HP Security Monitor/iX Manager's Guide: HP 3000 MPE/iX Computer Systems > Chapter 7 Auditing System Use > Using System Logging
|
System logging records the use of certain resources by accounts, groups, and users. Like the administrative functions, it can be used for billing or for obtaining an overview of system use; unlike them, it describes system use as a running log of events, each correlated with the job or session that caused it, which also makes it the means of detecting security attacks or breaches after the fact. System logging is the only means of recording system use on a job/session basis. Most logging events are optional: when the system is configured, the system manager selects whether or not each is recorded. In addition to the LOGGING ENABLED event, the following events are always enabled when the system is started:
The events that the system manager chooses to monitor are recorded as log records in a disk file; each event occupies one logical record.

The LOG configurator, accessed through SYSGEN, enables the system manager to change the attributes of the system logging and user logging processes. System logging records the use of certain system resources by accounts, groups, and users on a job or session basis; the system manager determines which events are logged. User logging allows users and subsystems to record additions and modifications to databases and other files used in application programs; the system manager determines the maximum number of logging processes and the maximum number of users per logging process.

To access the LOG configurator, enter the LOG command (abbreviated LO) at the SYSGEN prompt as shown in the following example:

The help facility enables you to quickly identify the function and syntax of the LOG configurator commands and options used to define or change logging processes. To obtain a list of the commands available in the LOG configurator, enter HELP at the LOG configurator prompt as shown in the following example: Example 7-2 LOG Configurator Help
To display the syntax for each available command, enter HELP ALL as shown in the following example: Example 7-3 LOG Configurator HELP ALL
Entering HELP commandname provides help for a specific command:
The SHOW command displays the LOG values as currently set. SHOW has the following parameters:
SLOG     Lists the state of the system logging events.
ULOG     Lists the number of user logging processes and users per logging process currently configured; the output includes the minimum, maximum, current, and default values.
ALL      Lists all the information associated with the LOG configurator.
OFFLINE  Redirects the output of the SHOW command to the SYSGEN listing file, SYSGLIST. OFFLINE does not immediately generate a printout: the information accumulates in SYSGLIST until you either enter the OCLOSE command or exit the configurator, either of which closes SYSGLIST and prints the file.

SHOW with no parameters is the same as SHOW ALL. To show the current user logging process configuration, enter SHOW ULOG: Example 7-4 Showing User Logging Processes
To view all currently configured values, enter SHOW ALL:

System logging creates a running log of actual events, each correlated with a job or session, for purposes such as billing, obtaining an overview of system use, or investigating an incident after the fact. The system manager chooses which events to enable or disable by setting an event number to ON or OFF. (Refer to the preceding example for a list of event numbers and their definitions.) The SLOG command enables and disables the selected system logging events. SLOG has the following parameters:
Enable the logging of an event by entering SLOG event#,...:
or
Disable the logging of an event by entering SLOG OFF=event#,...:
Entering SLOG without ON enables logging. Entering SLOG without an event number causes an error:
Logging event 100 is a special case: it is the master switch. If 100 is OFF, no logging takes place except for the events that MPE/iX forces on, no matter which other events are set ON. After any SLOG change, confirm with SHOW SLOG that 100 is still ON.
User logging provides a means for system users and subsystems to record additions and modifications to databases and other files using application programs. The system manager determines the maximum number of logging processes and the maximum number of users per logging process. The ULOG command configures the user logging process parameters. ULOG has the following parameters:
NLOGPROCS     Controls the user logging ID (LID) table size. The minimum and maximum number of processes are 2 and 128, respectively. Lowering NLOGPROCS loses all current logging ID information from the tape created by SYSGEN; if NLOGPROCS is unchanged or increased, the current logging ID information is copied to the tape.
USERSPERPROC  Specifies the maximum number of users assigned to each configured logging process. The minimum and maximum number of users per logging process are 1 and 1024, respectively.
To set the number of processes or the number of users per process, enter ULOG followed by the NLOGPROCS or USERSPERPROC parameter and its value:
or
If you desire to clear all LOG configuration changes made, enter the CLEAR command at the LOG configurator prompt.
Once a SYSGEN> KEEP is done, the kept changes become permanent and CLEAR does not remove them.

The system logging and user logging commands described above change the LOG configuration named on the SYSGEN command line or by the global BASEGROUP command. These changes are temporary and are lost if not properly saved. Saving configuration changes is a two-step procedure: first, hold the changes before exiting the configurator; second, use the global module KEEP command to save them. To hold changes, enter the HOLD command at the LOG configurator prompt:
You can work in a SYSGEN configurator, hold the changes, and continue working in other SYSGEN configurators before saving the changes. To save the changes, hold all desired changes, exit to SYSGEN's global module, and issue the KEEP command:
Use a colon (:) to introduce an MPE command from within the LOG configurator: enter the colon followed by the command. For example,
Use the EXIT command to terminate the LOG configurator and return to the SYSGEN global module. Exit may be abbreviated EX or E. To end working in the LOG configurator, enter EXIT at the LOG configurator prompt:
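The procedure above (SLOG and ULOG edits, HOLD in the configurator, EXIT, then KEEP in SYSGEN) is easy to get subtly wrong: event 100 switched OFF silences everything else, a lowered NLOGPROCS drops LID information, and changes that are never held and kept vanish. The following added example, written for this page and not HP's code, dry-runs a planned session: it parses the command lines you intend to type and applies the rules the manual states. The spellings ULOG NLOGPROCS=n and ULOG USERSPERPROC=n, the starting values, and the set of events MPE/iX forces on (the manual's list is not reproduced here, so it defaults to empty) are assumptions.

```python
"""Added example, not HP code: dry-run a planned LOG configurator session.
simulate() takes the command lines you intend to enter (SLOG, ULOG, CLEAR,
HOLD, EXIT, KEEP), applies the rules the manual gives (2 <= NLOGPROCS <= 128,
1 <= USERSPERPROC <= 1024, lowering NLOGPROCS drops LID information, event
100 OFF silences every optional event, changes persist only after HOLD and
then KEEP) and returns the resulting state with warnings.
Assumptions: the spellings 'ULOG NLOGPROCS=n' / 'ULOG USERSPERPROC=n', the
starting values, and the forced-on event set (defaults to empty)."""
import re

NLOGPROCS_RANGE = (2, 128)
USERSPERPROC_RANGE = (1, 1024)
MASTER_EVENT = 100   # manual: if 100 is OFF, only events forced on by MPE/iX are logged


def parse_events(text):
    """'100, 134' -> {100, 134}; SLOG with no event number is an error, as in SYSGEN."""
    items = [t for t in text.replace(" ", "").split(",") if t]
    if not items:
        raise ValueError("SLOG requires at least one event number")
    return {int(t) for t in items}


def simulate(commands, enabled=frozenset({100}), nlogprocs=4, usersperproc=16,
             forced=frozenset()):
    baseline = (set(enabled), nlogprocs, usersperproc)   # what KEEP last made permanent
    cur = [set(enabled), nlogprocs, usersperproc]        # [events, NLOGPROCS, USERSPERPROC]
    held = None          # snapshot taken by HOLD, or None
    kept = False
    dirty = False        # edits made since the last HOLD (or since entry)
    warnings = []
    for raw in commands:
        cmd = raw.strip().upper()
        if cmd.startswith("SLOG"):
            m = re.fullmatch(r"SLOG\s*(?:(ON|OFF)=)?([0-9,\s]*)", cmd)
            if not m:
                raise ValueError(f"bad SLOG syntax: {raw!r}")
            events = parse_events(m.group(2))
            if (m.group(1) or "ON") == "ON":       # SLOG without ON enables
                cur[0] |= events
            else:
                cur[0] -= events
            dirty = True
        elif cmd.startswith("ULOG"):
            m = re.fullmatch(r"ULOG\s+(NLOGPROCS|USERSPERPROC)=(\d+)", cmd)
            if not m:
                raise ValueError(f"bad ULOG syntax (assumed form): {raw!r}")
            name, value = m.group(1), int(m.group(2))
            lo, hi = NLOGPROCS_RANGE if name == "NLOGPROCS" else USERSPERPROC_RANGE
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}..{hi}")
            if name == "NLOGPROCS":
                if value < cur[1]:
                    warnings.append("NLOGPROCS lowered: logging ID (LID) information is "
                                    "dropped from the tape SYSGEN creates")
                cur[1] = value
            else:
                cur[2] = value
            dirty = True
        elif cmd == "CLEAR":                        # undoes everything not yet KEEPed
            cur = [set(baseline[0]), baseline[1], baseline[2]]
            held, dirty = None, False
        elif cmd == "HOLD":
            held, dirty = (set(cur[0]), cur[1], cur[2]), False
        elif cmd in ("EXIT", "EX", "E"):
            if dirty:                               # leaving without HOLD discards the edits
                warnings.append("EXIT before HOLD: un-held changes are lost")
                base = held or baseline
                cur, dirty = [set(base[0]), base[1], base[2]], False
        elif cmd == "KEEP":
            if held is not None:
                kept, baseline = True, held
        else:
            raise ValueError(f"unknown command: {raw!r}")
    events = cur[0]
    if MASTER_EVENT not in events:
        warnings.append("event 100 is OFF: nothing but events forced on by MPE/iX is logged")
    if not kept:
        warnings.append("not saved: HOLD in the LOG configurator, then KEEP in SYSGEN")
    effective = (events | set(forced)) if MASTER_EVENT in events else set(forced)
    return {"effective": effective, "nlogprocs": cur[1], "usersperproc": cur[2],
            "saved": kept, "warnings": warnings}


if __name__ == "__main__":
    plan = ["SLOG 100,134", "ULOG NLOGPROCS=8", "HOLD", "EXIT", "KEEP"]
    print(simulate(plan))
    print(simulate(["SLOG OFF=100", "SLOG 134", "HOLD", "EXIT"]))
```

Run it on the session you intend to type before you open SYSGEN; an empty warnings list means the events you expect will actually be recorded and the configuration will survive the next system start.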
To analyze your logs and to read what you are logging, you must print your log files. To do this, use the LOGTOOL utility program. The LOGTOOL utility runs under the online diagnostic system, and can be invoked by entering SYSDIAG. When the diagnostic user interface prompt (DUI>) appears, enter RUN LOGTOOL. In order to print a log, issue the following:
Enter HELP after the LOGTOOL prompt for more information. The STATUS command reports on the status of all system log files. The following example shows the use of the STATUS command in the sequence of printing a log.
If you do not specify the OUTFILE parameter, the log prints on your terminal screen. Typically this report is very long and ties up your terminal for quite some time. If this does happen, you can enter CTRL Y to break the process. If you like, you can filter the output of LOGTOOL utility to show you information about only a specific user or users. The syntax for this is shown below.
The input for these commands should be no longer than 80 characters. Default for all parameters is the wildcard @. For example, to select log records from log files 1 through 5, with log information about password changes (log type 134), and user identification JTEST,MARIA.PAYROLL, you would enter the following.
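The selection LOGTOOL applies in that example is a log-file range, a record type, and a user specification, each defaulting to the wildcard @. The user specification follows the MPE logon form session,user.account, so JTEST,MARIA.PAYROLL names session JTEST, user MARIA, account PAYROLL. The following added example, written for this page and not LOGTOOL's own code, re-implements those matching rules over constructed sample records so they can be exercised offline; the LogRecord layout, the constructed records, and wildcard support for # and ? are assumptions (real MPE/iX log records are binary and are read with LOGTOOL).

```python
"""Added example, not LOGTOOL code: the record selection LOGTOOL applies
(a log-file range, a record type and a user specification, each defaulting
to the wildcard @) re-implemented over constructed sample records.
Assumptions: the LogRecord layout, the sample records, and '#'/'?' wildcards."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LogRecord:
    logfile: int   # number of the system log file the record came from
    kind: int      # log record type; 134 = password change (from the manual)
    jsname: str    # job/session name
    user: str
    account: str
    detail: str


def wild_to_regex(spec):
    """MPE-style wildcard -> anchored regex: '@' any run of characters,
    '#' one digit, '?' one alphanumeric (the last two are assumptions)."""
    body = "".join({"@": ".*", "#": "[0-9]", "?": "[A-Z0-9]"}.get(ch, re.escape(ch))
                   for ch in spec.upper())
    return re.compile(f"^{body}$")


def parse_user_spec(spec):
    """'[jsname,]user.account' (the MPE logon form: JTEST,MARIA.PAYROLL is
    session JTEST, user MARIA, account PAYROLL) -> three compiled patterns.
    Omitted parts default to @."""
    jsname, rest = spec.split(",", 1) if "," in spec else ("@", spec)
    user, _, account = rest.partition(".")
    return tuple(wild_to_regex(part or "@") for part in (jsname, user, account))


def log_predicate(spec):
    """'@' -> every log file; '3' -> file 3 only; '1/5' -> files 1 through 5."""
    if spec == "@":
        return lambda n: True
    lo, _, hi = spec.partition("/")
    lo, hi = int(lo), int(hi or lo)
    return lambda n: lo <= n <= hi


def select(records, log="@", kind="@", user="@"):
    """Return the records matching all three selectors, in input order."""
    for value in (log, kind, user):
        if len(value) > 80:      # manual: LOGTOOL input is limited to 80 characters
            raise ValueError("selector longer than 80 characters")
    in_log = log_predicate(log)
    want_kind = None if kind == "@" else int(kind)
    js_re, user_re, acct_re = parse_user_spec(user)
    return [r for r in records
            if in_log(r.logfile)
            and (want_kind is None or r.kind == want_kind)
            and js_re.match(r.jsname) and user_re.match(r.user) and acct_re.match(r.account)]


# Constructed sample records; only type 134 is taken from the manual.
SAMPLE = [
    LogRecord(1, 134, "JTEST", "MARIA", "PAYROLL", "password changed"),
    LogRecord(3, 134, "JTEST", "MARIA", "PAYROLL", "password changed"),
    LogRecord(3, 134, "NIGHTLY", "OPERATOR", "SYS", "password changed"),
    LogRecord(5, 999, "JTEST", "MARIA", "PAYROLL", "constructed non-134 record"),
    LogRecord(7, 134, "JTEST", "MARIA", "PAYROLL", "password changed"),
]

if __name__ == "__main__":
    # The manual's example: files 1 through 5, type 134, user JTEST,MARIA.PAYROLL.
    for r in select(SAMPLE, log="1/5", kind="134", user="JTEST,MARIA.PAYROLL"):
        print(r)
```

The useful generalisation for an investigator is the account-wide sweep, for example user="@.PAYROLL" with kind="134", which lists every password change in the PAYROLL account regardless of session name or user.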