PATROL Agent logs

This topic describes the error log and audit log files to which the PATROL Agent writes various information. For each type of log file, it discusses file location, contents, format, management, and aging. This topic contains the following sections:

PATROL Agent error log

As part of the PATROL Agent's many tasks, it writes messages to the PATROL Agent error log file. Messages sent to the error log include both error messages that result from a failed action and informational messages that result from successful action. The error log is not exhaustive and does not record the success or failure of every action.

This topic contains the following sections:

Contents of PATROL Agent error log

The PATROL Agent Error log records the following information for each error message.

Information stored in PATROL error log

Information type	Description
Time and date	The time and date that the event occurred
Error message ID	The catalog message ID issued by the agent The catalogs are stored in <PATROL_HOME>_ /lib/nls/C/ # / #.cat files. If an error message is truncated due to a crash, you can use the ID to identify the last message written to the error log.
Message type	An error message is assigned one of the following types; they are listed in order of least severe to most: I = Informational W = Warning E = Error
Error message	The message written to the error log Messages written to the error log are not necessarily the result of errors or failures. Some PATROL components send informational messages to the error log.

Location of PATROL Agent error log

The following table indicates the file name and path for error log files:

Location of PATROL Agent error log file

File description	File name and path for UNIX
	File name and path for Windows
PATROL Agent error log file	PATROL_HOME/log/PatrolAgent-<hostName>-<port>#.errs
	PATROL_HOME\log\PatrolAgent-<hostName>-<port>#.errs

Redirecting error logs

You can redirect PATROL Agent's default error log file to a different location for virtual Agents in a clustered environment by using the PATROL_LOG_port environment variable.

Limiting size by restricting the number of messages

The /AgentSetup/maxAgentMessageLimit configuration variable determines the number of messages written to the PATROL Agent error log.

Format and type of data	Numeric, messages
Default value	100000
Minimum and maximum	0, none
Dependencies	None
Recommendation	Under normal circumstances, the default value for the number of messages must not be reached. Most of the PATROL Agent messages are a single line long. Only a few messages exceed this size. The global symbol numAgentMsgs tracks how many messages have been written to the log.

You can limit the number of messages that are written to the agent error log using the agent configuration variable, maxAgentMessageLimit. When the number of messages in agent error log reaches the limit, the agent stops logging the error messages to the error log.

When the limit is reached, the following block is written to the agent error log:

Mon Aug 14 11:45:22 2000 Maximum number of messages (12) logged. >>>NO MORE MESSAGES WILL BE LOGGED<<<

Log file aging

The PATROL Agent retains the current error log and the five most recent ones. To create an error log archive, the agent appends the extension ~#~ to the error log, where # indicates the log's relative age. One (1) represents the newest archived log and five (5) represents the oldest.

Example of log file aging technique

These files illustrate the PATROL Agent Error Log file aging technique:

PatrolAgent-hostname-port.errs
PatrolAgent-hostname-port.errs.~1~
PatrolAgent-hostname-port.errs.~2~
PatrolAgent-hostname-port.errs.~3~
PatrolAgent-hostname-port.errs.~4~
PatrolAgent-hostname-port.errs.~5~

Operation

During startup, the PATROL Agent checks to see if a log file or any archived log files exists, and performs the following actions:

If a fifth archive log exists, the agent deletes that log.
If archives one through four exist, the agent increments the extension of each by one.
If an error log file exists, the agent archives it by adding the extension ~1~.
The agent opens a new error log file.

Sample contents of PATROL Agent error log file

The following sample has been extracted from the beginning of a PATROL Agent Error Log file.

