File Audit Logging events

The following table lists the events that are created for the File Audit Logging component.

Table 1. Events for the File Audit Logging component
Event	Event Type	Severity	Call Home	Details
auditc_auditlogfile	STATE_CHANGE	ERROR	no	Message: Unable to open or append to the auditLog {1} files for file system {0}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: Check whether the audited file system is mounted on the node.
auditc_auth_failed	STATE_CHANGE	ERROR	no	Message: Authentication error encountered in audit consumer for group {1} for file system {0}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: For more information, check the /var/adm/ras/mmaudit.log.
auditc_brokerconnect	STATE_CHANGE	ERROR	no	Message: Unable to connect to Kafka broker server {1} for file system {0}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: Run the mmmsgqueue status -v command to check message queue status and ensure that the message queue is in a HEALTHY state. You might disable and re-enable the message queue in case the message queue remains unhealthy.
auditc_compress	STATE_CHANGE	WARNING	no	Message: Could not compress for audit log file {1}.
				Description: Warning encountered in audit consumer.
				Cause: N/A
				User Action: For more information, check the /var/adm/ras/mmaudit.log file. Ensure that the audit fileset is mounted and the file system is in a HEALTHY state.
auditc_createkafkahandle	STATE_CHANGE	ERROR	no	Message: Failed to create audit consumer Kafka handle for file system {0}.
				Description: Warning encountered in audit consumer.
				Cause: N/A
				User Action: Ensure that gpfs.librdkafka packages are installed. Then, enable or disable audit with the mmaudit enable/disable command.
auditc_err	STATE_CHANGE	ERROR	no	Message: Error encountered in audit consumer for file system {0}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: For more information, check the /var/adm/ras/mmaudit.log.
auditc_flush_auditlogfile	STATE_CHANGE	ERROR	no	Message: Unable to flush the auditLog {1} files for file system {0}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: Check whether the file system is mounted on the node.
auditc_flush_errlogfile	STATE_CHANGE	ERROR	no	Message: Unable to flush the errorLog file for file system {0}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: Check whether the file system is mounted on the node.
auditc_found	INFO_ADD_ENTITY	INFO	no	Message: Audit consumer for file system {0} was found.
				Description: An audit consumer listed in the IBM Storage Scale configuration was detected.
				Cause: N/A
				User Action: N/A
auditc_initlockauditfile	STATE_CHANGE	ERROR	no	Message: Failed to indicate to systemctl on successful consumer startup sequence for file system {0}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: Disable and re-enable auditing by using the mmaudit command.
auditc_loadkafkalib	STATE_CHANGE	ERROR	no	Message: Unable to initialize file audit consumer for file system {0}. Failed to load librdkafka library.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: Check the installation of librdkafka libraries and retry the mmaudit command.
auditc_mmauditlog	STATE_CHANGE	ERROR	no	Message: Unable to append to file {1} for file system {0}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: Check that the audited file system is mounted on the node. Ensure the file system to be audited is in a HEALTHY state and then, retry by using the mmaudit disable/enable command.
auditc_nofs	STATE_CHANGE	INFO	no	Message: No file system is audited.
				Description: No file system is audited.
				Cause: N/A
				User Action: N/A
auditc_offsetfetch	STATE_CHANGE	ERROR	no	Message: Failed to fetch topic ({1}) offset for file system {0}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: Check on the topicName by using the mmmsgqueue list --topics command. If topic is listed, then try restarting consumers with the mmaudit all consumerStop/consumerStart -N <node(s)> command. If the problem persists, then try disabling and re-enabling audit with the mmaudit enable/disable command.
auditc_offsetstore	STATE_CHANGE	ERROR	no	Message: Failed to store an offset for file system {0}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: Check on the topicName by using the mmmsgqueue list --topics command. If topic is listed, then try restarting consumers with the mmaudit all consumerStop/consumerStart -N <node(s)> command. If the problem persists, then try disabling and re-enabling audit with the mmaudit enable/disable command.
auditc_ok	STATE_CHANGE	INFO	no	Message: File Audit consumer for file system {0} is running.
				Description: File Audit consumer is running.
				Cause: N/A
				User Action: N/A
auditc_service_failed	STATE_CHANGE	ERROR	no	Message: File audit consumer {1} for file system {0} is not running.
				Description: File audit consumer service is not running.
				Cause: N/A
				User Action: For more information, use the systemctl status <consumername> command and see the /var/adm/ras/mmaudit.log.
auditc_service_ok	STATE_CHANGE	INFO	no	Message: File audit consumer service for file system {0} is running.
				Description: File audit consumer service is running.
				Cause: N/A
				User Action: N/A
auditc_setconfig	STATE_CHANGE	ERROR	no	Message: Failed to set configuration for audit consumer for file system {0} and group {1}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: For more information, check the /var/adm/ras/mmaudit.log file. Attempt to fix by disabling and re- enabling the file audit logging by using the mmaudit disable/enable command.
auditc_setimmutablity	STATE_CHANGE	WARNING	no	Message: Could not set immutability on for auditLogFile {1}.
				Description: Warning encountered in audit consumer.
				Cause: N/A
				User Action: For more information, check the /var/adm/ras/mmaudit.log file. Ensure that the audit fileset is mounted and the file system is in a HEALTHY state.
auditc_topicsubscription	STATE_CHANGE	ERROR	no	Message: Failed to subscribe to topic ({1}) for file system {0}.
