HP Medical Archive Solution Reference Guide

HP Medical Archive Solutions
Audit Message Reference Guide
March 2005 (First Edition)
Part Number 393234-001
© Copyright 2005 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft, Windows, and Windows NT are U.S. registered trademarks of Microsoft Corporation.
March 2005 (First Edition) Part Number 393234-001
HPMA Audit Message Reference

DISCLAIMER

While every reasonable effort has been made to achieve technical accuracy and completeness, information in this document is subject to change without notice and does not represent a commitment on the part of Bycast Inc., or any of its subsidiaries, affiliates, licensors, or resellers. There are no warranties, express or implied, with respect to the content of this document.
Features and specifications of Bycast
®
products are subject to change
without notice.
This manual contains information and images about Bycast Inc., its fixed content storage systems, and its other products that are protected by copyright and furnished under terms of a license agreement.
This product includes software developed by the OpenSSL Project for use in the Open SSL Toolkit. (http://www.openssl.org/)
Copyright ©2005 by Bycast Inc. All rights reserved.
Proprietary and Confidential
Bycast® and StorageGRID™ are trademarks of Bycast Inc. Their related marks, images, and symbols are the exclusive properties of Bycast Inc.
Adobe® and Acrobat® are registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Microsoft® and Windows® are registered trademarks of Microsoft Corporation.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other brands, product names, company names, trademarks, and service marks are the properties of their respective owners.
ii
HP Medical Archive

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Currency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Document Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Using this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Contacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Audit Message Overview . . . . . . . . . . . . . . 1
Overview of Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Audit Message Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Message Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Audit Log File Access . . . . . . . . . . . . . . . . . . . . . . . . . . 4
File and Message Format . . . . . . . . . . . . . . 5
Audit Log File Format . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Audit Message Format . . . . . . . . . . . . . . . . . . . . . . . . . 6
Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Event-Specific Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Common Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Message Reference . . . . . . . . . . . . . . . . . . . 11
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
System Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . 12
Object Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . 13
HTTP Protocol Audit Messages . . . . . . . . . . . . . . . . . . 14
DICOM Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . 15
File System Gateway Audit Messages . . . . . . . . . . . . . . 16
Audit Message Reference . . . . . . . . . . . . . . . . . . . . . . . 17
BKSB—Backup Store Begin . . . . . . . . . . . . . . . . . . . . . . 17
BKSE—Backup Store End . . . . . . . . . . . . . . . . . . . . . . . 18
CBRB—Object Receive Begin . . . . . . . . . . . . . . . . . . . . 19
CBRE—Object Receive End . . . . . . . . . . . . . . . . . . . . . . 20
CBSB—Object Send Begin . . . . . . . . . . . . . . . . . . . . . . . 21
iii
HP Medical Archive
HPMA Audit Message Reference
CBSE—Object Send End . . . . . . . . . . . . . . . . . . . . . . . . . 22
CDAD—DICOM Study Add . . . . . . . . . . . . . . . . . . . . . . 23
DASC—DICOM Association Close . . . . . . . . . . . . . . . . 24
DASE—DICOM Association Establish . . . . . . . . . . . . . 24
DASF—DICOM Association Fail . . . . . . . . . . . . . . . . . . 25
DCFE—DICOM C–FIND End . . . . . . . . . . . . . . . . . . . . 26
DCFS—DICOM C–FIND Start . . . . . . . . . . . . . . . . . . . . 27
DCGE—DICOM C–GET End . . . . . . . . . . . . . . . . . . . . . 28
DCGS—DICOM C–GET Start . . . . . . . . . . . . . . . . . . . . 29
DCME—DICOM C–MOVE End . . . . . . . . . . . . . . . . . . 29
DCMS—DICOM C–MOVE Start . . . . . . . . . . . . . . . . . . 31
DCMT—DICOM Storage Commitment . . . . . . . . . . . . 32
DCPE—DICOM C–STORE End . . . . . . . . . . . . . . . . . . 32
DCPS—DICOM C–STORE Start . . . . . . . . . . . . . . . . . . 34
DCSF—DICOM C–STORE Fail . . . . . . . . . . . . . . . . . . . 34
ETAF—Security Authentication Failed . . . . . . . . . . . . . 36
ETCA—TCP/IP Connection Establish . . . . . . . . . . . . . 37
ETCC—TCP/IP Connection Close . . . . . . . . . . . . . . . . . 38
ETCF—TCP/IP Connection Fail . . . . . . . . . . . . . . . . . . 38
FCRE—File Create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
FDEL—File Delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
FMFY—File Modify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
FRNM—File Rename . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
FSTG—File Store to Grid . . . . . . . . . . . . . . . . . . . . . . . . 42
FSWI—File Swap In . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
FSWO—File Swap Out . . . . . . . . . . . . . . . . . . . . . . . . . . 43
HCPE—HTTP PUT C–STORE End . . . . . . . . . . . . . . . . 44
HCPS—HTTP PUT C–STORE Start . . . . . . . . . . . . . . . 45
HDEL—HTTP DELETE Transaction . . . . . . . . . . . . . . 45
HGEE—HTTP GET Transaction End . . . . . . . . . . . . . . 46
HGES—HTTP GET Transaction Start . . . . . . . . . . . . . 47
HHEA—HTTP HEAD Transaction . . . . . . . . . . . . . . . . 48
HOPT—HTTP OPTIONS Transaction . . . . . . . . . . . . . 49
HPOE—HTTP POST Transaction End . . . . . . . . . . . . . 50
HPOS—HTTP POST Transaction Start . . . . . . . . . . . . 51
HPUE—HTTP PUT Transaction End . . . . . . . . . . . . . . 52
HPUS—HTTP PUT Transaction Start . . . . . . . . . . . . . 53
HTSC—HTTP Session Close . . . . . . . . . . . . . . . . . . . . . 53
HTSE—HTTP Session Establish . . . . . . . . . . . . . . . . . . 54
RPSB—Replication Session Begin . . . . . . . . . . . . . . . . . 55
RPSE—Replication Session End . . . . . . . . . . . . . . . . . . 55
SADD—Security Audit Disable . . . . . . . . . . . . . . . . . . . 56
SADE—Security Audit Enable . . . . . . . . . . . . . . . . . . . . 57
SCMT—Object Store Commit . . . . . . . . . . . . . . . . . . . . 57
SREM—Object Store Remove . . . . . . . . . . . . . . . . . . . . 58
SVRF—Object Store Verify Fail . . . . . . . . . . . . . . . . . . . 59
iv
HP Medical Archive
SVRU—Object Store Verify Unknown . . . . . . . . . . . . . 59
SYSD—Node Stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
SYSU—Node Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
TACB—Grid Task Action Begin . . . . . . . . . . . . . . . . . . . 61
TACE—Grid Task Action End . . . . . . . . . . . . . . . . . . . . 61
TSGC—Grid Task Stage Change . . . . . . . . . . . . . . . . . . 62
TSTC—Grid Task State Change . . . . . . . . . . . . . . . . . . . 63
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
v
HP Medical Archive
HPMA Audit Message Reference
vi
HP Medical Archive

Preface

Purpose

The Audit Management System (AMS) service stores audit messages of grid activity and events to a set of text log files. To enable you to read and analyze the audit trail, this document provides information on the structure and content of the text file log.
The objectives of this document are to:
Describe how to access the current log file and archived logs
Describe the text file format
Provide a reference for common audit messages

Currency

The content is current with the AMS service software version 4.6.0, as included in the HP Medical Archive system release 5.2. To find the version number of your AMS service software:
1. Using the NMS interface, select an AMS service Overview page.
The version number is reported in the Node Information block.
If you have an earlier version of the AMS service, contact HP Support.

Intended Audience

The content of this guide is intended for administrators responsible for producing reports of network activity and usage that require analysis of the audit messages.
You are assumed to have a sound understanding of the nature of audited activities within the HP Medical Archive system. To use the text log file, you are assumed to have access to the configured audit share on the server hosting the AMS service.
vii
HP Medical Archive
HPMA Audit Message Reference

References

This document assumes familiarity with many terms related to computer operations and programming, network communications, and operating system file operations. There is wide use of acronyms. To assist you, there is a glossary at the back of this reference (page 65).

Document Structure

HP Medical Archive product guides are generally provided in printed format. They may also be available in Adobe Document Format).
You may print copies of the PDF editions for internal use but all copies must be treated as proprietary and confidential; not for general distribution.

Using this Guide

This guide is comprised of three chapters:
“Audit Message Overview”—Provides a brief overview of the audit message system and the design of the text log file.
“File and Message Format”—Defines the format of the audit log file and the format of audit messages, along with details of the common elements found in all audit messages.
“Message Reference”—Provides supporting information for all audit messages issued by the system.
®
Acrobat® PDF (Portable

Conventions

This guide adheres to conventions for terminology to avoid confusion or misunderstanding. There are also conventions for typography to enhance readability and usefulness of the text.
viii
HP Medical Archive
Preface
Terminology
There is some room for confusion between common computer network terminology for “server” and “node” as they are used in HP Medical Archive products and documents.
A server is usually thought of as a piece of computing hardware that provides data services to requesting network clients; a resource pro­viding network, computational, and storage services. Within the context of the HP Medical Archive, a server is an entity hosting one or more grid services.
Nodes in a network are usually defined as an independent entity with a unique network identity, running on a resource. In this text, the use of the phrase “grid node” refers to an addressable entity on the grid that provides and uses functional services within the grid to perform one or more tasks. Each grid node has a unique “node ID”. These include: ADC, CMS and LDR. In the HP Medical Archive User Guide and other user documents these are referred to as “services”.
In contrast, the HP Medical Archive packages the grid service modules into “nodes”. Some node packages are required, others are optional. When used in this context the term appears in uppercase; as in “ControlNODE”, which usually incorporates the ADC, CMS and SSM services on one server.
Numerics
Numeric values are presented in decimal unless noted otherwise.
Hexadecimal values in the narrative are noted using the prefix “0x”; for example: 0x3B. Where sample messages include data as a string of hexadecimal characters, the prefix only appears if it is included within the message.
Fonts
To assist you in easily picking out the elements of importance, changes from the standard font are used:
Items upon which you act are shown in bold. These include:
Sequences of selections from the navigation tree, tabs, and
page options, such as: LDR X Configuration X Notifications.
Buttons or keys to click or press, such as Apply or <Tab>.
Radio buttons or check buttons to enable or disable, such as
Save configuration as default.
ix
HP Medical Archive
HPMA Audit Message Reference
Field prompts, names of windows and dialogs, messages, and
other literal text in the interface is shown in sans-serif such as the LDR State pull down menu, or the Sign In... window.
Items within the narrative that require emphasis appear in italics.
Coding samples or interactions with a command terminal are
shown in the fixed space font: Any italicized portion indicates variable data you provide to meet
your needs.
Keyboard keys that use words or standard abbreviations are shown within angle brackets, such as <Ctrl> for the control key, <Tab>, <space>, and <Enter>.

Contacts

<?xml version=1.0 ?>
For general product and company information, refer to the HP web site at:
www.hp.com
If you cannot find the information you need in this document, there are several other resources you can use to get more detailed information:
The HP website (http://www.hp.com)
Your nearest HP authorized reseller (for the locations and tele-
phone numbers of these resellers, refer to the HP website)
HP technical support:
In North America, call 1-800-652-6672
For other regions, refer to the HP website.
x
HP Medical Archive

Audit Message Overview

Chapter Contents
1
Overview of Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Audit Message Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Message Retention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Audit Log File Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
1
HP Medical Archive
HPMA Audit Message Reference

Overview of Auditing

As services in the grid perform various activities and process events, audit messages are generated to retain a record of grid activity. These messages are processed by the Audit Management System (AMS) service and stored in the form of text log files. This document provides information on the structure and content of the text log files to enable you to read and analyze the audit trail of grid activity.

