About Event Monitoring

An event is any significant occurrence in the system (or in an application). Some critical events are noted in on-screen messages. An event that does not require immediate attention is noted in an event log. Event logging starts automatically every time you start the SunLink Server program. With an event log displayed by the SunLink Server Manager tool, you can troubleshoot various problems and monitor SunLink Server security events.

SunLink Server software records events in the following types of logs:

• System log - Contains events logged by SunLink Server system components. For example, the failure of a service to start during startup is recorded in the system log. The types of events that are logged by system components are determined by the SunLink Server program.

• Security log - Can contain valid and invalid logon attempts as well as events related to resource use, such as creating, opening, or deleting files or other objects.

• Application log - Contains events logged by applications. For example, a database program might record a file error in the application log. Application developers decide which events to monitor.

System and application logs can be viewed by all users; security logs are accessible only to system administrators.

Interpreting an Event

Event logs consist of a header, a description of the event (based on the event type), and additional data. Most security log entries consist of the header and a description.

SunLink Server Manager displays events from each log separately. Each line shows information about one event, including date, time, source, category, Event ID, user account, and computer name.

Event Header

An event header contains the following information:

• Date - The date the event occurred.

• Time - The time the event occurred.

• Source - The software module that logged the event, which can be either an application name or a component of the system or of a large application, such as a service name.

• Category - A classification of the event by the event source. This information is used primarily in the security log.

• Event - A number identifying the particular event type. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the log service is started. The first line of the description of such an event is "The Event log service was started." The Event ID and the Source can be used by product support representatives to troubleshoot system problems.

• User - The user name of the user on whose behalf the event occurred. If the event is not logged by a user, then the Security ID of the logging entity is displayed.

• Computer - The name of the computer on which the event occurred.

Event Description

The format and contents of the event description vary, depending on the event type. The description is often the most useful piece of information, indicating what happened or the significance of the event.

Event Types

The SunLink Server Manager logs indicate the event types:

• Error - Significant problems, such as a loss of data or loss of functions. For example, an Error event would be logged if a service was not loaded during SunLink Server startup.

• Warning - Events that are not necessarily significant, but that indicate possible future problems. For example, a Warning event would be logged that the server is low on key resources.

• Information - Infrequent significant events that describe successful operations of major server services. For example, when a service starts successfully, it would log an Information event.

• Success Audit - Audited security access attempts that were successful. For example, a user's successful attempt to log on to the system would be logged as a Success Audit event.

• Failure Audit - Audited security access attempts that failed. For example, if a user tried to access a network drive and failed, the attempt would be logged as a Failure Audit event.

Additional Data

The data field contains binary data that you can display in bytes or words. The application that was the source of the event record generates this information. Because the data appears in hexadecimal format, only someone who is familiar with the source application can interpret its meaning.

Using SunLink Server Manager to View Events

You determine which event log to view by switching between the system, security, and application logs that are available in the Events group within SunLink Server Manager.

• Selecting a log - Double-click the appropriate log icon for event viewing. Although the logs for the local computer appear the first time you start SunLink Server Manager, you can choose to view the logs of any SunLink Server computer after you have logged on to it.

• Refreshing the view - When you first open a log file, SunLink Server Manager displays the current information for that log. This information is not updated automatically. To see the latest events and to remove overwritten entries, choose the Refresh command from the View item on the menu bar.

• Viewing details about events - For many events, you can view more information by double-clicking the event. The Event Detail dialog box shows a text description of the selected event and any available binary data for the selected event. This information is generated by the application that was the source of the event record. Because the data appears in hexadecimal format, its meaning can be interpreted only by someone who is familiar with the source application. Not all events generate such data.

  ---

  Note -

  To control the types of security events that are audited, you set audit policies by way of your Windows NT tools. You do not use SunLink Server Manager to set audit policy; therefore, this guide does not include instructions.

