The audit log contains one line per entry. Each entry consists of multiple tab-delimited fields. The first N fields have a fixed meaning and order; additional fields follow in a “tag=value” format. Which tagged fields are present depends on the action being logged, since different actions have different additional data available. For example, for an “invoke”, the tag “oper” indicates the operation being invoked.
The order of the tab-delimited fields in an entry is:
date login ID ClientDescription pid IP user@host action [tag1=value [tag2=value […]]]
Example:
2010/03/25 12:52:21 +442ms admin 2 dmctl 23168 127.0.0.1 [email protected] createInstance object=MyClass::MyInstance
The meaning of the fixed fields:
- Date — The date and time at which the event occurred, formatted according to the setting of SM_DATETIME_FORMAT.
- ID — The client identification number for this session.
- Login — The login identifier used to authenticate to the domain.
- Client Description — Information on the kind of client, e.g. dmctl, console, etc. This information is self-reported by the client as it cannot be independently verified. A malicious user could conceivably forge this information.
- PID — The process ID of the client on the system where the connection originated. This information is self-reported by the client as it cannot be independently verified. A malicious user could conceivably forge this information.
- IP — The network address of the system from which the connection originated. This is obtained from the network stack. Due to the presence of NAT or other factors, it may not reflect the actual IP of the client system.
- User — The OS login name of the user on the system where the connection originated. This information is self-reported by the client as it cannot be independently verified. A malicious user could conceivably forge this information.
- Host — The hostname of the system where the connection originated. This name is self-reported by the client and is subject to forgery. If there is any doubt, perform a reverse lookup on the IP provided instead. This field is provided as it may allow identification of individual clients behind a NAT, while a reverse lookup of the IP would resolve to a single router.
- Action — The API operation called by the client. Most commonly, “put”, “create”, “delete”, or “invoke”.
The defined actions include the following. New actions may be added in the future. Many actions are read-only and so would not normally appear in the audit log; they are not listed here. Not all of the actions listed will be commonly seen.
- consistencyUpdate — Requests that the codebook be recomputed.
- correlate — Causes the domain manager to begin a correlation.
- create — Create a new object instance in the domain. Tagged values include “object”, the class name and instance name of the object to create.
- delete — Delete the object with the given name. Tagged values include “object”, the object to be deleted.
- exec — Causes the domain to execute a program object (.po). Tagged values include “program”.
- insert — Add a new value to a table of an object. Tagged values include “attribute”, which identifies the object and attribute to be affected, and “value”, the desired new value.
- invoke — Invoke a model operation. If an operation can be determined to be read-only, it will not be logged. Tagged values include “object”, the name of the object on which to invoke the operation, “oper”, the name of the operation, and “args”, the list of argument values.
- loadLibrary — Requests that the domain manager load a shared library, such as one containing a compiled model. Tagged values include “library”.
- loadProgram — Request to load a program object (.po) into the domain. Tagged values include “program”.
- put — Set an attribute of an object. Tagged values include “attribute”, which identifies the object and attribute to be affected, and “value”, the desired new value.
- remove — Remove a value from a table of an object. Tagged values include “attribute”, which identifies the object and attribute to be affected, and “value”, the value to be removed.
- removeByKey — Remove a value from a table of an object. Tagged values include “attribute”, which identifies the object and attribute to be affected, and “key”, the key of the value to be removed.
- restore — Restore object instances from a file. Tagged values include “filename”, the file to restore from.
- save — Store the repository to a file. Tagged values include “filename”, the file the objects will be stored in, and “class” if the request was to save a subset of instances by class.
- shutdown — Requests that the domain manager shut down.
- transactionAbort — Stop a previously started repository transaction.
- transactionCommit — Commit a previously started repository transaction.
- transactionStart — Start a repository transaction.
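A parser for the entry format described above, which also separates out the fields this page identifies as self-reported by the client, so that a review tool can display them as unverified. This is an added example, not code from the product or its documentation; the names `AuditEntry`, `parse_entry` and `unverified` are hypothetical, and the sample line's values are constructed.

```python
from dataclasses import dataclass, field

# Fixed fields in the order the page gives them; user@host is split afterwards.
FIXED = ("date", "login", "id", "client", "pid", "ip", "user_host", "action")
# Fields the page says are self-reported by the client and therefore forgeable.
SELF_REPORTED = ("client", "pid", "user", "host")


@dataclass
class AuditEntry:
    date: str      # kept as text: its layout depends on SM_DATETIME_FORMAT
    login: str
    id: str
    client: str
    pid: str
    ip: str
    user: str
    host: str
    action: str
    tags: dict = field(default_factory=dict)
    untagged: list = field(default_factory=list)   # extra fields without "="

    def unverified(self):
        """Return only the client-supplied fields, to be shown as untrusted."""
        return {name: getattr(self, name) for name in SELF_REPORTED}


def parse_entry(line):
    """Parse one tab-delimited audit log line into an AuditEntry."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < len(FIXED):
        raise ValueError(f"expected at least {len(FIXED)} fields, got {len(parts)}")
    fixed = dict(zip(FIXED, parts))
    # Split on the last "@": the user part is client-supplied and may contain one.
    user, _, host = fixed.pop("user_host").rpartition("@")
    entry = AuditEntry(user=user, host=host, **fixed)
    for extra in parts[len(FIXED):]:
        tag, sep, value = extra.partition("=")   # a value may itself contain "="
        if sep:
            entry.tags[tag] = value
        else:
            entry.untagged.append(extra)
    return entry


# Constructed sample line (all values invented for illustration).
SAMPLE = "\t".join(["2010/03/25 12:52:21 +442ms", "admin", "2", "dmctl", "23168",
                    "127.0.0.1", "jdoe@nms01.example.test", "invoke",
                    "object=MyClass::MyInstance", "oper=myOperation", "args=x=1"])
```

The date is deliberately left unparsed because its layout follows SM_DATETIME_FORMAT, which the parser cannot know from the log alone.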