Enabling Dynamical Tracing

Technote (FAQ)


Question

How do I enable a detailed logging level, or Dynamical Tracing, on a Tivoli Security Information and Event Manager (TSIEM) agent or server?

Cause

If the cause of the problem cannot be determined in sufficient detail from the log files, then it may be useful to temporarily turn on generation of additional log messages, through Dynamical Tracing.

Answer

The various components of TSIEM write messages to their respective log files, and checking them should provide insight into the cause of the problem.

On a TSIEM server installed in the default directory, these log files can be found in:

  • <drive>:\ibm\tsiem\sim\server\log directory for Windows
  • /opt/IBM/tsiem/sim/server/log for AIX
  • /opt/ibm/tsiem/sim/server/log for Linux

On a TSIEM agent installed in the default directory, these log files can be found in:
  • <drive>:\ibm\tsiem\sim\actuator\log directory for Windows
  • /opt/IBM/tsiem/actuator/log for AIX, Solaris and HPUX

Dynamical Tracing is a mechanism by which you can choose at any time to switch the logging of some components of TSIEM between the default mode and a considerably more verbose mode.

Dynamical Tracing is available for the components listed in the following table. The “On Server” and “On Agent” columns of the table show whether the component occurs on a server system or on an agent system, respectively.

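| Component | Log File | On Server | On Agent |
|-----------|----------|-----------|----------|
| bbbin | bbbin.log | yes | no |
| auditctl | auditctl.log | yes | no |
| agent | agent.log / client.log / CeSystemLog / cesystem.log | yes | yes |
| actuator | actuatorXXX.log | yes | yes |
| bart | bart.log | yes | no |
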
The verbosity of logging by these components is configured through the contents of a file called tracing in the run directory of the server or agent. The full path to the tracing file on a default install for TSIEM server is below:
  • <drive>:\ibm\tsiem\sim\server\run\tracing for Windows
  • /opt/IBM/tsiem/sim/server/run/tracing for AIX
  • /opt/ibm/tsiem/sim/server/run/tracing for Linux
The tracing file must be created if it does not already exist.

On a default install of TSIEM agent, the full path to the tracing file is below:
  • <drive>:\ibm\tsiem\sim\actuator\run\tracing for Windows
  • /opt/IBM/tsiem/actuator/run/tracing for AIX, Solaris and HPUX
The tracing file must be created if it does not already exist.

To turn on more-verbose logging for a component, add a line like the following to the tracing file:

component=yes

where component stands for the name of the component from the above table. To turn off more-verbose logging for a component, add a line like the following to the tracing file:

component=no

If you remove the line completely, logging by that component reverts to its default state. (This means that Dynamical Tracing is turned off by default, but the software itself may decide to turn it on for some time.)

There can be more than 1 line in the tracing file, with each line corresponding to the logging level of a unique component name.

Each of these components checks the tracing file once a minute to see if it is supposed to change the verbosity of its logging, so any relevant change you make to the tracing file should result in a change in the logging behavior within one minute.

For some of these components, verbose logging is very verbose indeed, so we do not recommend leaving it enabled all the time; turn it on only when the Support team indicates.
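
The tracing-file procedure above, written as a small Python helper (an added example, not IBM code). It assumes the file holds only exact `component=yes` / `component=no` lines; the function names and the `role` argument are illustrative.

```python
import os

# Component names and where they occur, copied from the table on this page.
COMPONENTS = {
    "bbbin": {"server"},
    "auditctl": {"server"},
    "agent": {"server", "agent"},
    "actuator": {"server", "agent"},
    "bart": {"server"},
}


def read_tracing(path):
    """Return {component: 'yes'|'no'}; a missing file means every component is at its default."""
    settings = {}
    if not os.path.exists(path):
        return settings
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            name, sep, value = line.strip().partition("=")
            if sep and value in ("yes", "no"):
                settings[name] = value  # assumption: a later duplicate overrides an earlier one
    return settings


def set_tracing(path, role, component, state):
    """state: 'yes' (verbose), 'no' (off) or None (remove the line, back to default)."""
    if role not in COMPONENTS.get(component, ()):
        raise ValueError(f"{component!r} has no Dynamical Tracing on a {role}")
    if state not in ("yes", "no", None):
        raise ValueError("state must be 'yes', 'no' or None")
    settings = read_tracing(path)  # lines not of the form name=yes|no are dropped on rewrite
    if state is None:
        settings.pop(component, None)
    else:
        settings[component] = state
    # Write exactly one line per component to a sibling file, then rename it into
    # place so a component polling the file never reads a half-written copy.
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        for name, value in sorted(settings.items()):
            fh.write(f"{name}={value}\n")
    os.replace(tmp, path)
    return settings
```

Calling `set_tracing(path, "server", "bbbin", None)` once troubleshooting is finished removes the line, and `read_tracing(path)` shows which components are still set to verbose.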


Document information

  • More support for: Tivoli Security Information and Event Manager
  • Software version: 2.0
  • Operating system(s): AIX, Linux, Windows
  • Software edition: All Editions
  • Reference #: 1621228
  • Modified date: 2012-12-30
