Using the audit log to track monitoring activity

Edit online

When you are monitoring a condition or compound condition, be aware that any linked response actions will be executed in the background by daemons.

Often, the response action will somehow log or notify you about the event occurring. For example, RSCT's predefined responses use response scripts that do one of the following:

log information to a file
mail the information to a particular user ID
broadcast the information to all users who are logged in

In some cases, you might create your own response script that performs no such logging or notification but, instead, provides a more targeted solution for when the monitored attribute tests True. For example, you might create a recovery script that deletes unnecessary files when the /tmp directory is 90% full.

Whether or not the response script performs some type of notification or logging itself, it is important to know that RMC has an audit log in which it records information about the system's operation and that the event response resource manager appends entries to this log for all triggered response actions. The audit log includes information about the normal operation of the system as well as failures and other errors and, thus, augments any information that a response script might provide.

You can use the lsevent and lsaudrec commands to track monitoring activity. The lsevent command is described in Listing event monitoring information from the audit log and the lsaudrec command is described in Listing records from the audit log.