Audit Message Flow

Audit messages are generated internally by each grid service. All system services generate audit messages during normal system opera­tion. These messages are sent to the connected AMS services for processing and storage.
Some grid services can be designated as audit message relay services. They act as collection points to reduce the need for every service to send its audit messages to all connected AMS services. Notice in Figure 1 that each relay service must send messages to all AMS desti­nations, whereas services can send messages to just one relay service.
Figure 1: Audit Message Flow
2
HP Medical Archive
Relay services are designated at the time the grid topology is config­ured. Any grid service (LDR, ADC, CMS, and so on) can be designated to act as an audit message relay.

Message Retention

Once an audit message is generated, it is stored on the local server of the originating service until it has been committed to all connected AMS servers, or a designated audit relay service. The relays in turn store the message until it is committed at all AMS services. This process includes a confirmation (positive acknowledgment) to ensure no messages are lost.
Audit Message Overview
Figure 2: Audit Message Retention
Messages arrive at the AMS and are stored in a queue pending con­firmed write to the text log file. Confirmation of the arrival of messages is sent to the originating service (or audit relay) to permit the originator to delete its copy of the message.
Only after a message has been committed to storage at the AMS can it be removed from the queue. This local message buffer at the AMS has an alarm (AMQS) associated with it, in the event the backlog becomes unusually large. At times of peak activity, the rate at which audit messages are arriving may be faster than they can be committed to storage, causing a temporary backlog that will clear itself when grid activity declines.
When the text log file on the Admin Node reaches a predefined size, it is automatically converted to a compressed format and a new text log file is started. Over very long periods of time, this can result in con-
3
HP Medical Archive
HPMA Audit Message Reference
sumption of the available storage on the server hosting the AMS service. Based on the requirements of your enterprise, either archive the older compressed files to some other media (such as DVD-R, or into the grid itself), or they will be automatically deleted.

Audit Log File Access

Access to the text log file at the AMS requires you to have an account and password to access the audit share on the server hosting the AMS service.
The active log file and any compressed log files are available through your configured audit share directory.
The active audit log file is named:
audit.log
Archived log files are named using the convention:
YYYY-MM-DD.txt.gz
where the file name includes a date and time stamp (in UTC) when the file was archived.
To access an archived audit log file:
1. Make a local copy of the file to work with.
2. Decompress the file. This process requires a decompression utility.
We recommend “7-Zip”, which is a free download from:
http://www.7-zip.org/
Access log files as simple text files.
The next chapter provides details of the file’s internal structure and the syntax of audit messages.
4
HP Medical Archive

File and Message Format

Chapter Contents
2
Audit Log File Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Audit Message Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Event-Specific Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Common Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
5
HP Medical Archive
HPMA Audit Message Reference

Audit Log File Format

The audit log contains individual audit messages in the following format:
1. Date and time stamp (local time) the message was processed at the
AMS, followed by the server host name and the string “
2. The message itself, enclosed within square brackets “[]”. The
message structure is discussed in the next section on page 6.
The following is the beginning of a sample log file. Messages are wrapped within the boundaries shown, ending after the ASQN attribute and double closing brackets “]]”. The <CR><LF> characters at the end of each message are not shown.
Feb 12 02:37:34 an1-a-1 AMS: [AUDT[RSLT(FC32):'DSDN'][AVER(UI32):3][ATYP(FC32):'SYSU'][ATIM(UI64):11081758444743 62][ATID(UI64):9384121014334693630][ANID(UI32):15010119][AMID(FC32):'ARNI'][ASQN(UI
64):0]] Feb 12 02:37:34 an1-a-1 AMS: [AUDT[SEID(FC32):'RCON'][CNDR(FC32):'OUTB'][SVIP(UI32):1501][DAIP(IP32):14.1.1.13][ SAIP(IP32):14.1.1.19][CNID(UI64):1716307103][RSLT(FC32):'CRFU'][AVER(UI32):3][ATYP( FC32):'ETCF'][ATIM(UI64):1108175844660669][ATID(UI64):5503182624165676149][ANID(UI3
2):15010119][AMID(FC32):'RCON'][ASQN(UI64):1]] Feb 12 02:37:34 an1-a-1 AMS: [AUDT[SEID(FC32):'RCON'][CNDR(FC32):'OUTB'][SVIP(UI32):1501][DAIP(IP32):14.1.1.15][ SAIP(IP32):14.1.1.19][CNID(UI64):2329159112][RSLT(FC32):'CRFU'][AVER(UI32):3][ATYP( FC32):'ETCF'][ATIM(UI64):1108175854682710][ATID(UI64):7756750787035320318][ANID(UI3
2):15010119][AMID(FC32):'RCON'][ASQN(UI64):2]]
AMS:”.

Audit Message Format

Audit messages exchanged within the grid include some standard information common to all messages, and specific content for the event or activity being reported.
Each audit message is logged as a string composed of attribute elements that are:
Enclosed in square brackets “[ ]”
Introduced by the string “AUDT”, indicating an audit message
6
HP Medical Archive
File and Message Format
Do not have delimiters (no commas or spaces) between attributes
Terminated by a carriage return and line feed (<CR><LF>)
Each element includes: an attribute code, data type, and value. It takes the format:
[ATTR(type):value][ATTR(type):value]... [ATTR(type):value]<CR><LF>
Where:
ATTR is a four-character code for the attribute being reported. See
Chapter 3, starting on page 11 for a directory of message attributes and their meaning.
type is a four-character identifier of the programming data type of
the value, such as: UI64, FC32, and so on. See “Data Types” on the next page. The type is enclosed in brackets “( )”.
value is the content of the attribute, typically a numeric or text
value (text values are enclosed in single quotes). Values always follow a colon “:”.

Data Types

The number of attribute elements in the message depends on the event type of the message.

Sample Audit Message

[HSID(UI64):811028912][DIDR(CSTR):’INBO’][HSCR(FC32):’SUCS’] [AVER(UI32):2][ATYP(FC32):’HTSC’][ATIM(UI64):1099615457414746] [ATID(UI64):11174705928149966150][ANID(UI32):12130010] [AMID(FC32):’HTSM’][ASQN(UI32):49984]
The data types encountered in the audit messages are:
Table 1: Data Types
Type Description
UI32 Unsigned long integer (32 bits); it can store the numbers
0–4,294,967,295.
UI64 Unsigned double long integer (64 bits); it can store the
numbers 0–18,446,744,073,709,551,615.
FC32 Four Character Constant; a 32-bit unsigned integer value
represented as four ASCII characters such as: “ABCD”.
7
HP Medical Archive
HPMA Audit Message Reference
Table 1: Data Types (cont.)
Type Description
IP32 IP Address; a 32-bit IP address representation.
CSTR C String; a variable length array of characters.

Event-Specific Data

Following the opening “[AUDT” container that identifies the message itself, is a series of items specific to each event or action. Chapter 3, “Message Reference” on page 11 lists attributes commonly used for tracing grid activity.

Common Elements

After the event-specific information is a set of elements common to all audit messages:
Table 2: Common Elements of Audit Messages
Code Type Description
AVER UI32 Version—The version of the audit message. As the HP Medical
Archive software evolves, new versions of services may incorporate new features in audit reporting. This field enables backward com­patibility in the AMS to process messages from older versions of services.
ATYP FC32 Event Type—A four-character identifier of the event being logged.
This governs the “payload” content of the message—the attributes included.
ATIM UI64 Timestamp—The time the event was generated that triggered the
audit message, measured in microseconds since the operating sys­tem epoch (00:00:00 UTC on 1 January, 1970). Note that most avail­able tools for converting the timestamp to local date and time are based on milliseconds. Rounding or truncation of the database timestamp may be required.
ATID UI64 Trace ID—An identifier that is shared by the set of messages that
were triggered by a single event.
8
HP Medical Archive
File and Message Format
Table 2: Common Elements of Audit Messages (cont.)
Code Type Description
ANID UI32 Node ID—The grid node ID assigned to the service that generated
the message. Each service is allocated a unique identifier at the time the HP Medical Archive is configured and installed. This ID cannot be changed.
AMID FC32 Module ID—A four-character identifier of the module ID that gen-
erated the message. This indicates the code segment within which the audit message was generated.
ASQN UI64 Sequence Count—A counter that is incremented for each generated
audit message on the grid node (ANID). This counter is reset to zero at service restart. It can be used for consistency checks to ensure that no audit messages have been lost.
9
HP Medical Archive
HPMA Audit Message Reference
10
HP Medical Archive

Message Reference

A comprehensive listing of generated audit messages.
Chapter Contents
3
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
System Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Object Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
HTTP Protocol Audit Messages . . . . . . . . . . . . . . . . . . . . . .14
DICOM Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
File System Gateway Audit Messages . . . . . . . . . . . . . . . . .16
Audit Message Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
11
HP Medical Archive
HPMA Audit Message Reference

Introduction

This chapter provides detailed descriptions of the attributes reported in all audit messages issued by the system.
Messages are listed alphabetically to facilitate referencing the content for a specific message of interest. To reference related messages for a given class of activity, use the tables in the subsections below.

System Audit Messages

This group of messages are for events related to:
The auditing system itself
Grid node states
Grid-wide task activity (Grid Tasks)
Service backup operations
File System Gateway (FSG) replications
Table 3: System Audit Messages
Code Description Page
ETCA TCP/IP Connection Establish—An incoming or outgoing TCP/IP
connection was successfully established.
ETCC TCP/IP Connection Close—An established connection has been
closed by either side of the connection (normally or abnormally).
ETCF TCP/IP Connection Fail—An outgoing connection attempt failed at
the lowest level, due to communication problems.
SADD Security Audit Disable—Audit message logging has been turned
off.
SADE Security Audit Enable—Audit message logging has been turned on. 57
ETAF Security Authentication Failed—A connection attempt using Trans-
port Layer Security (TLS) has failed.
SYSU Node Start—An HP Medical Archive grid service started; the nature
of the previous shutdown is indicated in the message.
SYSD Node Stop—An HP Medical Archive grid service has been grace-
fully stopped.
37
38
38
56
36
60
57
12
HP Medical Archive
Message Reference
Table 3: System Audit Messages (cont.)
Code Description Page
TSTC Grid Task State Change—A grid task has been added, started,
paused, canceled, or completed.
TSGC Grid Task Stage Change—The stage of a grid task has changed. 62
TACB Grid Task Action Begin—A grid task action has begun. 61
TACE Grid Task Action End—A grid task action has completed. 61
BKSB Backup Store Begin—A service has begun a backup operation. 17
BKSE Backup Store End—A service has completed a backup operation. 18
RPSB Replication Session Begin—A service has begun a replication opera-
tion to a secondary service.
RPSE Replication Session End—A service has completed a replication
operation to a secondary service.

Object Audit Messages

Object audit messages represent events related to the storage and man­agement of objects within the grid. These include:
Object storage/retrieval
Node-to-node transfer
Verific ation
63
55
55
Table 4: Object Audit Messages
Code Description Page
CBSB Object Send Begin—The source entity initiated a node-to-node data
transfer operation on a single piece of content.
CBSE Object Send End—The source entity completed a node-to-node data
transfer operation.
CBRB Object Receive Begin—The destination entity initiated a node-to-
node data transfer operation on a single piece of content.
CBRE Object Receive End—The destination entity completed a node-to-
node data transfer operation.
SCMT Object Store Commit—A content block was completely stored and
verified, and can now be requested.
13
HP Medical Archive
21
22
19
20
57
HPMA Audit Message Reference
Table 4: Object Audit Messages
Code Description Page
SREM Object Store Remove—A content block was deleted from a node,
and can no longer be requested directly.
SVRF Object Store Verify Fail—A content block failed verification checks. 59
SVRU Object Store Verify Unknown—Unexpected file(s) detected in the
object store.

