- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Problem on ACCOUNT log analysis
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-08-2005 01:49 PM
тАО11-08-2005 01:49 PM
from UAF, i can see that:
Last Login: 28-OCT-2005 09:30 (interactive), 6-NOV-2005 00:00 (non-interactive)
when i use $ACCOUNT /USER=AAA /SINCE 1-OCT-2005,i cannot track any record for this account. how come?
question no.2, i wanna check whether this hostname(e.g. aaa.domain) successfully login to the system from a certain period. which command is a simple way to find some clues?
thanks a lot !
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-08-2005 02:36 PM
тАО11-08-2005 02:36 PM
SolutionIs accounting enabled for all classes? See
$ SHOW ACCOUNTING
Note that "account" and "username" are very different things. If you can't figure out the right ACCOUNTING qualifiers to select the records you want, you can use ACCOUNT/FULL/OUTPUT=file to dump the entire contents of the accounting log and then use SEARCH. If you can't find the records you want in a full text dump, they don't exist!
You could also use PIPE, but remember that SEARCH/WINDOW in a pipe process can't have a non zero "pre" window, but can have a positive post window. So, for example, SEARCH/WINDOW will fail, but SEARCH/WINDOW=(0,5) will work.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-08-2005 03:11 PM
тАО11-08-2005 03:11 PM
Re: Problem on ACCOUNT log analysis
i test in another account BBB
it works...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-08-2005 04:28 PM
тАО11-08-2005 04:28 PM
Re: Problem on ACCOUNT log analysis
SYSUAF is update on login.
But the ACCOUNTNG record is only written on logout, is it not?
So either AAA is still looged in, or the accounting record could not be written. Crash?
hth,
Hein.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-08-2005 05:48 PM
тАО11-08-2005 05:48 PM
Re: Problem on ACCOUNT log analysis
If you want to trace logging activity, the better way is to enable Audit flags for it.
$ SET AUDIT/AUDIT/ENABLE=(BREAKIN=ALL,LOGIN=ALL,LOGFAILURE=ALL,LOGOUT=ALL)
Then you can use
$ ANALYZE/AUDIT 'audit_file' /FULL/SELECT=USERNAME=AAA
Placement of audit_file is found in Destination: in $ SHOW AUDIT/ALL
Mike
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-08-2005 06:10 PM
тАО11-08-2005 06:10 PM
Re: Problem on ACCOUNT log analysis
As John said, account and username are different; and to trace the activities of a system, first ACCOUNTING should have been enabled. Once we enable the ACCOUNTING, the system will update the actvities (enabled) in SYS$MANAGER:ACCOUNTING.DAT file.
If ACCOUNTING has been enabled in your system, the command you have used should retrieve the records.
Anyway, make sure the following ACCOUNTING activities have been enabled using
$SHOW ACCOUNTING
network, login, batch,
detached, and intercative
then lets try these commands..
without any user qualifier..
$ ACCOUNTING/SINCE=1-OCT-2005
if no records, then accounting not been enabled.
With user qualifier...
$ ACCOUNTING/USER=AAA /SINCE=1-OCT-2005
If AAA is account name (not username)
$ ACCOUNTING/account=AAA /SINCE=1-OCT-2005
Between two time-stamp
$ ACCOUNTING/USER=AAA/SINCE=1-OCT-2005
/BEFORE=[today or yesterday date]
To trace the access (login) from remote node
by node address..
$ACCOUNTING/Address = [decimal value of IP]
By node
$ACCOUNTING/node = jupiter
Any user on remote node
$ACCOUNTING/node=jupiter/remote_id=remote_username
Archunan
Archie
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-08-2005 06:14 PM
тАО11-08-2005 06:14 PM
Re: Problem on ACCOUNT log analysis
if ACCOUNTING not been enabled in your system, enable using
$ SET ACCOUNTING/enable = (network, login, intercative, batch )
Archunan
Archie
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-08-2005 06:25 PM
тАО11-08-2005 06:25 PM
Re: Problem on ACCOUNT log analysis
i confused by:
by node address..
$ACCOUNTING/Address = [decimal value of IP]
By node
$ACCOUNTING/node = jupiter
i wanna track the record from a source PC(TCP/IP)
how to transfer a ip addr to "decimal value of IP" ?
system output:
$account /address=10.10.10.10 /since=27-oct-2005
%ACC-F-SYNTAX, error parsing '10.10.10.10
$account /address=[10.10.10.10] /since=27-oct-2005
%ACC-F-SYNTAX, error parsing '[10.10.10.10]'
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-08-2005 07:23 PM
тАО11-08-2005 07:23 PM
Re: Problem on ACCOUNT log analysis
do you know how to specify another accounting file(ACCOUNTING.DAT) for search?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-08-2005 07:42 PM
тАО11-08-2005 07:42 PM
Re: Problem on ACCOUNT log analysis
$ ACCOUNT filename /qualifier...
To check for specific IP hosts/Adresses use AUDITing.
You must emable auditing with:
$ SET AUDIT/AUDIT/ENA=LOGIN=ALL
and analyse with:
$ ANA/AUD/SELE=(TERM=*host*)...
regards Kalle