Hp MEDICAL ARCHIVE SOLUTION audit message reference

HP Medical Archive Solution
audit message reference

Part number: AG583-96009
Fourth edition: October 2007

Legal and notice information

© Copyright 2005, 2007 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential
damages in connection with the furnishing, performance, or use of this material.

This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or
translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any
kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.

UNIX® is a registered trademark of The Open Group.

HP Medical Archive Solution audit message reference

Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Currency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Fonts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

HP Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Product Warranties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Subscription Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

HP Web Sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Documentation Feedback. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1 Audit Message Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Overview of Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Audit Message Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Message Retention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Message Level Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Audit Log File Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Access via Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Audit File Naming Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2 File and Message Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Audit Log File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Audit Message Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Event-Specific Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Common Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Interpreting a Sample Audit Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3 Message Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

System Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Object Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Volume Management Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

HTTP Protocol Audit Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

DICOM Audit Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

File System Gateway Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

External Audit Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Audit Message Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

ARCB—Archive Volume Retrieve Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

ARCE—Archive Volume Retrieve End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

ASCE—Archive Volume Populate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

ATCE—Staging Volume Populate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

BKSB—Backup Store Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

BKSE—Backup Store End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

CBRB—Object Receive Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

CBRE—Object Receive End. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

CBSB—Object Send Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

CBSE—Object Send End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

CDAD—DICOM Study Add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

DASC—DICOM Association Close . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

DASE—DICOM Association Establish. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

DASF—DICOM Association Fail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

HP Medical Archive Solution audit message reference 3

DCFE—DICOM C–FIND End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

DCFS—DICOM C–FIND Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

DCME—DICOM C–MOVE End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

DCMS—DICOM C–MOVE Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

DCMT—DICOM Storage Commitment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

DCPE—DICOM C–STORE End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

DCPS—DICOM C–STORE Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

DCSF—DICOM C–STORE Fail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

ETAF—Security Authentication Failed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

ETCA—TCP/IP Connection Establish . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

ETCC—TCP/IP Connection Close . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

ETCF—TCP/IP Connection Fail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

ETCR—TCP/IP Connection Refused . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

FCRE—File Create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

FDEL—File Delete. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

FMFY—File Modify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

FRNM—File Rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

FSTG—File Store to Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

FSWI—File Swap In. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

FSWO—File Swap Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

HCPE—HTTP PUT C–STORE End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

HCPS—HTTP PUT C–STORE Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

HDEL—HTTP DELETE Transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

HGEE—HTTP GET Transaction End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

HGES—HTTP GET Transaction Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

HHEA—HTTP HEAD Transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

HOPT—HTTP OPTIONS Transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

HPOE—HTTP POST Transaction End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

HPOS—HTTP POST Transaction Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

HPUE—HTTP PUT Transaction End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

HPUS—HTTP PUT Transaction Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

HTSC—HTTP Session Close . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

HTSE—HTTP Session Establish. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

OHRP—Object Handle Repoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

RPSB—Replication Session Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

RPSE—Replication Session End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

SADD—Security Audit Disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

SADE—Security Audit Enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

SCMT—Object Store Commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

SREM—Object Store Remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

SVRF—Object Store Verify Fail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

SVRU—Object Store Verify Unknown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

SYSD—Node Stop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

SYSU—Node Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

TACB—Grid Task Action Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

TACE—Grid Task Action End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

TSGC—Grid Task Stage Change. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

TSTC—Grid Task State Change. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Figures

1 Audit Message Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2 Audit Message Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3 Default Audit Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Tables