HTTP Protocol Audit Messages

HTTP Protocol audit messages represent events related to interactions with internal and external system components using the HTTP proto­col. These include:
Session establishment/breakdown
Object storage
Retrieval
Query
Table 5: HTTP Protocol Audit Messages
Code Description Page
58
59
HTSE HTTP Session Establish—A remote host successfully established an
HTTP session to the node.
HTSC HTTP Session Close—An HTTP client closed a previously-estab-
lished HTTP session.
HHEA HTTP HEAD Transaction—Information about a piece of content
was requested by an HTTP client.
HGES HTTP GET Transaction Start—A request for a GET transaction to
transfer content to an HTTP client was initiated.
HGEE HTTP GET Transaction End—A GET transaction to transfer content
to an HTTP client completed.
HPUS HTTP PUT Transaction Start—A PUT transaction to transfer content
from an HTTP client was initiated.
HPUE HTTP PUT Transaction End—A PUT transaction to transfer content
from an HTTP client completed.
54
53
48
47
46
53
52
14
HP Medical Archive
Message Reference
Table 5: HTTP Protocol Audit Messages
Code Description Page
HPOS HTTP POST Transaction Start—An HTTP client initiated a query for
stored content.
HPOE HTTP POST Transaction End—An HTTP client completed a query
for stored content.
HDEL HTTP DELETE Transaction—Logs the result of a request to delete
content.
HOPT HTTP OPTIONS Transaction—Logs the result of a request for infor-
mation about the transactions that can be performed on content.
HCPS HTTP PUT C–STORE Start—A PUT transaction to transfer content
between hosts was initiated.
HCPE HTTP PUT C–STORE End—A PUT transaction to transfer content
between hosts completed.

DICOM Audit Messages

This set of messages log activity related to interactions with external systems using the DICOM protocol. These include:
Association establishment
C–STORE
C–FIND
C–MOVE
N–ACTION (storage commitment)
51
50
45
49
45
44
Table 6: DICOM Audit Messages
Code Description Page
DASE DICOM Association Establish—A successful inbound or outbound
DICOM association was established with a remote host.
DASC DICOM Association Close—An established DICOM association
with a remote host closed.
DASF DICOM Association Fail—An association attempt failed (remote
host cannot process the DICOM protocol, or the request was rejected).
DCPS DICOM C–STORE Start—A transfer of content between hosts over a
DICOM association has started.
15
HP Medical Archive
24
24
25
34
HPMA Audit Message Reference
Table 6: DICOM Audit Messages
Code Description Page
DCPE DICOM C–STORE End—A transfer of content between hosts over a
DICOM association has completed.
DCSF DICOM C–STORE Fail—A transfer of content between hosts over a
DICOM association has failed.
DCFS DICOM C–FIND Start—A remote DICOM host initiated a query for
DICOM-related content.
DCFE DICOM C–FIND End—A remote DICOM host completed a query
for DICOM-related content.
DCGS DICOM C–GET Start—A remote DICOM host initiated a query/
retrieve for DICOM-related content.
DCGE DICOM C–GET End—A remote DICOM host completed a query/
retrieve for DICOM-related content.
DCMS DICOM C–MOVE Start—A remote DICOM host initiated a transfer
of DICOM instances to a remote Application Entity.
DCME DICOM C–MOVE End—A remote DICOM host completed a
transfer of DICOM instances to a remote Application Entity.
DCMT DICOM Storage Commitment—A remote DICOM host initiated an
operation to check if content was previously stored.
32
34
27
26
29
28
31
29
32
CDAD DICOM Study Add—A new study (not previously recorded by the
CMS) or a new instance (image) to a known study has been added.
23

File System Gateway Audit Messages

This set of messages log activity related to interactions with external systems via the File System Gateway (FSG) interface to the grid.
Table 7: File System Gateway Audit Messages
Code Description Page
FCRE File Create—Logs the addition of new files (not directories) to the
FSG.
FDEL File Delete—Logs deletion of a file from the FSG directory tree (not
from the grid).
FRNM File Rename—Logs changes to the name or path of an existing file. 41
16
HP Medical Archive
40
40
Message Reference
Table 7: File System Gateway Audit Messages
Code Description Page
FMFY File Modify—Logs changes to the content of an existing file. 41
FSTG File Store to Grid—Logs the storage of content from the FSG local
cache to the grid.
FSWO File Swap Out—Logs the deletion of a file from the FSG local cache
(but not from the directory tree or grid).
FSWI File Swap In—Logs the retrieval of a file from the grid to the FSG
local cache.
As content is added to the grid via the FSG, the content is first stored locally in a cache on the FSG server. The FSG manages ingesting the content to the grid. The content in the cache can be purged if space is needed for new content, either inbound or outbound. As the cache content is changed, additional audit messages are logged.
Any changes made to the name or content of a file previously entered in the FSG are also logged, as are file deletions from the FSG. Note that deletions to the FSG result in removal of the entry from the FSG direc­tory tree; however the file content is retained in the grid and can be directly accessed via the assigned content block ID.
42
43
42

