offloadauditlog

The offloadauditlog command provides an activity report for a console (identified as smc1 or smc2). The report includes basic information, such as, a list of who logged in, when they logged in, and what they did during their session.

Read syntax diagramSkip visual syntax diagram
>>-offloadauditlog--+- -logaddr-+--+---------+--audit_log_file-><
                    +-smc1------+  '- -quiet-'                   
                    '-smc2------'                                

Parameters

Notes:
  1. Only users with administrator authority are authorized to use this command.
  2. A separate log entry is added each time a resource is created, deleted, modified. Entries are added to the audit file only after the operation has completed.
  3. You must periodically extract the log using the offloadauditlog command and save the log file in a directory of your choice. The log file is automatically reduced (old entries removed first) by the subsystem so that it does not consume more than 50 megabytes of disk storage.

    When the log is 60% full, an entry ("Audit_Log_At_60%") is placed in the audit log. Another entry is added when the log is 75% ("Audit_Log_At_75%") full. At 100%, the log is reduced to 50% full.

-logaddr smc1|smc2
(Required) Specifies that the audit log be offloaded for the designated storage management console. The designated storage management console must be configured and available to offload the audit log successfully.
-quiet
(Optional) Specifies that the confirmation prompt be turned off.
audit_log_file
(Required) Specifies the file name to which the audit log entries are extracted.
Note: If you specify a file name that contains prior log entries, these entries are overwritten with the current data.

Example

Invoking the offloadauditlog command
dscli>dscli> offloadauditlog 
–logaddr smc1 auditlog-200509.txt
The resulting output
Sun Aug 11 02:23:49 PST 2004 DS CLI Version: 5.0.0.0:
Audit log successfully offloaded from smc1 to file auditlog-200509.txt.

Representative report

The following is an example of the report information that is extracted when you use the offloadauditlog command (the wrapping is done simply for clarity and is not representative of your actual report):

U,2005/10/04 15:08:46:834 MST,admin,1,,W,1002,User_Login_Fail,,1,
"IP = N996304B.tucson.ibm.com/9.11.178.201"
U,2005/10/04 15:29:37:432 MST,admin,1,,W,1001,User_Login_Expire,,0,
"IP = N996304B.tucson.ibm.com/9.11.178.201"
U,2005/10/04 15:32:56:979 MST,admin,1,,N,1000,User_Login,,0,
"IP = N996304B.tucson.ibm.com/9.11.178.201"
U,2005/10/04 15:34:21:020 MST,admin,1,,N,1000,User_Login,,0,
"IP = N996304B.tucson.ibm.com/9.11.178.201"
U,2005/10/05 16:54:32:171 MST,admin,1,,N,1103,
User_Password_Change,,be741104,"userName = admin"
S,2005/10/06 00:01:10:239 MST,,1,,W,1200,Audit_Log_At_60%,,,""
U,2005/10/06 00:23:09:817 MST,admin,1,IBM.2107-AZ12341,N,2050,
Array_Create,A0,0,"A0"
U,2005/10/06 00:23:10:518 MST,admin,1,IBM.2107-AZ12341,N,2060,
Rank_Create,R0,-1,"R0"
U,2005/10/06 00:23:12:110 MST,admin,1,IBM.2107-AZ12341,N,2070,
XPool_Create,P0,0,"P0"
U,2005/10/06 00:23:12:761 MST,admin,1,,N,2073,XPool_Assign_Rank,,,""
U,2005/10/06 00:23:16:947 MST,admin,1,IBM.2107-AZ12341,N,2090,
Volume_Create,1000,0,"1000"
U,2005/10/06 00:23:17:187 MST,admin,1,IBM.2107-AZ12341,N,2090,
Volume_Create,1001,,"1001"
S,2005/10/06 00:23:24:508 MST,,1,,W,1201,Audit_Log_At_75%,,,""
U,2005/10/06 12:47:16:345 MST,admin,1,IBM.2107-AZ12341,N,2092,
Volume_Delete,2005,0,"2005"
U,2005/10/06 12:47:16:656 MST,admin,1,IBM.2107-AZ12341,N,2092,
Volume_Delete,2006,-1,"2006"

Audit Log file definitions

Fields are output in comma-separated (CSV) format. This format makes it easy to import the file into a spreadsheet. The Input Parms field is a special case. It uses the CSV format internally to separate one input field from the next. To manage this, the entire Input Parms field is enclosed in double quotation marks.

Field Format Description
Source 1 char Specifies the source of the log entry:
S
Represents a server event that is not associated with a user action
U
Represents a user-requested action
C
Represents a continuation line for additional input attributes. There can be multiple C entries for a given user-requested (U) log entry.
Timestamp

YYYY/MM/DD
HH:MM:SS:MMM TMZ

 Represents the date, time, and time zone of the log entry.
User 1 - 16 char Represents the user account that is making the request.
MC 1 char, a "1" or "2" Represents the management console that processed the user request.
Device 16 char Represents the storage image ID that consists of the following values: manufacture, type, and serial number.
NWC 1 char Represents the following message types: N = notification, W = warning, and C = critical.
Entry ID 4 char Represents the unique identifier that is associated with the activity that is represented by the log entry.
Entry name 20 char max A text description that corresponds to the Entry ID.
Object ID 5 char max Represents a unique identifier that identifies the object.
Exit code 8 char Represents the final result code.

Input
Parameters

 160 char max Represents unformatted text that includes input parameters in the format: “attr1 = value1, attr2 = value2” with a comma (,) separator between parameters and double quotation marks around the entire field.
Parent topic: Audit commands
Library | Support | Terms of use | Feedback
© Copyright IBM Corporation 2004, 2007. All Rights Reserved.