lsevent Command

Purpose

Lists event-monitoring information from the audit log.

Syntax

To list events from the audit log:

lsevent [ -O entries ] [ -B MMddhhmmyyyy ] [ -E MMddhhmmyyyy ] [ -e a │ r │ b ] [-i] [ -a │ n node1[,node2…] ] [ -w event_node ] [-h] [-TV]

To list responses from the audit log:

lsevent -r [ -O entries ] [ -B MMddhhmmyyyy ] [ -E MMddhhmmyyyy ] [ -e { a │ r │ b │ e │ A } … ] [-i] [ -a │ n node1[,node2…] ] [-h] [-TV] [ response [response…] ]

To list events for a condition from the audit log:

lsevent [ -O entries ] [ -B MMddhhmmyyyy ] [ -E MMddhhmmyyyy ] [ -e a │ r │ b ] [-i] [ -a │ n node1[,node2…] ] [ -w event_node ] [-h] [-TV] condition

To list responses for a condition from the audit log:

lsevent -R [ -O entries ] [ -B MMddhhmmyyyy ] [ -E MMddhhmmyyyy ] [ -e { a │ r │ b │ e │ A } … ] [-i] [ -a │ n node1[,node2…] ] [ -w event_node ] [-h] [-TV] condition [ response [ response… ] ]

To list events and responses for a condition from the audit log:

lsevent -A [ -O entries ] [ -B MMddhhmmyyyy ] [ -E MMddhhmmyyyy ] [ -e { a │ r │ b │ e │ A } … ] [-i] [ -a │ n node1[,node2…] ] [ -w event_node ] [-h] [-TV] condition [ response [ response… ] ]

Description

The lsevent command lists event-monitoring information from the audit log. The audit log contains information about monitored events or conditions, and responses that were run as a result. This information allows a system administrator to see how events are being processed. The lsevent command lists only the information from the audit log recorded by RSCT event response resource manager (ERRM). By using lsevent, you can list audit log information without knowing detailed information about ERRM audit log templates, as you would need using the lsaudrec command.

By default, without using options and operands, the lsevent command lists the events that are recorded in the audit log. These events describe the monitored events that occurred. To list the events for a particular condition, specify the condition name.

Response information can be listed separately or with the event information. Responses are run based on a condition or event occurring. Information about a response includes when it was run, what the response script was, the return code, the expected return code, standard error output, and standard output. To see standard output and the expected return code, the response resource must be defined to record it by mkresponse or chresponse. To list only response information, use the -r flag. You can optionally specify one or more response names to limit the number of responses listed.

To list event information and response information for a condition, you can use the -R and -A flags with a condition name. Without -R and -A, when a condition is specified, the events for the condition are listed. Specify -R to list the responses for the condition. You can specify one or more response names to limit the output to those responses. Specify -A to list the events and the responses. You can specify one or more response names to limit the response output for -A as well. If a condition and at least one response are specified without specifying the -R, -A, or -r flags, -R is assumed.

The type of event listed can be controlled using the -e flag. You can list events, rearm events, and error events for a condition. The -w flag can be used to list events that occurred on a particular node. The -w flag has meaning when it is used in listing events. Status information is displayed when the -i flag is specified. When listing conditions, the status information includes showing when the condition was registered and unregistered, and when event errors occur. For response information, the status information shows that a response is about to run.

Use the -B and -E flags if you need to specify a time to limit the command output. By default, lsevent lists all audit log entries according to the flags specified, but you can specify a beginning time or an ending time if you are interested in a certain period. The time format is described below. The -O flag is used to limit the search of the audit log to the most recent records. The value used with the -O flag determines how many of the most recent records are searched for the other lsevent criteria specified. For example, using lsevent -O 1000 causes lsevent to search the most recent 1000 records in the audit log for events. If -a or -n is used, -O cannot be used.

If Cluster Systems Management (CSM) is installed on your system, you can use CSM defined node groups as node name values to refer to more than one node. For information about working with CSM node groups and using the CSM nodegrp command, see the CSM: Administration Guide and the CSM: Command and Technical Reference.

Parameters

condition: Specifies the name of a condition for which audit log information is listed.
response: Specifies the name of a response for which audit log information is listed.

Flags

-a

Specifies that the lsevent command retrieves audit log information from all of the nodes in the cluster. The CT_MANAGEMENT_SCOPE environment variable determines the scope of the cluster. If CT_MANAGEMENT_SCOPE is not set, management domain scope is chosen first (if a management domain exists), peer domain scope is chosen next (if a peer domain exists), and then local scope is chosen, until the scope is valid for the command. The command runs once for the first valid scope it finds. For example, if a management domain and a peer domain both exist and CT_MANAGEMENT_SCOPE is not set, this command applies to the management domain. If you want this command to apply to the peer domain, set CT_MANAGEMENT_SCOPE to 2.

-A

Specifies that event and response information for a condition is to be listed.