Audit Message Reference

BKSB—Backup Store Begin
When a service begins a backup operation—storing private structured data to the grid—this message is generated.
Table 8: BKSB—Backup Store Begin Fields
Code Field Description
BKSI Backup Session ID The unique identifier of the backup session that is being
started.
BKOI Backup Source
Entity
17
HP Medical Archive
The type of entity that is performing the backup; typi­cally one of: BFSG, BCMS, or BNMS.
HPMA Audit Message Reference
Table 8: BKSB—Backup Store Begin Fields (cont.)
Code Field Description
BKEE Entries to Backup The number of entries (objects) the entity expects to
include in this backup session. If the value is unknown, this field is set to zero (0).
RSLT Backup Initiation
Status
This message marks the time of a backup session. It allows you to match the message with a corresponding BKSE end message to deter­mine that backups are happening as planned and whether they are successful.
This field indicates status at the time the backup store was initiated: SUCS—the backup store started successfully.
BKSE—Backup Store End
When a service completes a backup operation, this message is generated.
Table 9: BKSE—Backup Store End Fields
Code Field Description
BKSI Backup Session ID The unique identifier of the backup session that has been
completed.
BKOI Backup Source
Entity
The type of entity that performed the backup; typically one of: BFSG, BCMS, or BNMS.
BKEA Entries Backed Up The actual number of entries (objects) that were included
in this backup session. You can compare this to BKEE in the BKSB message.
UUID Backup UUID The Universal Unique IDentifier assigned to the backup
by the grid. If the backup session fails or is aborted, this value is the NULL UUID.
RSLT Backup Result The completion status of the backup session:
SUCS—The backup completed successfully. ABRT—The backup was aborted. FAIL—The backup failed before completion. STFL—The backup data could not be stored in the grid.
Matching this message with the corresponding BKSB message can indicate the time it took to perform the backup. This message indicates
18
HP Medical Archive
whether the backup was successful and the UUID of the backup data within the grid, should a restoration be needed.
CBRB—Object Receive Begin
During normal system operations, content blocks are continuously transferred between different nodes as data is accessed, replicated and retained. When transfer of a content block from one node to another is initiated, this message is issued by the destination entity.
Table 10: CBRB—Object Receive Begin Fields
Code Field Description
Message Reference
CNID Connection
Identifier
CBID Content Block
Identifier
CTDR Transfer Direction Indicates if the CBID transfer was push-initiated or pull-
CTSR Source Entity The node ID of the source (sender) of the CBID transfer.
CTDS Destination Entity The node ID of the destination (receiver) of the CBID
CTSS Start Sequence
Count
CTES Expected End
Sequence Count
The unique identifier of the node-to-node content block transfer.
The unique identifier of the content block being transferred.
initiated: PUSH—the transfer operation was requested by the sending entity. PULL—the transfer operation was requested by the receiving entity.
transfer.
Indicates the first sequence count requested. If success­ful, the transfer begins from this sequence count.
Indicates the last sequence count requested. If successful, the transfer is considered complete when this sequence count has been received.
RSLT Transfer Start
Status
This audit message means a node-to-node data transfer operation was initiated on a single piece of content, as identified by its Content Block Identifier. The operation requests data from “Start Sequence Count” to “Expected End Sequence Count”. Sending and receiving nodes are identified by their node IDs. This information can be used to track
19
HP Medical Archive
Status at the time the transfer was started: SUCS—transfer started successfully.
HPMA Audit Message Reference
system data flow, and when combined with storage audit messages, to verify replica counts.
CBRE—Object Receive End
When transfer of a content block from one node to another is com­pleted, this message is issued by the destination entity.
Table 11: CBRE—Object Receive End Fields
Code Field Description
CNID Connection
Identifier
CBID Content Block
Identifier
CTDR Transfer Direction Indicates if the CBID transfer was push-initiated or pull-
CTSR Source Entity The node ID of the source (sender) of the CBID transfer.
CTDS Destination Entity The node ID of the destination (receiver) of the CBID
CTSS Start Sequence
Count
CTAS Actual End
Sequence Count
The unique identifier of the node-to-node content block transfer.
The unique identifier of the content block being transferred.
initiated: PUSH—the transfer operation was requested by the sending entity. PULL—the transfer operation was requested by the receiving entity.
transfer.
Indicates the sequence count on which the transfer started.
Indicates the last sequence count successfully trans­ferred. If the Actual End Sequence Count is the same as the Start Sequence Count, and the Transfer Result was not successful, no data was exchanged.
RSLT Transfer Result The result of the transfer operation (from the perspective
of the sending entity): SUCS—transfer successfully completed; all requested sequence counts were sent.
CONL—connection lost during transfer CTMO—connection timed-out during establishment UNRE—destination node ID unreachable CRPT—transfer ended due to reception of corrupt or
invalid data (may indicate tampering)
20
HP Medical Archive
This audit message means a node-to-node data transfer operation was completed. If the Transfer Result was successful, the operation trans­ferred data from “Start Sequence Count” to “Actual End Sequence Count”. Sending and receiving nodes are identified by their node IDs. This information can be used to track system data flow and to locate, tabulate, and analyze errors. When combined with storage audit mes­sages, it can also be used to verify replica counts.
CBSB—Object Send Begin
During normal system operations, content blocks are continuously transferred between different nodes as data is accessed, replicated and retained. When transfer of a content block from one node to another is initiated, this message is issued by the source entity.
Table 12: CBSB—Object Send Begin Fields
Code Field Description
Message Reference
CNID Connection
Identifier
CBID Content Block
Identifier
CTDR Transfer Direction Indicates if the CBID transfer was push-initiated or pull-
CTSR Source Entity The node ID of the source (sender) of the CBID transfer.
CTDS Destination Entity The node ID of the destination (receiver) of the CBID
CTSS Start Sequence
Count
CTES Expected End
Sequence Count
RSLT Transfer Start
Status
The unique identifier of the node-to-node content block transfer.
The unique identifier of the content block being transferred.
initiated: PUSH—the transfer operation was requested by the sending entity. PULL—the transfer operation was requested by the receiving entity.
transfer.
Indicates the first sequence count requested. If success­ful, the transfer begins from this sequence count.
Indicates the last sequence count requested. If successful, the transfer is considered complete when this sequence count has been received.
Status at the time the transfer was started: SUCS—transfer started successfully.
21
HP Medical Archive
HPMA Audit Message Reference
This audit message means a node-to-node data transfer operation was initiated on a single piece of content, as identified by its Content Block Identifier. The operation requests data from “Start Sequence Count” to “Expected End Sequence Count”. Sending and receiving nodes are identified by their node IDs. This information can be used to track system data flow, and when combined with storage audit messages, to verify replica counts.
CBSE—Object Send End
When transfer of a content block from one node to another is com­pleted, this message is issued by the source entity.
Table 13: CBSE—Object Send End Fields
Code Field Description
CNID Connection
Identifier
CBID Content Block
Identifier
CTDR Transfer Direction Indicates if the CBID transfer was push-initiated or pull-
CTSR Source Entity The node ID of the source (sender) of the CBID transfer.
CTDS Destination Entity The node ID of the destination (receiver) of the CBID
CTSS Start Sequence
Count
CTAS Actual End
Sequence Count
The unique identifier of the node-to-node content block transfer.
The unique identifier of the content block being transferred.
initiated: PUSH—the transfer operation was requested by the sending entity. PULL—the transfer operation was requested by the receiving entity.
transfer.
Indicates the sequence count on which the transfer started.
Indicates the last sequence count successfully trans­ferred. If the Actual End Sequence Count is the same as the Start Sequence Count, and the Transfer Result was not successful, no data was exchanged.
22
HP Medical Archive
Message Reference
Table 13: CBSE—Object Send End Fields (cont.)
Code Field Description
RSLT Transfer Result The result of the transfer operation (from the perspective
of the sending entity): SUCS—transfer successfully completed; all requested sequence counts were sent.
CONL—connection lost during transfer CTMO—connection timed-out during establishment UNRE—destination node ID unreachable CRPT—transfer ended due to reception of corrupt or
invalid data (may indicate tampering)
This audit message means a node-to-node data transfer operation was completed. If the Transfer Result was successful, the operation trans­ferred data from “Start Sequence Count” to “Actual End Sequence Count”. Sending and receiving nodes are identified by their node IDs. This information can be used to track system data flow and to locate, tabulate, and analyze errors. When combined with storage audit mes­sages, it can also be used to verify replica counts.
CDAD—DICOM Study Add
When a new DICOM study ID is ingested, or when new images are added to an existing study, this logs the addition.
Table 14: CDAD—DICOM Study Add Fields
Code Field Description
STDY Study GUID The unique DICOM study identifier.
SIMC Number of Images The number of instances (images) in the study.
This audit message appears for each new study instance (image) that is added to the grid. As a new study appears, the message indicates the new study is now known to the grid. As images are added to the study, the message appears with the new count of images.
23
HP Medical Archive
HPMA Audit Message Reference
DASC—DICOM Association Close
When an established DICOM association with a remote host is closed, this message is issued.
Table 15: DASC—DICOM Association Close Fields
Code Field Description
ASID Association
Identifier
RSLT Closing State Indicates how the association closed:
This audit message means the DICOM association specified by the Association Identifier is no longer established. The DASC message always corresponds with a previous DASE (Association Establish) message. DASC should be monitored to determine if there are exces­sive problems during attempts to establish an association. Problems could indicate communications or interoperability issues related to DICOM implementation.
The unique identifier assigned to the DICOM association.
SUCS—closed normally without errors TOUT—timed-out by the node due to inactivity ERRC—lost connection ABRT—aborted GERR—general data processing error
DASE—DICOM Association Establish
When a DICOM association is established between a node and a host, this message is issued.
Table 16: DASE—DICOM Association Establish Fields
Code Field Description
CNID Connection
Identifier
ASID Association
Identifier
24
The unique identifier assigned to the connection over which the DICOM association was established.
The unique identifier assigned to the DICOM association.
HP Medical Archive
Table 16: DASE—DICOM Association Establish Fields (cont.)
Code Field Description
Message Reference
DIDR Association
Direction
RMAE External Applica-
tion Entity
GRAE Grid Application
Entity
This audit message means a successful inbound or outbound DICOM association was established with a remote host. It can be used to track hosts communicating with the system via DICOM.
The Grid Application Entity field allows identification of related con­figuration and coerce tag profiles, if applicable.
Indicates whether the association was opened by the grid node or by a remote host: INBO—initiated by a remote host connecting to the grid node OUTB—initiated by the grid node connecting to a remote host
The Application Entity Title of the remote device.
The Application Entity Title of the grid.
DASF—DICOM Association Fail
When an attempt by a DICOM service to establish an association fails, this message is issued. This can occur if the remote host cannot process the DICOM protocol, or when either side of the communication rejects the association request.
Table 17: DASF—DICOM Association Fail Fields
Code Field Description
CNID Connection
Identifier
ASID Association
Identifier
DIDR Association
Direction
25
HP Medical Archive
The unique identifier assigned to the connection over which the DICOM association was established.
The unique identifier assigned to the DICOM association.
Indicates whether the association was opened by the grid node or by a remote host: INBO—initiated by a remote host connecting to the grid node OUTB—initiated by the grid node connecting to a remote host
HPMA Audit Message Reference
Table 17: DASF—DICOM Association Fail Fields (cont.)
Code Field Description
RMAE External Applica-
tion Entity
GRAE Grid Application
Entity
RSLT Failure Code Reason for the failure:
This audit message should be monitored to determine if there are repetitive or excessive problems during attempts to establish an associ­ation. Problems could indicate communications or interoperability issues related to DICOM implementation, or incorrectly configured external DICOM devices.
The Grid Application Entity field allows identification of related con­figuration and coerce tag profiles, if applicable.
The Application Entity Title of the remote device (if unknown, this field contains a null string).
The Application Entity Title of the grid.
ERRC—connection closed by remote host before an association could be established
TOUT—timeout period expired REJT—association rejected PERM—calling AE Title denied permission to connect CONF—unexpected remote AE Title COMP—suitable presentation context could not be
negotiated GERR—unknown data received from remote host
DCFE—DICOM C–FIND End
When a DICOM association completes a C–FIND operation to query available content, this message is issued.
Table 18: DCFE—DICOM C–FIND End Fields
Code Field Description
ASID Association
Identifier
DIDR C–FIND Direction Indicates whether the C–FIND was initiated by the grid
26
The unique identifier assigned to the DICOM association.
node or by a remote host: INBO—initiated by a remote host
HP Medical Archive
Table 18: DCFE—DICOM C–FIND End Fields (cont.)
Code Field Description
Message Reference
ROOT DICOM Query
Root
LEVL DICOM Query
Level
RSFD Results Found The number of DICOM objects found matching the
RSLT Result Code The result of the C–FIND operation:
This audit message means a remote DICOM host initiated and com­pleted a query for DICOM-related content. It can be monitored to determine the content being queried. The “Result Code” field can be used to determine when errors occur.
The time interval between the C–FIND Start and C–FIND End audit messages tells you how long the related C–FIND operations are taking to complete.
The query root specified in the C–FIND.
The query level specified in the C–FIND.
query.
SUCS—successful CANC—cancelled by the Service Class User GERR—general error processing the C–FIND command
DCFS—DICOM C–FIND Start
When a DICOM association initiates a C–FIND operation to query available content, this message is issued.
Table 19: DCFS—DICOM C–FIND Start Fields
Code Field Description
ASID Association
Identifier
DIDR C–FIND Direction Indicates whether the C–FIND was initiated by the grid
ROOT DICOM Query
Root
LEVL DICOM Query
Level
The unique identifier assigned to the DICOM association.
node or by a remote host: INBO—initiated by a remote host
The query root specified in the C–FIND.
The query level specified in the C–FIND.
27
HP Medical Archive
HPMA Audit Message Reference
This audit message means a remote DICOM host initiated a query for DICOM-related content. It can be monitored to determine the content being queried.
The time interval between the C–FIND Start and C–FIND End audit messages tells you how long the related C–FIND operations are taking to complete.
DCGE—DICOM C–GET End
When a DICOM association completes a C–GET operation to query and retrieve found content, this message is issued.
Table 20: DCGE—DICOM C–GET End Fields
Code Field Description
ASID Association
Identifier
DIDR C–GET Direction Indicates whether the C–GET was initiated by the grid
ROOT DICOM Query
Root
LEVL DICOM Query
Level
RSFD Results Found The number of DICOM objects retrieved matching the
RSLT Result Code The result of the C–GET operation:
