PATROL Agent logs
This topic describes the error log and audit log files to which the PATROL Agent writes various information. For each type of log file, it discusses file location, contents, format, management, and aging.
PATROL Agent error log
As part of the PATROL Agent's many tasks, it writes messages to the PATROL Agent error log file. Messages sent to the error log include both error messages that result from a failed action and informational messages that result from successful action. The error log is not exhaustive and does not record the success or failure of every action.
Contents of PATROL Agent error log
The PATROL Agent Error log records the following information for each error message.
Information stored in PATROL error log
Information type | Description |
---|---|
Time and date | The time and date that the event occurred |
Error message ID | The catalog message ID issued by the agent |
Message type | An error message is assigned one of the following types; they are listed in order of least severe to most:
|
Error message | The message written to the error log. Messages written to the error log are not necessarily the result of errors or failures. Some PATROL components send informational messages to the error log. |
Location of PATROL Agent error log
The following table indicates the file name and path for error log files:
Location of PATROL Agent error log file
File description | File name and path for UNIX | File name and path for Windows |
---|---|---|
PATROL Agent error log file | PATROL_HOME/log/PatrolAgent-<hostName>-<port>#.errs | PATROL_HOME\log\PatrolAgent-<hostName>-<port>#.errs |
Redirecting error logs
You can redirect PATROL Agent's default error log file to a different location for virtual Agents in a clustered environment by using the PATROL_LOG_port environment variable.
Limiting size by restricting the number of messages
The /AgentSetup/maxAgentMessageLimit configuration variable determines the number of messages written to the PATROL Agent error log.
Format and type of data | Numeric, messages |
Default value | 100000 |
Minimum and maximum | 0, none |
Dependencies | None |
Recommendation | Under normal circumstances, the default limit on the number of messages should not be reached. Most PATROL Agent messages are a single line long; only a few exceed this size. |
You can limit the number of messages that are written to the agent error log by using the agent configuration variable maxAgentMessageLimit. When the number of messages in the agent error log reaches the limit, the agent stops logging error messages to the error log.
When the limit is reached, the following block is written to the agent error log:
Mon Aug 14 11:45:22 2000 Maximum number of messages (12) logged. >>>NO MORE MESSAGES WILL BE LOGGED<<<
Log file aging
The PATROL Agent retains the current error log and the five most recent ones. To create an error log archive, the agent appends the extension ~#~ to the error log, where # indicates the log's relative age. One (1) represents the newest archived log and five (5) represents the oldest.
Example of log file aging technique
These files illustrate the PATROL Agent Error Log file aging technique:
PatrolAgent-hostname-port.errs
PatrolAgent-hostname-port.errs.~1~
PatrolAgent-hostname-port.errs.~2~
PatrolAgent-hostname-port.errs.~3~
PatrolAgent-hostname-port.errs.~4~
PatrolAgent-hostname-port.errs.~5~
Operation
During startup, the PATROL Agent checks whether a log file or any archived log files exist, and performs the following actions:
- If a fifth archive log exists, the agent deletes that log.
- If archives one through four exist, the agent increments the extension of each by one.
- If an error log file exists, the agent archives it by adding the extension ~1~.
- The agent opens a new error log file.
Sample contents of PATROL Agent error log file
The following sample has been extracted from the beginning of a PATROL Agent Error Log file.
Wed Apr 20 01:06:22 2011: PatrolAgent (V3.9.00i, SunOS 5.8 sun4u sparc, Build_201104100512 Apr 14 2011)
PID 9002 started at Wed Apr 20 01:06:22 2011
Wed Apr 20 01:06:22 2011: EPOCH TIME = 1303241782
Wed Apr 20 01:06:22 2011: Host sol-pat-pun-qa-m03 SunOS sol-pat-pun-qa-m03 5.10 Generic_118822-25 sun4u
Wed Apr 20 01:06:22 2011: uid: 100 euid: 0 gid: 1 egid: 1
Wed Apr 20 01:06:22 2011: BUILDENV = SunOS 5.8 sun4u sparc
Wed Apr 20 01:06:22 2011: Build TARGET = Solaris28-sun4-64
Wed Apr 20 01:06:22 2011: Run Time $TARGET = Solaris210-sun4-64
Wed Apr 20 01:06:22 2011: ID 10218a: I: Internationalized PatrolAgent, Locale = C (C).
Wed Apr 20 01:06:22 2011: ID 102192: I: Max. # of open file descriptors = 1024
Wed Apr 20 01:06:22 2011: ID 1021b1: I: CPU time [parm90:seconds]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021b2: I: Maximum file size [parm90:bytes]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021b3: I: Maximum data size [parm90:bytes]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021b4: I: Maximum stack size [parm90:bytes]: Current limit = 8Mb, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021b5: I: Maximum core file size [parm90:bytes]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021b6: I: Maximum number of open files [parm90:descriptors]: Current limit = 1024, Hard limit = 65536
Wed Apr 20 01:06:22 2011: ID 1021b9: I: Maximum available mapped address space [parm90:bytes]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1021ba: I: Maximum available memory [parm90:bytes]: Current limit = unlimited, Hard limit = unlimited
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: ML_ROOT=/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/lib/nls
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: XBMLANGPATH=/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/lib/images/%B.xbm
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATROL_BIN=/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/bin
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATROL_HEARTBEAT_INTERVAL=4000
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATROL_SKS_DBNAME=default
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: HHHOME=/opt/patqa1/3900QA12/Patrol3/lib/app-defaults/help
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: HOME=/opt/patqa1
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: HZ=100
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: LOGNAME=patqa1
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: MAIL=/var/mail/patqa1
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: OLDPWD=/opt/patqa1/3900QA12/Patrol3/log
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATH=/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/bin:/usr/xpg4/bin:/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/bin:/usr/xpg4/bin:/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64/bin:/usr/bin::/usr/sbin
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATROL_ADMIN=patqa1
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PATROL_HOME=/opt/patqa1/3900QA12/Patrol3/Solaris210-sun4-64
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: PWD=/opt/patqa1/3900QA12/Patrol3
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: SHELL=/bin/bash
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: SHLVL=2
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: TARGET=Solaris210-sun4-64
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: TERM=xterm
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: TZ=Asia/Calcutta
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: UNAME=SunOS
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: XKEYSYMDB=/opt/patqa1/3900QA12/Patrol3/lib/app-defaults/XKeysymDB
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: XUSERFILESEARCHPATH=/opt/patqa1/3900QA12/Patrol3/lib/app-defaults/%N:/opt/patqa1/3900QA12/Patrol3/lib/app-defaults/%N
Wed Apr 20 01:06:22 2011: ID 1020ff: I: Environment: _=./PatrolAgent
Wed Apr 20 01:06:22 2011: ID 10218c: I: Enabling COS support subsystem using RT Server Locator: tcp:172.19.220.162:2059.
Wed Apr 20 01:06:22 2011: ID 10209d: I: SNMP Sub-Agent is now connected.
Wed Apr 20 01:06:22 2011: ID 102010: I: Binding PatrolAgent to TCP port 3181
Wed Apr 20 01:06:22 2011: ID 1021d3: I: PatrolAgent default account is 'patqa1'
Wed Apr 20 01:06:22 2011: ID 102082: I: PatrolAgent-Info: Loaded `ALL_COMPUTERS' application locally from agent knowledge directory.
Wed Apr 20 01:06:22 2011: ID 102082: I: PatrolAgent-Info: Loaded `SOLARIS' application locally from agent knowledge directory.
Wed Apr 20 01:06:22 2011: ID 1020a9: I: Using default method of collecting process cache: internal function call.
Wed Apr 20 01:06:22 2011: ID 1020ab: I: PatrolAgent's runqSchedPolicy is now set to 1.
Wed Apr 20 01:06:22 2011: PatrolAgent-E-EUSER: Bad PSL script for SOLARIS Command, command type 'PSL', class 'COMMAND'.
Wed Apr 20 01:06:22 2011: Enabling Integration Service support subsystem.
Wed Apr 20 01:06:22 2011: ID 10205a: I: Binding PatrolAgent to port 3181 ...
Wed Apr 20 01:06:23 2011: ID 1021cc: I: Connection established to rtserver tcp:172.19.220.162:2059.
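Added example (not BMC code or part of the original page): a Python parser that splits error log lines into the four documented fields, folds continuation lines into the preceding message, and reports when the maxAgentMessageLimit marker shows that the agent has stopped logging. The sample is adapted from the excerpts above; the function names and the regular expressions are assumptions made for this example.

```python
import re
from collections import Counter

# Sample adapted from the page's excerpts; the last line's timestamp and the
# limit of 4 are constructed for this example.
SAMPLE = """\
Wed Apr 20 01:06:22 2011: PatrolAgent (V3.9.00i, SunOS 5.8 sun4u sparc)
PID 9002 started at Wed Apr 20 01:06:22 2011
Wed Apr 20 01:06:22 2011: ID 102010: I: Binding PatrolAgent to TCP port 3181
Wed Apr 20 01:06:22 2011: ID 1021d3: I: PatrolAgent default account is 'patqa1'
Wed Apr 20 01:06:22 2011: PatrolAgent-E-EUSER: Bad PSL script for SOLARIS Command
Wed Apr 20 01:07:40 2011 Maximum number of messages (4) logged. >>>NO MORE MESSAGES WILL BE LOGGED<<<
"""

# Timestamp, then an optional "ID <hex>: <type>: " prefix, then the message.
LINE = re.compile(
    r"^(?P<time>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}):?\s*"
    r"(?:ID (?P<id>[0-9a-fA-F]+): (?P<type>\w+): )?(?P<msg>.*)$")
LIMIT = re.compile(r"Maximum number of messages \((\d+)\) logged")


def parse_error_log(text):
    """Return (entries, limit_hit); limit_hit is None while logging is live."""
    entries, limit_hit = [], None
    for line in text.splitlines():
        m = LINE.match(line)
        if m is None:
            # No leading timestamp: continuation of a multi-line message.
            if entries:
                entries[-1]["msg"] += "\n" + line
            continue
        entries.append(m.groupdict())
    # Checked after folding, so the marker is found even when it spans lines.
    for e in entries:
        hit = LIMIT.search(e["msg"])
        if hit and e["id"] is None:
            limit_hit = {"time": e["time"], "limit": int(hit.group(1))}
    return entries, limit_hit


def summarize(entries):
    """Count entries per message type; None means the line had no ID prefix."""
    return Counter(e["type"] for e in entries)


if __name__ == "__main__":
    entries, limit_hit = parse_error_log(SAMPLE)
    print(dict(summarize(entries)), limit_hit)
```

A non-None `limit_hit` means later agent activity is absent from this file, so any review of the log should treat the marker's timestamp as the end of coverage.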
Agent audit log
The Audit Log feature records various security-related aspects of PATROL. The log records information such as the following:
- Commands that are run as a result of Infobox or Menu commands
- Which console-connection runs commands (listed by console ID)
- Connect/disconnect
- Commit operations
- Configuration operations
- Most spawned commands
This information is critical for locating the source of PAWorkRateExecsMin alarms.
Contents of audit log
The following table lists the type of information recorded in the audit log file:
Type of information recorded in the audit log
Type of information/event | The audit log records... |
---|---|
Spawned Commands | Explicitly created external processes. |
Commands Ran | Each command (that is, script) that is run as a result of a Menu Command or an InfoBox Command. |
Connect/Disconnect Details | Each connection/disconnection. |
Commit Actions | Each file that is transferred during a commit. |
Configuration Actions | Each explicit pconfig, wpconfig, or xpconfig action that affects the state of the PATROL Agent. |
Location of audit log
The file path and name are user-defined. You determine the file location during audit logging setup.
Setting up audit logging
The auditing feature is controlled by the configuration variable /AgentSetup/auditLog. The standard PATROL installation process does not create this variable. You must create and set this variable to enable audit logging and to restrict the number of messages.
Format and type of data | |
Default value | None |
Minimum and maximum | Not applicable |
Dependencies | None |
Recommendation | None |
The following figure demonstrates what the variable would look like when added through wpconfig or xpconfig:
Adding /AgentSetup/auditLog in wpconfig\xpconfig
Keys and values for the audit log variable
The Audit Log configuration variable, /AgentSetup/auditLog, consists of a newline-separated list of KEY=VALUE pairs.
AgentSetup/auditLog keys and values
Key | Description |
---|---|
Active | Determines whether the audit logging feature is turned on or off, and where the information is being logged. The recognized values include the following:
|
Delimiter | Determines the delimiter character that separates the fields in the log file. The default character is the pipe-symbol '|'. |
FileAging | Determines the interval at which a new log file is created as follows:
|
FileCount | Determines how many old log files are retained. The default value is 5. |
FileName | Determines the pathname and filenaming convention for the audit log file. The name can contain the following macros:
|
Creating a custom node in the Windows Event Log
When you set the /AgentSetup/auditLog configuration variable to log information to the Windows Event Log, the activity will be logged to the "Applications" Windows Event Log by default. On Windows 2000 or later, you can create a separate, custom "PATROL" node in the Windows Event Log.
The following task describes how to create a custom log. You must first remove the existing agent service (if necessary), and install the agent with the -l (L) command line option.
To remove the agent service
Type the following command in the command line and press Enter:
PatrolAgent -remove
To install the agent service
- Type the following command in the command line and press Enter:
  PatrolAgent -install -l logname
  (where logname is the desired name for the custom log node)
- Restart your computer for the change to take effect.
Audit log file format
The log file stores data in the following format:
Time|Host|EntryType|User|Entry-specific-data
Each field is separated by the delimiter character (the default is a pipe, |) specified in /AgentSetup/auditLog configuration variable.
Audit log file format
Field | Description |
---|---|
Time | The date and local time in yyyymmdd:hh:mm:ss format |
Host | The name of the computer on which the agent is running |
EntryType | The type of action being recorded is as follows:
Note: Run records any attempt by the agent to create (spawn) an external process. Command records a command (that is, a script) that is run as a result of a menu or an InfoBox command. The Entry-specific data field description provides information about what type of information each entry type provides. |
User | The name of the local account used to perform the action |
Entry-specific data | The Entry Type is determined by the type of action being recorded. The left column lists the action; the right describes the entry. |
Audit | Indicates file opened/closed |
Command | The console ID running the command; if the command originates from the system-output window, it displays the actual command |
Commit | The console ID and the name of the file being transferred |
Config | Two types of entries are as follows:
|
Connect | The console ID and the connection type |
Disconnect | The console ID of the connection |
Run | The command name and its arguments |
Sample audit log file
20020528:15:18:45|PAYROLL_NT4|audit|PatrolAgent|File opened
20020528:15:18:47|PAYROLL_NT4|execute|PAYROLL_ADM2| /bin/ps -elf
20020528:15:18:54|PAYROLL_NT4|execute|PAYROLL_ADM2| /bin/ksh -c uname -a
20020528:15:18:56|PAYROLL_NT4|connect|PAYROLL_ADM2|U:7412.51622@172.19.205.24 Developer
20020528:15:18:56|PAYROLL_NT4|execute|PAYROLL_ADM2| /bin/ksh -c /bin/ksh
20020528:15:18:56|PAYROLL_NT4|execute|PAYROLL_ADM2| /bin/ksh -c /bin/ksh
20020528:15:19:04|PAYROLL_NT4|execute|PAYROLL_ADM2| /bin/ksh -c mount -v
20020528:15:19:04|PAYROLL_NT4|command|PAYROLL_ADM2|U:7412.51622@172.19.205.24
20020528:15:19:04|PAYROLL_NT4|command|PAYROLL_ADM2|U:7412.51622@172.19.205.24
20020528:15:19:04|PAYROLL_NT4|execute|PAYROLL_ADM2| /bin/ksh -c nfsstat
20020528:15:19:04|PAYROLL_NT4|command|PAYROLL_ADM2|U:7412.51622@172.19.205.24
20020528:15:19:04|PAYROLL_NT4|execute|PAYROLL_ADM2| /bin/ksh -c file /etc/utmp
20020528:15:19:04|PAYROLL_NT4|execute|PAYROLL_ADM2| /bin/ksh -c sh -c 'test -r /etc/utmp ;echo $?'
20020528:15:19:04|PAYROLL_NT4|execute|PAYROLL_ADM2| /bin/ksh -c sh -c 'test -f /etc/utmp ;echo $?'
20020528:15:19:04|PAYROLL_NT4|pconfig|<>|Store /LOG/files/etc-utmp/filter
20020528:15:19:04|PAYROLL_NT4|pconfig|<>|Store /LOG/files/etc-utmp/path
20020528:15:19:04|PAYROLL_NT4|pconfig|<>|Store /LOG/files/etc-utmp/dump
20020528:15:19:04|PAYROLL_NT4|pconfig|<>|Store /LOG/files/etc-utmp/fpos
...
20020528:15:20:15|PAYROLL_NT4|command|PAYROLL_ADM2|U:7412.51622@172.19.205.24 Agent KILL command
20020528:15:20:15|PAYROLL_NT4|disconnect|PAYROLL_ADM2|U:7412.51622@172.19.205.24
20020528:15:20:20|PAYROLL_NT4|audit|PatrolAgent|File closed
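Added example (not BMC code or part of the original page): a Python parser for the Time|Host|EntryType|User|Entry-specific-data layout that pairs connect and disconnect records by console ID and lists configuration changes. The sample lines, host, account, console IDs, addresses and the function names `parse_line` and `analyze` are constructed for illustration.

```python
from datetime import datetime

# Constructed sample in the page's Time|Host|EntryType|User|data layout.
# Host, account, console IDs and addresses are made up for this example.
SAMPLE = """\
20240105:09:00:01|HOST_A|audit|PatrolAgent|File opened
20240105:09:00:07|HOST_A|connect|OPS_ADM|U:1001.2002@192.0.2.10 Developer
20240105:09:00:09|HOST_A|execute|OPS_ADM| /bin/ksh -c ps -ef | grep patrol
20240105:09:00:12|HOST_A|pconfig|<>|Store /AgentSetup/auditLog
20240105:09:00:30|HOST_A|connect|OPS_ADM|U:3003.4004@192.0.2.11 Developer
20240105:09:01:15|HOST_A|disconnect|OPS_ADM|U:1001.2002@192.0.2.10
20240105:09:01|HOST_A|truncated
"""


def parse_line(line, delim="|"):
    """Split one record into the five documented fields; None if malformed."""
    # maxsplit=4 keeps delimiter characters inside the last field (shell pipes).
    parts = line.split(delim, 4)
    if len(parts) != 5:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y%m%d:%H:%M:%S")
    except ValueError:
        return None
    return {"time": when, "host": parts[1], "type": parts[2].lower(),
            "user": parts[3], "data": parts[4].strip()}


def analyze(text, delim="|"):
    """Return (records, sessions, config_changes, rejected_line_count)."""
    records, rejected = [], 0
    for line in text.splitlines():
        rec = parse_line(line, delim)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    sessions = {}  # console ID -> connection summary
    for rec in records:
        console_id, _, rest = rec["data"].partition(" ")
        if rec["type"] == "connect":
            sessions[console_id] = {"user": rec["user"], "kind": rest,
                                    "start": rec["time"], "end": None}
        elif rec["type"] == "disconnect" and console_id in sessions:
            sessions[console_id]["end"] = rec["time"]
    # Matches the sample's "pconfig" and any other *config entry type.
    config_changes = [r for r in records if r["type"].endswith("config")]
    return records, sessions, config_changes, rejected


if __name__ == "__main__":
    records, sessions, changes, rejected = analyze(SAMPLE)
    print(sessions, [r["data"] for r in changes], rejected, sep="\n")
```

Pass the Delimiter value from /AgentSetup/auditLog as `delim` when it is not the default pipe; a session whose `end` is None had no disconnect record in the file that was read.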
PATROL Agent doesn't restart after you run set_unset_tls command to configure TLS 1.2
A PATROL Agent doesn't restart successfully when you run the set_unset_tls command to enable TLS 1.2 on a PATROL Agent under the following conditions:
- The PATROL Agent's installation directory is not the same as the default installation directory, which is C:\Program Files (x86)\BMC Software
- The PATROL Agent is running on a Microsoft Windows operating system
Workaround:
Perform the following sequence of steps:
Run the script to disable TLS mode. For step-by-step instructions, see Configuring the PATROL Agent to enable the default configuration.
Using a text editor, open the tls_agent.reg registry file located in the <PATROL Agent Installation Directory>\common\security\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:
#Original entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
#Modified entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
Using a text editor, open the tls_esi.reg registry file located in the <PATROL Agent Installation Directory>\common\security\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:
#Original entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
#Modified entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
Using a text editor, open the tls_proxy.reg registry file located in the <PATROL Agent Installation Directory>\common\security\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:
#Original entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
#Modified entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
Run the script to enable TLS 1.2. For step-by-step instructions, see Configuring the PATROL Agent network communication to be TLS compliant.