Testing and querying audit records


The Audit tool (audittool) can be used to test the creation of audit records, or to create your own audit records when scripting other operations.

You can also use the Audit tool to query audit records.

Querying Audit Records

You can use audittool to query audit records logged during a period of time.

Audit records have two forms. The first form refers to an object contained in the object repository. Each type of object in the object repository has a type name, for example ComMQSoftwareWebSphereMQQueueManager. When querying audit records for objects of a given type, the --query-type-name option must be used. Use the repomgr CLI with the --defs-query-types option to get a list of the known type names.

The second form is used when the object is not yet known, for example when an object is going to be created but has not yet been discovered by a monitoring extension. When querying audit records of this form, the --query-object-type option must be used.

Regardless of which of the two forms is required, you can specify a mask to match the required records. Note that you cannot query audit records of both forms at the same time.

Below is an example query for audit records during the month of April for an agent with the name AGENT_1.

audittool --query-start "2017-04-01 00:00:00" --query-end "2017-04-30 23:59:59" --query-type-name ComMQSoftwareNetworkHost --query-object-mask AGENT_1 -p BMCSOFTWARE SA

The following is an example that shows all audit records logged for all queue managers belonging to the agent AGENT_1.

audittool --query-start "2017-04-01 00:00:00" --query-end "2017-04-30 23:59:59" --query-type-name ComMQSoftwareWebSphereMQQueueManager --query-object-mask "AGENT_1!%" -p BMCSOFTWARE SA

The next example shows audit records that are related to creating channels belonging to the agent AGENT_1.

audittool --query-start "2017-04-01 00:00:00" --query-end "2017-04-30 23:59:59" --query-object-type "MQ Channel" --query-object-mask "AGENT_1!%" -p BMCSOFTWARE SA
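
A wrapper for the queries above, as an added example that is not part of the original documentation: it takes exactly one record form per call, checks the timestamp layout, and feeds the password through -s (listed in the options table) instead of -p so it stays out of the process list. The names audit_query, valid_ts, AUDITTOOL, AUDIT_USER and AUDIT_PASSWORD_FILE are hypothetical, and it assumes -s reads the password as a single line with the user name still passed last.

```shell
#!/bin/sh
# Added example, not vendor code. Hypothetical names: audit_query, valid_ts,
# AUDITTOOL, AUDIT_USER, AUDIT_PASSWORD_FILE.
# Assumption: with -s the password is read as one line from stdin and the
# user name stays the trailing argument, as in the page's -p examples.

AUDITTOOL="${AUDITTOOL:-audittool}"

# Accept only the "yyyy-MM-dd HH:mm:ss" layout used by the page's examples.
valid_ts() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_query START END FORM VALUE MASK
#   FORM type-name   -> --query-type-name   (object is in the object repository)
#   FORM object-type -> --query-object-type (object not yet known)
# One FORM per call, so the two record forms can never be mixed in one query.
audit_query() {
  if [ "$#" -ne 5 ]; then
    echo "usage: audit_query START END type-name|object-type VALUE MASK" >&2
    return 2
  fi
  if ! valid_ts "$1" || ! valid_ts "$2"; then
    echo "timestamps must look like 2017-04-01 00:00:00" >&2
    return 2
  fi
  # Digits-only timestamps compare correctly as integers.
  if [ "$(printf '%s' "$1" | tr -cd '0-9')" -gt "$(printf '%s' "$2" | tr -cd '0-9')" ]; then
    echo "--query-start is later than --query-end" >&2
    return 2
  fi
  case "$3" in
    type-name|object-type) ;;
    *) echo "FORM must be type-name or object-type" >&2; return 2 ;;
  esac
  if [ ! -r "${AUDIT_PASSWORD_FILE:-}" ]; then
    echo "AUDIT_PASSWORD_FILE is not readable" >&2
    return 2
  fi
  # Password arrives on stdin (-s), so it never appears in the process list.
  "$AUDITTOOL" --query-start "$1" --query-end "$2" "--query-$3" "$4" \
    --query-object-mask "$5" -s "${AUDIT_USER:-SA}" < "$AUDIT_PASSWORD_FILE"
}
```

Keep the password file readable only by the account that runs the script.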

Audit tool options

Option

Argument

Description

--add-desc

description

Description for audit entry. Required for --add-start and --add-end.

--add-end

Event id

Add an audit event end record. Requires --add-desc and --add-status. The event id output by a previous --add-start must follow this option. Any number of --add-int-prop/--add-int-value and --add-string-prop/--add-string-value pairs can be specified.

--add-host

hostname

Host for added audit record. Required for --add-start. Should match object's host.

--add-int-prop

property

Integer Property, requires --add-int-value. Qualifies --add-start and --add-end.

--add-int-value

integer

Integer Value paired with --add-int-prop. Qualifies --add-start and --add-end.

--add-object-name

objectName

Object name. Qualifies --add-start, paired with --add-object-type.

--add-object-oid

hi_lo_typeid

Object identifier. Qualifies --add-start.

--add-object-type

object_type

Object type. Qualifies --add-start, paired with --add-object-name. One of the following must follow this option: MQ QueueManager|MQ CommandServer|MQ Queue|MQ Channel|MQ Process|MQ Message|Q Pasa! Agent|MQ ChannelListener|MQ TriggerMonitor|MQ ChannelInitiator|MQAuthorities|MQ Authinfo|MQ Namelist|MQ Listener|MQ Service|MQ Topic|MQ Subscription|MQ AuthRec|MQ CommInfo|MQ ChlAuth|MQ TTChl|MQ SMDS|MQ CFSStruct

--add-start

event_label

Add an audit event start record: PropertyChange|Start|Stop|Create|Delete|DistributeAgent|Reset|Ping|Resolve|Clear|Export|Import|Put|Upgrade-user|Upgrade-user-cancel|Secure-agent-login|Set|Display|Query-usage|Cluster-data|Suspend|Resume|Refresh|Query-namelist-names|Query-namelist-names-with-content|RunAmqmdain|Query-version|Discovery|Register|Unregister|Get-Extension-Preferences|Set-Extension-Preferences|Delete-Extension-Preferences|Get-Agent-Preferences|Set-Agent-Preferences|Delete-Agent-Preferences|Set-Extension-Events|Query-Product-Feature|Query-Enabled-Product-Features|Query-Agent-Version|Reconfirm|Query-Registered-Objects|Associate-Event-Template|Associate-History-Template|Run-Script|Distribute-Packages|Schedule-Discovery|Suppress-Events|Get-Extension-Preferences-Multilevels|Modify-Dashboard

--add-status

status

End record status. Required for --add-end.

--add-string-prop

property

String Property, requires --add-string-value. Qualifies --add-start and --add-end.

--add-string-value

string

String Value, paired with --add-string-prop. Qualifies --add-start and --add-end.

--as-host

Host name

Application Service host.

--as-port

Port number

Application service port.

--query-end

"yyyy-MM-dd HH:mm:ss"

Get the audit records before the specified time.

--query-object-type

Object type

Used to query audit records of the specified object type. See --add-object-type for the list of possible object types.

--query-start

"yyyy-MM-dd HH:mm:ss"

Get the audit records after the specified time.

--query-type-name

Type name

Object Type Name. Qualifies query.

-? or -h

Give this help summary.

-p

Password.

-s

Specify password via stdin.