1 Audit Message Filter Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

4

2 Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

3 Common Elements of Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

4 System Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

5 Object Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

6 Volume Management Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

7 HTTP Protocol Audit Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

8 DICOM Audit Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

9 File System Gateway Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

10 ARCB—Archive Volume Retrieve Begin Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

11 ARCE—Archive Volume Retrieve End Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

12 ASCE—Archive Volume Populate Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

13 ATCE—Staging Volume Populate Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

14 BKSB—Backup Store Begin Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

15 BKSE—Backup Store End Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

16 CBRB—Object Receive Begin Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

17 CBRE—Object Receive End Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

18 CBSB—Object Send Begin Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

19 CBSE—Object Send End Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

20 CDAD—DICOM Study Add Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

21 DASC—DICOM Association Close Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

22 DASE—DICOM Association Establish Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

23 DASF—DICOM Association Fail Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

24 DCFE—DICOM C–FIND End Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

25 DCFS—DICOM C–FIND Start Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

26 DCME—DICOM C–MOVE End Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

27 DCMS—DICOM C–MOVE Start Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

28 DCMT—DICOM Storage Commitment Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

29 DCPE—DICOM C–STORE End Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

30 DCPS—DICOM C–STORE Start Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

31 DCSF—DICOM C–STORE Fail Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

32 ETAF—Security Authentication Failed Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

33 ETCA—TCP/IP Connection Establish Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

34 ETCC—TCP/IP Connection Close Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

35 ETCF—TCP/IP Connection Fail Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

36 ETCR—TCP/IP Connection Refused Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

37 FCRE—File Create Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

38 FDEL—File Delete Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

39 FMFY—File Modify Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

40 FRNM—File Rename Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

41 FSTG—File Store to Grid Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

42 FSWI—File Swap In Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

43 FSWO—File Swap Out Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

44 HCPE—HTTP PUT C–STORE End Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

45 HCPS—HTTP PUT C–STORE Start Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

46 HDEL—HTTP DELETE Transaction Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

47 HGEE—HTTP GET Transaction End Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

48 HGES—HTTP GET Transaction Start Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

49 HHEA—HTTP HEAD Transaction Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

50 HOPT—HTTP OPTIONS Transaction Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

51 HPOE—HTTP POST Transaction End Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

52 HPOS—HTTP POST Transaction Start Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

53 HPUE—HTTP PUT Transaction End Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

54 HPUS—HTTP PUT Transaction Start Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

55 HTSC—HTTP Session Close Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

56 HTSE—HTTP Session Establish Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

57 OHRP—Object Handle Repoint Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50

58 RPSB—Replication Session Begin Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

59 RPSE—Replication Session End Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

60 SADD—Security Audit Disable Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

HP Medical Archive Solution audit message reference 5

61 SADE—Security Audit Enable Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

62 SCMT—Object Store Commit Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

63 SREM—Object Store Remove Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

64 SVRF—Object Store Verify Fail Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

65 SVRU—Object Store Verify Unknown Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

66 SYSD—Node Stop Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

67 SYSU—Node Start Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

68 TACB—Grid Task Action Begin Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54

69 TACE—Grid Task Action End Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

70 TSGC—Grid Task Stage Change Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

71 TSTC—Grid Task State Change Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56

6

About This Guide

The Audit Management System (AMS) service stores audit messages of grid activity and events to a set of
text log files. To enable you to read and analyze the audit trail, this document provides information on the
structure and content of the text file log.

The objectives of this document are to:

• Describe how to access the current log file and archived logs

• Describe the text file format

• Provide a reference for common audit messages

Currency

The content is current with the AMS service software version 4.9.0 through 4.11, as included in the
HP Medical Archive system release 7. To find the version number of your AMS service software:

1. Using the NMS interface, select the AMS service, Overview page.

The version number is reported in the Node Information table.

2. To check the software release version, check the SSM service, Services page. The software release

version is reported in the Packages table as the storage-grid-release. The release should be 7.0 or later.

If you have an earlier version of the AMS service, contact HP Support.

Intended Audience

The content of this guide is intended for administrators responsible for producing reports of network activity
and usage that require analysis of the audit messages.

You are assumed to have a sound understanding of the nature of audited activities within the HP Medical
Archive system. To use the text log file, you are assumed to have access to the configured audit share on
the Admin Node server hosting the AMS service.

References

This document assumes familiarity with many terms related to computer operations and programming,
network communications, and operating system file operations. There is wide use of acronyms. To assist
you, there is a glossary at the back of this reference (page 59).

Conventions

This guide adheres to conventions for terminology to avoid confusion or misunderstanding. There are also
conventions for typography to enhance readability and usefulness of the text.

Terminology

There is some room for confusion between common computer network terminology for “server” and “node”
as they are used in HP Medical Archive products and documents.

A server is usually thought of as a piece of computing hardware that provides data services to requesting
network clients; a resource providing network, computational, and storage services. Within the context of
the HP Medical Archive, a server is an entity hosting one or more grid services.

Nodes in a network are usually defined as an independent entity with a unique network identity, running
on a resource. In this text, the use of the phrase “grid node” refers to an addressable entity on the grid that
provides and uses functional services within the grid to perform one or more tasks. Each grid node has a
unique “node ID”. These include: ADC, CMS and LDR. In the HP Medical Archive User Guide and other
user documents these are referred to as “services”.