This audit message means a remote DICOM host initiated and com­pleted a query/retrieve for DICOM-related content. It can be monitored to determine the content being retrieved. The “Result Code” field can be used to determine when errors occur.
The unique identifier assigned to the DICOM association.
node or by a remote host: INBO—initiated by a remote host
The query root specified in the C–GET.
The query level specified in the C–GET.
query.
SUCS—successful CANC—cancelled by the Service Class User GERR—general error processing the C–GET command
The time interval between the C–GET Start and C–GET End audit messages tells you how long the related C–GET operations are taking to complete.
28
HP Medical Archive
DCGS—DICOM C–GET Start
When a DICOM association initiates a C–GET operation to query and retrieve DICOM content, this message is issued.
Table 21: DCGS—DICOM C–GET Start Fields
Code Field Description
Message Reference
ASID Association
Identifier
DIDR C–GET Direction Indicates whether the C–GET was initiated by the grid
ROOT DICOM Query
Root
LEVL DICOM Query
Level
This audit message means a remote DICOM host initiated a query/ retrieve for DICOM-related content. It can be monitored to determine the content being retrieved. The C–STORE audit messages on the same association (i.e. C–STORE audit messages with the same Association Identifier) between the C–GET Start and C–GET End messages corre­spond to the retrieved objects associated with the initial query.
The time interval between the C–GET Start and C–GET End audit messages tells you how long the related C–GET operations are taking to complete.
The unique identifier assigned to the DICOM association.
node or by a remote host: INBO—initiated by a remote host
The query root specified in the C–GET.
The query level specified in the C–GET.
DCME—DICOM C–MOVE End
When a DICOM association completes a C–MOVE operation to query and retrieve found content over a second association, this message is issued.
Table 22: DCME—DICOM C–MOVE End Fields
Code Field Description
ASID Association
Identifier
29
HP Medical Archive
The unique identifier assigned to the DICOM association.
HPMA Audit Message Reference
Table 22: DCME—DICOM C–MOVE End Fields (cont.)
Code Field Description
DIDR C–MOVE Direction Indicates whether the C–MOVE was initiated by the grid
node or by a remote host:
INBO—initiated by a remote host
ROOT DICOM Query
The query root specified in the C–MOVE.
Root
LEVL DICOM Query
The query level specified in the C–MOVE.
Level
SAET Source Application
The source AE-Title for the C–MOVE operation.
Entity (AE) Title
DAET Destination
The destination AE-Title for the C–MOVE operation.
AE-Title
RSFD Results Found The number of DICOM objects retrieved matching the
query.
RSLT Result Code The result of the C–MOVE operation:
SUCS—successful CANC—cancelled by the Service Class User GERR—general error processing the C–MOVE
command
This audit message means a remote DICOM host initiated and com­pleted a a C–MOVE operation to transfer DICOM content. It can be monitored to determine the content being queried/transferred. The “Result Code” field can be used to determine when errors occur.
The time interval between the C–MOVE Start and C–MOVE End audit messages tells you how long the related C–MOVE operations are taking to complete.
30
HP Medical Archive
DCMS—DICOM C–MOVE Start
When a DICOM association initiates a C–MOVE operation to query and transfer DICOM content over a second association, this message is issued.
Table 23: DCMS—DICOM C–MOVE Start Fields
Code Field Description
Message Reference
ASID Association
Identifier
DIDR C–MOVE Direction Indicates whether the C–MOVE was initiated by the grid
ROOT DICOM Query
Root
LEVL DICOM Query
Level
SAET Source Application
Entity (AE) Title
DAET Destination
AE-Title
This audit message means a remote DICOM host initiated a C–MOVE operation to transfer DICOM instances to a remote Application Entity. It can be monitored to determine the content being retrieved. The C– STORE audit messages on the same association (i.e. C–STORE audit messages with the same Association Identifier) resulting from the C– MOVE correspond to the retrieved objects.
The unique identifier assigned to the DICOM association.
node or by a remote host: INBO—initiated by a remote host
The query root specified in the C–MOVE.
The query level specified in the C–MOVE.
The source AE-Title for the C–MOVE operation.
The destination AE-Title for the C–MOVE operation.
The time interval between the C–MOVE Start and C–MOVE End audit messages tells you how long the related C–MOVE operations are taking to complete.
31
HP Medical Archive
HPMA Audit Message Reference
DCMT—DICOM Storage Commitment
When a DICOM association initiates a Storage Commitment operation to determine if content has been successfully received and stored, this message is issued.
Table 24: DCMT—DICOM Storage Commitment Fields
Code Field Description
ASID Association
Identifier
ISTR Items Requested The number of items requested for storage verification.
ISTS Items Stored The number of items requested for verification which
ISTN Items not Stored The number of items requested for verification which
RSLT Result Code Result of the Storage Commitment operation:
This audit message means a remote DICOM host initiated a Storage Commitment operation to check whether content has been previously stored. It can be used to discover situations where a discrepancy exists between content storage requests and what was in fact successfully stored.
The unique identifier assigned to the DICOM association.
have been successfully stored.
have not been successfully stored.
SUCS—successful GERR—an error occurred during Storage Commitment
processing
DCPE—DICOM C–STORE End
When a DICOM association completes a C–STORE operation to transfer content from one host to another, this message is issued.
Table 25: DCPE—DICOM C–STORE End Fields
Code Field Description
ASID Association
Identifier
DIDR C–STORE
Direction
32
The unique identifier assigned to the DICOM association.
Indicates whether the C–STORE was initiated by the grid node or by a remote host:
INBO—initiated by a remote host OUTB—initiated by the node
HP Medical Archive
Message Reference
Table 25: DCPE—DICOM C–STORE End Fields (cont.)
Code Field Description
STUG Study Instance UID The Study Identifier of the data being transferred.
SERG Series Instance UID The Series Identifier of the data being transferred.
IMGG SOP Instance UID The Image Identifier of the data being transferred.
STCL SOP Class The SOP Class of the instance.
STTX Transfer Syntax The Transfer Syntax of the instance.
CBID Content Block
The identifier of the content block being transferred.
Identifier
CSIZ Content Size The size of the original content stored, in bytes.
BSIZ Object Size The size of the managed fixed content object (after com-
pression), in bytes.
RSLT Result Code The result of the C–STORE operation:
SUCS—successful CANC—canceled TOUT—timed-out due to inactivity COMP—presentation contexts not accepted ERRC—lost connection ERFH—failure message sent by remote application
entity
CTNF—content to be transferred was not found CVRF—content to be transferred failed verification GERR—general error processing content
This audit message means a transfer of content between hosts over a DICOM association completed. The message can be monitored to determine the content sent to particular systems. The “Result Code” field can be used to determine when errors occurred.
33
HP Medical Archive
HPMA Audit Message Reference
DCPS—DICOM C–STORE Start
When a DICOM association initiates a C–STORE operation to transfer content from one host to another, this message is issued.
Table 26: DCPS—DICOM C–STORE Start Fields
Code Field Description
ASID Association
Identifier
DIDR C–STORE
Direction
STUG Study Instance UID The Study Identifier of the data being transferred.
SERG Series Instance UID The Series Identifier of the data being transferred.
IMGG SOP Instance UID The Image Identifier of the data being transferred.
STCL SOP Class The SOP Class of the instance.
STTX Transfer Syntax The Transfer Syntax of the instance.
CBID Content Block
Identifier
This audit message means a transfer of content between hosts over a DICOM association has started. The message can be monitored to determine the content sent to particular systems.
The unique identifier assigned to the DICOM association.
Indicates whether the C–STORE was initiated by the grid node or by a remote host:
INBO—initiated by a remote host OUTB—initiated by the node
The identifier of the content block being transferred.
DCSF—DICOM C–STORE Fail
When a an association to perform a requested C–STORE cannot be established, or the information required to establish an association to perform a C–STORE cannot be located, the C–STORE operation fails, and this message is issued.
Table 27: DCSF—DICOM C–STORE Fail Fields
Code Field Description
SVIP Destination Service
Port
34
The destination port for the C–STORE operation. If unknown, this field is omitted from the audit message output.
HP Medical Archive
Table 27: DCSF—DICOM C–STORE Fail Fields (cont.)
Code Field Description
Message Reference
DAIP Destination IP
Address
The destination IP address for the C–STORE operation. If unknown, this field is omitted from the audit message output.
RMAE External Applica-
tion Entity (AE)
DIDR C–STORE
Direction
The AE-Title of the destination device. If unknown, this field is omitted from the audit message output.
Indicates whether the C–STORE was initiated by the grid node or by a remote host:
INBO—initiated by a remote host OUTB—initiated by the node
STUG Study Instance UID The Study Identifier of the data being transferred. If
unknown, this field is omitted from the audit message output.
SERG Series Instance UID The Series Identifier of the data being transferred. If
unknown, this field is omitted from the audit message output.
IMGG SOP Instance UID The Image Identifier of the data being transferred. If
unknown, this field is omitted from the audit message output.
STCL SOP Class The SOP Class of the instance. If unknown, this field is
omitted from the audit message output.
CBID Content Block
The identifier of the content block being transferred.
Identifier
RSLT Result Code Why the C–STORE was unable to complete:
CBLK—the CBID associated with the image could not be
referenced CBNM—CBID associated with the image did not contain metadata, or had invalid metadata in the CMS ASOF—an association could not be established for the C-STORE request. CSDI—extraction error while processing incoming C-STORE transaction data.
This audit message means a transfer of content between hosts over a DICOM association failed. This can be symptomatic of network prob­lems, or indicate attempts to send data to systems that do not support the image SOP Class.
35
HP Medical Archive
HPMA Audit Message Reference
ETAF—Security Authentication Failed
A connection attempt using Transport Layer Security (TLS) has failed.
Table 28: ETAF—Security Authentication Failed Fields
Code Field Description
CNID Connection
Identifier
RUID User Identity A service dependent identifier representing the identity
RSLT Reason Code The reason for the failure:
When a connection is established to a secure service that uses TLS, the credentials of the remote entity are verified using the TLS profile and additional logic built into the service. If this authentication fails due to invalid, unexpected, or disallowed certificates or credentials, an audit message is logged. This enables queries for unauthorized access attempts and other security-related connection problems.
The unique grid identifier for the TCP/IP connection over which the authentication failed.
of the remote user.
SCNI—Secure connection establishment failed. CERM—Certificate was missing. CERT—Certificate was invalid. CERE—Certificate was expired. CERR—Certificate was revoked. CSGN—Certificate signature was invlid. CSGU—Certificate signer was unknown. UCRM—User credentials were missing. UCRI—User credentials were invalid. UCRU—User credentials were disallowed. TOUT—Authentication timed out.
The message could result from a remote entity having an incorrect configuration, or from attempts to present invalid or disallowed cre­dentials to the system. This audit message should be monitored to detect attempts to gain unauthorized access to the system.
36
HP Medical Archive
Message Reference
ETCA—TCP/IP Connection Establish
When a connection to a service running on a node is permitted, this message is generated.
Table 29: ETCA—TCP/IP Connection Establish Fields
Code Field Description
SEID Service Identifier The unique identifier of the service to which the connec-
tion was established.
CNDR Connection
Direction
SVIP Destination Service
Port
DAIP Destination IP
Address
SAIP Source IP Address The IP address the connection was established from
CNID Connection
Identifier
RSLT Result Code Connection status:
This audit message means an incoming or outgoing TCP/IP connection was successfully established. This does not indicate the corresponding user was permitted to use the service - just that they were not rejected. Typically, each service implements additional authentication mecha­nisms specific to the service type (DICOM, HTTP etc.).
Indicates whether the connection was opened by the grid node or by a remote host: INBO—connection initiated by a remote host, which con­nected to the node OUTB—connection initiated by the grid node, which connected to a remote host
The port the connection was established to.
The IP address the connection was established to.
(local IP address).
The unique identifier of the connection.
SUCS—connection successfully established
This message can be used to report on external hosts communicating with the system, and to correlate higher level protocol messages back to the IP address initiating the activity. The “Connection Identifier” field allows correlation of audit messages related to actions performed during a session.
37
HP Medical Archive
HPMA Audit Message Reference
ETCC—TCP/IP Connection Close
When the system on either side of an established connection closes the connection (either normally or abnormally), this message is generated.
Table 30: ETCC—TCP/IP Connection Close Fields
Code Field Description
CNID Connection
Identifier
INIE Initiating Entity The entity causing the connection to be closed:
RSLT Result Code Why the connection was closed:
This audit message means a TCP/IP connection was closed. When this message is generated, the corresponding connection ID no longer exists, and the associated TCP/IP connection is no longer established.
This message can be used to detect problems within the system, such as network issues over a WAN, or interoperability problems between systems. The “Connection Identifier” field allows correlation of audit messages related to actions performed during a session.
The unique identifier of the connection.
LOCL—the node closed the connection RMOT—the remote entity closed the connection
SUCS—connection closed at an expected point CLIN—client (remote side) closed the connection at an
expected point LOST—connection closed by the remote entity at an unexpected point TOUT—connection timed-out and was closed
ETCF—TCP/IP Connection Fail
When an attempt to establish a connection to a remote service fails during establishment, this message is generated.
Table 31: ETCF—TCP/IP Connection Fail Fields
Code Field Description
SEID Service Identifier The unique identifier of the service to which the connec-
tion was attempted.
38
HP Medical Archive
Table 31: ETCF—TCP/IP Connection Fail Fields (cont.)
Code Field Description
Message Reference
CNDR Connection
Direction
Indicates the connection attempt was made to a remote host: OUTB—connection initiated by the grid node, which attempted a connection to a remote host
SVIP Destination Service
The port to which the connection attempt was made.
Port
DAIP Destination IP
Address
The IP address to which the connection attempt was made (remote IP address).
SAIP Source IP Address The IP address from which the connection attempt was
made (local IP address).
CNID Connection
The unique identifier of the attempted connection.
Identifier
RSLT Result Code Why the attempted connection failed:
CRFU—outgoing connection refused by remote host UNRE—destination (remote host) unreachable ATHF—TCP/IP connection level authentication failure
This audit message means an outgoing connection attempt failed at the lowest level, due to communication problems - the corresponding service was unable to access the remote host, and the TCP/IP connec­tion was not established.
This message can be used to detect system problems such as configu­ration errors where content is being pushed to unreachable hosts, or where routing problems result in inaccessibility of hosts.
The message can also be used to report on the hosts to which content was pushed. The “Connection Identifier” field allows correlation of audit messages related to actions performed during a session.
39
HP Medical Archive
HPMA Audit Message Reference
FCRE—File Create
When a new file is created on the FSG, this logs the creation.
Table 32: FCRE—File Create Fields
Code Field Description
FPTH File Path The complete path and name of the file that has been
created.
This audit message means a new file entry has been added to the FSG directory tree. The content of the file resides on the local FSG cache, and the process of storing it within the grid has initiated.
