Audit log XML example

IBM Tivoli Monitoring > Version 6.3 Fix Pack 2 > Administrator's Guide > Audit logging
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2

Audit log XML example

The following sample audit record was generated during start-up and indicates that self-describing agent services on a particular monitoring server is disabled.
<AuditEvt Domain="" Type="SYSADMIN" Level="Minumum" Ver="1">
  <Who>
    <UserID/>
    <AuthID>SYSTEM</AuthID>
  </Who>
  <What>
    <Op Name="Self-Describing Agent Status" 
      OpObjType="ibm-prod-tivoli-itm:SelfDescribingAgentInstall" Type="Disable"/>
    <Msg Text="Self-Descrbing Agent Feature disabled at the local TEMS." 
      RBKey="KFASD010"/>
    <Result>0</Result>
  </What>
  <When>
    <EvtTS MS="1307723083106" ITM="1110610162443106"/>
    <Seq>1</Seq>
  </When>
  <OnWhat>
    <Obj Type="ibm-prod-tivoli-itm:SelfDescribingAgentInstall" Name="SDA Services"/>
  </OnWat>
  <Where>
    <Origin>
      <Node Name=Tivoli Enterprise Monitoring Server" Type="SERVER" AddrType="IPv4" 
        Addr="10.1.1.1" SYSID="HUB_NC051039"/>
    </Origin>
    <App Code="KMS" Ver="06.23.00" Comp="KFA"/>
    <SvcPt>system.nc051039_ms</SvcPt>
  </Where>
  <WhereFrom>
    <Source>
      <Node Name="Tivoli Enterprise Monitoring Server" Type"SERVER" SYSID="HUB_NC051039" 
        Addr="10.1.1.1" AddrType="IPv4"/>
    </Source>
  </WhereFrom>
  <WhereTo>
    <Target>
      <Node Name="Tivoli Enterprise Monitoring Server" Type="SERVER" AddrType="IPv4" 
        Addr="10.1.1.1" SYSID="HUB_NC051039"/>
    </Target>
  </WhereTo>
</AuditEvt>
In this example the following questions can be answered:

Question Tag(s) Value Interpretation
Who UserID Empty The empty UserID tag indicates that this event was generated by an unknown UserID or an autonomous process performing an action that was not initiated directly by a user.
AuthID SYSTEM Indicates the ID that this event was authorized under.
What Op Self-Describing Agent Status The "Self-Describing Agent Status" operation was successfully completed (Result 0) with the explanatory message indicating that the self-describing agent feature has been disabled.
Msg Self-Describing Feature disabled at the local TEMS.
Result 0
Type Disable Indicates that this particular operation is of the generic "disable" type. Operations are typically self-explanatory, but they are all classified into a generic event model type (GEM), as specified by the Tivoli Security and Information Event Manager.
When ITM 1110610162443106 The time that the event was generated (not logged) in Coordinated Universal Time (UTC) format (CYYMMDDhhmmssms). This date reads: June 10, 2011 at 04:24:43 106 ms.
OnWhat Name SDA Services The object name is the affected code, component, of other contextually relevant identifier that receives the operation. In this example, the object "SDA Services" received the operation "Self-Describing Agent Status" which successfully completed (with a result of 0) on the object "SDA Services".
Where SYSID HUB_NC051039 This is where the event was logged. The application KMS on Managed System ID HUB_NC051039 (IP 10.1.1.1) logged this event. This system identifies itself as the Tivoli Enterprise Monitoring Server.
Addr 10.1.1.1
Name Tivoli Enterprise Monitoring Server
App KMS
WhereFrom SYSID HUB_NC051039 This event was initiated on MSN HUB_NC051039 (IP 10.1.1.1). This system identifies itself as the Tivoli Enterprise Monitoring Server.
Addr 10.1.1.1
Name Tivoli Enterprise Monitoring Server
WhereTo SYSID HUB_NC051039 The event is targeted at MSN HUB_NC051039 (IP 10.1.1.1). This target system is identified as the Tivoli Enterprise Monitoring Server.
Addr 10.1.1.1
Name Tivoli Enterprise Monitoring Server

Parent topic:
Audit logging

+
Search Tips | Advanced Search

Question	Tag(s)	Value	Interpretation
Who	UserID	Empty	The empty UserID tag indicates that this event was generated by an unknown UserID or an autonomous process performing an action that was not initiated directly by a user.
AuthID	SYSTEM	Indicates the ID that this event was authorized under.
What	Op	Self-Describing Agent Status	The "Self-Describing Agent Status" operation was successfully completed (Result 0) with the explanatory message indicating that the self-describing agent feature has been disabled.
Msg	Self-Describing Feature disabled at the local TEMS.
Result	0
Type	Disable	Indicates that this particular operation is of the generic "disable" type. Operations are typically self-explanatory, but they are all classified into a generic event model type (GEM), as specified by the Tivoli Security and Information Event Manager.
When	ITM	1110610162443106	The time that the event was generated (not logged) in Coordinated Universal Time (UTC) format (CYYMMDDhhmmssms). This date reads: June 10, 2011 at 04:24:43 106 ms.
OnWhat	Name	SDA Services	The object name is the affected code, component, of other contextually relevant identifier that receives the operation. In this example, the object "SDA Services" received the operation "Self-Describing Agent Status" which successfully completed (with a result of 0) on the object "SDA Services".
Where	SYSID	HUB_NC051039	This is where the event was logged. The application KMS on Managed System ID HUB_NC051039 (IP 10.1.1.1) logged this event. This system identifies itself as the Tivoli Enterprise Monitoring Server.
Addr	10.1.1.1
Name	Tivoli Enterprise Monitoring Server
App	KMS
WhereFrom	SYSID	HUB_NC051039	This event was initiated on MSN HUB_NC051039 (IP 10.1.1.1). This system identifies itself as the Tivoli Enterprise Monitoring Server.
Addr	10.1.1.1
Name	Tivoli Enterprise Monitoring Server
WhereTo	SYSID	HUB_NC051039	The event is targeted at MSN HUB_NC051039 (IP 10.1.1.1). This target system is identified as the Tivoli Enterprise Monitoring Server.
Addr	10.1.1.1
Name	Tivoli Enterprise Monitoring Server