Fonts

In contrast, the HP Medical Archive packages the grid service modules into “nodes”. For example, the
“Storage Node” usually incorporates the LDR and SSM services on one server.

To assist you in easily picking out the elements of importance, changes from the standard font are used:

HP Medical Archive Solution audit message reference 7

• Items upon which you act are shown in bold. These include:

• Sequences of selections from the navigation tree, tabs, and page options, such as: LDR X
Replication X Configuration.

• Buttons or keys to click or press, such as Apply or <Tab>.

• Radio buttons or check buttons to enable or disable, such as Reset DICOM Counts.

• Field prompts, names of windows and dialogs, messages, and other literal text in the interface is shown

as standard text, such as the LDR State pull down menu, or the Sign In... window.

• Items within the narrative that require emphasis appear in italics.

• Coding samples or interactions with a command terminal are shown in the fixed space font:

version=1.0 ?>

Any italicized portion indicates variable data you provide to meet your needs.

Keyboard keys that use words or standard abbreviations are shown within angle brackets, such as <Ctrl>
for the control key, <Tab>, <space>, and <Enter>.

HP Technical Support

Telephone numbers for worldwide technical support are listed on the HP support Web site:

http://www.hp.com/support/

Collect the following information before calling:

• Technical support registration number (if applicable)

• Product serial numbers

• Product model names and numbers

• Applicable error messages

• Operating system type and revision level

• Detailed, specific questions

<?xml

.

For continuous quality improvement, calls may be recorded or monitored.

Product Warranties

For information about HP StorageWorks product warranties, see the warranty information Web site:

http://www.hp.com/go/storagewarranty

Subscription Service

HP strongly recommends that customers sign up online using the Subscriber's choice Web site:

http://www.hp.com/go/e-updates

• Subscribing to this service provides you with e-mail updates on the latest product enhancements, newest

versions of drivers, and firmware documentation updates as well as instant access to numerous other
product resources.

• After signing up, you can quickly locate your products by selecting Business support and then Storage

under Product Category.

HP Web Sites

For other product information, see the following HP web sites:

• http://www.hp.com

• http://www.hp.com/go/storage

• http://www.hp.com/support/

• http://www.docs.hp.com

.

Documentation Feedback

HP welcomes your feedback.

8

To make comments and suggestions about product documentation, please send a message to

storagedocsfeedback@hp.com. All submissions become the property of HP.

HP Medical Archive Solution audit message reference 9

10

1 Audit Message Overview

Overview of Auditing

As services in the grid perform various activities and process events, audit messages are generated to
retain a record of grid activity. These messages are processed by the Audit Management System (AMS)
service on the Admin Node server, and are stored in the form of text log files. This document provides
information on the structure and content of the text log files to enable you to read and analyze the audit
trail of grid activity.

Audit Message Flow

Audit messages are generated internally by each grid service. All system services generate audit messages
during normal system operation. These messages are sent to all connected AMS services for processing
and storage, so that each AMS maintains a complete record of grid activity.

Some grid services can be designated as audit message relay services. They act as collection points to
reduce the need for every service to send its audit messages to all connected AMS services. Notice in
Figure 1 that each relay service must send messages to all AMS destinations, whereas services can send
messages to just one relay service.

Figure 1 Audit Message Flow

Relay services are designated at the time the grid topology is configured. In an HP Medical Archive grid,
the ADC service is designated as the audit message relay.

Message Retention

Once an audit message is generated, it is stored on the local server of the originating service until it has
been committed to all connected AMS servers, or a designated audit relay service. The relays in turn store
the message until it is committed at all AMS services. This process includes a confirmation (positive
acknowledgment) to ensure no messages are lost.

HP Medical Archive Solution audit message reference 11

Figure 2 Audit Message Retention

Messages arrive at the AMS and are stored in a queue pending confirmed write to the text log file
audit.log. Confirmation of the arrival of messages is sent to the originating service (or audit relay) to permit
the originator to delete its copy of the message.

Only after a message has been committed to storage at the AMS can it be removed from the queue. The
local message buffer at the audit relay service (ADC) and the AMS each have an alarm (AMQS)
associated with it, in the event the backlog becomes unusually large. At times of peak activity, the rate at
which audit messages are arriving may be faster than they can be relayed to the audit repository on the
AMS or committed to storage in the audit log file, causing a temporary backlog that will clear itself when
grid activity declines.