Wed Apr 20 01:06:22 2011: PatrolAgent (V3.9.00i, SunOS 5.8 sun4u sparc, Build_201104100512 Apr 14 2011)
PID 9002 started at Wed Apr 20 01:06:22 2011
Wed Apr 20 01:06:22 2011: EPOCH TIME = 1303241782
Wed Apr 20 01:06:22 2011: Host sol-pat-pun-qa-m03 SunOS sol-pat-pun-qa-m03 5.10 Generic_118822-25 sun4u
Wed Apr 20 01:06:22 2011: uid: 100 euid: 0 gid: 1 egid: 1
Wed Apr 20 01:06:22 2011: BUILDENV = SunOS 5.8 sun4u sparc
Wed Apr 20 01:06:22 2011: Build TARGET = Solaris28-sun4-64
Wed Apr 20 01:06:22 2011: Run Time $TARGET = Solaris210-sun4-64
Wed Apr 20 01:06:22 2011: ID 10218a: I: Internationalized PatrolAgent, Locale = C (C).
Wed Apr 20 01:06:22 2011: ID 102192: I: Max. # of open file descriptors = 1024
Wed Apr 20 01:06:22 2011: ID 1021b1: I: CPU time [parm90:seconds]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021b2: I: Maximum file size [parm90:bytes]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021b3: I: Maximum data size [parm90:bytes]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021b4: I: Maximum stack size [parm90:bytes]: Current limit = 8Mb, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021b5: I: Maximum core file size [parm90:bytes]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021b6: I: Maximum number of open files [parm90:descriptors]: Current limit = 1024, Hard limit = 65536
Wed Apr 20 01:06:22 2011: ID 1021b9: I: Maximum available mapped address space [parm90:bytes]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021ba: I: Maximum available memory [parm90:bytes]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: ML_ROOT=/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/lib/nls
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: XBMLANGPATH=/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/lib/images/%B.xbm
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATROL_BIN=/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/bin
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATROL_HEARTBEAT_INTERVAL=4000
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATROL_SKS_DBNAME=default
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: HHHOME=/opt/patqa1/3900QA12/Patrol3/lib/app-defaults/help
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: HOME=/opt/patqa1
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: HZ=100
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: LOGNAME=patqa1
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: MAIL=/var/mail/patqa1
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: OLDPWD=/opt/patqa1/3900QA12/Patrol3/log
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATH=/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/bin:/usr/xpg4/bin:/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/bin:/usr/xpg4/bin:/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/bin:/usr/bin::/usr/sbin
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATROL_ADMIN=patqa1
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATROL_HOME=/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PWD=/opt/patqa1/3900QA12/Patrol3
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: SHELL=/bin/bash
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: SHLVL=2
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: TARGET=Solaris210-sun4-64
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: TERM=xterm
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: TZ=Asia/Calcutta
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: UNAME=SunOS
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: XKEYSYMDB=/opt/patqa1/3900QA12/Patrol3/lib/app-defaults/XKeysymDB
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: XUSERFILESEARCHPATH=/opt/patqa1/3900QA12/Patrol3/lib/app-defaults/%N:/opt/patqa1/3900QA12/Patrol3/lib/app-defaults/%N
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: _=./PatrolAgent
Wed Apr 20 01:06:22 2011: ID 10218c: I: Enabling COS support subsystem using RT Server Locator: tcp:172.19.220.162:2059.
Wed Apr 20 01:06:22 2011: ID 10209d: I: SNMP Sub-Agent is now connected.
Wed Apr 20 01:06:22 2011: ID 102010: I: Binding PatrolAgent to TCP port 3181
Wed Apr 20 01:06:22 2011: ID 1021d3: I: PatrolAgent default account is 'patqa1'
Wed Apr 20 01:06:22 2011: ID 102082: I: PatrolAgent-Info: Loaded `ALL_COMPUTERS' application locally from agent knowledge directory.
Wed Apr 20 01:06:22 2011: ID 102082: I: PatrolAgent-Info: Loaded `SOLARIS' application locally from agent knowledge directory.
Wed Apr 20 01:06:22 2011: ID 1020a9: I: Using default method of collecting process cache: internal function call.
Wed Apr 20 01:06:22 2011: ID 1020ab: I: PatrolAgent's runqSchedPolicy is now set to 1.
Wed Apr 20 01:06:22 2011: PatrolAgent-E-EUSER: Bad PSL script for SOLARIS Command, command type 'PSL', class 'COMMAND'.
Wed Apr 20 01:06:22 2011: Enabling Integration Service support subsystem.
Wed Apr 20 01:06:22 2011: ID 10205a: I: Binding PatrolAgent to port 3181 ...
Wed Apr 20 01:06:23 2011: ID 1021cc: I: Connection established to rtserver tcp:172.19.220.162:2059.

Agent audit log

The Audit Log feature records various security-related aspects of PATROL. The Log records information such as follows:

Commands that are run as a result of Infobox or Menu commands
Which console-connection runs commands (listed by console ID)
Connect/disconnect
Commit operations
Configuration operations
Most spawned commands

This information is critical for locating the source of PAWorkRateExecsMin alarms.

Contents of audit log

The following table lists the type of information recorded in the audit log file:

Type of information recorded in the audit log

Type of information/event	The audit log records...
Spawned Commands	Explicitly created external processes. Note: The agent does not create a log entry for implicitly created commands. This means that the PATROL Agent will not log the commands that are created by a process that it creates. Example: Using PSL popen() to create a process, and then sending a command down the channel for this process to run. The agent logs the creation of the popen() process.
Commands Ran	Each command (that is, script) that is run as a result of a Menu Command or an InfoBox Command. The entry in the log file records the console ID of the peer and the local account name used for the connection.
Connect/Disconnect Details	Each connection/disconnection. The entry in the log file records the console ID of the peer, the console type, and the local account name used for this connection.
Commit Actions	Each file that is transferred during a commit. The entry in the log file records the name of the file, the console ID of the connection performing the commit, and the local account that is used for the connection.
Configuration Actions	Each explicit pconfig, wpconfig, or xpconfig action that affects the state of the PATROL Agent. The entry in the log file records the events that change variables, kill the agent, and PSL pconfig() operations.

Location of audit log

The file path and name are user-defined. You determine the file location during audit logging setup.

Setting up audit logging

The auditing feature is controlled by the configuration variable /AgentSetup/auditLog. The standard PATROL installation process does not create this variable. You must create and set this variable to enable audit logging and to restrict the number of messages.