  ---

Using Event Logs to Troubleshoot Problems

Careful monitoring of event logs can help you to predict and identify the sources of system problems. Logs also can confirm problems with Windows NT application software. If a Windows NT application crashes, an application event log can provide a record of activity leading up to the event.

The following are guidelines for using event logs to diagnose problems:

• Determine how frequently an error occurs. If a particular event seems related to system problems, search the event log to find other instances of the same event or to judge the frequency of an error.

• Note Event IDs. These numbers match a text description in a source message file. Product-support representatives can use this number to understand what occurred in the system.

Monitoring SunLink Server Security Events

You enable auditing from the Windows NT User Manager for Domains Auditing Policy dialog box. Through auditing, you can track SunLink Server security events. You can specify that an audit entry is to be written to the security event log whenever certain actions are performed or files are accessed.

An audit entry shows the activity that occurred, the user who performed the action, and the date and time of the activity. You can audit both successful and failed attempts. The audit trail can show who actually performed actions on the network and who tried to perform actions that are not permitted.

Events are not audited by default. If you have Administrator permission, you can specify which types of system events are audited through the Windows NT User Manager for Domains tool.

The Audit policy determines the amount and type of security logging that SunLink Server software performs. For file and object access, you can specify which files and printers to monitor, which types of file and object access to monitor, and for which users or groups. For example, when File and Object Access auditing is enabled, you can use the Security tab in a file or folder's Properties dialog box (accessed through Explorer) to specify which files are audited and what type of file access is audited for those files.

How to Monitor Events

1. Using SunLink Server Manager, log on to, and then open, the SunLink Server system whose event logs you want to view.

   For instructions, see "How to Log On Using SunLink Server Manager". To make any changes, you must be logged on as root.

2. Double-click Events.

   The following screen appears.

   

3. Double-click the name of the log that you want to view.

4. Double-click any line in the log to see more details about the particular event.

   For background information about interpreting events, see "Interpreting an Event".

How to Monitor Events From the Command Prompt

You can use the SunLink Server elfread command to read system, security and application logs. This command is especially useful when troubleshooting a SunLink Server system that has failed to start. (Events of this type typically are written to the system log.) Use the elfread command as a backup to the SunLink Server Manager, which is the recommended method of viewing log files when the server is running.

1. At the SunLink Server command prompt, type the following:

elfread [-od] logname

Replace logname with one of the following log types: system, security, or application.

To display the log file contents listing the oldest event first, use the -o option. To display detailed information about events, use the -d option.

If no options are specified, a summary of all events in the specified log is displayed in reverse chronological order.

How to View SunLink Server Information

1. Using SunLink Server Manager, log on to, and then open, the SunLink Server system whose information you want to view.

   For instructions, see "How to Log On Using SunLink Server Manager". To make any changes, you must be logged on as root.

2. Double-click Information.

   The following screen appears.

   

   The data displayed in the Information view is current, though not automatically updated. To update the view with the most recent data, click Refresh in the View menu, or click Information again in the Navigation pane.

The following information is provided:

• Solaris user name of the current SunLink Server Manager session

• Solaris server name

• Solaris hardware type

• Solaris version

• SunLink Server system name

• SunLink Server system's domain name

• SunLink Server system's role (if BDC, then the name of the PDC is also provided)

• SunLink Server software version number

• State of the server (stopped or running)

• State of the Schedule Database wizard (scheduled or not scheduled)

In addition to furnishing you with vital information, the Information window includes three buttons from which you can initiate various administrative tasks:

• Properties - By clicking this button, you can initiate changes to the configuration of the SunLink Server system, including its server name, domain name, and domain role. See the section, "About Domain Configuration and Management", along with the instructions that are included in that section.

• State - Depending on whether the SunLink Server program is running or stopped, this button enables you to stop or start the program. See the section, "About Starting and Stopping Services", along with the instructions that are included in that section.

• Schedule - Clicking this button enables you to schedule (or edit) database maintenance tasks to be performed automatically by the SunLink Server program. See the section, "Database Maintenance Tasks", along with the instructions that are included in that section.