				Description: Error encountered in audit consumer.
				Cause: N/A
				User Action: Check on the topicName and initial configuration details by using the mmmsgqueue list --topics command and retry the mmaudit command.
auditc_vanished	INFO_DELETE_ENTITY	INFO	no	Message: Audit consumer for file system {0} has vanished.
				Description: An audit consumer that was listed in the IBM Storage Scale configuration was removed.
				Cause: N/A
				User Action: N/A
auditc_warn	STATE_CHANGE	WARNING	no	Message: Warning encountered in audit consumer for file system {0}.
				Description: Warning encountered in audit consumer.
				Cause: N/A
				User Action: For more information, check the /var/adm/ras/mmaudit.log.
auditp_auth_err	STATE_CHANGE	ERROR	no	Message: Error obtaining authentication credentials or configuration for producer; error message: {2}.
				Description: Authentication error encountered in event producer.
				Cause: N/A
				User Action: Verify that the file audit log is properly configured. Disable and enable the file audit log by using the mmmsgqueue and the mmaudit commands.
auditp_auth_info	TIP	TIP	no	Message: Authentication or configuration information is not present or outdated. Request to load credentials or configuration is started and new credentials or configuration is used on next event. Message: {2}.
				Description: Event producer has no or outdated authentication information.
				Cause: N/A
				User Action: N/A
auditp_auth_warn	STATE_CHANGE	WARNING	no	Message: Authentication credentials for Kafka could not be obtained. An attempt to update credentials is performed later. Message: {2}.
				Description: Event producer failed to obtain authentication information.
				Cause: N/A
				User Action: N/A
auditp_create_err	STATE_CHANGE	ERROR	no	Message: Error encountered while creating a new (loading or configuring) event producer; error message: {2}.
				Description: error encountered when creating a new event producer.
				Cause: N/A
				User Action: Verify that the correct gpfs.librdkafka is installed. For more information, check /var/adm/ras/mmfs.log.latest.
auditp_found	INFO_ADD_ENTITY	INFO	no	Message: New event producer for file system {2} was configured.
				Description: A new event producer was configured.
				Cause: N/A
				User Action: N/A
auditp_log_err	STATE_CHANGE	ERROR	no	Message: Error opening or writing to event producer log file.
				Description: Log error encountered in event producer.
				Cause: N/A
				User Action: Verify that the log directory and /var/adm/ras/mmaudit.log file are present and writeable. For more information, check /var/adm/ras/mmfs.log.latest.
auditp_msg_send_err	STATE_CHANGE	WARNING	no	Message: Failed to send message to target sink for file system {2}; errormessage: {3}.
				Description: Error sending messages encountered in event producer.
				Cause: N/A
				User Action: Check connectivity to Kafka broker and topic and check whether the broker can accept new messages. For more information, check the /var/adm/ras/mmfs.log.latest and /var/adm/ras/mmmsgqueue.log files.
auditp_msg_send_stop	STATE_CHANGE	ERROR	no	Message: Failed to send more than {2} messages to target sink. Producer is now shutdown. No more messages are sent.
				Description: Producer reached the error threshold. The producer no longer attempts to send messages.
				Cause: N/A
				User Action: To re-enable events, and disable and re-enable file audit logging, run the mmaudit <device> disable/enable command. If file audit logging fails again, then you might need to disable and re-enable message queue. Run the mmmsgqueue enable/disable command, and then enable the file audit logging. If file audit logging continues to fail, then run the mmmsgqueue config --remove command. Now, enable the message queue and then enable the file audit logging.
auditp_msg_write_err	STATE_CHANGE	WARNING	no	Message: Failed to write message to Audit log for file system {2}; error message: {3}.
				Description: Error writing messages encountered in event producer.
				Cause: N/A
				User Action: Ensure that the Audit fileset is healthy. For more information, check the /var/adm/ras/mmfs.log.latest and /var/adm/ras/mmmsgqueue.log.
auditp_msg_write_stop	STATE_CHANGE	ERROR	no	Message: Failed to write more than {2} messages to Audit log. Producer is now shutdown. No more messages are sent.
				Description: Producer reached the error threshold. The producer no longer attempts to send messages.
				Cause: N/A
				User Action: To re-enable events, run the mmaudit all producerRestart -N <Node> command. If that does not succeed, then ensure that the Audit fileset is healthy and disable or enable the file audit logging with the mmaudit command. For more information, check the /var/adm/ras/mmfs.log.latest and /var/adm/ras/mmmsgqueue.log.
auditp_msgq_unsupported	STATE_CHANGE	ERROR	no	Message: Message queue is no longer supported and no clustered watch folder or file audit logging commands can be run until the message queue is removed.
				Description: Message queue is no longer supported in IBM Storage Scale and must be removed.
				Cause: N/A
				User Action: For more information, see the mmmsgqueue config --remove-msgqueue command page.
auditp_ok	STATE_CHANGE	INFO	no	Message: Event producer for file system {2} is OK.
				Description: Event producer is OK.
				Cause: N/A
				User Action: N/A
auditp_vanished	INFO_DELETE_ENTITY	INFO	no	Message: An event producer for file system {2} was removed.
				Description: An event producer was removed.
				Cause: N/A
				User Action: N/A