Format and type of data	See Keys and values for the audit log variable
Default value	None
Minimum and maximum	Not applicable
Dependencies	None
Recommendation	None

The following figure demonstrates what the variable would look like when added through wpconfig or xpconfig:
Adding /AgentSetup/auditLog in wpconfig\xpconfig

Keys and values for the audit log variable

The Audit Log configuration variable, /AgentSetup/auditLog, consists of a new line separated list of KEY=VALUE pairs.

AgentSetup/auditLog keys and values

Key	Description
Active	Determines whether the audit logging feature is turned on or off, and where the information is being logged. The recognized values include the following: 0 — turns off audit logging and is the default setting (No, and False are also valid values) 1 — logs information to a file (Yes, On, and True are also valid values) 2 — log information is sent to the Applications log by default. If you are using Windows 2000 or later, see Creating a custom node in the windows event log. 3 — logs information to both a file and Windows Event Log
Delimiter	Determines the delimiter character that separates the fields in the log file. The default character is the pipe-symbol '\|'.
FileAging	Determines the interval at which a new log file is created as follows: Daily N — create a new log file every day at approximately the hour N, where N ranges from midnight 12 A.M. represented as 0 to 11 P.M. represented as 23; the default is Daily 0 Entries N — create a new log file after logging N entries, where N is the number of entries; for example, N >= 100 Size N — create a new log file when the file reaches a designated size, where N is the file size in KB; for example, N >= 32
FileCount	Determines how many old log files are retained. The default value is 5. Each time a new log file is created, the previous files are renamed in the same manner as done with the agent regular log file.
FileName	Determines the pathname and filenaming convention for the audit log file. The name can contain the following macros: %H — refers to the current agent-host %P — refer to the port-number being used If path is not a fully qualified pathname, the PATROL Agent treats it as being relative to the <PATROL_HOME>/log directory. All subdirectories in the pathname must already exist. PATROL Agent creates the log file but not the directories leading up to the file. If the file cannot be opened, the agent writes an error message to the agent's log file. The default path and file name is: NT — PATROL_HOME\log\PatrolAgent-%H-%P.audit UNIX — PATROL_HOME/log/PatrolAgent-%H-%P.audit

Creating a custom node in the windows event log

When you set the /AgentSetup/auditLog configuration variable to log information to the Windows Event Log, the activity will be logged to the "Applications" Windows Event Log by default. On Windows 2000 or later, you can create a separate, custom "PATROL" node in the Windows Event Log.

The following task describes how to create a custom log. You must first remove the existing agent service (if necessary), and install the agent with the -l (L) command line option.

To remove the agent service

Type the following command in the command line and press Enter:
PatrolAgent -remove

To install the agent service

Type the following command in the command line and press Enter:
PatrolAgent -install -l logname (where logname is the desired name for the custom log node)
Restart your computer for the change to take effect.

Audit log file format

The log file stores data in the following format:

Time|Host|EntryType|User|Entry-specific-data

Each field is separated by the delimiter character (the default is a pipe, |) specified in /AgentSetup/auditLog configuration variable.

Audit log file format

Field	Description
Time	The date and local time in yyyymmdd:hh:mm:ss format
Host	The name of the computer on which the agent is running
EntryType	The type of action being recorded is as follows: Audit Run Connect Disconnect Commit pconfig Command Note: Runs records any attempt by the agent to create (spawn) an external process. Command (i.e., script) is run as a result of a menu or an InfoBox command. Entry- specific data field description provides information about what type of information each entry type provides.
User	The name of the local account used to perform the action
Entry- specific data	The Entry Type is determined by the type of action being recorded. The left column lists the action; the right describes the entry.
	Audit	Indicates file opened/closed
	Command	The console ID running the command; if the command originates from the system-output window, it displays the actual command
	Commit	The console ID and the name of the file being transferred
	Config	Two types of entries are as follows: The first indicates where the connection originated. It contains the console ID and the high-level action taking place such as reboot agent. The second gives a specific action such as store or delete, and lists the variable affected.
	Connect	The console ID and the connection type
	Disconnect	The console ID of the connection
	Run	The command name and its arguments

Sample audit log file

PATROL Agent doesn't restart after you run set_unset_tls command to configure TLS 1.2

A PATROL Agent doesn't restart successfully when you run set_unset_tls command to enable TLS 1.2 on a PATROL Agent with the following conditions:

If the PATROL Agent's installation directory is not same as the default installation directory that is C:\Program Files (x86)\BMC Software
If the PATROL Agent is running on Microsoft Windows operating system

Workaround:

Perform the following sequence of steps:

Run the script to disable TLS mode. For step-by-step instructions, see Configuring the PATROL Agent to enable the default configuration.
Using a text editor, open the tls_agent.reg registry file located in the <PATROL Agent Installation Directory>\common\security\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

#Original entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
#Modified entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
Using a text editor, open the tls_esi.reg registry file located in the <PATROL Agent Installation Directory>\common\security\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

#Original entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
#Modified entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
Using a text editor, open the tls_proxy.reg registry file located in the <PATROL Agent Installation Directory>\common\security\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

#Original entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
#Modified entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
Run the script to enable TLS 1.2. For step-by-step instructions, see Configuring the PATROL Agent network communication to be TLS compliant.