Operating System - OpenVMS

Problem on ACCOUNT log analysis

 
Davor_7
Regular Advisor

Problem on ACCOUNT log analysis

Here, I have an account named "AAA".
From UAF, I can see that:
Last Login: 28-OCT-2005 09:30 (interactive), 6-NOV-2005 00:00 (non-interactive)

When I use $ACCOUNT /USER=AAA /SINCE 1-OCT-2005, I cannot track any record for this account. How come?

Question no. 2: I wanna check whether this hostname (e.g. aaa.domain) successfully logged in to the system during a certain period. Which command is a simple way to find some clues?

thanks a lot !
John Gillings
Honored Contributor
Solution

Re: Problem on ACCOUNT log analysis

Davor,

Is accounting enabled for all classes? See

$ SHOW ACCOUNTING

Note that "account" and "username" are very different things. If you can't figure out the right ACCOUNTING qualifiers to select the records you want, you can use ACCOUNT/FULL/OUTPUT=file to dump the entire contents of the accounting log and then use SEARCH. If you can't find the records you want in a full text dump, they don't exist!

You could also use PIPE, but remember that SEARCH/WINDOW in a pipe process can't have a non zero "pre" window, but can have a positive post window. So, for example, SEARCH/WINDOW will fail, but SEARCH/WINDOW=(0,5) will work.
A crucible of informative mistakes
Davor_7
Regular Advisor

Re: Problem on ACCOUNT log analysis

I think it should be enabled.
I tested with another account, BBB.
It works...
Hein van den Heuvel
Honored Contributor

Re: Problem on ACCOUNT log analysis

WAG:

SYSUAF is updated on login.
But the ACCOUNTING record is only written on logout, is it not?
So either AAA is still logged in, or the accounting record could not be written. Crash?

hth,
Hein.
Mike Reznak
Trusted Contributor

Re: Problem on ACCOUNT log analysis

Hi,

If you want to trace logging activity, the better way is to enable Audit flags for it.
$ SET AUDIT/AUDIT/ENABLE=(BREAKIN=ALL,LOGIN=ALL,LOGFAILURE=ALL,LOGOUT=ALL)
Then you can use
$ ANALYZE/AUDIT 'audit_file' /FULL/SELECT=USERNAME=AAA

Placement of audit_file is found in Destination: in $ SHOW AUDIT/ALL

Mike
...and I think to myself, what a wonderful world ;o)
Arch_Muthiah
Honored Contributor

Re: Problem on ACCOUNT log analysis

Davor,

As John said, account and username are different; and to trace the activities of a system, first ACCOUNTING should have been enabled. Once we enable ACCOUNTING, the system will update the activities (enabled) in the SYS$MANAGER:ACCOUNTING.DAT file.

If ACCOUNTING has been enabled in your system, the command you have used should retrieve the records.

Anyway, make sure the following ACCOUNTING activities have been enabled using
$SHOW ACCOUNTING

network, login, batch,
detached, and interactive

Then let's try these commands.

Without any user qualifier:
$ ACCOUNTING/SINCE=1-OCT-2005
If no records, then accounting has not been enabled.

With user qualifier...
$ ACCOUNTING/USER=AAA /SINCE=1-OCT-2005

If AAA is account name (not username)
$ ACCOUNTING/account=AAA /SINCE=1-OCT-2005

Between two time-stamp
$ ACCOUNTING/USER=AAA/SINCE=1-OCT-2005/BEFORE=[today or yesterday date]

To trace the access (login) from remote node

by node address..
$ACCOUNTING/Address = [decimal value of IP]

By node
$ACCOUNTING/node = jupiter

Any user on remote node
$ACCOUNTING/node=jupiter/remote_id=remote_username

Archunan
Regards
Archie
Arch_Muthiah
Honored Contributor

Re: Problem on ACCOUNT log analysis

Davor,

If ACCOUNTING has not been enabled in your system, enable it using
$ SET ACCOUNTING/enable = (network, login, interactive, batch )


Archunan
Regards
Archie
Davor_7
Regular Advisor

Re: Problem on ACCOUNT log analysis

Muthiah / all,
I am confused by:
by node address..
$ACCOUNTING/Address = [decimal value of IP]
By node
$ACCOUNTING/node = jupiter

I wanna track the record from a source PC (TCP/IP).
How do I transfer an IP addr to "decimal value of IP"?

system output:
$account /address=10.10.10.10 /since=27-oct-2005
%ACC-F-SYNTAX, error parsing '10.10.10.10
$account /address=[10.10.10.10] /since=27-oct-2005
%ACC-F-SYNTAX, error parsing '[10.10.10.10]'
Davor_7
Regular Advisor

Re: Problem on ACCOUNT log analysis

BTW, all,

Do you know how to specify another accounting file (ACCOUNTING.DAT) for search?
Karl Rohwedder
Honored Contributor

Re: Problem on ACCOUNT log analysis

You pass the filename via P1:
$ ACCOUNT filename /qualifier...

To check for specific IP hosts/addresses, use AUDITing.
You must enable auditing with:
$ SET AUDIT/AUDIT/ENA=LOGIN=ALL
and analyse with:
$ ANA/AUD/SELE=(TERM=*host*)...

regards Kalle