Difference: APPXAuditLog (4 vs. 5)

Revision 5 - 2008-09-15 - SteveFrizzell

Line: 1 to 1
Changed:
<
<
META TOPICPARENT name="APPX43Features"
>
>
META TOPICPARENT name="APPX500Features"
 

APPX Audit Log

Line: 9 to 9
 

Overview

A new service has been added in Release 5.0 - appxAuditMgr. It accepts the same command parameters as appxLoginMgr, with the addition of the --serviceType=logmonitor flag that indicates it is to run as a log monitor, not a login manager. The appxAuditMgr program is located in the services directory of your Appx installation. For example, here is a command to create a log monitor:

Changed:
<
<
>
>
  ./appxAuditMgr -install -serviceType=logmonitor -name=myLogMonitor -port=8064
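Review bot: The Overview paragraph spells the flag --serviceType=logmonitor (two dashes), while the install command under it passes -serviceType=logmonitor with one dash, like -install, -name and -port. Use the spelling the program accepts in both places so the prose and the command agree.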
Line: 17 to 17
  This port is not a listener, so you can not login directly to that port.
Changed:
<
<
Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory. You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.
>
>
Once you have created this new Service Type, it will create .ini and .env files for you. In our example, appxAuditMgr will create myLogMonitor.ini and myLogMonitor.env files in the ./services directory. You can change the name of the log file (which defaults to /tmp/appxlog%N.xml) by setting the LogNamePattern in the myLogMonitor.ini file. You can also change the LogRotationInterval and LogRotationSize.
  Since we rotate audit logs, you specify a LogNamePattern instead of just a filename. The pattern can include %N (which is translated to a monotonically increasing counter: 0, 1, 2, ..) or any of the date/time format specs. supported by the strftime() function (see 'man strftime' for a list of the patterns). For example, a LogNamePattern of '/tmp/appx_%F.xml' would generate names like:
Changed:
<
<
>
>
  /tmp/appx_2007-01-31.xml

/tmp/appx_2007-02-28.xml

The default pattern (as reflected in the serviceName. ini file) is:

Changed:
<
<
LogNamePattern = /tmp/appxlog%N.xml
>
>
LogNamePattern = /tmp/appxlog%N.xml
  Each time the log monitor rotates to a new log file, it replaces %N with the next number in sequence (it was always starting at 0). You can use other specifiers in the LogNamePattern too, for example, "/tmp/appx-%D-%B-%Y" would result in file names like:
Changed:
<
<
/tmp/appx-11-Jun-08
>
>
/tmp/appx-11-Jun-08
  /tmp/appx-12-Jun-08
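Review bot: In the unchanged sentence after the default pattern, "/tmp/appx-%D-%B-%Y" does not produce the sample names /tmp/appx-11-Jun-08 and /tmp/appx-12-Jun-08 if the specifiers follow strftime() as the earlier paragraph says: %D expands to mm/dd/yy (which puts slashes into the file name), %B to the full month name and %Y to a four-digit year. The names shown correspond to %d-%b-%y, so the pattern should be corrected to match. The parenthesis "(it was always starting at 0)" also needs to say what changed or be dropped. Since these are audit logs, a sentence recommending a LogNamePattern outside /tmp, in a directory only the service account can write to, would help readers who keep the default.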
Line: 86 to 85
 

After you have modified .ini file, you need to stop and re-start that service. To stop service, assuming you are in ./services directory of your Appx installation simply type:

Changed:
<
<
>
>
  ./appxAuditMgr -stop -name=myLogMonitor

./appxAuditMgr -start -name=myLogMonitor

If you stop/start service as a root, make sure you give it a fully qualified path.

Changed:
<
<
>
>
  ./appxAuditMgr -stop -name=/usr/local/appx/services/myLogMonitor
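Review bot: The root caveat is illustrated only for -stop in the last command, although the text above says the service must be stopped and restarted after editing the .ini file. Add the matching -start line with the same fully qualified -name value, or state that only -stop needs it.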
Line: 105 to 104
  To define FMS group, go to System Administration, Configuration, Log Profile press F9 to add a new profile. You can name it anything you want. For server name you must give it your server name:port number that you created earlier with appxAuditMgr:
Changed:
<
<
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined=""> servername:8064
>
>
@0 1 0" _moz-userdefined="">@1" _moz-userdefined="">@2 1 2" _moz-userdefined="">@3 21600 pixelWidth" _moz-userdefined="">@3 21600 pixelHeight" _moz-userdefined="">@0 0 1" _moz-userdefined="">servername:8064
  Then click on Log File Parameters and make sure you check parameters that you wish to log:
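Review bot: The changed line still carries leftover markup in both revisions (the run of _moz-userdefined attributes with pixelWidth and pixelHeight) in front of servername:8064, and this revision only removes the space before the value. Replace the whole line with the plain servername:8064 example so readers can see what to type in the server name field.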
Line: 118 to 117
 You can now assign this FMS group to the file(s) that you wish to monitor.

To close existent log file and rotate the log, you need issue the following command:

Changed:
<
<
>
>
  kill -s SIGUSR1 <PID>

where PID is a process ID of the audit log listener. Existent log will be closed and rotated to the next one.

Changed:
<
<
The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size. XML files can easily be imported into a RDBMS, which does not have the same file size limitation.
>
>
The log file is generated in XML format. Why XML, and not Appx/IO? The biggest reason is the size of the log files. On large, active systems the number of events can exceed the maximum file size. XML files can easily be imported into a RDBMS, which does not have the same file size limitation.
  You can view the log file with a browser, with XML Notepad, or you can download SQL Express (free) and write queries against your XML file. You can also use the various xlst processing programs to create queries (such as xsltproc or xalan from Apache).
Changed:
<
<
Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:
>
>
Each Audit Log document contains one primary enclosing <events> node which contains one or more <event> nodes. Each <event> node contains an eventID node which has a <type> element that identifies the type of event that is being logged. A variety of additional nodes (shown in the table below) are included in each <event> node depending on the value of the <type> element. The following values may occur for the <type> element:
 
type eventID sessionID fileID appxProcessID eventRecordID eventData Structure
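Review bot: "xlst processing programs" in the unchanged viewer paragraph should read "XSLT processing programs". The rotation instructions in this section say kill -s SIGUSR1 <PID> but do not say how to find the PID of the log monitor service; a short pointer there would make the step usable. The last line lists the table's column names (type, eventID, sessionID, ...) run together on one row, so check that the table still renders after this revision.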
Line: 226 to 215
  $ xslt stylesheetFileName logFileName >output.html
Changed:
<
<
for example:
>
>
for example:
  $ xslt /stylesheets/structure.xslt /tmp/appxlog0.xml > /tmp/fileCreates.html
Changed:
<
<
To use a stylesheet with xalan (the XSLT processor from Apache):
>
>
To use a stylesheet with xalan (the XSLT processor from Apache):
  $ xalan -xsl stylesheetFileName <logFileName >output.html
Changed:
<
<
for example:
>
>
for example:
  $ xalan -xsl /stylesheets/structure.xslt < /tmp/appxlog0.xml > /tmp/fileCreates.html
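Review bot: The first two commands invoke a program called xslt, but the sentence introducing them is not among the visible lines and the page elsewhere names xsltproc and xalan as the processors. State which processor provides the xslt command, or change those lines to the processor actually meant, so they can be copied the way the xalan lines can. The changed lines themselves ("for example:" and the xalan sentence) differ only in whitespace.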
Line: 242 to 231
 

BUGS

Changed:
<
<
#2195 - FIXED - System Administration - Configuration - Log Profiles. There is a button at the bottom of the screen that is carried over to the details screen. it looks like it's just a left over and needs to be removed
#2201 - FIXED - --- MOD SCROLL BEHAV subroutine needs to be added to the input process. Also, when in CHANGE MODE, it highlights the Name, but then you press ENTER to go to the next screen - and it takes you tot he next record instead.
#2219 - FIXED -Testing showed the when you issue kill -1 PID command, it kills the listener, but doesn't close the file. Furthermore, when you restart listener - your log file is getting completely wiped out.
Same results were when kill -s sigusr1 PID command was issued - the log file didn't close, Appx session closed and log file was wiped out.

#2220 - FIXED - If you run a process - any process, against the file where FMS group for the listener is assigned to, Appx closes session all together - needs better handling.

#2225 - FIXED - As of 6/13/08 - you can not use IP address in Log Profile. If server name is used - all is well. If IP address is used - nothing is logged

>
>
No open bugs.
 

NOTES:

If log file is not closed/rotated properly, Internet Explorer will display your .xml file, but it will show an error at the end of the file saying "File not closed". Firefox, however, will throw an error and won't display file at all

In Linux, the way to close log and rotate it is to issue kill -s SIGUSR1 PID command.

Changed:
<
<
How to close and rotate the log in Windows?
>
>
How to close and rotate the log in Windows?
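Review bot: Replacing the five FIXED entries with "No open bugs." drops the record of #2219, where kill -1 or kill -s sigusr1 left the log unclosed and a restart wiped the log file. For an audit log that is the entry readers on older builds most need, so keep a short fixed-issues list, or at least that entry, with a note of where it was fixed. The NOTES section also still ends with the unanswered question "How to close and rotate the log in Windows?", which sits oddly next to "No open bugs"; answer it or list it as an open item.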
 