Once a day the active audit log audit.log is saved to a file named for the date the file is saved (in the
format YYYY-MM-DD.txt) and a new audit.log file is started. Audit logs are compressed when they are
seven days old and are renamed YYYY-MM-DD.txt.gz (where the original date is preserved).

Over very long periods of time, this can result in consumption of the 50 GB of storage available for audit
logs on the server hosting the AMS. Once the audit directory on the AMS is full, the oldest log files in the
directory are automatically deleted until the directory contains less than 50 GB. Depending upon the
regulatory or administrative requirements of your enterprise, you may want to archive the compressed audit
log files to some other media such as DVD-R, or into the grid itself.

Message Level Filtering

The AMS service filters incoming audit messages based on settings made in the CMN X Audit component.

Figure 3 Default Audit Settings
Table 1 Audit Message Filter Levels

Level Description

Off No audit messages from the category are logged.

Error Only error messages are logged; those for which the result

12 Audit Message Overview

code was not “successful” (SUCS).

Table 1 Audit Message Filter Levels

Level Description

Normal Standard transactional messages are logged; all messages

listed in this guide for the category.

Debug Trace messages are logged; for troubleshooting only.

The messages included for any particular level in this table includes those that would be logged at the
higher levels. Therefore, the Normal level includes all of the Error messages.

The “Introduction” section of Chapter 3 (page 19) includes tables that sort the audit messages into the
categories shown in the table (that is, System Messages, Object Storage Messages, Volume Management
Messages, DICOM Messages, HTTP Messages, and File System Gateway Messages). The Volume
Management category of audit messages is used only by Enterprise installations of the HP Medical
Archive. The External category of audit message is only used by external custom applications that submit
audit messages using the HPMA HTTP API.

NOTE: Debug level messages are not included in this reference guide.

Audit Log File Access

The audit file share configured on your Admin Node contains the active audit.log file and any compressed
audit log files. Depending upon the configuration at your site, you can access this file share with either an
NFS or CIFS client.

Access via Microsoft Windows

If using Windows to access network file shares, be aware that some versions of Windows do not support
using two different logins (user name and password combinations) to access the same device (IP address).
That means that if you have one login authentication to access the managed file system of a secondary
FSG service on a combined Admin/Gateway Node, and a different login to access the Audit Log on the
same combined Admin/Gateway Node, you may not be able to have both file shares connected at the
same time. You may be required to disconnect the secondary FSG share before you can connect to the
Audit Log, and vice versa.

Audit File Naming Convention

The active audit log file is named:

audit.log

Once a day, the active audit log is closed and saved to an archived log file named:

YYYY-MM-DD.txt

where date stamp in the file name indicates when the file was archived. If more than one audit log file is
manually created in a single day, subsequent files are named YYYY-MM-DD.txt.1,
YYYY-MM-DD.txt.2, etc.

After seven days, these archived log files are compressed, and saved to a file named:

YYYY-MM-DD.txt.gz

where the original date that the file was created is preserved in the file name.

To access a compressed audit log file:

1. Make a local copy of the file to work with.

2. Decompress the file. This process requires a decompression utility. We suggest “7-Zip”, wh ich i s a free

download from:

http://www.7-zip.org/

The next chapter provides details of the file’s internal structure and the syntax of audit messages.

HP Medical Archive Solution audit message reference 13

14 Audit Message Overview

2 File and Message Format

Audit Log File Format

The audit log file at the AMS contains a collection of individual audit messages. Each audit message
contains:

• the UTC time of the event that triggered the audit message (ATIM) in ISO 8601 format (that is,

YYYY-MM-DDTHH:MM:SS.UUUUUU where UUUUUU are microseconds), followed by a space.

• the audit message itself, enclosed within square brackets “[]” and beginning with “AUDT:”. The

message structure is discussed in more detail in the next section.

The following is part of a sample log file. Messages are wrapped within the boundaries shown, ending
after the ASES attribute and double closing brackets “]]”. The “\n” (line feed) characters at the end of each
message are not shown.

