About Event Monitoring

An event is any significant occurrence in the system (or in an application). Some critical events are noted in on-screen messages. An event that does not require immediate attention is noted in an event log. Event logging starts automatically every time you start the SunLink Server program. With an event log displayed by the SunLink Server Manager tool, you can troubleshoot various problems and monitor SunLink Server security events.

SunLink Server software records events in the following types of logs:

System and application logs can be viewed by all users; security logs are accessible only to system administrators.

Interpreting an Event

Event logs consist of a header, a description of the event (based on the event type), and additional data. Most security log entries consist of the header and a description.

SunLink Server Manager displays events from each log separately. Each line shows information about one event, including date, time, source, category, Event ID, user account, and computer name.

Event Header

An event header contains the following information:

Information: Meaning

Date: The date the event occurred.

Time: The time the event occurred.

User: The user name of the user on whose behalf the event occurred. If the event is not logged by a user, then the Security ID of the logging entity is displayed.

Computer: The name of the computer on which the event occurred.

Event ID: A number identifying the particular event type. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the log service is started. The first line of the description of such an event is "The Event log service was started." The Event ID and the Source can be used by product support representatives to troubleshoot system problems.

Source: The software module that logged the event, which can be either an application name or a component of the system or of a large application, such as a service name.

Type: A classification of the event severity: Error, Information, or Warning in the system and application logs; Success Audit or Failure Audit in the security log. In SunLink Server Manager's normal list view, these are represented by symbols.

Category: A classification of the event by the event source. This information is used primarily in the security log.

Event Description

The format and contents of the event description vary, depending on the event type. The description is often the most useful piece of information, indicating what happened or the significance of the event.

Event Types

The SunLink Server Manager logs indicate the event types:

Event Type: Meaning

Error: Significant problems, such as a loss of data or loss of functions. For example, an Error event might be logged if a service was not loaded during SunLink Server startup.

Warning: Events that are not necessarily significant, but that indicate possible future problems. For example, a Warning event might be logged that the server is low on key resources.

Information: Infrequent significant events that describe successful operations of major server services. For example, when a service starts successfully, it might log an Information event.

Success Audit: Audited security access attempts that were successful. For example, a user's successful attempt to log on to the system might be logged as a Success Audit event.

Failure Audit: Audited security access attempts that failed. For example, if a user tried to access a network drive and failed, the attempt might be logged as a Failure Audit event.

Additional Data

The data field contains binary data that can be displayed in bytes or words. This information is generated by the application that was the source of the event record. Because the data appears in hexadecimal format, its meaning can be interpreted only by someone who is familiar with the source application.

Using SunLink Server Manager to View Events

You determine which event log to view by switching between the system, security, and application logs that are available in the "Events" group within SunLink Server Manager.

Selecting a Log

Double-click the appropriate log icon for event viewing. Although the logs for the local computer appear the first time you start SunLink Server Manager, you can choose to view the logs of any SunLink Server computer after you have logged on to it.

Refreshing the View

When you first open a log file, SunLink Server Manager displays the current information for that log. This information is not updated automatically. To see the latest events and to remove overwritten entries, choose the Refresh command from the View item on the menu bar.

Viewing Specific Logged Events

After you select a log to view in SunLink Server Manager, you can perform the following tasks:

Viewing Details About Events

For many events, you can view more information by double-clicking the event.

The Event Detail dialog box shows a text description of the selected event and any available binary data for the selected event. This information is generated by the application that was the source of the event record. Because the data appears in hexadecimal format, its meaning can be interpreted only by someone who is familiar with the source application. Not all events generate such data.

Using Event Logs to Troubleshoot Problems

Careful monitoring of event logs can help you to predict and identify the sources of system problems. Logs also can confirm problems with application software. If an application crashes, an application event log can provide a record of activity leading up to the event.

The following are guidelines for using event logs to diagnose problems:

Monitoring SunLink Server Security Events

You enable auditing from the NT User Manager for Domains Auditing Policy dialog box. Through auditing, you can track SunLink Server security events. You can specify that an audit entry is to be written to the security event log whenever certain actions are performed or files are accessed.

An audit entry shows the activity that occurred, the user who performed the action, and the date and time of the activity. You can audit both successful and failed attempts. The audit trail can show who actually performed actions on the network and who tried to perform actions that are not permitted.

Events are not audited by default. If you have Administrator permission, you can specify which types of system events are audited through the NT User Manager for Domains tool.

The Audit policy determines the amount and type of security logging that SunLink Server software performs. For file and object access, you can specify which files and printers to monitor, which types of file and object access to monitor, and for which users or groups. For example, when File and Object Access auditing is enabled, you can use the Security tab in a file or folder's Properties dialog box (accessed through Explorer) to specify which files are audited and what type of file access is audited for those files.
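The following is an added example, not part of the SunLink Server documentation or software, showing one way to review a security audit trail for repeated Failure Audit entries and for a Success Audit that follows them for the same user. It assumes the events have already been exported as pipe-separated text carrying the header fields described above; that layout, the event IDs, the user names, and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("date", "time", "user", "computer", "event_id", "source", "type", "category")

# Constructed records, one per line, pipe-separated in FIELDS order.
# The layout, IDs and names are assumptions, not real SunLink Server output.
SAMPLE_LOG = """\
1999-03-02|09:14:05|jsmith|SLS1|9001|Security|Failure Audit|Logon
1999-03-02|09:14:09|jsmith|SLS1|9001|Security|Failure Audit|Logon
1999-03-02|09:14:15|jsmith|SLS1|9001|Security|Failure Audit|Logon
1999-03-02|09:14:40|jsmith|SLS1|9000|Security|Success Audit|Logon
1999-03-02|10:02:11|mlee|SLS1|9002|Security|Failure Audit|File and Object Access
1999-03-02|11:30:00|mlee|SLS1|9000|Security|Success Audit|Logon
"""

def parse_events(text):
    """Turn each well-formed line into a dict with a combined timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != len(FIELDS):
            continue  # skip blank or malformed lines rather than guessing
        ev = dict(zip(FIELDS, parts))
        ev["when"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return sorted(events, key=lambda e: e["when"])

def audit_findings(events, threshold=3, window=timedelta(minutes=5)):
    """Report users with >= threshold Failure Audits inside the window, and
    whether a Success Audit for the same user followed within that window."""
    recent = defaultdict(list)  # user -> timestamps of failures still in the window
    findings = {}
    for ev in events:
        user, when = ev["user"], ev["when"]
        if ev["type"] == "Failure Audit":
            recent[user] = [t for t in recent[user] if when - t <= window] + [when]
            if len(recent[user]) >= threshold:
                findings.setdefault(user, {"failures": 0, "success_after": False})
                findings[user]["failures"] = max(findings[user]["failures"], len(recent[user]))
        elif ev["type"] == "Success Audit" and user in findings:
            if recent[user] and when - recent[user][-1] <= window:
                findings[user]["success_after"] = True
    return findings

if __name__ == "__main__":
    for user, finding in audit_findings(parse_events(SAMPLE_LOG)).items():
        print(user, finding)
```

A finding with success_after set is the case to look at first: several failed attempts followed shortly by a successful one for the same account.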

How to Monitor Events

1. Using SunLink Server Manager, log on to, and then open, the SunLink Server system whose event logs you want to view.

For instructions, see How to Log On, Using SunLink Server Manager. To make any changes, you must log on as root.

2. Double-click Events.

The following screen appears:

3. Double-click the name of the log that you want to view.

4. Double-click any line in the log to see more details about the particular event.

For background information about interpreting events, see Interpreting an Event.

How to Monitor Events at the Command Prompt

You can use the SunLink Server elfread command to read system, security, and application logs. This command is especially useful when troubleshooting a SunLink Server system that has failed to start. (Events of this type typically are written to the system log.) The elfread command should be used as a backup to the SunLink Server Manager, which is the recommended method of viewing log files when the server is running.

elfread [-od] logname

Replace logname with one of the following log types: system, security, or application.

To display the log file contents listing the oldest event first, use the -o option. To display detailed information about events, use the -d option.

If no options are specified, a summary of all events in the specified log is displayed in reverse chronological order.

How to View SunLink Server Status

1. Using SunLink Server Manager, log on to, and then open, the SunLink Server system whose status you want to view.

For instructions, see How to Log On, Using SunLink Server Manager. To make any changes, you must log on as root.

2. Double-click Status.

The following screen appears:

The statistics displayed in the Status view are current, though not automatically updated. To update the view with the most recent statistics, choose Refresh from the View menu, or click the Refresh button.