ITM Audit attributes

The ITM Audit attributes give information on critical state-changing events in the monitoring environment. This attribute group includes information such as which user, application, or process initiated the event; what type of action the event represents; when did the event happen; what database, application, or permission was manipulated; on which computer did this event happen; which system is the source of the event; and which system is the target of the event. You can create Enterprise level queries and situations with this attribute group.

Note: Some attributes might return blank data because they are reserved for future use.

Situations created using this attribute group are displayed under All Managed Systems, not under the node that you created the situation from. Pure events are generated for situations created with this attribute group.

Application Code The product code for the application. Character limit: 16.

Application Component The specific component within the product that generated the event. Character limit: 16.

Application Version The version of the application. Character limit: 24.

Assumable Authorization ID The authorization ID granted to the user or entity. Character limit: 128.

Audit Record Version The version of the audit information. Character limit: 4.

Authorization ID The role, group, or user the User ID or Entity is authorized under. Character limit: 128.

Authorization Plugin Type The type of authorization plug-in in use at the time the audit event occurred. Reserved for future use. Character limit: 4.

Enumeration Description
-1 Not_Applicable
0 LOCAL
1 SSO
2 LDAP
4 TSPM
16 RBAC
32 DIS
128 TIM
256 WAS
512 OTHER
1024 TAM

Correlator A unique number to correlate all the audit records related to a single event. Reserved for future use. Character limit: 8.

Enumeration Description
-1 Not_Available

Domain The multi-tenant domain identifier. A custom identifier to identify unique namespaces within the product namespace. Typically used for separating customers logically within a common infrastructure (ISP Model). This is set by providing a value for the ITM_DOMAIN environment parameter. Character limit: 128.

Entity Identifies a non-user entity that initiated the audit event. Character limit: 128.

Entity Type Describes the type of entity that initiated the Audit Event. Character limit: 128.

Extra Attributes A string that contains a semi-colon delimited list of name="value" pairs for which no dedicated column exists in the ITM Audit table. The event's message parameters are stored in the Extra Attributes field as ParamN=n;PARM1="VALUE";PARM2="VALUE"...;PARMn="VALUE". In the name="value" pairs, the value is always enclosed in quotation marks (" ") and embedded quotation marks are escaped by doubling them. The separator between name="value" pairs is a semicolon (;). No whitespace is allowed around the equal sign (=) or semicolon. Note: The column can hold only 512 bytes, so the string is truncated at 512 characters if longer than that. There will be fewer than 512 characters if multi-byte characters are used.

Grantee The grantee ID for which a privilege or authority was granted, revoked or checked for authorization. Reserved for future use. Character limit: 128.

Grantee Type The Common Data Model type of the grantee. Reserved for future use. Character limit: 128.

Message The audit event descriptive message text. Character limit: 512.

Object Name The descriptive name of the object. Character limit: 256.

Object Path The detailed path to the object. Character limit: 256.

Object Type The Common Data Model class of the object. Public CDM classes are defined in CDM v2.10.21 or greater. Private CDM classes are prefixed with ibm-prod-tivoli-itm: private namespace designation. Character limit: 128.

Object Version The version of the object. Character limit: 24.

Operation Object Type The Common Data Model class of the operation. Public CDM classes are defined in CDM v2.10.21 or greater. Private CDM classes are prefixed with ibm-prod-tivoli-itm: private namespace designation. Character limit: 128.

Operation Type The Common Data Model action of the operation. The action type should be compatible with the type of object involved. Public CDM Actions are defined in CDM v2.10.21 or greater. Character limit: 128.

Operation Name The descriptive name of the operation. Character limit: 128.

Origin The network name of the managed system that emitted the audit event. Character limit: 128.

Origin Address The address of the node that emitted the audit event. Character limit: 64.

Origin Hostname The host name of the node that emitted the audit event. Character limit: 128.