Directory creation operations on the FSG do not generate audit messages.
FDEL—File Delete
When an existing file entry in the FSG is deleted, this logs the deletion.
Table 33: FDEL—File Delete Fields
Code Field Description
FPTH File Path The complete path and name of the file that has been
deleted.
This audit message means an existing file entry has been deleted from the FSG directory tree. The content of the file residing within the grid is not affected, however the file becomes inaccessible through the FSG.
Deletion of empty directories on the FSG do not generate audit messages.
Deleting a directory triggers an audit message for each enclosed file that is deleted.
40
HP Medical Archive
Message Reference
FMFY—File Modify
When an existing file entry in the FSG is modified (overwritten), this logs the change.
Table 34: FMFY—File Modify Fields
Code Field Description
FPTH File path The complete path and name of the file being modified.
UUID Universal Unique IDThe identifier of the original version of the file within the
grid.
The original content of the file being changed is retained within the grid at the UUID provided, but can no longer be accessed through the FSG. The content is available through other direct grid interfaces by referencing the UUID number.
The new content of the file is cached in the local FSG, and the process of storing it within the grid is initiated.
FRNM—File Rename
When an existing file entry in the FSG is renamed, this logs the change.
Table 35: FRNM—File Rename Fields
Code Field Description
OLDP Original file path The complete path and name of the (original) file being
renamed.
NEWP New file path The complete path and name being assigned to the file.
An existing file entry in the FSG directory tree is changing. The content of the file residing within the grid is not affected, however metadata associating the file path and name is changed.
Renaming a directory does not trigger any audit messages. The metadata recorded for any enclosed files remains unchanged, indicat­ing the original ingest location only.
41
HP Medical Archive
HPMA Audit Message Reference
FSTG—File Store to Grid
When new content is stored via the FSG, the content is cached locally by the FSG server and is copied into the grid. When the grid confirms it has stored the copy (and is processing it under its business rules for replication), this message is issued.
Table 36: FSTG—File Store to Grid Fields
Code Field Description
FPTH File path The complete path and name of the file being stored.
FLTP File Type Indicates the type of object storage, as processed by the
grid’s file type detection.
UUID Universal Unique IDThe identifier of the file content within the grid.
RSLT Result Code The result of the storage operation:
SUCS—Successfully stored. FTER—Failed extended type verification (will be re-
ingested as a generic object).
TOUT—Failed due to timeout. ERRC—Failed due to lost connection. GERR—A general error occurred while storing content.
If a failure is logged, the FSG initiates a new storage attempt. Retries continue until successful.
FSWI—File Swap In
A file has been retrieved from the grid for storage in the FSG local cache. Content still resides in the grid.
Table 37: FSWI—File Swap In Fields
Code Field Description
FPTH File path The complete path and name of the file added to the FSG
local cache.
UUID Universal Unique IDThe identifier of the file content within the grid.
42
HP Medical Archive
Table 37: FSWI—File Swap In Fields (cont.)
Code Field Description
RSLT Result Code The result of the file retrieve operation:
SUCS—Successfully retrieved. TOUT—Failed due to timeout. ERRC—Failed due to lost connection. GERR—A general error occurred while retrieving the
content.
The original content of the file (along with its associated path and file name metadata) is retained within the grid at the UUID provided.
This message indicates that a file not stored in the FSG local cache has been accessed using the FSG. That access may be for the purpose of modification, in which case the FMFY message should also appear in the audit log.
Message Reference
FSWO—File Swap Out
A file has been purged from the FSG local cache. Content still resides in the grid and can be accessed using the FSG.
Table 38: FSWO—File Swap Out Fields
Code Field Description
FPTH File path The complete path and name of the file dropped from
the FSG local cache.
UUID Universal Unique IDThe identifier of the file content within the grid.
The original content of the file (along with its associated path and file name metadata) is retained within the grid at the UUID provided. The FSG interface can be used to retrieve the content from the grid.
43
HP Medical Archive
HPMA Audit Message Reference
HCPE—HTTP PUT C–STORE End
An object can be stored into the /DICOM namespace over an estab­lished HTTP session by initiating a PUT transaction to process and store the content as a DICOM object in the grid. When DICOM object storage has completed, this message is issued.
Table 39: HCPE—HTTP PUT C–STORE End Fields
Code Field Description
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
STUG Study Instance UID The Study Identifier of the data being stored.
SERG Series Instance UID The Series Identifier of the data being stored.
IMGG SOP Instance UID The Image Identifier of the data being stored.
STCL SOP Class The SOP Class of the instance.
STTX Transfer Syntax The Transfer Syntax of the instance.
CBID Content Block
Identifier
UUID Content UUID The Universal Unique IDentifier assigned to the success-
CSIZ Content Size The size of the original content stored, in bytes.
BSIZ Object Size The size of the managed fixed content object (after com-
RSLT Result Code The result of the DICOM Store operation:
This audit message means a transfer of content between hosts over an HTTP session completed. This message is generated prior to, and in addition to, the “HTTP PUT Transaction End” audit message.
The identifier of the corresponding content block for the successfully stored content. If the store operation was not successful, this field is set to 0.
fully stored content. If the UUID was not specified, or the store operation failed, this field is set to the NULL UUID.
pression), in bytes.
SUCS—successful TOUT—timed-out due to inactivity ERRS—session closed or lost while the C–STORE trans-
action was being performed
CTNF—content to be transferred was not found CVRF—content to be transferred failed verification GERR—general error processing content
44
HP Medical Archive
Message Reference
HCPS—HTTP PUT C–STORE Start
An object can be stored into the /DICOM namespace over an estab­lished HTTP session by initiating a PUT transaction to process and store the content as a DICOM object in the grid. When DICOM object storage has been initiated, this message is issued.
Table 40: HCPS—HTTP PUT C–STORE Start Fields
Code Field Description
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
STUG Study Instance UID The Study Identifier of the data being stored.
SERG Series Instance UID The Series Identifier of the data being stored.
IMGG SOP Instance UID The Image Identifier of the data being stored.
STCL SOP Class The SOP Class of the instance.
STTX Transfer Syntax The Transfer Syntax of the instance
RSLT Result Code Status at the time the C–STORE operation was initiated:
SUCS—C–STORE transaction successfully initiated
This audit message means a transfer of content between hosts over an HTTP session has been initiated. This message is generated after, and in addition to, the “HTTP PUT Transaction Start” audit message.
HDEL—HTTP DELETE Transaction
When an HTTP client issues a DELETE transaction, a request is made to remove the specified stored content, and this message is issued.
Table 41: HDEL—HTTP DELETE Transaction Fields
Code Field Description
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
OBNS Object Namespace The namespace within which the object to be removed
resides.
OBPA Object Path The path to the object to be removed.
OBNA Object Name The name of the object to be removed.
45
HP Medical Archive
HPMA Audit Message Reference
Table 41: HDEL—HTTP DELETE Transaction Fields (cont.)
Code Field Description
UUID Content UUID The Universal Unique IDentifier assigned to the content
requested for removal.
RSLT Result Code Result of the DELETE transaction:
SUCSsuccessful RONL—failed (read-only object) ERRS—session closed or lost while the DELETE transac-
tion was being performed
CTNF—content to be deleted not found AUTH—transaction terminated due to authorization
failure
BRQT—malformed DELETE transaction GERR—general error processing content
This audit message indicates the result of a request to delete content. If the specified content exists, it can be identified via the “Content UUID” field. The “Result Code” field can be used to determine when errors occurred.
HGEE—HTTP GET Transaction End
When an HTTP client completes a GET transaction to transfer content from the HTTP server to the HTTP client, this message is issued.
Table 42: HGEE—HTTP GET Transaction End Fields
Code Field Description
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
OBNS Object Namespace The namespace within which the requested object
resides.
OBPA Object Path The path to the requested object.
OBNA Object Name The name of the requested object.
CBID Content Block
Identifier
UUID Content UUID The Universal Unique IDentifier corresponding to the
The unique identifier of the corresponding content block requested. If the CBID is unknown, this field is set to 0.
requested content. If the UUID is unknown, this field is set to the NULL UUID.
46
HP Medical Archive
Table 42: HGEE—HTTP GET Transaction End Fields (cont.)
Code Field Description
RSLT Result Code Result of the GET transaction:
SUCSsuccessful TOUT—timed-out due to inactivity ERRS—session closed or lost while the GET transaction
was being performed CTNF—content to be transferred not found or generated (404) error CTRD—content requested resulted in a redirect operation
CVRF—content to be transferred failed validation AUTH—transaction terminated due to authorization
failure GERR—general error processing content
This audit message means a transfer of content to an HTTP client com­pleted. It can be monitored to determine the content sent to particular systems. The “Result Code” field can be used to determine when errors occurred.
Message Reference
HGES—HTTP GET Transaction Start
When an HTTP client initiates a GET transaction to transfer content from the HTTP server to the HTTP client, this message is issued.
Table 43: HGES—HTTP GET Transaction Start Fields
Code Field Description
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
OBNS Object Namespace The namespace within which the requested object
resides.
OBPA Object Path The path to the requested object.
OBNA Object Name The name of the requested object.
CBID Content Block
Identifier
UUID Content UUID The Universal Unique IDentifier corresponding to the
The unique identifier of the corresponding content block requested. If the CBID is unknown, this field is set to 0.
requested content. If the UUID is unknown, this field is set to the NULL UUID.
47
HP Medical Archive
HPMA Audit Message Reference
Table 43: HGES—HTTP GET Transaction Start Fields (cont.)
Code Field Description
RSLT Result Code Status at the time the request for the GET transaction was
initiated:
SUCS—GET transaction successfully initiated BRQT—GET transaction malformed
This audit message means a request for transfer of content to an HTTP client has been initiated. It can be monitored to determine the content sent to particular systems.
HHEA—HTTP HEAD Transaction
When an HTTP client initiates a HEAD transaction to request informa­tion about stored content, this message is issued.
Table 44: HHEA—HTTP HEAD Transaction Fields
Code Field Description
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
OBNS Object Namespace The namespace within which the requested object
resides.
OBPA Object Path The path to the requested object.
OBNA Object Name The name of the requested object.
CBID Content Block
Identifier
UUID Content UUID The Universal Unique IDentifier corresponding to the
The unique identifier of the corresponding content block about which information is being requested. If the CBID is unknown, this field is set to 0.
content about which information is being requested. If the UUID is unknown, this field is set to the NULL UUID.
48
HP Medical Archive
Table 44: HHEA—HTTP HEAD Transaction Fields (cont.)
Code Field Description
RSLT Result Code Result of the HEAD transaction:
SUCSsuccessful CTNF—specified content was not found, or generated
(404) error CTRD—content requested resulted in a redirect operation AUTH—transaction terminated due to authorization failure ERRS—session closed or lost while the HEAD transac­tion was being performed
BRQT—HEAD transaction malformed GERR—general error processing content
This audit message means information about a given piece of content was requested by an HTTP client. It can be monitored to determine the content inspected by clients. The “Result Code” field can be used to determine when errors occurred.
Message Reference
HOPT—HTTP OPTIONS Transaction
When an HTTP client initiates an OPTIONS transaction to discover which HTTP transactions can be performed on a given piece of content, this message is issued.
Table 45: HOPT—HTTP OPTIONS Transaction Fields
Code Field Description
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
OBNS Object Namespace The namespace within which the specified object resides.
OBPA Object Path The path to the specified object.
OBNA Object Name The name of the specified object.
49
HP Medical Archive
HPMA Audit Message Reference
Table 45: HOPT—HTTP OPTIONS Transaction Fields (cont.)
Code Field Description
RSLT Result Code Result of the OPTIONS transaction:
SUCSsuccessful ERRS—session closed or lost while the OPTIONS trans-
action was being performed AUTH—transaction terminated due to authorization failure
BRQT—OPTIONS transaction malformed GERR—general error processing content
This audit message indicates the result of a request for information about the transactions that can be performed on content. The OPTIONS transaction is typically performed to discover if content can be deleted, created, and so on.
HPOE—HTTP POST Transaction End
When a POST transaction initiated by an HTTP client to query avail­able content completes, this message is issued.
Table 46: HPOE—HTTP POST Transaction End Fields
Code Field Description
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
OBNS Object Namespace The namespace within which the query is performed.
RSFD Results Found The number of found objects matching the query.
RSLT Result Code Result of the POST query operation:
SUCSsuccessful TOUT—timed-out due to inactivity ERRS—session closed or lost while the POST transac-
tion was being performed CMLF—malformed query parameters received from client AUTH—transaction terminated due to authorization failure
BRQT—invalid POST query (bad request) GERR—general error processing content
50
HP Medical Archive
This audit message means an HTTP client has initiated and completed a query for stored content in the specified namespace. It can be moni­tored to determine the content being queried. The “Result Code” field can be used to determine when errors occurred.
The time between the “HTTP POST Transaction Start” and “HTTP POST Transaction End” audit messages tells you how long particular query operations are taking to complete.
HPOS—HTTP POST Transaction Start
When a POST transaction is initiated by an HTTP client to query avail­able content, this message is issued.
Table 47: HPOS—HTTP POST Transaction Start Fields
Code Field Description
Message Reference
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
OBNS Object Namespace The namespace within which the query is performed.
RSLT Result Code Status at the time the request for the POST transaction
was initiated:
SUCSPOST transaction initiated successfully BRQT—malformed POST transaction
This audit message means an HTTP client initiated a query for stored content in the specified namespace. It can be monitored to determine the content being queried.
The time between the “HTTP POST Transaction Start” and “HTTP POST Transaction End” audit messages tells you how long particular query operations are taking to complete.
51
HP Medical Archive
HPMA Audit Message Reference
HPUE—HTTP PUT Transaction End
When an HTTP client completes a PUT transaction to transfer content from the HTTP client to the HTTP server (the node), this message is issued.
Table 48: HPUE—HTTP PUT Transaction End Fields
Code Field Description
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
OBNS Object Namespace The namespace within which the stored object was
handled.
OBPA Object Path The path used to store the object.
OBNA Object Name The name of the stored object.
CBID Content Block
Identifier
UUID Content UUID The Universal Unique IDentifier assigned to the success-
CSIZ Content Size The size of the original content stored, in bytes.
BSIZ Object Size The size of the managed fixed content object (after com-
RSLT Result Code The result of the PUT transaction:
The identifier of the corresponding content block for the successfully-stored content. If the store operation was not successful, this field is set to 0.
fully stored content. If the UUID was not specified, or the store operation failed, this field is set to the NULL UUID.
pression), in bytes.
SUCS—successful TOUT—timed-out due to inactivity ERRS—session closed or lost while the PUT transaction
was being performed
CMLF—malformed content received from the client STER—storing the content failed AUTH—transaction terminated due to authorization
failure GERR—general error processing content
This audit message means a transfer of content from an HTTP client completed. If content was successfully stored, the CBID and/or UUID fields identify it.
52
HP Medical Archive
Message Reference
This audit message can be monitored to determine the content sent to particular systems. The “Result Code” field can be used to determine when errors occurred.
HPUS—HTTP PUT Transaction Start
When an HTTP client initiates a PUT transaction to transfer content from the HTTP client to the HTTP server (the node), this message is issued.
Table 49: HPUS—HTTP PUT Transaction Start Fields
Code Field Description
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
OBNS Object Namespace The namespace within which the stored object should be
handled.
OBPA Object Path The path to use when storing the object.
OBNA Object Name The name of the object to store.
RSLT Result Code The status at the time the request for the PUT transaction
was initiated:
SUCS—PUT transaction initiated successfully BRQT—malformed PUT transaction
This audit message means a transfer of content from an HTTP client has initiated. It can be monitored to determine the content stored using HTTP.
HTSC—HTTP Session Close
When an HTTP client finishes communicating with a remote host and closes the previously-established HTTP session, this message is issued.
Table 50: HTSC—HTTP Session Close Fields
Code Field Description
HSID Session Identifier The unique identifier assigned to the HTTP session
established to the node.
53
HP Medical Archive
HPMA Audit Message Reference
Table 50: HTSC—HTTP Session Close Fields (cont.)
Code Field Description
RSLT Result Code Why the session was closed:
SUCS—session closed normally, without errors TOUT—timed-out by the node, due to inactivity ERRC—lost the connection over which the session was
established ERRT—session terminated due to an error occurring on a transaction AUTH—session terminated due to a failed transaction authorization GERR—a general error occurred, causing the session to close
This audit message means an HTTP client closed a previously-estab­lished HTTP session. “HTTP Session Close” always corresponds with a previously-issued “HTTP Session Establish” message.
This message should be monitored to determine if there are any repet­itive or excessive problems in attempting to establish a session. This could indicate potential communications or interoperability problems related to HTTP client or server implementations.
HTSE—HTTP Session Establish
When an HTTP client establishes an HTTP session, this message is issued.
Table 51: HTSE—HTTP Session Establish Fields
Code Field Description
CNID Connection
Identifier
HSID Session Identifier The unique identifier assigned to the HTTP session
RSLT Result Code Status at the time the session was established:
The unique identifier for the connection over which the HTTP session was established.
established to the node.
SUCS—session successfully established
This audit message means a remote host (client) successfully estab­lished an HTTP session to the node. It can be used to track which hosts the system is communicating with via the HTTP protocol.
54
HP Medical Archive
Message Reference
RPSB—Replication Session Begin
When a service begins a replication operation—replicating private structured data to a secondary service—this message is generated.
Table 52: RPSB—Replication Session Begin Fields
Code Field Description
RPSI Replication Session IDThe unique identifier of the replication session being
started.
RPPI Previous Session
ID
RPSE Replication Source
Entity
RPDE Replication Desti-
nation Entity
RPSC Start Sequence
Count
RSSS Session Start
Reason
RSLT Operation Result The status of the replication operation:
This message indicates a replication session is either starting or being resumed. It identifies the primary (originating) and secondary (accept­ing) services by their node IDs. Both the source and destination services report this message.
The identifier of the previous replication session (if one exists); zero otherwise.
The node ID of the service that is generating the replica­tion session.
The node ID of the service that is accepting the replica­tion session.
The replication sequence count of FSG transactionsat which the session starts or resumes.
The status of the replication session:
NEWS—A new session is being established. CONT—A new session is being resumed. RSUM—A previous session is being resumed.
SUCS—The replication session started successfully.
RPSE—Replication Session End
When a service completes a replication session, this message is generated.
Table 53: RPSE—Replication Session End Fields
Code Field Description
RPSI Replication Session IDThe unique identifier of the replication session that has
ended.
55
HP Medical Archive
HPMA Audit Message Reference
Table 53: RPSE—Replication Session End Fields (cont.)
Code Field Description
RPPI Next Session ID The identifier of the next replication session (if known).
If the next session ID is not known, this value is zero (0).
RPSE Replication Source
Entity
RPDE Replication Desti-
nation Entity
RPSC End Sequence
Count
RSSS Session End Reason The completion status of the replication session:
RSLT Session Result The result of the replication session:
Matching this message with the corresponding RPSB message can indicate the time it took to perform the replication. This message indi­cates whether the replication session closed normally. Both the source and destination services report this message.
The node ID of the service that is generating the replica­tion session.
The node ID of the service that is accepting the replica­tion session.
The replication sequence count of FSG transactionsthat would be the next value (in another session).
SUCS—The replication session was closed successfully. UNEX—The session was closed unexpectedly. PAUS—The session was paused (the FSG was shut
down). CKPT—The session was stopped for a checkpoint such as a backup. A new session handles remaining replication.
SUCS—The replication session completed successfully. FAIL—The replication session did not complete
successfully.
SADD—Security Audit Disable
This message indicates the originating service (node ID) has turned off audit message logging; audit messages are no longer being collected or delivered.
Table 54: SADD—Security Audit Disable Fields
Code Field Description
AETM Enable Method The method used to disable the audit.
56
HP Medical Archive
Message Reference
Table 54: SADD—Security Audit Disable Fields (cont.)
Code Field Description
AEUN User Name The user name that executed the command to disable
audit logging.
The message implies that logging was previously enabled but has now been disabled. This is typically only used during bulk ingest to improve system performance. Following the bulk activity, auditing is restored (SADE) and the capability to disable auditing is then perma­nently blocked.
SADE—Security Audit Enable
This message indicates that the originating service (node ID) has restored audit message logging; audit messages are again being col­lected and delivered.
Table 55: SADE—Security Audit Enable Fields
Code Field Description
AETM Enable Method The method used to enable the audit.
AEUN User Name The user name that executed the command to enable
audit logging.
The message implies that logging was previously disabled (SADD) but has now been restored. This is typically only used during bulk ingest to improve system performance. Following the bulk activity, auditing is restored and the capability to disable auditing is then permanently blocked.
SCMT—Object Store Commit
Grid content is not made available or recognized as being stored until it has been committed - meaning it has been stored persistently. Persis­tently-stored content has been completely written to disk, and has
57
HP Medical Archive
HPMA Audit Message Reference
passed related integrity checks. When a content block is committed to storage, this message is issued.
Table 56: SCMT—Object Store Commit Fields
Code Field Description
CBID Content Block
Identifier
RSLT Result Code Status at the time the object was stored to disk:
This message means a given content block has been completely stored and verified, and can now be requested. It can be used to track data flow within the system.
The unique identifier of the content block committed to permanent storage.
SUCS - object successfully stored
SREM—Object Store Remove
When grid content is removed, it is either downgraded to transient status (“removed”) or completely wiped from the system such that no parts of the content remain (“purged”). If content is downgraded to transient status, it may still be accessed until purged from the system.
When a content block is deleted from permanent storage (either removed or purged), this message is issued.
Table 57: SREM—Object Store Remove Fields
Code Field Description
CBID Content Block
Identifier
RSLT Result Code How the content was deleted:
This audit message means a given content block has been deleted from a node and can no longer be requested directly. The message can be used to track the flow of deleted content within the system.
58
The unique identifier of the content block deleted from permanent storage.
SUCS - content removed (downgraded to transient status)
PURG -content purged from the node INTL - the operation succeeded and the content is no
longer accessible - but not erased, as the purge interlock is enabled
HP Medical Archive
SVRF—Object Store Verify Fail
Each time content is read from or written to disk, several verification and integrity checks are performed to ensure data being sent to the requesting user is identical to the data originally ingested into the system. If any of these checks fail, the system automatically removes the corrupt data to prevent it from being retrieved again.
When a content block fails the verification process, this message is issued.
Table 58: SVRF—Object Store Verify Fail Fields
Code Field Description
Message Reference
CBID Content Block
Identifier
RSLT Result Code Verification failure type:
The “SVRF - Object Store Verify Fail” audit message should be monitored closely. It means a given content block failed verification checks, which can indicate attempts to tamper with content or impending hardware failures.
The unique identifier of the content block which failed verification.
CRCF - content CRC checks failed HMAC - content HMAC checks failed EHSH - unexpected encrypted content hash PHSH - unexpected original content hash SEQC - incorrect data sequence on disk PERR - invalid structure of disk file DERR - disk error
SVRU—Object Store Verify Unknown
The Local Distribution Router (LDR) storage component continuously scans all files in the object store to schedule content verification. If it detects a file or directory does not match expected naming conven­tions, it moves the unexpected file(s) to the “garbage” directory, where they can be automatically or manually removed (depending on LDR configuration).
59
HP Medical Archive
HPMA Audit Message Reference
When an unknown or unexpected file is detected in the object store and moved to the “garbage” directory, this message is issued.
Table 59: SVRU—Object Store Verify Unknown Fields
Code Field Description
FPTH File Path The full path to the unexpected file’s original location.
The “SVRU - Object Store Verify Unknown” audit message should be moni­tored closely. It means unexpected files were detected in the object store. This situation should be investigated immediately to determine how the files were created, as it can indicate attempts to tamper with content or impending hardware failures.
SYSD—Node Stop
When an HP Medical Archive grid service is stopped gracefully, this message is generated to indicate the shutdown was requested.
Table 60: SYSD—Node Stop Fields
Code Field Description
RSLT Clean Shutdown The nature of the shutdown:
SUCS—System was cleanly shutdown.
The message does not indicate if the host server is being stopped, only the reporting service.
SYSU—Node Start
When an HP Medical Archive grid service is started, this message is generated and indicates if the previous shutdown was clean (com­manded) or disorderly (unexpected).
Table 61: SYSU—Node Start Fields
Code Field Description
RSLT Clean Shutdown The nature of the shutdown:
SUCS—System was cleanly shutdown. DSDN—System was not cleanly shutdown.
60
HP Medical Archive
Message Reference
The message does not indicate if the host server was started, only the reporting service.
This message can be used to:
Detect discontinuity in the audit trail.
Determine if a service is failing during operation (as the distrib-
uted nature of the grid can mask these failures). The Server Manager restarts a failed service automatically.
TACB—Grid Task Action Begin
When a grid task action begins, this message is generated.
Table 62: TACB—Grid Task Action Begin Fields
Code Field Description
TSID Task ID The unique identifier of the task used to manage the task
over its life cycle.
TTYP Task Type The type of task.
TSFC Task Stage The current stage of the task.
ACNT Task Act ion Node IDThe service node ID being requested to perform the task.
ACTT Task Action The action being started.
RSLT Action Status Status at the time the task action begins:
SUCS—The task stage started successfully.
Matching this message with the corresponding TA CE message can indicate the time it took to perform a task action.
TACE—Grid Task Action End
When a grid task action completes, this message is generated.
Table 63: TACE—Grid Task Action End Fields
Code Field Description
TSID Task ID The unique identifier of the task used to manage the task
over its life cycle.
TTYP Task Type The type of task.
61
HP Medical Archive
HPMA Audit Message Reference
Table 63: TACE—Grid Task Action End Fields (cont.)
Code Field Description
TSFC Task Stage The current stage of the task.
ACNT Task Action Node IDThe service node ID being requested to perform the task.
ACTT Task Action The action that is being ended.
RSLT Action Result The completion status of the task action:
SUCS—completed successfully ABRT—aborted FAIL—failed before completion
Matching this message with the corresponding TAC B message can indicate the time it took to perform a task action.
TSGC—Grid Task Stage Change
This message indicates the stage of a grid task has changed; either the task is progressing to the next stage, was aborted, or has failed.
Table 64: TSGC—Grid Task Stage Change Fields
Code Field Description
TSID Task ID The unique identifier of the task used to manage the task
over its life cycle.
TTYP Task Type The type of task.
TSDC Task Stage
Description
TSFC Task Stage The current stage of the task.
RSLT Task Stage Result The completion status of the previous task stage:
All actions within a task stage must complete before the stage can complete.
A text description of the next task stage (starting).
SUCS—completed successfully ABRT—aborted FAIL—failed before completion
When a new grid task starts, this message is generated with RSLT = SUCS.
62
HP Medical Archive
Message Reference
TSTC—Grid Task State Change
When a grid task is added, started, paused, canceled, or completed, this message is issued to audit the change in task state.
Table 65: TSTC—Grid Task State Change Fields
Code Field Description
TSID Task ID The unique identifier of the task used to manage the task
over its life cycle.
TTYP Task Type The type of task.
TDSC Task Description A text description of the task.
TSRC Task Source A text identification of the issuer of the task.
TSTS Task State The current state of the task:
NEWT—Newly added. PEND—Pending. ACTV—Active (running) PAUS—Paused. ROLA—Aborting; performing a rollback. ROLF—Rollback failed. HIST—Historical (task completed, cancelled, or expired). RMVD—Task is now removed.
RSLT Task Status The status of the grid task:
SUCS—The task successfully entered the current state. ABRT—The task was aborted (rollback if possible). FAIL—The task has failed (rollback if possible). CANC—The task was cancelled (never started). EXPR—The task expired (never started). IVLD—The task is invalid. AUTH—The task is unauthorized. DUPL—The task is a duplicate.
This message is used to determine what tasks have been added, run, and completed, and the result of the completion.
The Task Status serves to indicate why the task is in the current state. If a task ends abnormally (is aborted or fails) and requires a rollback, the reason is retained in the task status (TCTS). The status of the rollback itself is noted within the state (TSTS). The sequence of messages would indicate either:
ROLA > HIST if the rollback is successful, or
ROLA > ROLF > HIST if the rollback failed.
63
HP Medical Archive
HPMA Audit Message Reference
64
HP Medical Archive

