HP OpenVMS Systems Documentation


Compaq PATHWORKS for OpenVMS (Advanced Server)
Server Administrator's Guide




Chapter 6
Monitoring Events and Troubleshooting

The PATHWORKS Advanced Server provides several ways for you to determine the specific cause of a server problem and to implement a solution.

This chapter describes the procedures you can use to monitor events and troubleshoot problems:

6.1 Monitoring Server Events

Advanced Server lets you monitor server events as they happen and capture events in log files. The following sections describe the tools you can use to monitor and evaluate server events.

6.1.1 ADMINISTER Commands

Advanced Server ADMINISTER commands let you display information about current server activity and status, as well as recorded events and error messages. In addition, you can use ADMINISTER commands to modify items in the server database to correct certain types of problems.

For example, the SHOW SESSIONS command displays current client sessions. To remove a session that is no longer being used, enter the CLOSE SESSION command.

Refer to the procedures described in Section 6.2.2, The Problem Analysis Process, for information about ADMINISTER commands you can use to help solve certain types of server problems.

6.1.2 Automatic Alerts

Advanced Server includes an Alerter service that sends automatic alert messages to specified clients and users when:

  • The number of failed logon attempts exceeds the set alert level.
  • Errors are encountered during server startup.
  • Any event log file is 80% or more full.
  • A printer is malfunctioning.
  • A print request has been deleted.

The Alerter service can also tell you when certain events occur, as specified by the data associated with the Alerter server configuration parameters in the LANMAN.INI file. You control when the Alerter service sends messages for these events by modifying the appropriate value in the LANMAN.INI file, as described in Section 7.3, Using the LANMAN.INI File.

Table 6-1, Alerter Configuration Parameters, lists the server configuration parameters you can modify to control the way the Alerter service works. You can set the value of each parameter listed in the second column to any positive integer.

Table 6-1 Alerter Configuration Parameters
| Desired Action | Parameter to Use | Default Data |
|---|---|---|
| Define the total number of errors that can occur before the server sends an alert message. | ErrorAlert | 5 |
| Define the total number of incorrect password attempts that can occur before the server sends an alert message. | LogonAlert | 5 |
| Define the total number of resource access violations that can occur before the server sends an alert message. | AccessAlert | 5 |

The Alerter service runs automatically when the server starts, if the Alerter service is included in the values associated with the SrvrServices server parameter in the LANMAN.INI file. The Alerter service is included in the initial configuration by default. To disable the Alerter service, remove the Alerter name from the list defined for the SrvrServices keyword. For more information about services, see Section 2.3.4, Managing Services.

You can specify which Advanced Server users and clients are to receive alert messages. Include the names of these users and clients in the list of values for the AlertNames keyword in the SERVER section of the LANMAN.INI file. For more information about LANMAN.INI keywords, see Section 7.3, Using the LANMAN.INI File.

Note

Client workstations must be running the Messenger service to receive alert messages. The Messenger service does not run on the OpenVMS system; therefore, users logged on from OpenVMS processes will not receive alert messages.

6.1.3 Event Logging

In the Advanced Server, an event is any significant occurrence in the system or in an application that requires user notification. For events that do not require immediate attention, the Advanced Server adds data to an event log file. This event logging service starts automatically every time you start the Advanced Server.

Event logs can provide valuable information about server activities.

Event messages are stored in event files in PWRK$LMROOT:[LANMAN.LOGS]. Each event type is maintained in a separate event log file, as shown in Table 6-2, Event Log Files.

Table 6-2 Event Log Files
| Event Type | Event Log File Name | Description |
|---|---|---|
| Application events | APPEVENT.EVT | Application event messages are generated by applications. For example, user-written applications may store messages in the application event log. |
| Security events | SECEVENT.EVT | Event messages are generated based on the audit policy specified for the server, including files or directories. (For more information, see Section 6.1.3.3, Auditing Security Events Domainwide.) |
| System events | SYSEVENT.EVT | System event messages are generated by server components. |

Table 6-3, Information in Event Files, lists the information shown in each line of an event file.

Table 6-3 Information in Event Files
| Item | Meaning |
|---|---|
| Source | The server component that logged the message. |
| Class | The event class, either information, warning, error, success audit, or failure audit. |
| Time | The date and time of the event. |
| Category | Classification of the message. |
| Message ID | Unique number for the message. |
| User | The user account name for the user who was logged on and working when the message was logged. N/A indicates that the entry does not specify a user. |
| Computer | The name of the computer where the message was generated. |

6.1.3.1 Displaying Events

You can display events recorded in the event log file in either of the following ways:

  • If the Advanced Server is running, use the ADMINISTER command SHOW EVENTS.
  • If the Advanced Server is not running, use the ELFREAD utility.

These methods are described in the following sections.

6.1.3.1.1 Displaying Events When the Advanced Server Is Running

The following example shows how to use the SHOW EVENTS command to display events while the Advanced Server is running. Use the /TYPE qualifier to specify one of the types of events, as follows: SYSTEM (default), SECURITY, or APPLICATION. In this example, the SHOW EVENTS command displays the system events.


LANDOFOZ\\TINMAN> SHOW EVENTS
T Date     Time        Source    Category    Event  User    Computer
- -------- ----------- -------   ----------- -----  ----    -----------
I 08/26/98 11:49:56 AM SYSTEM    None        528    N/A     TINMAN
W 08/27/98 12:07:01 PM Eventlog  None        603    N/A     TINMAN
I 08/27/98 12:15:31 PM Print     None        604    N/A     TINMAN
W 08/27/98 12:46:31 PM BROWSER   None        605    N/A     TINMAN
Total of 4 events

LANDOFOZ\\TINMAN>

You can display detailed information for each event, as generated by the application that was the source of the event record, by specifying the SHOW EVENTS/FULL command. The information might include such additional information as the domain and system names. Not all sources or events generate event details. The following example shows a portion of the data that might be displayed with the SHOW EVENTS/FULL command:


E 06/05/01 04:13:50 PM NETLOGON  None            5513   N/A        TINMAN
NET5513:   The computer DOROTHY tried to connect to the server TINMAN using
 the trust relationship established by the LANDOFOZ domain. However, the
 computer lost the correct security identifier (SID)
 when the domain was reconfigured. Reestablish the trust
 relationship.

I 06/05/01 03:52:17 PM NETLOGON  None            5715   N/A        TINMAN
NET5715:   The partial synchronization replication of the LSA database
 from the domain controller \\WOODMAN completed successfully. 1 delta(s)
 is(are) applied to the database.

I 06/05/01 03:36:38 PM NETLOGON  None            5715   N/A        TINMAN
NET5715:   The partial synchronization replication of the SAM database
 from the domain controller \\WOODMAN completed successfully. 1 delta(s)
 is(are) applied to the database.
    .
    .
    .
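
For review away from the server, the SHOW EVENTS output shown above can be parsed from a saved terminal capture. The following Python sketch is an added example, not part of the Advanced Server documentation or software: it reads brief or /FULL output, attaches /FULL detail text to its event, lists warnings and errors oldest first, and checks the parsed count against the "Total of N events" trailer. The function names are hypothetical, the sample is constructed from this page's examples, and only the class letters I, W and E seen on this page are named.

```python
import re
from datetime import datetime

# Constructed capture: the rows and the NET5513 detail text are copied from the
# SHOW EVENTS and SHOW EVENTS/FULL examples on this page.
SAMPLE = r"""
LANDOFOZ\\TINMAN> SHOW EVENTS/FULL
I 08/26/98 11:49:56 AM SYSTEM    None        528    N/A     TINMAN
W 08/27/98 12:07:01 PM Eventlog  None        603    N/A     TINMAN
W 08/27/98 12:46:31 PM BROWSER   None        605    N/A     TINMAN
E 06/05/01 04:13:50 PM NETLOGON  None            5513   N/A        TINMAN
NET5513:   The computer DOROTHY tried to connect to the server TINMAN using
 the trust relationship established by the LANDOFOZ domain.

Total of 4 events
"""

ROW = re.compile(r"^([A-Z]) (\d\d/\d\d/\d\d \d\d:\d\d:\d\d [AP]M)\s+(\S.*)$")
TOTAL = re.compile(r"^Total of (\d+) events?")
# Only the class letters that appear in this page's examples are named.
CLASS_NAMES = {"I": "information", "W": "warning", "E": "error"}

def parse_events(text):
    """Return (events, declared_total) from SHOW EVENTS brief or /FULL output."""
    events, declared, current = [], None, None
    for line in text.splitlines():
        row, total = ROW.match(line), TOTAL.match(line)
        fields = row.group(3).split() if row else []
        if len(fields) >= 4 and fields[-3].isdigit():
            # Source is first; Event, User, Computer are last; Category is the rest.
            source, *category, event_id, user, computer = fields
            current = {
                "class": CLASS_NAMES.get(row.group(1), row.group(1)),
                "time": datetime.strptime(row.group(2), "%m/%d/%y %I:%M:%S %p"),
                "source": source, "category": " ".join(category),
                "event_id": int(event_id), "user": user,
                "computer": computer, "detail": "",
            }
            events.append(current)
        elif total:
            declared, current = int(total.group(1)), None
        elif not line.strip():
            current = None  # a blank line ends a /FULL detail block
        elif current is not None:
            current["detail"] = (current["detail"] + " " + line.strip()).strip()
    return events, declared

def needs_attention(events):
    """Warnings and errors, oldest first."""
    hits = [e for e in events if e["class"] in ("warning", "error")]
    return sorted(hits, key=lambda e: e["time"])

def is_complete(events, declared):
    """False when the capture's own 'Total of N events' trailer disagrees."""
    return declared is not None and declared == len(events)
```

A capture for which is_complete returns False was cut short or edited after it was taken and should be captured again before it is relied on.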

6.1.3.1.2 Displaying Events When the Advanced Server Is Not Running

To display events when the Advanced Server is not running, use the ELFREAD utility. The ELFREAD utility allows you to display records in the event file in the following ways:

  • In reverse chronological order (default)
  • In chronological order

You can view records in brief (default) or detailed format.

The ELFREAD command is defined as part of the Advanced Server command set in the SYS$MANAGER:PWRK$DEFINE_COMMANDS.COM command procedure.

The syntax for the ELFREAD command is:

ELFREAD [-o] [-d] event-type

Use the optional parameters to control the ELFREAD output as described in Table 6-4, ELFREAD Command Options.

Table 6-4 ELFREAD Command Options
| Desired Output | Parameters to Use |
|---|---|
| Records in chronological order | -o |
| Detail records | -d |

event-type: The event log file specified:
  • SYSTEM
  • SECURITY
  • APPLICATION

6.1.3.2 Saving and Clearing the Event Logs

You can display the event logs and, when necessary, clear the event logs. The Alerter service sends you a message advising you when an event log becomes 80% or more full. When an event file is full, no additional event logging will take place until the event file is cleared. Before clearing an event file, you should save it to a backup file for future reference. The maximum size of an event file is specified by server configuration parameters in the LANMAN.INI file. The server parameter controlling the event log file size is stored in the section associated with each event log and is called MaxSize. (See Section 7.3, Using the LANMAN.INI File, for more information.)

Note

Before changing the value of this parameter (or before restarting the server, once you have changed the parameter), you should rename or delete the current event log file to which the parameter applies. Table 6-2, Event Log Files, lists the event log file names.

When an event log becomes full, you can save and clear the event log:

  • Saving an event log causes the current event log entries to be written to a specified archive file on the local computer.
  • Clearing an event log causes the current event log entries to be deleted.

6.1.3.2.1 Saving an Event Log

To save an event log, use the SAVE EVENTS command. The event log is stored, using the file name and location that you specify in the command line. For example, to save the Security event log to the file SEVENTS.BKP, enter the following command:


LANDOFOZ\\TINMAN> SAVE EVENTS SEVENTS.BKP/TYPE=SECURITY
%PWRK-S-ELFSAVE, Security Event Log from server "TINMAN" saved

LANDOFOZ\\TINMAN>

If you do not specify a path as part of the file name, the event file is created in the PWRK$LMLOGS: directory. You can save the event log file of a remote Compaq OpenVMS Advanced Server by specifying the server name with the /SERVER qualifier, as in the following example:


LANDOFOZ\\TINMAN> SAVE EVENTS SYSTEM.BKP/TYPE=SYSTEM/SERVER=DOROTHY
%PWRK-S-ELFSAVE, System Event Log from server "DOROTHY" saved

This saves the system event log file of server DOROTHY to the file PWRK$LMLOGS:SYSTEM.BKP on server DOROTHY.

You can display the saved event file by using the ADMINISTER SHOW EVENTS /TYPE command, specifying the event file name and location and the types of events to be viewed. See Section 6.1.3.1.1, Displaying Events When the Advanced Server Is Running.

6.1.3.2.2 Clearing an Event Log

To clear an event log, enter the CLEAR EVENTS command. The specified event log entries are deleted. For example:


LANDOFOZ\\TINMAN> CLEAR EVENTS/TYPE=SECURITY
Clear the Security Event Log [YES or NO] (YES) : YES
%PWRK-S-ELFCLEARED, Security Event Log on server "TINMAN" cleared

If you do not specify the event log type, the default is to clear the system event log.

6.1.3.3 Auditing Security Events Domainwide

The Advanced Server can track selected activities of users by auditing security events and then placing entries in a server's security log. You must enable auditing in order for the server to record security events. By default, auditing is not enabled.

To enable auditing, you must use the SET AUDIT POLICY command, as documented in Section 6.1.3.3.1, Enabling Security Event Auditing. You can use the command to establish an audit policy for the entire domain. (The command affects the security logs of the domain controller and of all server domain controllers in the domain: they all share the same audit policy. Member servers maintain their own auditing policy.) You can select any of several types of security events to be logged in the domain. For example, you can log:

  • A systemwide event such as a user logging on or off
  • An attempt by a user to access a specific directory or file
  • An attempt by a user to rename a user account or change a password

You can select whether successful or unsuccessful attempts at specific operations are to generate event messages.

For more information about setting an auditing policy, see Section 6.1.3.4, Establishing the Audit Policy.

6.1.3.3.1 Enabling Security Event Auditing

To enable auditing on the server, use the SET AUDIT POLICY command with the /AUDIT qualifier. For example:


LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"

6.1.3.3.2 Disabling Auditing

To disable auditing on the domain, use the SET AUDIT POLICY command with the /NOAUDIT qualifier.

6.1.3.4 Establishing the Audit Policy

The audit policy defines the types of events to be included in the Security event log. You can change the audit policy for the domain using the SET AUDIT POLICY command.

The SET AUDIT POLICY command lets you specify event results for which auditing is enabled, including both successful and failed attempts to perform certain functions. Include the /SUCCESS qualifier to specify successful completion of operations, and the /FAILURE qualifier to specify failed operations.

The following list shows the events you can specify:

  • All events
  • None of the events
  • Attempts to access a directory or file set for auditing or to send a print job to a shared print queue set for auditing
  • Attempts to create, change, and delete user accounts and groups; attempts to rename, disable, and enable a user account; attempts to set or change a password
  • Attempts to log on to the domain, log off the domain, and make server connections
  • Attempts to change user rights policies, auditing policies, or trust relationships
  • Attempts to invoke a program, and handle duplication, indirect accesses, and process exits
  • Attempts to restart or shut down the system, and events that affect system security or the security log
  • Attempts to exercise a user right (except those associated with logging on and logging off)

For more information about using the SET AUDIT POLICY command, refer to the Compaq Advanced Server for OpenVMS Commands Reference Manual or the ADMINISTER command interface online help.

6.1.3.4.1 Example: Setting the Audit Policy

The following example shows how to use the SET AUDIT POLICY command to log all failures of logon and logoff attempts:


LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/FAILURE=(LOGONOFF)
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

6.1.3.5 Displaying the Audit Policy

To display the audit policy, enter the SHOW AUDIT POLICY command. This displays the audit policy currently established for the server. For example:


LANDOFOZ\\TINMAN> SHOW AUDIT POLICY

Audit Policy for domain "LANDOFOZ":

Auditing is currently Enabled.

Audit Event states:

Audit Event         Success   Failure
------------------  --------  --------
ACCESS              Disabled  Disabled
ACCOUNT_MANAGEMENT  Disabled  Disabled
LOGONOFF            Disabled  Enabled
POLICY_CHANGE       Disabled  Disabled
PROCESS             Disabled  Disabled
SYSTEM              Disabled  Disabled
USER_RIGHTS         Disabled  Disabled

LANDOFOZ\\TINMAN>
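
Because auditing is disabled by default and each event category is switched on separately, it is useful to compare the displayed policy against the settings a site expects. The following Python sketch is an added example, not part of the Advanced Server documentation or software: it parses the SHOW AUDIT POLICY output shown above and reports every expected setting that is not enabled. The function names and the BASELINE contents are hypothetical and should be replaced with the site's own requirements.

```python
import re

# SHOW AUDIT POLICY output copied from the example on this page.
SAMPLE = """\
Audit Policy for domain "LANDOFOZ":

Auditing is currently Enabled.

Audit Event states:

Audit Event         Success   Failure
------------------  --------  --------
ACCESS              Disabled  Disabled
ACCOUNT_MANAGEMENT  Disabled  Disabled
LOGONOFF            Disabled  Enabled
POLICY_CHANGE       Disabled  Disabled
PROCESS             Disabled  Disabled
SYSTEM              Disabled  Disabled
USER_RIGHTS         Disabled  Disabled
"""

# Hypothetical site baseline: audit event -> outcomes that must be logged.
BASELINE = {
    "LOGONOFF": {"Failure"},
    "ACCOUNT_MANAGEMENT": {"Success", "Failure"},
    "POLICY_CHANGE": {"Success", "Failure"},
}

STATE = re.compile(r"^Auditing is currently (\w+)\.")
ROW = re.compile(r"^([A-Z_]+)\s+(Enabled|Disabled)\s+(Enabled|Disabled)$")

def parse_policy(text):
    """Return (auditing_enabled, {event: {"Success": bool, "Failure": bool}})."""
    auditing, states = None, {}
    for line in text.splitlines():
        line = line.strip()
        state, row = STATE.match(line), ROW.match(line)
        if state:
            auditing = state.group(1) == "Enabled"
        elif row:
            states[row.group(1)] = {"Success": row.group(2) == "Enabled",
                                    "Failure": row.group(3) == "Enabled"}
    return auditing, states

def policy_gaps(text, baseline=BASELINE):
    """List each baseline requirement the displayed policy does not meet."""
    auditing, states = parse_policy(text)
    gaps = []
    if auditing is not True:
        # The server records security events only while auditing is enabled.
        gaps.append("auditing is not enabled for the domain")
    for event in sorted(baseline):
        if event not in states:
            gaps.append(f"{event}: not present in the output")
            continue
        for outcome in sorted(baseline[event]):
            if not states[event][outcome]:
                gaps.append(f"{event}: {outcome} auditing is disabled")
    return gaps
```

For the policy displayed above, policy_gaps reports the four ACCOUNT_MANAGEMENT and POLICY_CHANGE settings, while the LOGONOFF failure requirement is already met.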

6.1.3.6 Setting and Displaying Security Event Auditing for Files and Directories

You can set and display the audit trail for a specific file or directory using the SET FILE and SHOW FILE commands.

Use the SET FILE command with the /AUDIT qualifier to specify the events to audit.

The following list shows the types of operations you can audit for files and directories:

  • All events
  • Attempts to display file names, attributes, permissions, owner, or data
  • Attempts to create subdirectories and files, change attributes, and display permissions and owner
  • Attempts to display attributes, permissions, and owner; attempts to change subdirectories; and attempts to run program files
  • Attempts to delete a directory or file
  • Attempts to change directory or file permissions
  • Attempts to change directory or file ownership

For more information about using the SET FILE command, refer to the Compaq Advanced Server for OpenVMS Commands Reference Manual or the ADMINISTER command interface online help.

For example, to set auditing of operations on the user file SIMIANS.DAT, enter the following command:


LANDOFOZ\\TINMAN> SET FILE \WITCH\MKEY\SIMIANS.DAT-
_LANDOFOZ\\TINMAN>/AUDIT=(SUCCESS=ALL,FAILURE=ALL)
%PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified
%PWRK-S-FILESMODIFIED, total of 1 file modified

LANDOFOZ\\TINMAN>

6.1.3.6.1 Example: Displaying the Audit Settings for a File

The following example shows how to display the audit settings for a file, using the SHOW FILES /AUDIT command:


LANDOFOZ\\TINMAN> SHOW FILES \WITCH\MKEY\SIMIANS.DAT/AUDIT
\\TINMAN \WITCH\MKEY\SIMIANS.DAT
    SIMIANS.DAT
        Audit Events:                   Success         Failure
           LION                         RWXDPO          RWXDPO

Total of 1 file

LANDOFOZ\\TINMAN>

6.1.4 Advanced Server Log Files

The Advanced Server records several types of messages in log files in the following locations:

  • PWRK$LOGS:, the logical name for the directory PWRK$COMMONROOT:[LOGS]
  • PWRK$LMLOGS:, the logical name for the directory PWRK$LMROOT:[LANMAN.LOGS]

Table 6-5, Log File Names, lists the log files kept in the PWRK$LOGS and PWRK$LMLOGS areas. In each case, nodename refers to the name of the server node.

Table 6-5 Log File Names
| Log File Name | Message Type |
|---|---|
| In PWRK$LOGS: | |
| NETBIOS_nodename.LOG | NetBIOS protocol over DECnet |
| NETBIOS_ERROR.LOG | NetBIOS protocol over DECnet error |
| NETBIOS_OUTPUT.LOG | NetBIOS protocol over DECnet output |
| PWRK$CONFIG_INFO_nodename.LOG | Configuration information |
| PWRK$CONFIG_ERROR_nodename.LOG | Configuration errors |
| PWRK$KNBDAEMON_nodename.LOG | NetBIOS protocol over TCP/IP |
| PWRK$LICENSE_R_nodename.LOG | License Registrar |
| PWRK$LICENSE_REGISTRAR_nodename.LOG | License Registrar |
| PWRK$LICENSE_S_nodename.LOG | License Server |
| PWRK$LICENSE_SERVER_nodename.LOG | License Server |
| PWRK$MASTER_nodename.LOG | Master process (process start and shutdown) |
| PWRK$NBDAEMON_nodename.LOG | NetBIOS protocol over NetBEUI |
| In PWRK$LMLOGS: | |
| PWRK$ADMIN_n_nodename.LOG | Remote task command |
| PWRK$LMMCP_nodename.LOG | Master control process |
| PWRK$LMSRV_nodename.LOG | File server process |
| PWRK$LMBROWSER_nodename.LOG | Browser |
| PWRK$UPGRADE.LOG | Upgrade utility |

