The following sample audit record was generated during start-up and indicates that self-describing agent services on a particular monitoring server is disabled.
<AuditEvt Domain="" Type="SYSADMIN" Level="Minumum" Ver="1">
<Who>
<UserID/>
<AuthID>SYSTEM</AuthID>
</Who>
<What>
<Op Name="Self-Describing Agent Status"
OpObjType="ibm-prod-tivoli-itm:SelfDescribingAgentInstall" Type="Disable"/>
<Msg Text="Self-Descrbing Agent Feature disabled at the local TEMS."
RBKey="KFASD010"/>
<Result>0</Result>
</What>
<When>
<EvtTS MS="1307723083106" ITM="1110610162443106"/>
<Seq>1</Seq>
</When>
<OnWhat>
<Obj Type="ibm-prod-tivoli-itm:SelfDescribingAgentInstall" Name="SDA Services"/>
</OnWat>
<Where>
<Origin>
<Node Name=Tivoli Enterprise Monitoring Server" Type="SERVER" AddrType="IPv4"
Addr="10.1.1.1" SYSID="HUB_NC051039"/>
</Origin>
<App Code="KMS" Ver="06.23.00" Comp="KFA"/>
<SvcPt>system.nc051039_ms</SvcPt>
</Where>
<WhereFrom>
<Source>
<Node Name="Tivoli Enterprise Monitoring Server" Type"SERVER" SYSID="HUB_NC051039"
Addr="10.1.1.1" AddrType="IPv4"/>
</Source>
</WhereFrom>
<WhereTo>
<Target>
<Node Name="Tivoli Enterprise Monitoring Server" Type="SERVER" AddrType="IPv4"
Addr="10.1.1.1" SYSID="HUB_NC051039"/>
</Target>
</WhereTo>
</AuditEvt>| Question | Tag(s) | Value | Interpretation |
|---|---|---|---|
| Who | UserID | Empty | The empty UserID tag indicates that this event was generated by an unknown UserID or an autonomous process performing an action that was not initiated directly by a user. |
| AuthID | SYSTEM | Indicates the ID that this event was authorized under. | |
| What | Op | Self-Describing Agent Status | The "Self-Describing Agent Status" operation was successfully completed (Result 0) with the explanatory message indicating that the self-describing agent feature has been disabled. |
| Msg | Self-Describing Feature disabled at the local TEMS. | ||
| Result | 0 | ||
| Type | Disable | Indicates that this particular operation is of the generic "disable" type. Operations are typically self-explanatory, but they are all classified into a generic event model type (GEM), as specified by the Tivoli® Security and Information Event Manager. | |
| When | ITM | 1110610162443106 | The time that the event was generated (not logged) in Coordinated Universal Time (UTC) format (CYYMMDDhhmmssms). This date reads: June 10, 2011 at 04:24:43 106 ms. |
| OnWhat | Name | SDA Services | The object name is the affected code, component, of other contextually relevant identifier that receives the operation. In this example, the object "SDA Services" received the operation "Self-Describing Agent Status" which successfully completed (with a result of 0) on the object "SDA Services". |
| Where | SYSID | HUB_NC051039 | This is where the event was logged. The application KMS on Managed System ID HUB_NC051039 (IP 10.1.1.1) logged this event. This system identifies itself as the Tivoli Enterprise Monitoring Server. |
| Addr | 10.1.1.1 | ||
| Name | Tivoli Enterprise Monitoring Server | ||
| App | KMS | ||
| WhereFrom | SYSID | HUB_NC051039 | This event was initiated on MSN HUB_NC051039 (IP 10.1.1.1). This system identifies itself as the Tivoli Enterprise Monitoring Server. |
| Addr | 10.1.1.1 | ||
| Name | Tivoli Enterprise Monitoring Server | ||
| WhereTo | SYSID | HUB_NC051039 | The event is targeted at MSN HUB_NC051039 (IP 10.1.1.1). This target system is identified as the Tivoli Enterprise Monitoring Server. |
| Addr | 10.1.1.1 | ||
| Name | Tivoli Enterprise Monitoring Server |