LISTSERV - HP3000-L Archives

HP3000-L Archives

March 1995, Week 4

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L March 1995, Week 4

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Logging event 245 (command logging)
From:
Reply To:	Pete Crosby <[log in to unmask]>
Date:	Tue, 21 Mar 1995 14:34:31 EST
Content-Type:	text/plain
Parts/Attachments:	text/plain (80 lines)

(sending this to Tom with a copy to the list as other may find the
 information useful)

Tom, you wrote:

>>>I wrote a program that used AIFSCGET/PUT to change our logging mask. I enabled
>>>event 45 (245, command logging) with it, but I don't see any of those events
>>>in the log file.
>>>
>>>Am I missing something?
>>>
>>>We are running on C.50.00.
>>

And I replied,

>> Read the section on system logging changes in the 5.0 COMMUNICATOR.
>>
>> Basically, within the OS there is no true logging event greater than
>> 163. The event numbers greated than 200 map to their 100 level
>> counterparts; they were created to allow handling of longer file names
>> for POSIX and for SECURITY MONITOR.
>>
>> The system has different record structures for the 100 and 200 level
>> events and they are written to the logfile using the appropriate
>> structure. When they are extracted with LOGTOOL, however, you can ask
>> for the 100 type or the 200 type and you will always get both.
>>
>> This means when you enable event type 245, what really gets enabled
>> is type 145 (even though there is no true type 145). It turns out that
>> type 145/245 records are always logged using the 245 type but can be
>> extracted using either one.

And you replied,

>
>Pete:
>
>   When you call AIFSCPUT, you pass a bit mask, and #45 is "Command
>logging". I enabled this (there is no way at that level to say 145/245),
>and got NO command records. I only specified 245 for clarity, that is
>the definition I found in the TYPES command in LOGTOOL.
>
>   My problem is still that I turned it on, and nothing happened. My
>further problem (which is because of management here) is that I can't
>read the 5.0 communicator. We have laser rom, and my cheap-ass 286 PC
>can't read it. Apparently, the reader software runs in 386 enhanced mode.
>
>   If I am missing anything, such as "the change won't take effect until
>a SWITCHLOG/reboot", or "event X won't do anything unless event Y is on",
>please tell me.
>

Okay, here's the deal. Event types 142 and 145 are specifically for
the product SECURITY MONITOR/iX. Even though you may be able to turn
them on, you will NEVER log anything unless you have the product.
SECURITY MONITOR/iX allows you to enable event logging for specific
commands. If one of those commands is executed an event will be logged
by the SECURITY MONITOR/iX code. No other code in the OS will log an
event of this type. In other words, the system does not allow you to
log every command every user enters. Through SECURITY MONITOR/iX you can
turn on such logging but there is overhead involved.

On a different note, be aware that changes made through AIFSCPUT are
TEMPORARY, though immediate. They will not survive a reboot of the
system and they will not be reflected by SYSGEN.

I hope this answers your question(s).

--
                            --Pete Crosby

************************************************************************
* "Arguing with an Engineer is like mud-wrestling a pig. Pretty soon   *
*  you realize the pig likes it"  -author unknown                      *
*                                                                      *
*  Note: my comments are my own and do not reflect the views of my     *
*        employer or necessarily anyone else.     [log in to unmask]       *
************************************************************************

ATOM RSS1 RSS2

RAVEN.UTC.EDU