2006-05-03T01:40:37.775242
[AUDT:[FPTH(CSTR):"/fsg/cifsshare/CT_1200_1_5ddbc/0/44a198def43f13f69f4649980193f7a
9_254"][UUID(CSTR):"F2485A1A-9E84-49C6-98A1-1FF59D500E1B"][RSLT(FC32):SUCS][AVER(UI

32):5][ATIM(UI64):1146620437775242][ATYP(FC32):FSWO][ANID(UI32):9990056][AMID(FC32)
:FSGC][ATID(UI64):619557531566285967][ASQN(UI64):13657][ASES(UI64):1146600838125065
]]
2006-05-03T01:40:37.787159
[AUDT:[FPTH(CSTR):"/fsg/cifsshare/CT_1200_1_5ddbc/0/44a198def43f13f69f4649980193f7a
9_249"][UUID(CSTR):"11BA3243-AC7A-43CC-B925-178528780365"][RSLT(FC32):SUCS][AVER(UI

32):5][ATIM(UI64):1146620437787159][ATYP(FC32):FSWO][ANID(UI32):9990056][AMID(FC32)
:FSGC][ATID(UI64):1940194281971359843][ASQN(UI64):13658][ASES(UI64):114660083812506
5]]
2006-05-03T01:40:37.799230
[AUDT:[FPTH(CSTR):"/fsg/cifsshare/CT_1200_1_5ddbc/0/44a198def43f13f69f4649980193f7a
9_257"][UUID(CSTR):"B93B1D96-22E9-47D8-B099-8F32A1A94FB9"][RSLT(FC32):SUCS][AVER(UI

Audit Message Format

Audit messages exchanged within the grid include some standard information common to all messages,
and specific content describing the event or activity being reported.

The following is a sample audit message as it might appear in the audit.log file:

2006-05-03T01:40:37.775242
[AUDT:[FPTH(CSTR):"/fsg/cifsshare/CT_1200_1_5ddbc/0/44a198def43f13f69f4649980193f
7a9_254"]
[UUID(CSTR):"F2485A1A-9E84-49C6-98A1-1FF59D500E1B"]
[RSLT(FC32):SUCS][AVER(UI32):5][ATIM(UI64):1146620437775242]
[ATYP(FC32):FSWO][ANID(UI32):9990056][AMID(FC32):FSGC]
[ATID(UI64):619557531566285967][ASQN(UI64):13657][ASES(UI64):1146600838125065]]

Each audit message is logged as a string composed of attribute elements that are:

• Enclosed in square brackets “[ ]”

• Introduced by the string “AUDT”, indicating an audit message

• Do not have delimiters (no commas or spaces) between attributes

• Terminated by a line feed character (“\n”)

Each element includes: an attribute code, data type, and value. It takes the format:

[ATTR(type):value][ATTR(type):value]...
[ATTR(type):value]\n

Where:

HP Medical Archive Solution audit message reference 15

The number of attribute elements in the message depends on the event type of the message.

See “Interpreting a Sample Audit Message” on page 17 for a step-by-step description of how to interpret
an audit message.

Data Types

The data types encountered in the audit messages are:

Table 2 Data Types

Type Description

UI32 Unsigned long integer (32 bits); it can store the numbers

UI64 Unsigned double long integer (64 bits); it can store the numbers

FC32 Four Character Constant; a 32-bit unsigned integer value

• ATTR is a four-character code for the attribute being reported. These attributes can either be related
to event-specific messages (as described in Chapter 3, starting on page 19), or may be attributes
common to all audit messages (as described later in this chapter, on page 17).

•

type is a four-character identifier of the programming data type of the value, such as: UI64, FC32,

and so on. See “Data Types” on page 16. The type is enclosed in brackets “( )”.

•

value is the content of the attribute, typically a numeric or text value. Values always follow a colon

“:”. Values of data type CSTR are surrounded by double quotes “ “.

0–4,294,967,295.

0– 18,446,744,073,709,551,615.

represented as four ASCII characters such as: “ABCD”.

IP32 IP Address; a 32-bit IP address representation.

