D.69. tarantella query audit

Displays all log entries matching some criteria.

Syntax

tarantella query audit
{ --app app | --person person | --host host | --filter filter }
[ --server arrayhost ]
[ --format text|csv|xml ]

Description

The following table shows the available options for this command.

| Option | Description |
|---|---|
| --app | Displays log entries referring to a specific application. Use the object name for the application. |
| --person | Displays log entries referring to a specific person. Use the object name for the person. |
| --host | Displays log entries referring to a specific SGD server. Use the object name or a peer DNS name for the server. |
| --filter | An RFC2254-compliant LDAP search filter to find matching entries to display. Enclose the filter in quotes. You can use the =, ~=, <= and >= matching rules in the filter. |
| --server | Only show log entries from the specified SGD server. Use a peer DNS name. If you omit this option, log entries across the entire array are displayed. |
| --format | Specifies the output format. The default setting is text. If you select the text format, SGD formats the log output so that it is easy to read on screen, but it does not show every detail logged. Using the csv format shows every detail logged but it is only suitable for outputting to a file. |

Note

The output that you see depends on the Log Filter settings for the array. To produce log entries for processing by this command, make sure the Log Filter attribute on the Global Settings → Monitoring tab in the Administration Console includes at least one filter that outputs to a .jsl file.

Using a Filter

The attributes you use in the filter are the log fields used in the .jsl log files. The following table lists the commonly used attributes.

| Field Name | Description |
|---|---|
| log-category | The logging component/sub-component/severity setting used in the log filters. For example, to find entries for a server/printing/* log filter, you can use a "(log-category=*printing*)" filter. |
| log-date | The system date and time when the event took place. The format is yyyy/MM/dd HH:mm:ss.SSS. |
| log-ip-address | The IP address of a client or server associated with an event. |
| log-keyword | The keyword for auditable events. |
| log-localhost | The peer DNS name of the SGD server where the event took place. |
| log-pid | The process ID of the event. |
| log-security-type | The type of security used on a connection, std or ssl. |
| log-systime | The system Coordinated Universal Time (UTC) time, in milliseconds, when the event took place. |
| log-tfn-name | The name of an object associated with an event. For example, starting an application session can record the name of the user, the application and the SGD server. |

Note

A complete list of all the log fields is available in the /opt/tarantella/var/serverresources/schema/log.at.conf schema file.

Examples

The following example displays all log entries for the UNIX system user indigo that were logged on the SGD server boston.example.com.

# tarantella query audit \
--person .../_user/indigo --server boston.example.com

The following example outputs all log entries that refer to the Write-o-Win application, in comma-separated values (CSV) format.

# tarantella query audit \
--app "o=applications/cn=Write-o-win" --format csv

The following example outputs all log errors that occurred on or after 23 October 2003 for the Write-o-Win application, in human-readable text format.

# tarantella query audit \
--filter "(&(log-category=*error*)(log-tfn-name=o=applications/cn=Write-o-win) \
(log-date>=2003/10/23 00:00:00.0))" \
--format text
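
When the --filter value is assembled by a script, for example from a user or application name taken from a ticket or alert, the value has to be escaped so that characters such as ( ) * \ cannot change the shape of the filter. The following Python sketch is an added example, not part of the original documentation or of SGD itself. The function names are hypothetical, and it assumes that SGD accepts the RFC 2254 \XX escapes in filter values.

```python
# Added example (not Oracle's code): compose a --filter value and an argv list.
from datetime import datetime

# Log fields from the table on this page; log.at.conf has the complete list.
KNOWN_FIELDS = {
    "log-category", "log-date", "log-ip-address", "log-keyword", "log-localhost",
    "log-pid", "log-security-type", "log-systime", "log-tfn-name",
}
OPERATORS = {"=", "~=", "<=", ">="}   # matching rules named on this page
FORMATS = {"text", "csv", "xml"}
# RFC 2254: these characters are written as \XX when they appear inside a value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape filter metacharacters so a value cannot alter the filter structure."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def clause(field, op, value, contains=False):
    """Return one (field op value) item; contains=True wraps the value in * wildcards."""
    if field not in KNOWN_FIELDS or op not in OPERATORS:
        raise ValueError(f"unsupported field or matching rule: {field!r} {op!r}")
    if contains and op != "=":
        raise ValueError("substring matching is only defined for the = rule")
    if isinstance(value, datetime):
        # log-date format given on this page: yyyy/MM/dd HH:mm:ss.SSS
        value = value.strftime("%Y/%m/%d %H:%M:%S.") + f"{value.microsecond // 1000:03d}"
    text = escape_value(str(value))
    return f"({field}{op}*{text}*)" if contains else f"({field}{op}{text})"


def all_of(*clauses):
    """AND the clauses together, with no whitespace between the components."""
    return "(&" + "".join(clauses) + ")"


def audit_argv(filter_text, fmt="csv", server=None):
    """Build the argument list; passing a list avoids a second layer of shell quoting."""
    if fmt not in FORMATS:
        raise ValueError(f"unsupported format: {fmt!r}")
    argv = ["tarantella", "query", "audit", "--filter", filter_text, "--format", fmt]
    return argv + ["--server", server] if server else argv


if __name__ == "__main__":
    # Constructed sample: an object name that contains filter metacharacters.
    f = all_of(clause("log-category", "=", "error", contains=True),
               clause("log-tfn-name", "=", "o=applications/cn=Notes (v2)*"),
               clause("log-date", ">=", datetime(2003, 10, 23)))
    print(audit_argv(f, fmt="text"))
```

Pass the returned list to subprocess.run() without shell=True on the SGD host, so the filter reaches the command as a single argument.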