-B MMddhhmmyyyy

Specifies to list the audit log entries beginning at the time indicated. This time indicates when the audit log entry was created. Time stamps are in the form MMddhhmmyyyy, where MM is the two-digit month (01-12), dd is the two-digit day (01-31), hh is the two-digit hour (00-23), mm is the two-digit minute (00-59), and yyyy is the four-digit year. The time can be truncated from right to left, except for MM. If not all digits are specified, the year defaults to the current year, minutes to 0, hour to 0, and day to 01. At a minimum, the month must be specified.

-e a │ r │ b │ e │ A

Specifies the type of event to list from the audit log. The following parameters can be specified along with the -e flag:

a: Lists events from conditions. It is the default setting.
r: Lists rearm events from conditions.
b: List events and rearm events from conditions.
e: Lists response information that is triggered by error events. This setting is meaningful only when -r, -R, or -A is specified.
A: Lists all types of events (events, rearm events, and error events).

More than one event type can be specified, for example: -e ae.

If the -e flag is specified with the -r or -R flags, the response log entry for the batch-enabled condition is always displayed because the batched events file can contain all type of events.

-E MMddhhmmyyyy

Specifies to list the audit log entries up to or ending at the time indicated. This time indicates when the audit log entry was created. Time stamps are in the form MMddhhmmyyyy, where MM is the two-digit month (01-12), dd is the two-digit day (01-31), hh is the two-digit hour (00-23), mm is the two-digit minute (00-59), and yyyy is the four-digit year. The time can be truncated from right to left, except for MM. If not all digits are specified, the year defaults to the current year, minutes to 0, hour to 0, and day to 01. At a minimum, the month must be specified.

-i

Specifies that status information for a condition or response is to be listed. The status information includes information about event registration, event errors, and responses about to be run.

n node1[,node2…]

Specifies the node or nodes from which the audit log information is to be retrieved. If node is not specified, the local node is used. node is a node within the scope determined by the CT_MANAGEMENT_SCOPE environment variable.

-O entries

Specifies that only the latest entries in the audit log are searched for information. entries determines how many of the most recent records are search for the other lsevent criteria specified. For example, using -O 1000 causes the lsevent command to search the most recent 1000 records in the audit log for events.

-r

Specifies that all command parameters are response names and that response information is to be returned for the responses specified. There are no condition names in the parameter list. If no response names are specified, then information is listed for all responses.

-R

Specifies that only the response information for a condition is to be listed.

-w event_node

Specifies the node on which the event occurred. This flag is only meaningful in listing events.

-h

Writes this command usage statement to standard output.

-T

Writes the command trace messages to standard error. For your software service organization use only.

-V

Writes the command verbose messages to standard output.

Environment variables

CT_CONTACT

Determines the system where the session with the resource monitoring and control (RMC) daemon occurs. When CT_CONTACT is set to a host name or IP address, the command contacts the RMC daemon on the specified host. If CT_CONTACT is not set, the command contacts the RMC daemon on the local system where the command is being run. The target of the RMC daemon session and the management scope determine the resource classes or resources that are processed.

CT_IP_AUTHENT

When the CT_IP_AUTHENT environment variable exists, the RMC daemon uses IP-based network authentication to contact the RMC daemon on the system that is specified by the IP address to which the CT_CONTACT environment variable is set. CT_IP_AUTHENT only has meaning if CT_CONTACT is set to an IP address; it does not rely on the domain name system (DNS) service.

CT_MANAGEMENT_SCOPE

Determines the management scope that is used for the session with the RMC daemon in processing the resources of the event-response resource manager (ERRM). The management scope determines the set of possible target nodes where the resources can be processed. The valid values are:

0: Specifies local scope.
1: Specifies local scope.
2: Specifies peer domain scope.
3: Specifies management domain scope.

If this environment variable is not set, local scope is used.

Standard output

When the -h flag is specified, this command usage statement is written to standard output.

Standard error

All trace messages are written to standard error.

Exit status

0: The command ran successfully.
1: An error occurred with RMC.
2: An error occurred with a command-line interface script.
3: An incorrect flag was entered on the command line.
4: An incorrect parameter was entered on the command line.
5: An error occurred that was based on incorrect command-line input.

Restrictions

If you are using the lsevent command, you must have read access to the ERRM audit log resource on each node from which records are to be listed.

Authorization is controlled by the RMC access control list (ACL) file that exists on each node.

Implementation specifics

This command is part of the rsct.core fileset for the AIX® operating system and rsct.core-v.r.m.s-0.platform.rpm package for the Linux®, Solaris, and Windows platforms, where platform is i386, ppc, ppc64, s390, or x86_64.

Location

/opt/rsct/bin/lsevent

Examples

To list the information for events that occurred, enter:
```
lsevent
```
To list the event information for a condition named Condition1, enter:
```
lsevent Condition1
```
To list the event response information, enter:
```
lsevent -r
```
To list the event response information for a response named Response1, enter:
```
lsevent -r Response1
```
To view the output of the event response named Response1, which is defined to save its output, enter:
```
lsevent -r Response1
```
To see the events found in the latest 1000 audit log records, enter:
```
lsevent -O 1000
```
To list the rearm event information for a condition named Condition1, enter:
```
lsevent -e r Condition1
```