Chapter 16. Tivoli Audit Facility Troubleshooting; Audit Log Workspace Shows Only 100 Of The Most Recent Audit Records; Audit Log Workspace Does Not Display Records Before The Latest Component Startup - IBM E027SLL-H - Tivoli Monitoring - PC Troubleshooting Manual

Chapter 16. Tivoli Audit Facility troubleshooting

An auditing facility in IBM Tivoli Monitoring includes detailed information for
certain major state changes or events that occur within your monitoring
environment. Audit events in the system reflect authorization and authentication
failures, and major and minor changes, but do not reflect minor service messages
stored in the RAS logs.

Audit Log workspace shows only 100 of the most recent audit records

By default, all Tivoli Monitoring components show only the 100 most recent audit
records in the Audit Log workspace. The environment variable,
AUDIT_MAX_HIST, defines the maximum number of audit records kept in
short-term memory for direct queries. You can increase the setting for this
environment variable and recycle the component that you want to display more
audit records in the Audit Log workspace. Note that only audit events created
since the component was started are displayed.
If you want to display audit records for events that occured before the most recent
component startup, you must enable historical data collection for the ITM Audit
attribute group and distribute the history collection settings to the components you
want to have access to the historical audit data.
If data warehousing is available, it might be more efficient to collect audit records
historically from critical ITM components. See the Audit Log workspace
description in the Tivoli Enterprise Portal User's Guide for details on configuring
historical data collection for the ITM Audit attribute group.
Audit Log workspace does not display records before the latest
component startup
The Audit Log workspace shows audit records generated since the component was
most recently started. To access audit records that were generated before the latest
restart, collect audit records historically from critical ITM components. See the
Audit Log workspace description in the Tivoli Enterprise Portal User's Guide for
details on configuring historical data collection for the ITM Audit attribute group.
On distributed systems, you can also examine the component's XML-formatted
audit log to access audit records that were generated prior to the latest restart.
These logs are located on the component in the <install_dir>/auditlogs directory.
Refer to Appendix F. ITM Audit log in the IBM Tivoli Monitoring Version 6.2.3
Administrator's Guide.
ITM components in a z/OS environment can enable the SMF audit facility to
collect ITM Audit records. For more information, see the Planning and
Configuration Guide for the specific component.
© Copyright IBM Corp. 2005, 2012
255