Glossary

ADC Administrative Domain Controller—a unit of the HP Medical Archive
software that authenticates grid nodes (certificates) and manages interconnections. It maintains grid topology information.
AE title Application Entity Title—the identifier of a DICOM node communi-
cating with other DICOM AEs.
AMS Audit Management System—a unit of the HP Medical Archive
software that monitors and logs all audited system events and transactions.
CBID Content Block Identifier—A number that uniquely identifies a piece of
content within the HP Medical Archive system.
CIDR Classless Inter-Domain Routing—a method of routing traffic between
IP networks that improves flexibility when dividing ranges of IP Addresses into separate networks. CIDR is defined in RFC 1519. Standard notation for a CIDR address range begins with the network address, padded with zero bits on the right, followed by a slash “/” character and a number representing the length in bits of the subnet mask (prefix), thus defining the size of the network. For example:
192.168.120.0/24 represents the 256 addresses 192.168.120.0
through 192.168.120.255 inclusive. The “/24” indicates a 24-bit subnet mask, leaving 8 bits (0–255) of subnet address space.
192.168.212.0/22 represents the 1024 addresses 192.168.212.0
through 192.168.215.255 inclusive. The left-most 22 bits form the mask, leaving 10 bits (0.0–3.255) of subnet address space.
CIFS Common Internet File System—a file system protocol based on
SMB (Server Message Block, developed by Microsoft) intended to complement existing protocols such as HTTP, FTP, and NFS.
CLB Connection Load Balancer—a unit of the HP Medical Archive software
that directs incoming DICOM traffic based on factors from an ADC.
CMN Configuration Management Node—a unit of the HP Medical Archive
software for performing system-wide reconfiguration and Grid Tasks.
CMS Content Management System—a unit of the HP Medical Archive
software managing a distributed database catalog of the grid content (metadata) and data duplication according to business rules to provide Information Lifecycle Management (ILM).
65
HP Medical Archive
HPMA Audit Message Reference
content block ID See “CBID”.
DICOM Digital Imaging and COmmunications in Medicine—a standard devel-
oped by ACR-NEMA (an alliance of the American College of Radiology and the National Electrical Manufacturer’s Association) for communications between medical imaging devices.
DR Disaster Recovery.
FCS Fixed Content Storage—A class of stored data where the data, once
captured, is rarely changed and must be retained for long periods of time in its original form. Typically this includes images, documents, and other data where alterations would reduce the value of the stored information.
flywheeling A clock is running on its own, without tracking a reference source.
FSG File System Gateway—a unit of the HP Medical Archive software that
enables standard network file systems to interface with the grid.
Grid Task A managed sequence of actions that are coordinated across a grid to
perform a specific function (such as adding new node certificates). Grid Tasks are typically long-term operations that span many entities within the grid.
HPMA HP Medical Archive—a fixed-content storage system from Hewlett-
Packard. The solution is sold under the HP brand and is serviced and supported by the HP services/support organization worldwide. The HPMA Solution is powered by Bycast
®
StorageGRID™ software.
ILM Information Lifecycle Management—a process of managing data by
applying business rules to determine storage accessibility and longev­ity. Software implementing ILM manages data replication, storage resources, distribution, and retention to meet business and regulatory objectives.
instance A DICOM term for an image. One or more instances for a single
patient are collected in a “study”.
LAN Local Area Network—a network of interconnected computers that is
restricted to a small area, such as a building or campus. A LAN may be considered a node to the Internet or other wide area network.
latency Time duration for processing a transaction or transmitting a unit of
data from end to end. When evaluating system performance, both throughput and latency need to be considered. See also: “throughput”.
66
HP Medical Archive
Glossary
LDR Local Distribution Router—a unit of the HP Medical Archive software
to manage the storage and transmission of content within the grid.
metadata Data that provides information about other data.
namespace A set whose elements are unique names. There is no guarantee that a
name in one namespace is not repeated in a different namespace.
NFS Network File System—a protocol (developed by SUN Microsystems)
that enables access to network files as if they were on local disks.
NMS Network Management System—a unit of the HP Medical Archive
software for alarm monitoring and system administration. It provides a web-based interface for managing and monitoring the HPMA system, as well as viewing and reporting on statistics regarding network, DICOM, storage, and many other related attributes for each of the various services and servers.
object store A configured file system on a disk volume. The configuration includes
a specific directory structure and resources initialized at system installation.
PACS Picture Archiving and Communication System—a computerized
system of patient records management responsible for short and long term (archival) storage of images. Communication with PACS is via DICOM.
PDF Portable Document Format—a file format (developed by Adobe
Systems and based on the postscript language) for exchanging docu­ments between computer systems that may have differing operating systems. It is designed to preserve the appearance of the document regardless of the system used to render it.
release The edition of the complete HP Medical Archive system. Contrast with
“version” and “revision”.
revision The edition of a document. Contrast with “version” and “release”.
Samba A suite of programs that implement the Server Message Block (SMB)
protocol. It allows files and printers on the host operating system to be shared with other clients. For example, instead of using telnet to log into a Unix machine to edit a file there, a Windows user might connect a drive in Windows Explorer to a Samba server on the Unix machine and edit the file in a Windows editor.
SQL Structured Query Language—an industry standard interface language
for managing relational databases. An SQL database is one that supports the SQL interface.
67
HP Medical Archive
HPMA Audit Message Reference
SSM Service Status Monitor—a unit of the HP Medical Archive software
that monitors hardware conditions and reports to the NMS. Every server in the grid runs an instance of the SSM.
study A DICOM term for a collection of images (instances) related to an indi-
vidual patient or subject.
SVG Scalable Vector Graphic—a format for digital images that can be scaled
without loss of resolution.
TCP/IP Transmission Control Protocol / Internet Protocol—a process for
encapsulating and transmitting packet data over a network. It includes positive acknowledgement of transmissions.
throughput The amount of data that can be transmitted or the number of transac-
tions that can be processed by a system or subsystem in a given period of time. See also: “latency”.
URI Universal Resource Identifier—A generic set of all names or addresses
used to refer to resources that can be served from a computer system. These addresses are represented as short text strings.
URL Universal Resource Location—A URI that can be typed into a browser
or other client program in order to retrieve/access an object, such that the client software is able to understand how to perform the requested action. (The client, typically a “browser”, often uses a Domain Name Server (DNS) to resolve a URL into an IP address and URI combination.)
UTC A language-independent international abbreviation, UTC is neither
English nor French. It means both “Coordinated Universal Time” and “Temps Universel Coordonné”.
UTC refers to the standard time common to every place in the world. It is derived from International Atomic Time (TAI) by the addition of a whole number of “leap seconds” to synchronize it with Universal Time (UT1). UTC is expressed using a 24-hour clock and uses the Gre­gorian calendar.
UUID Universal Unique IDentifier—A 128-bit number which is guaranteed
to be unique.
version The edition of a service within the HP Medical Archive system.
Contrast with “release” and “revision”.
WAN Wide Area Network—a network of interconnected computers that
covers a large geographic area such as a country. Contrast with LAN.
68
HP Medical Archive
Loading...