from the output destination on the Systemwalker Operation Manager server specified in the audit log definitions to a text editor or a spreadsheet program such as Microsoft(R) Excel.
Audit logs are recorded in audit log files in CSV format as shown below, with each item separated by a comma.
"2006/09/26 11:25:12.672 +0900","10.90.100.100","host1","user1","ADD_PROJECT","SUBSYSTEM=0;PROJECT=PRJ01;"," The project is added.",S,"MPJOBSCH","PID=8045;",
Look up and analyze audit logs by using the search and sort functions of the text editor or spreadsheet program (such as Microsoft(R) Excel) to extract the desired audit logs.
Audit logs can be analyzed efficiently using Microsoft(R) Excel's filter and sorting functions.
Audit log usage examples
Several audit log usage examples are shown below.
Examples utilizing records that include specific information that matches the analysis objectives
To isolate information relating to changes and operations on a particular job net, use the job net name as a keyword to search for and extract audit logs that include the specific job net name, and then analyze the content of these audit logs.
For details on search keywords, see "Appendix B List of Search Keywords for Audit Logs."
The main information contained in audit logs is as follows:
Date | The date that the operation was performed
Operation location | The location where the operation was performed
Execution host | The name of the host where the operation was actually executed
Operator | The name of the user that performed the operation
Operation type | The category for the content of the operation performed (addition, change, deletion, etc.)
Operation target | Information that identifies the operation (project name, subsystem number, job net name, calendar name, etc.)
Operation content | The content of the operation
Execution result | Whether the executed operation was successful
For details on audit logs, see the Systemwalker Operation Manager Reference Guide.
Example 1
Objective: To identify the user who changed job net "AAA", because an error in the definitions has been found
Method: Extract all lines containing "AAA" for the job net from the audit log file, and then identify the user from the "Operator" and "Operation content" fields.
Example 2
Objective: To check whether operations have been performed strictly according to the operation procedure guide
Method: Extract all lines containing the user name for the operator ("BBB") to be checked from the audit log file, and then check whether the operations in these lines have been performed according to the operation procedure guide.
Example 3
Objective: To extract only those records relating to job net "CCC" in subsystem 1 in a multi-subsystem operation
Method: Extract lines where the "Operation target" field contains the following strings, and then extract those lines that contain the job net name "CCC".
SUBSYSTEM=1
SUBSYSTEM=all
Example 4
Objective: To check whether there are any users connected to the server using a lower version client
Method: Extract lines where the "Operation type" field contains the string "ADMIT_OMGR", and then check the "CL_VERSION=XXX" value in the "Additional information" part.
If "V13.0 or V13.1" is displayed in the "XXX" part, this indicates a connection from a V13.0.0 or V13.1.0 client. If "V13.2 or later" is displayed, this indicates a connection from a client running V13.2.0 or later.
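The following is an added example (not part of the original manual or of the product) that scripts Examples 3 and 4 instead of using a spreadsheet filter. It assumes the fields follow the order of the table above, that the two trailing fields of the sample record are a component name and the "Additional information" part, and that job net names appear as a JOBNET= item; every record except the first is constructed, and EXAMPLE_CHANGE is a placeholder operation type.

```python
import csv
import io

# Field order follows the "main information" table; the last two
# names are assumptions for the unnamed trailing fields of the sample record.
FIELDS = ["date", "location", "host", "operator", "op_type",
          "target", "content", "result", "component", "additional"]

# Constructed sample data: only the first record is taken from the page.
SAMPLE = '''\
"2006/09/26 11:25:12.672 +0900","10.90.100.100","host1","user1","ADD_PROJECT","SUBSYSTEM=0;PROJECT=PRJ01;"," The project is added.",S,"MPJOBSCH","PID=8045;",
"2006/09/26 11:30:00.000 +0900","10.90.100.101","host1","user2","EXAMPLE_CHANGE","SUBSYSTEM=1;PROJECT=PRJ01;JOBNET=CCC;"," Example change.",S,"MPJOBSCH","PID=8046;",
"2006/09/26 11:31:00.000 +0900","10.90.100.101","host1","user3","EXAMPLE_CHANGE","SUBSYSTEM=0;PROJECT=PRJ01;JOBNET=CCC;"," Example change.",S,"MPJOBSCH","PID=8047;",
"2006/09/26 11:32:00.000 +0900","10.90.100.100","host1","user1","EXAMPLE_CHANGE","SUBSYSTEM=all;JOBNET=CCC;"," Example change.",S,"MPJOBSCH","PID=8048;",
"2006/09/26 11:40:00.000 +0900","10.90.100.102","host1","user4","ADMIT_OMGR","SUBSYSTEM=1;"," Admitted user.",S,"MPJOBSCH","CL_VERSION=V13.0 or V13.1;PID=9001;",
"2006/09/26 11:41:00.000 +0900","10.90.100.101","host1","user2","ADMIT_OMGR","SUBSYSTEM=1;"," Admitted user.",S,"MPJOBSCH","CL_VERSION=V13.2 or later;PID=9002;",
'''

def parse_kv(text):
    """Split 'KEY=value;KEY=value;' into a dict."""
    pairs = (item.partition("=") for item in text.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, _, v in pairs}

def read_records(text):
    """Yield one dict per CSV record; the empty field after the trailing comma is dropped."""
    for row in csv.reader(io.StringIO(text)):
        if row:
            yield dict(zip(FIELDS, (f.strip() for f in row)))

def jobnet_records(records, jobnet, subsystem):
    """Example 3: SUBSYSTEM=<n> or SUBSYSTEM=all, and the record names the job net."""
    wanted = {str(subsystem), "all"}
    return [r for r in records
            if parse_kv(r.get("target", "")).get("SUBSYSTEM") in wanted
            and any(jobnet in v for v in r.values())]

def old_client_logins(records):
    """Example 4: ADMIT_OMGR records whose CL_VERSION reads 'V13.0 or V13.1'."""
    hits = []
    for r in records:
        version = parse_kv(r.get("additional", "")).get("CL_VERSION")
        if r.get("op_type") == "ADMIT_OMGR" and version == "V13.0 or V13.1":
            hits.append((r["operator"], r["location"], version))
    return hits

if __name__ == "__main__":
    records = list(read_records(SAMPLE))
    print(jobnet_records(records, "CCC", 1))
    print(old_client_logins(records))
```

Matching the parsed SUBSYSTEM value exactly, rather than searching the raw line for the string, keeps a record from being selected because the same characters happen to appear in another field.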
Examples of how to use audit logs when problems occur
When problems occur, checking the following records (in addition to the event log/syslog and job execution histories) can be a useful way to isolate the cause of problems.
Records of the service/daemon starting
Logs of start/stop operations for the Systemwalker Operation Manager common infrastructure, the calendar function, the Jobscheduler function, the Job Execution Control function, and the service/daemon for the ACL manager are recorded with the "Operation content" part in the following format:
[Windows]
"Started <function name> daemon/service."
"Stopped <function name> daemon/service."
The name of the function (Systemwalker Operation Manager common infrastructure, calendar function, etc.) will be output in the <function name> part.
[UNIX]
"Executed a command. (COMMAND=<command name command arguments>)"
However, for the ACL manager, the following messages will be output.
"Started the ACL Manager daemon/service."
"Stopped the ACL Manager daemon/service."
Records of login authentication to Systemwalker Operation Manager
Logs of login authentications to Systemwalker Operation Manager are recorded with the "Operation content" part in the following format:
"Admitted user."
If a function that spans multiple servers (such as the multi-server monitoring function or distributing policies to multiple servers) is used, authentication on the other servers will be performed automatically. At this point, the user ID and password used to log in to the first server will automatically be used as the user ID and password for authentication on the other servers, and a record of the authentication will be recorded in the audit logs on each server.
Records of definition changes and operations from Systemwalker Operation Manager environment setup clients
Logs of policy application operations are recorded with the "Operation content" part in the following format:
"The policy is applied." or "Applied policies."
Records of client usage
Logs indicating which clients have been used are recorded with the "Operation content" part in the following format:
"Logged in <window name>"
One of the following will be output in the <window name> part:
Systemwalker Operation Manager window
Systemwalker Operation Manager Environment Setup window
Multi-Server Monitoring window
Print Jobscheduler Info window
Master Schedule Management window
Master Schedule Management Environment Setup dialog box