CSTR A string; a variable length array of UTF-8 characters. In brief, the

most relevant escaping rules state:

• characters may be replaced by their hexadecimal equivalents

• double quotes are represented as \"

• backslashes are represented as \\

Event-Specific Data

Following the opening “[AUDT:” container that identifies the message itself, the next set of attributes are
items related to the event or action described by the audit message. These attributes are identified in italics
in the sample message below:

2006-05-03T01:40:37.775242
[AUDT:[FPTH(CSTR):"/fsg/cifsshareCT_1200_1_5ddbce950bc640d1ed6a21d5005fb802/044a1

98def43f13f69f4649980193f7a9_254"][UUID(CSTR):"F2485A1A-9E84-49C6-98A1-1FF59D500E
1B"][RSLT(FC32):SUCS]

[AVER(UI32):5][ATIM(UI64):1146620437775242][ATYP(FC32):FSWO][ANID(UI32):9990056][
AMID(FC32):FSGC][ATID(UI64):619557531566285967][ASQN(UI64):13657][ASES(UI64):1146
600838125065]]

The event that these attributes describe is identified using the ATYP element described in “Common
Elements” below. The attributes for each event are described in Chapter 3, “Message Reference” on
page 19.

(in the format \xHH, where HH is the hexadecimal value
representing the character)

16 File and Message Format

Common Elements

After the event-specific information is a set of elements common to all audit messages:

Table 3 Common Elements of Audit Messages

Code Type Description

AVER UI32 Version—The version of the audit message. As the HP Medical Archive

ATYP FC32 Event Type—A four-character identifier of the event being logged. This governs

ATIM UI64 Timestamp—The time the event was generated that triggered the audit

software evolves, new versions of services may incorporate new features in
audit reporting. This field enables backward compatibility in the AMS to
process messages from older versions of services.

the “payload” content of the message—the attributes which are included.

message, measured in microseconds since the operating system epoch
(00:00:00 UTC on 1 January, 1970). Note that most available tools for
converting the timestamp to local date and time are based on milliseconds.
Rounding or truncation of the logged timestamp may be required.

The human-readable time that appears at the beginning of the audit message
in the audit.log file is the ATIM attribute in ISO 8601 format. (That is, the date
and time is represented as YYYY-MM-DDTHH:MM:SS.UUUUUU, where the T is
a literal string character indicating the beginning of the time segment of the
date. UUUUUU are microseconds).

ATID UI64 Trace ID—An identifier that is shared by the set of messages that were

triggered by a single event.

ANID UI32 Node ID—The grid node ID assigned to the service that generated the

message. Each service is allocated a unique identifier at the time the
HP Medical Archive is configured and installed. This ID cannot be changed.

AMID FC32 Module ID—A four-character identifier of the module ID that generated the

message. This indicates the code segment within which the audit message was
generated.

ASQN UI64 Sequence Count—A counter that is incremented for each generated audit

message on the grid node (ANID). This counter is reset to zero at service
restart. It can be used for consistency checks to ensure that no audit messages
have been lost.

ASES UI64 Audit Session Identifier—Indicates the time at which the audit system was

initialized after the service started up. This time value is measured in
microseconds since the operating system epoch (00:00:00 UTC on 1 January,

1970). It can be used to identify which messages were generated during a
given runtime session.

Interpreting a Sample Audit Message

The following is a sample audit message, as it might appear in the audit.log file:

2006-05-03T01:40:37.775242
[AUDT:[FPTH(CSTR):"/fsg/cifsshare/CT_1200_1_5d/044a198def43f1_254"][UUID(CSTR):"F
2485A1A-9E84-49C6-98A1-1FF59D500E1B"][RSLT(FC32):SUCS][AVER(UI32):5]
[ATIM(UI64):1146620437775242][ATYP(FC32):FSWO][ANID(UI32):9990056][AMID(FC32):FSG
C][ATID(UI64):619557531566285967][ASQN(UI64):13657][ASES(UI64):1146600838125065]]

The audit message contains information about the event being recorded, as well as information about the
audit message itself.

HP Medical Archive Solution audit message reference 17

To identify which event is recorded by the audit message, look for the ATYP attribute (highlighted below):

2006-05-03T01:40:37.775242
[AUDT:[FPTH(CSTR):"/fsg/cifsshare/CT_1200_1_5d/0/44a198def43f1_254"][UUID(CSTR):"
F2485A1A-9E84-49C6-98A1-1FF59D500E1B"][RSLT(FC32):SUCS][AVER(UI32):5]
[ATIM(UI64):1146620437775242][ATYP(FC32):FSWO][ANID(UI32):9990056][AMID(FC32):FSGC]
[ATID(UI64):619557531566285967][ASQN(UI64):13657][ASES(UI64):1146600838125065]]

