COMMUNICATOR 3000 MPE/iX Release 5.0 (Core Software Release X.50.20)

System Logging Changes 

by Mike Paivinen 
Commercial Systems Division 

This article describes the changes that have been made to system logging
since MPE/iX Release 4.0.  New system log events have been added and new
log record formats have been added for several existing log events to
handle HFS filenames.


NOTE If you are unfamiliar with the Hierarchical File System (HFS), you may first want to read the article "The Hierarchical File System".

Terminology

System Log Event refers to an event that causes information to be
written to the active system log file, LOG####.PUB.SYS. System log
events can be configured using SYSGEN.

System Log Record refers to a logical record written to a system log
file as the result of a system log event. System log records can be
displayed using LOGTOOL.

System Log Record Format refers to the layout of information in a
system log record. System log record formats can be displayed using
LOGTOOL.

New System Log Events

Seven new system log events have been added in this release. Four
events were added with the POSIX enhancements to MPE/iX. Two events
were added with the new Security Monitor/iX software; see the article
"HP3000 Security Monitor/iX" in this Communicator. One event was added
with the new UPS Monitor/iX software; see the article "HP PowerTrust
UPS Monitor/iX" in this Communicator.

The following list defines the seven new log events and when the events
are logged.

* Chdir (127)--a process changes its current working directory (CWD).
* Process Adoption (128)--a network server process changes from the
  system process environment to a user job/session environment, or
  vice-versa.
  The Chdir, Process Adoption, Process Creation (141), and Chgroup (143)
  log events can be used to track a process' CWD.
* File Owner Change (129)--the file owner or group ID of a file changes.
* Security Configuration Change (142)--a change is made to the security
  configuration using Security Monitor/iX. This event can only be
  enabled from Security Monitor/iX.
* CI Command Logging (145)--Security Monitor/iX detects the execution of
  one of the CI commands enabled for logging. This event can only be
  enabled from Security Monitor/iX.
* UPS Monitor Event Logging (148)--a UPS event is detected by UPS
  Monitor/iX.
* Directory Open/Close Logging (155)--no log record is created for this
  system log event. Instead, the system manager can use this event to
  control whether file open error logging and file close logging
  includes hierarchical directories. Normally, this event should be
  disabled. However, system managers with C2-like audit requirements may
  want to enable directory logging. To enable the logging of directory
  open errors and/or closes, the File Open (144) and/or NM File Close
  (105) log events must also be enabled in SYSGEN, respectively.

There are now a total of 39 system log events.

System Log Record Formats

Starting with MPE/iX Release 4.5, variable-length HFS filenames need to
be logged for system log events that log filenames. Since the existing
record formats can accommodate only fixed-length MPE-syntax filenames,
additional record formats have been created for these system log events
by adding 100 to the current record formats.

For a given log event, the system uses the 1## record format if the
file resides in the MPE namespace, i.e., FILE.GROUP.ACCOUNT. If the file
resides outside of the MPE namespace, the 2## record format is used.

For example, accessing the file CATALOG.PUB.SYS would result in a NM
File Close record using the 105 format. Accessing the file as
/SYS/PUB/CATALOG would still result in a 105 format log record because
the file is in the MPE namespace. Accessing the file
/usr/include/stdio.h would result in a 205 format NM File Close record.

While the 1## log record formats remain unchanged, the new 2## log
record format is variable in length and the filename has been moved to
the end of the record. The filename is terminated with a NULL (0)
character.

The header for the 2## log records also differs from the header for the
1## log records. The 2## header has incorporated the information that
used to be in the audit trailer, which is part of selected log records.
No audit trailer is added to the 2## log records.

Aside from these differences, the other information in a log record is
the same between the 1## format and the 2## format for a given log
event. Of course, the location of the information within the log record
may differ.

NOTE Details on system log record formats can be found in the manual Manager's Guide To MPE/iX Security (32650-90474), which is new for MPE/iX Release 5.0. Previously, this information was included in several other manuals.

1## vs. 2## Record Formats. Most of the system log events do not log
filenames. The system will continue to log those events using the
existing 1## record formats.

Five system log events that log filenames are always logged using the
2## record format:

* Chdir (227)
* Process Adoption (228)
* File Owner Change (229)
* Security Configuration Change (242)
* CI Command Logging (245)

These events are all new events starting with MPE/iX Release 5.0. All of
these log records include filenames except for Security Configuration
Change.

However, six system log events that log a filename are logged in either
the 1## record format or the 2## record format depending on the
namespace in which the file resides--NM File Close (105/205), Password
Change (134/234), Restore (136/236), User Logging (140/240), Process
Creation (141/241), and File Open (144/244).

The ACD Change event can log up to three filenames. If all three files
are in the MPE namespace, then the 138 record format is used. Otherwise,
the 238 record format is used.

NOTE This behavior is a change since MPE/iX Release 4.5. It allows existing system logging applications to continue to work on MPE/iX Release 5.0 if the only files being accessed on the system are those in the MPE namespace.

Filenames. Filenames in the 1## record formats are always logged as
three separate components or as FILE.GROUP.ACCOUNT. Filenames in the 2##
record formats are logged either as absolute or relative pathnames
depending on the system log event.

Program filenames are always logged as absolute pathnames. Filenames in
the NM File Close (205) and Restore (236) records are always logged as
absolute pathnames. Filenames in the Chdir (227), File Owner Change
(229), ACD Change (238), and File Open (244) records are logged as
either relative or absolute pathnames depending on how the user or
application entered the filename.

SYSGEN

SYSGEN can be used to enable and disable system log events. System log
events are in the range 100 to 163. So, the SYSGEN command

    log>slog on=105

enables the NM File Close log event. NM File Close records in the system
log file are either in the 105 format or the 205 format depending on
whether the file being closed is in the MPE namespace or not.

LOGTOOL

LOGTOOL's LIST command can be used to display system log records.
Starting with LOGTOOL version A.03.02, which is included with MPE/iX
Release 5.0, the TYPE keyword of the LIST command is used to selectively
display system log events instead of system log record formats. For
example, the command

    LOGTOOL>list log=35;type=105

displays all NM File Close records in the log file LOG0035.PUB.SYS. It
displays records in both the 105 and 205 record formats. Similarly, the
command

    LOGTOOL>list log=57;type=241

displays all Process Creation records, including those in the 141 record
format.

In contrast, LOGTOOL's TYPES command is used to display system log
record formats. LOGTOOL displays only the record format(s) specifically
requested on the TYPES command. For example, you must use the command

    LOGTOOL>types type=105,205;detail

to display the details of both the 105 and 205 record formats for the NM
File Close event.
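
The format-selection rules and the event-based LIST selection described above, as an added Python example (not HP code and not part of the original article). It shows why an audit filter keyed on a 1## record format misses records for files outside the MPE namespace. The function names and the syntactic MPE-name check (uppercase names of up to eight characters, three levels) are assumptions made for illustration.

```python
import re

# Rules below are transcribed from the article; the MPE-name syntax check is an
# assumption used only to approximate "resides in the MPE namespace".
ALWAYS_2XX = {127, 128, 129, 142, 145}        # new events, logged only as 2##
DUAL_FORMAT = {105, 134, 136, 140, 141, 144}  # 1## or 2## by namespace
ACD_CHANGE = 138                              # can log up to three filenames
NO_RECORD = {155}                             # directory logging switch only

_NAME = r"[A-Z][A-Z0-9]{0,7}"
_MPE = re.compile(rf"^{_NAME}\.{_NAME}\.{_NAME}$")
_HFS_MPE = re.compile(rf"^/{_NAME}/{_NAME}/{_NAME}$")


def in_mpe_namespace(name):
    """Syntactic approximation: FILE.GROUP.ACCOUNT or /ACCOUNT/GROUP/FILE."""
    return bool(_MPE.match(name) or _HFS_MPE.match(name))


def event_of(record_format):
    """Map a record format (1## or 2##) to its system log event number."""
    return record_format - 100 if 200 <= record_format <= 263 else record_format


def expected_format(event, filenames=()):
    """Record format the article says is written for this event, or None."""
    if event in NO_RECORD:
        return None
    if event in ALWAYS_2XX:
        return event + 100
    if event in DUAL_FORMAT or event == ACD_CHANGE:
        in_mpe = all(in_mpe_namespace(f) for f in filenames)
        return event if in_mpe else event + 100
    return event  # events that do not log filenames keep the 1## format


def select_event(records, type_arg):
    """Select by event, as the TYPE keyword of LOGTOOL LIST is described."""
    return [r for r in records if event_of(r[0]) == event_of(type_arg)]


# Constructed sample: (record format, filename) for three NM File Close events.
SAMPLE = [(expected_format(105, [f]), f) for f in
          ("CATALOG.PUB.SYS", "/SYS/PUB/CATALOG", "/usr/include/stdio.h")]
legacy_hits = [r for r in SAMPLE if r[0] == 105]  # keyed on the format only
event_hits = select_event(SAMPLE, 105)            # keyed on the event
```

On the constructed sample, the format-keyed filter returns two records and the event-keyed filter returns all three, including the 205 record for /usr/include/stdio.h.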

