Listing event monitoring information from the audit log

The lsevent command lists event monitoring information recorded by the Event Response resource manager in the audit log.

Statements about conditions equally apply to compound conditions. Compound conditions provide the capability to execute response scripts when multiple conditions meet some specified criteria.

Without any operands, lsevent lists the events that are recorded in the audit log—these describe the monitored events that have occurred.

Example: To list the information for events that have occurred, enter:
lsevent

You can specify a condition name (or compound condition name) to list events for a particular condition.

Example: To list event information about the "FileSystem space used" condition, enter:
lsevent "FileSystem space used"

Response information can be listed separately or with the event information. Responses are run based on a condition or event occurring. Information about a response includes when it was run, what the response script was, the return code, the expected return code (if the response was defined so as to record it), standard error output, and standard output (if the response was defined so as to record it).

If you want to list the event responses for a condition or both the events and event responses for a condition, specify the -R or -A flag, respectively. You can also specify one or more response names to limit the response output.

Examples: The following examples illustrate the use of the lsevent command with the -R and -A flags to list information about events and event responses from the audit log.
  • To list all event response information for the "FileSystem space used" condition, enter:
    lsevent -R "FileSystem space used"
  • To list only the event responses for the "Broadcast event on-shift" response for the "FileSystem space used" condition, enter:
    lsevent -R "FileSystem space used" "Broadcast event on-shift"
  • To list both event information and event response information for the "Broadcast event on-shift" response for the "FileSystem space used" condition, enter:
    lsevent -A "FileSystem space used" "Broadcast event on-shift"

You can use the -r flag to list information about event responses. The -r flag tells lsevent that all command parameters, if any, are response names and that event response information is to be listed for the specified response names. If no response names are specified along with the -r flag, then information for all event responses is listed.

Examples: The following examples illustrate the use of the lsevent command with the -r flag to list event response information from the audit log.
  • To list all event response information, enter:
    lsevent -r
  • To list event response information for the "Broadcast event on-shift" response, enter:
    lsevent -r "Broadcast event on-shift"

You can also limit the portion of the audit log that is searched by specifying a beginning timestamp (using the -B flag), an ending timestamp (using the -E flag), or both, and by specifying the number of most recent records to be searched (using the -O flag). You can use these flags in combination with any of the other event and event response criteria discussed above.

Examples: The following examples illustrate the use of the lsevent command with the -O, -B, and -E flags to list event information from a specific portion of the audit log.
  • To see event information for the "FileSystem space used" condition found in the latest 1000 records in the audit log, enter:
    lsevent -O 1000 "FileSystem space used"
  • To see event information for the "FileSystem space used" condition that occurred on July 27th between 14:30 and 15:00, enter:
    lsevent -B 072714302006 -E 072715002006 "FileSystem space used"
    The timestamps are in the form MMddhhmmyyyy, where MM = month, dd = day, hh = hour, mm = minutes, and yyyy = year. The timestamp can be truncated from right to left, except for MM. If not present, the following defaults are used:
    • year = the current year
    • minutes = 00
    • hour = 00
    • day = 01
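
An added example (not part of the RSCT documentation or tooling): shell helpers that expand a truncated -B/-E timestamp using the defaults above and build the time-window command from timeline-style timestamps. The function names are hypothetical, and the example assumes that truncation drops whole two-digit fields.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of RSCT.

# expand_ts TIMESTAMP [CURRENT_YEAR]
# Expand a truncated -B/-E timestamp to full MMddhhmmyyyy using the
# documented defaults (day=01, hour=00, minutes=00, year=current year).
# Assumption: truncation drops whole fields, so valid lengths are 2,4,6,8,12.
expand_ts() {
    ts=$1
    year=${2:-$(date +%Y)}
    case $ts in
        ''|*[!0-9]*) echo "not numeric: '$ts'" >&2; return 1 ;;
    esac
    case ${#ts} in
        2)  full="${ts}010000${year}" ;;
        4)  full="${ts}0000${year}" ;;
        6)  full="${ts}00${year}" ;;
        8)  full="${ts}${year}" ;;
        12) full=$ts ;;
        *)  echo "bad length: '$ts'" >&2; return 1 ;;
    esac
    # Range-check each field; strip a leading zero to get plain decimal.
    mo=$(printf '%s' "$full" | cut -c1-2); mo=${mo#0}
    dd=$(printf '%s' "$full" | cut -c3-4); dd=${dd#0}
    hh=$(printf '%s' "$full" | cut -c5-6); hh=${hh#0}
    mi=$(printf '%s' "$full" | cut -c7-8); mi=${mi#0}
    if [ "$mo" -lt 1 ] || [ "$mo" -gt 12 ] || [ "$dd" -lt 1 ] ||
       [ "$dd" -gt 31 ] || [ "$hh" -gt 23 ] || [ "$mi" -gt 59 ]; then
        echo "field out of range: '$ts'" >&2; return 1
    fi
    printf '%s\n' "$full"
}

# iso_to_ts "YYYY-MM-DD hh:mm"  ->  MMddhhmmyyyy (validated)
iso_to_ts() {
    conv=$(printf '%s\n' "$1" | sed -n \
        's/^\([0-9]\{4\}\)-\([0-9]\{2\}\)-\([0-9]\{2\}\)[ T]\([0-9]\{2\}\):\([0-9]\{2\}\)$/\2\3\4\5\1/p')
    [ -n "$conv" ] || { echo "unparsable: '$1'" >&2; return 1; }
    expand_ts "$conv"
}

# lsevent_window START END CONDITION
# Print (do not run) the lsevent command for a time window and condition.
lsevent_window() {
    b=$(iso_to_ts "$1") || return 1
    e=$(iso_to_ts "$2") || return 1
    printf 'lsevent -B %s -E %s "%s"\n' "$b" "$e" "$3"
}

# Constructed sample input: the July 27th window used in the example above.
lsevent_window "2006-07-27 14:30" "2006-07-27 15:00" "FileSystem space used"
```
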

Targeting nodes:

The lsevent command is affected by the environment variables CT_CONTACT and CT_MANAGEMENT_SCOPE. The CT_CONTACT environment variable indicates a node whose RMC daemon will carry out the command request (by default, the local node on which the command is issued). The CT_MANAGEMENT_SCOPE environment variable indicates the management scope: local scope, peer domain scope, or management domain scope.

The lsevent command's -a flag, if specified, indicates that the command applies to all nodes in the management scope.

The lsevent command's -n flag specifies a list of nodes containing the audit log records to display. Any node specified must be within the management scope (as determined by the CT_MANAGEMENT_SCOPE environment variable) for the local node or the node specified by the CT_CONTACT environment variable (if it is set).

If the CT_MANAGEMENT_SCOPE environment variable is not set and either the -a flag or -n flag is specified, then the default management scope will be the management domain scope if it exists. If it does not, then the default management scope is the peer domain scope if it exists. If it does not, then the management scope is the local scope.

For more information, see the lsevent command man page and Target nodes for a command.

For detailed syntax information on the lsevent command, see its online man page and the Technical Reference: RSCT for AIX® and Technical Reference: RSCT for Multiplatforms guides.