IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Audit logging
By using the auditing capability, you can capture significant events occurring in the IBM Tivoli Monitoring environment. You can also record these events in permanent storage for later retrieval and analysis. Each audit record fully describes some event that has changed the state of the IBM Tivoli Monitoring system.
These auditing and logging records can be stored in the Tivoli Data Warehouse. Standard reports are provided via the Tivoli Common Reporting feature.
The auditing facility covers the self-describing agents (including their auto-refresh feature), actions of the Warehouse Proxy Agent, EIF-SSL connections, automated Take Action commands, and the integration of IBM Tivoli Monitoring with Tivoli Application Dependency Discovery Manager.
Supported platforms include Windows, Linux, UNIX, IBM i, and z/OS systems.
Audit records are stored in two places:
- Collected ITM Audit attribute data accessible from the portal client
In the Managed System Status workspace you can right-click your monitoring components and select Audit Log to view component-specific collected audit log information. You can then create situations against the ITM Audit table to monitor audited events and collect audit data historically in the Tivoli Data Warehouse.
When examining audit information, look for records whose Result value is non-zero. A value of 0 indicates success. Creating situations that monitor for records with a non-zero Result value can help filter out general information messages.
The Tivoli Enterprise Portal User's Guide contains more information about the ITM Audit attribute group and workspace. For information about the Audit Log workspace and how to enable historical collection for the ITM Audit attribute group, see Managed System Status workspace. For attribute definitions, see ITM Audit attributes.
- Locally stored XML formatted log file
The log file can be used by a third-party product to parse and evaluate the audit information. Use the provided SAPM DTD to assist you with third-party products. The DTD is provided on the IBM Tivoli Monitoring Tools DVD in the XML directory; see the SAPMAudit.dtd file.
Log files are stored in the auditlogs directory under the <install_dir> directory. Each agent process has its own log file, which is formatted in XML. The log files are named as follows:
- For single-instance: <UserID>.<hostname>_<pc>_audit.log
- For multi-instance: <UserID>.<hostname>_<pc>_<instance>_audit.log
- /QIBM/ProdData/IBM/ITM/support
- Collect log from SMF Facility.
- When enabled, ITM Audit records are stored in the Systems Management Facility–format (SMF) type-112 records, coded in UTF8, and are included in a common repository (SYS1.MANn datasets) with all other z/OS event data. See Configure the Tivoli Enterprise Monitoring Server on z/OS.
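The following Python sketch is an added example, not IBM-supplied code. It splits names from the auditlogs directory into the fields of the two documented patterns so that a log forwarder can tag each file by user, host, product code and instance. It assumes that <pc> is a two-character product code and that <UserID> contains no dot; the sample names are constructed. Because a host or instance name can itself contain an underscore, a name can fit both patterns, so the parser reports such names as ambiguous unless the caller supplies the set of installed product codes.

```python
import re
from typing import NamedTuple, Optional

SUFFIX = "_audit.log"

class AuditLogName(NamedTuple):
    user: str
    host: str
    pc: str
    instance: Optional[str]  # None for a single-instance agent

def candidates(filename, known_pcs=None):
    """Return every reading of filename that fits one of the two patterns."""
    if not filename.endswith(SUFFIX):
        return []
    # Assumption: <UserID> is everything before the first dot.
    user, dot, rest = filename[: -len(SUFFIX)].partition(".")
    if not (user and dot and rest):
        return []
    parts = rest.split("_")
    found = []
    for i in range(1, len(parts)):
        host, pc, tail = "_".join(parts[:i]), parts[i], parts[i + 1:]
        # Assumption: <pc> is exactly two alphanumeric characters.
        if not host or not re.fullmatch(r"[A-Za-z0-9]{2}", pc):
            continue
        if known_pcs is not None and pc.lower() not in known_pcs:
            continue
        instance = "_".join(tail) if tail else None
        if instance == "":
            continue  # empty instance field, not a valid name
        found.append(AuditLogName(user, host, pc, instance))
    return found

def parse(filename, known_pcs=None):
    """Return the one unambiguous reading, or None if there is none or several."""
    found = candidates(filename, known_pcs)
    return found[0] if len(found) == 1 else None

# Constructed sample names, not taken from a real installation.
SAMPLES = [
    "root.web01_lz_audit.log",
    "db2inst1.dbhost.example.com_ud_db2inst1_audit.log",
    "SYSTEM.AB_CD_nt_audit.log",  # underscore in host: two possible readings
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", parse(name), "|", parse(name, {"lz", "ud", "nt"}))
```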
Audit trace levels
Auditing events have three different trace levels: Minimum, Basic, and Detail. Every event is assigned a trace level. You might want to increase or decrease the trace level to collect additional data.
- Minimum: Major state changes to the product
- Basic: Any actions that modify objects or cause an access failure
- Detail: Any action that causes a successful or failed access control
Event record types
A record type is associated with each audit event to indicate the nature of the audit record. The event record types are categorized in the following table:
| Full event name | Short name (displayed in logs) | Description |
| --- | --- | --- |
| Authorization Checking | CHECKING | Events related to checking whether a user has permission to perform a particular operation or event. |
| Authentication Validation | VALIDATE | Events related to authenticating the identity of the user or entity. |
| Contextual Event | CONTEXT | Any other event that might occur contextually within an application. |
| Object Maintenance | OBJMAINT | Events related to changing an object such as updating, deleting, creating, or moving any IBM Tivoli Monitoring object or table. |
| System Administration | SYSADMIN | Events related to program startup and shutdown, audit and authorization system changes, configuration changes, table creation, and data synchronization configuration. |
| Security Maintenance | SECMAINT | Events related to granting or revoking privileges. |
- Audit log XML elements mapped to the ITM Audit attribute group
The audit log XML contains elements that correspond to ITM Audit attributes.
- Audit log XML example
- Audit environment variables
Environment variables can be modified to control the audit capability.
- Take Action and command execution audit logging
If you have IBM Tivoli Monitoring V6.3 or later, audit records are generated for Take Action and tacmd executecommand execution. Take Action execution includes Take Actions initiated from the Tivoli Enterprise Portal, running the tacmd executeaction command, situation Take Action commands, and workflow policy Take Action commands. The identity of the user who initiated the Take Action is passed to the monitoring agent using a secure session token.