topic Re: Problem on ACCOUNT log analysis in Operating System - OpenVMS

Problem on ACCOUNT log analysis

Davor_7 — Tue, 08 Nov 2005 21:49:21 GMT

Here, i have an account named "AAA"
from UAF, i can see that:
Last Login: 28-OCT-2005 09:30 (interactive), 6-NOV-2005 00:00 (non-interactive)

when i use $ACCOUNT /USER=AAA /SINCE 1-OCT-2005,i cannot track any record for this account. how come?

question no.2, i wanna check whether this hostname(e.g. aaa.domain) successfully login to the system from a certain period. which command is a simple way to find some clues?

thanks a lot !

Re: Problem on ACCOUNT log analysis

John Gillings — Tue, 08 Nov 2005 22:36:30 GMT

Davor,

Is accounting enabled for all classes? See

$ SHOW ACCOUNTING

Note that "account" and "username" are very different things. If you can't figure out the right ACCOUNTING qualifiers to select the records you want, you can use ACCOUNT/FULL/OUTPUT=file to dump the entire contents of the accounting log and then use SEARCH. If you can't find the records you want in a full text dump, they don't exist!

You could also use PIPE, but remember that SEARCH/WINDOW in a pipe process can't have a non zero "pre" window, but can have a positive post window. So, for example, SEARCH/WINDOW will fail, but SEARCH/WINDOW=(0,5) will work.

Re: Problem on ACCOUNT log analysis

Davor_7 — Tue, 08 Nov 2005 23:11:08 GMT

i think it should be enabled.
i test in another account BBB
it works...

Re: Problem on ACCOUNT log analysis

Hein van den Heuvel — Wed, 09 Nov 2005 00:28:42 GMT

WAG:

SYSUAF is update on login.
But the ACCOUNTNG record is only written on logout, is it not?
So either AAA is still looged in, or the accounting record could not be written. Crash?

hth,
Hein.

Re: Problem on ACCOUNT log analysis

Mike Reznak — Wed, 09 Nov 2005 01:48:03 GMT

Hi,

If you want to trace logging activity, the better way is to enable Audit flags for it.
$ SET AUDIT/AUDIT/ENABLE=(BREAKIN=ALL,LOGIN=ALL,LOGFAILURE=ALL,LOGOUT=ALL)
Then you can use
$ ANALYZE/AUDIT 'audit_file' /FULL/SELECT=USERNAME=AAA

Placement of audit_file is found in Destination: in $ SHOW AUDIT/ALL

Mike

Re: Problem on ACCOUNT log analysis

Arch_Muthiah — Wed, 09 Nov 2005 02:10:51 GMT

Davor,

As John said, account and username are different; and to trace the activities of a system, first ACCOUNTING should have been enabled. Once we enable the ACCOUNTING, the system will update the actvities (enabled) in SYS$MANAGER:ACCOUNTING.DAT file.

If ACCOUNTING has been enabled in your system, the command you have used should retrieve the records.

Anyway, make sure the following ACCOUNTING activities have been enabled using
$SHOW ACCOUNTING

network, login, batch,
detached, and intercative

then lets try these commands..

without any user qualifier..
$ ACCOUNTING/SINCE=1-OCT-2005
if no records, then accounting not been enabled.

With user qualifier...
$ ACCOUNTING/USER=AAA /SINCE=1-OCT-2005

If AAA is account name (not username)
$ ACCOUNTING/account=AAA /SINCE=1-OCT-2005

Between two time-stamp
$ ACCOUNTING/USER=AAA/SINCE=1-OCT-2005
/BEFORE=[today or yesterday date]

To trace the access (login) from remote node

by node address..
$ACCOUNTING/Address = [decimal value of IP]

By node
$ACCOUNTING/node = jupiter

Any user on remote node
$ACCOUNTING/node=jupiter/remote_id=remote_username

Archunan

Re: Problem on ACCOUNT log analysis

Arch_Muthiah — Wed, 09 Nov 2005 02:14:48 GMT

Davor,

if ACCOUNTING not been enabled in your system, enable using
$ SET ACCOUNTING/enable = (network, login, intercative, batch )

Archunan

Re: Problem on ACCOUNT log analysis

Davor_7 — Wed, 09 Nov 2005 02:25:21 GMT

Muthiah / all
i confused by:
by node address..
$ACCOUNTING/Address = [decimal value of IP]
By node
$ACCOUNTING/node = jupiter

i wanna track the record from a source PC(TCP/IP)
how to transfer a ip addr to "decimal value of IP" ?

system output:
$account /address=10.10.10.10 /since=27-oct-2005
%ACC-F-SYNTAX, error parsing '10.10.10.10
$account /address=[10.10.10.10] /since=27-oct-2005
%ACC-F-SYNTAX, error parsing '[10.10.10.10]'

Re: Problem on ACCOUNT log analysis

Davor_7 — Wed, 09 Nov 2005 03:23:07 GMT

btw, all

do you know how to specify another accounting file(ACCOUNTING.DAT) for search?

Re: Problem on ACCOUNT log analysis

Karl Rohwedder — Wed, 09 Nov 2005 03:42:42 GMT

You pass the filename via P1:
$ ACCOUNT filename /qualifier...

To check for specific IP hosts/Adresses use AUDITing.
You must emable auditing with:
$ SET AUDIT/AUDIT/ENA=LOGIN=ALL
and analyse with:
$ ANA/AUD/SELE=(TERM=*host*)...

regards Kalle

Re: Problem on ACCOUNT log analysis

Jan van den Ende — Wed, 09 Nov 2005 03:45:39 GMT

Davor,

HELP ACCOUNTING

tells you

ACCOUNT [filespec]

You can search any accounting file by just naming it, with SYS$MANAGER:ACCOUNTNG.DAT being only the default.

hth

Proost.

Have one on me.

jpe

Re: Problem on ACCOUNT log analysis

Davor_7 — Wed, 09 Nov 2005 07:35:19 GMT

thanks all!
i'm late to close this~ hehe

thank you very much.

furthermore, i submit another topic to get detail pwd changed time. could you kindly pls take a look?
thanks

Re: Problem on ACCOUNT log analysis

Hein van den Heuvel — Wed, 09 Nov 2005 08:21:15 GMT

Not late at all. Leaving a topic open for a day is pretty much desirable to give folks all around the globe a chance to contribute.

Also, as you close, kindly give an indication as to what solved the problem for you, through a closing line, point assignments or both.

Regards,
Hein.