
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Audit logging

By using the auditing capability, you can capture significant events occurring in the IBM Tivoli Monitoring environment. You can also record these events in permanent storage for later retrieval and analysis. Each audit record fully describes some event that has changed the state of the IBM Tivoli Monitoring system.

These auditing and logging records can be stored in the Tivoli Data Warehouse. Standard reports are provided via the Tivoli Common Reporting feature.

The auditing facility covers the self-describing agents (including their auto-refresh feature), actions of the Warehouse Proxy Agent, EIF-SSL connections, automated Take Action commands, and the integration of IBM Tivoli Monitoring with Tivoli Application Dependency Discovery Manager.

Supported platforms include Windows, Linux, UNIX, IBM i, and z/OS systems.

Audit records are stored in two places:

Collected ITM Audit attribute data accessible from the portal client

In the Managed System Status workspace you can right-click your monitoring components and select Audit Log to view component-specific collected audit log information. You can then create situations against the ITM Audit table to monitor audited events and collect audit data historically in the Tivoli Data Warehouse.

When examining audit information, look for records whose Result value is non-zero. A value of 0 indicates success. Creating situations that monitor for records with a non-zero Result can help filter out general information messages.

The Tivoli Enterprise Portal User's Guide contains more information about the ITM Audit attribute group and workspace. For information about the Audit Log workspace and how to enable historical collection for the ITM Audit attribute group, see Managed System Status workspace. For attribute definitions, see ITM Audit attributes.

Locally stored XML formatted log file

The log file can be used by a third-party product to parse and evaluate the audit information. Use the provided SAPM DTD to assist you with third-party products. The DTD is provided on the IBM Tivoli Monitoring Tools DVD in the XML directory; see the SAPMAudit.dtd file.

Log files are stored in the auditlogs directory under the <install_dir> directory. Each agent process has its own log file, which is formatted in XML. The log file names are as follows:

For single-instance: <UserID>.<hostname>_<pc>_audit.log

For multi-instance: <UserID>.<hostname>_<pc>_<instance>_audit.log

/QIBM/ProdData/IBM/ITM/support

Collect log from SMF Facility.

When enabled, ITM Audit records are stored as Systems Management Facility (SMF) format type-112 records, encoded in UTF-8, and are included in a common repository (SYS1.MANn datasets) with all other z/OS event data. See Configure the Tivoli Enterprise Monitoring Server on z/OS.
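For the locally stored log files, the following added example (not part of the IBM documentation or product) splits audit log file names into their fields using the single-instance and multi-instance patterns given above, and lists files in the directory that fit neither pattern. It assumes the user ID contains no "." and the hostname and product code contain no "_"; the function names and sample file names are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Iterable, NamedTuple, Optional

class AuditLogName(NamedTuple):
    user_id: str
    hostname: str
    product_code: str
    instance: Optional[str]  # None for a single-instance agent

# Assumptions (not stated on the page): the user ID contains no ".", and the
# hostname and product code contain no "_". An instance name may contain "_".
_NAME_RE = re.compile(
    r"^(?P<user>[^.]+)\.(?P<host>[^_]+)_(?P<pc>[^_]+)"
    r"(?:_(?P<instance>.+))?_audit\.log$"
)

def parse_audit_log_name(filename: str) -> Optional[AuditLogName]:
    """Split an audit log file name into its fields, or return None."""
    m = _NAME_RE.match(filename)
    if m is None:
        return None
    return AuditLogName(m["user"], m["host"], m["pc"], m["instance"])

def inventory(filenames: Iterable[str]):
    """Group recognised logs by (hostname, product code); list the rest."""
    by_agent = defaultdict(list)
    unrecognised = []
    for name in filenames:
        parsed = parse_audit_log_name(name)
        if parsed is None:
            unrecognised.append(name)
        else:
            by_agent[(parsed.hostname, parsed.product_code)].append(parsed)
    return dict(by_agent), unrecognised

# Constructed sample directory listing (not taken from a real installation).
SAMPLE = [
    "root.host1_lz_audit.log",
    "itmuser.host1.example.com_hd_audit.log",
    "db2inst1.dbhost_ud_db2_prod_audit.log",
    "root.host1_audit.log",        # no product code: does not fit the pattern
    "notes.txt",
]

if __name__ == "__main__":
    agents, other = inventory(SAMPLE)
    for (host, pc), logs in sorted(agents.items()):
        for log in logs:
            print(host, pc, log.instance or "(single instance)", log.user_id)
    print("unrecognised:", other)
```

Comparing the resulting inventory with the list of agents expected on a host shows which processes have no audit log yet and which files in the directory a log forwarder should ignore.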


Audit trace levels

Auditing events have three different trace levels: Minimum, Basic, and Detail. Every event is assigned a trace level. You might want to increase or decrease the trace level to collect additional data.


Event record types

A record type is associated with each audit event to indicate the nature of the audit record. The event record types are categorized in the following table:

| Full event name | Short name (displayed in logs) | Description |
|---|---|---|
| Authorization Checking | CHECKING | Events related to checking whether a user has permission to perform a particular operation or event. |
| Authentication Validation | VALIDATE | Events related to authenticating the identity of the user or entity. |
| Contextual Event | CONTEXT | Any other event that might occur contextually within an application. |
| Object Maintenance | OBJMAINT | Events related to changing an object such as updating, deleting, creating, or moving any IBM Tivoli Monitoring object or table. |
| System Administration | SYSADMIN | Events related to program startup and shutdown, audit and authorization system changes, configuration changes, table creation, and data synchronization configuration. |
| Security Maintenance | SECMAINT | Events related to granting or revoking privileges. |