Origin Name The descriptive name of the node that emitted the audit event. Character limit: 128.

Origin Port The communication port used by the origin node. Character limit: 4.

Enumeration Description
-1 Not_Available

Origin Protocol The communication protocol used by the origin node. Character limit: 16.

Origin Type The descriptive classification of the node that emitted the audit event. Character limit: 4.

Enumeration Description
-1 Not_Available
1 GUI
2 CLIENT
3 SERVER
4 ENDPOINT
5 AGENT
6 CLI
7 OTHER

Privilege The access type for which a security label is granted. The set of values possible here are specified as the set of actions appropriate to the type of object specified in the object parameters. Reserved for future use. Character limit: 128.

Privilege Type Indicates the type of privilege or authority granted or revoked. Reserved for future use. Character limit: 128.

Record Type Indicates the set of attributes expected in the audit event. Character limit: 4.

Enumeration Description
32 Permission_Checking
33 Object_Maintenance
34 Security_Maintenance
35 System_Administration
36 Contextual_Event
37 Authentication_Validation

Resource Bundle Key The message ID number. Character limit: 64.

Result The application specific return code. This allows for easier filtering and situation creation. Character limit: 4.

RunAs The role, group, or user the user ID is authorized under. Character limit: 128.

Security Policy Name The identifier for the security policy authorizing this action. Reserved for future use. Character limit: 128.

Sequence Number The audit event count of this particular audit event since the component was started. The audit event count is reset to zero when the component is reset. Character limit: 8.

Enumeration Description
-1 Not_Available

Service Point The origin's service point. Refer to "Using the Cloud Pak System Software Monitoring Server Service Console" in the Cloud Pak System Software Knowledge Center. Character limit: 128.

Source The Managed System Name of the node that initiated the operation reported by the audit event. Character limit: 128.

Source Address The address of the node that initiated the operation reported by the audit event. Character limit: 64.

Source Hostname The host name of the node that initiated the operation reported by the audit event. Character limit: 128.

Source Name The descriptive name of the node that initiated the operation reported by the audit event. Character limit: 128.

Source Port The communication port used by the source node. Character limit: 4.

Enumeration Description
-1 Not_Available

Source Protocol The communication protocol used by the Ssource node. Character limit: 16.

Source Type The descriptive classification of the node that initiated the operation reported by the audit event. Character limit: 4.

Enumeration Description
-1 Not_Available
1 GUI
2 CLIENT
3 SERVER
4 ENDPOINT
5 AGENT
6 CLI
7 OTHER

System Name The Managed System Name of the node that emitted the audit event. Character limit: 32.

Target The Managed System Name of the node where the operation is targeted. Character limit: 128.

Target Address The address of the node where the operation is targeted. Character limit: 64.

Target Hostname The host name of the node where the operation is targeted. Character limit: 128.

Target Name The descriptive name of the node where the operation is targeted. Character limit: 128.

Target Port The communication port used by the target node. Character limit: 4.

Enumeration Description
-1 Not_Available

Target Protocol The communication protocol used by the target node. Character limit: 16.

Target Type The descriptive classification of the node where the operation is targeted. Character limit: 4.

Enumeration Description
-1 Not_Available
1 GUI
2 CLIENT
3 SERVER
4 ENDPOINT
5 AGENT
6 CLI
7 OTHER

Timestamp This is the time the log event was generated. The format is MM/DD/YY HH:MM:SS. Character limit: 16

Timestamp (MS) The UTC Timestamp in milliseconds from the epoch. (Number of seconds elapsed since midnight Coordinated Universal Time (UTC) of January 1, 1970, not counting leap seconds. Also known as POSIX time or UNIX time.) Character limit: 8.

Trace Level The minimum AUDIT_TRACE level required to generate this message. Character limit: 4.

Enumeration Description
4000 Detail
5000 Basic
6000 Minimum

User ID The user ID that initiated the operation. Character limit: 128.