The value of this attribute is FSWO. Consult Chapter 3 to discover that FSWO represents a File Swap Out
event, which logs the removal of a file from the FSG local cache. The table in “FSWO—File Swap Out” on
page 43 documents the attributes reported for FSWO. From this list you can discover, for example, that the
UUID attribute in the audit message records the unique identifier of the file that was swapped out of the
FSG cache:

2006-05-03T01:40:37.775242
[AUDT:[FPTH(CSTR):"/fsg/cifsshare/CT_1200_1_5d/0/44a198def43f1_254"][UUID(CSTR):"F24
85A1A-9E84-49C6-98A1-1FF59D500E1B"][RSLT(FC32):SUCS]
[AVER(UI32):5][ATIM(UI64):1146620437775242][ATYP(FC32):FSWO][ANID(UI32):9990056][
AMID(FC32):FSGC][ATID(UI64):619557531566285967][ASQN(UI64):13657][ASES(UI64):1146
600838125065]]

To discover when the swap-out event occurred, look at the UTC time stamp at the beginning of the audit
message. This value is a human-readable version of the ATIM attribute of the audit message itself
(described in “Common Elements” on page 17):

2006-05-03T01:40:37.775242
[AUDT:[FPTH(CSTR):"/fsg/cifsshare/CT_1200_1_5d/0/44a198def43f1_254"][UUID(CSTR):"
F2485A1A-9E84-49C6-98A1-1FF59D500E1B"][RSLT(FC32):SUCS][AVER(UI32):5]
[ATIM(UI64):1146620437775242][ATYP(FC32):FSWO][ANID(UI32):9990056][AMID(FC32):FSGC][A
TID(UI64):619557531566285967][ASQN(UI64):13657][ASES(UI64):1146600838125065]]

ATIM records the time, in microseconds, since the beginning of the UNIX epoch. The value
1146620437775242 translates to Wed, 03 May 2006 01:40:37 UTC.

18 File and Message Format

3 Message Reference

A comprehensive listing of generated audit messages.

Introduction

This chapter provides detailed descriptions of event-specific audit messages, and the attributes reported for
these messages.

Each audit message is first listed in a table that groups related messages by the class of activity that the
message represents. These groupings are useful both for understanding the types of activities that are
audited, and for selecting the desired type of audit message filtering (as described on page 12).

The audit messages are also listed alphabetically by their four-character codes (starting on page 23). This
alphabetic listing facilitates finding information about a specific message of interest.

The four-character codes used throughout this chapter are the ATYP values found in the audit messages, as
shown in the sample message below:

2006-05-03T01:40:37.775242
[AUDT:[FPTH(CSTR):"/fsg/cifsshare/CT_1200_1_5d/0/44a198def43f1_
254"][UUID(CSTR):"F2485A1A-9E84-49C6-98A1-1FF59D500E1B"][RSLT(F
C32):SUCS][AVER(UI32):5]
[ATIM(UI64):1146620437775242][ATYP(FC32):FSWO][ANID(UI32):99900
56][AMID(FC32):FSGC][ATID(UI64):619557531566285967][ASQN(UI64):

System Audit Messages

This group of messages belong to the System audit category and are for events related to:

• The auditing system itself

• Grid node states

• Grid-wide task activity (Grid Tasks)

• Service backup operations

• File System Gateway (FSG) replications
Table 4 System Audit Messages

Code Description Page

ETCA TCP/IP Connection Establish—An incoming or outgoing TCP/IP connection

was successfully established.

ETCC TCP/IP Connection Close—An established connection has been closed by

either side of the connection (normally or abnormally).

ETCF TCP/IP Connection Fail—An outgoing connection attempt failed at the lowest

level, due to communication problems.

ETCR TCP/IP Connection Refused— An incoming TCP/IP connection attempt was

not allowed.

SADD Security Audit Disable—Audit message logging has been turned off. 53

38

39

39

40

SADE Security Audit Enable—Audit message logging has been turned on. 54

ETAF Security Authentication Failed—A connection attempt using Transport Layer

Security (TLS) has failed.

SYSU Node Start—An HP Medical Archive grid service started; the nature of the

previous shutdown is indicated in the message.

HP Medical Archive Solution audit message reference 19

37

56