A.3 Managing Event Data

Novell Audit provides several variables that determine which event fields are reported and how the event field data is displayed when logging to the File or Syslog channel in Translated Mode.

The event variables are constructed by specifying a dollar sign ($), followed by a two-character code representing the variable format (F) and event field value (V). For example:

$FV 

The event field variable (V) references a specific field within a logged event. The format variable (F) determines how the data from the event field is displayed.

For example, event field R returns the IP address of the Platform Agent. Using different format variables, the IP address appears as follows:

$XR returns 1B043982

$NR returns 453261698

$iR returns 130.57.4.27

The Argument Builder simplifies the process of defining your event variables. It provides a graphical interface from which you can select which event fields you want to display in the translated log file and how you want the field data to display. Based on your selections, the Argument Builder defines the event schema using the event field and format variables.

The following sections review the event field and format variables and how you can use the Argument Builder to define the event schema:

A.3.1 Event Field Variables (V)

IMPORTANT: Event variables are case sensitive and all variable strings must be preceded by a dollar sign ($).

Table A-5 Event Field Variables

| Variable | Event Field |
|---|---|
| O | Component |
| I | EventID |
| G | GroupID |
| L | Log Level (Severity) |
| R | IP Address |
| C | Client Timestamp |
| A | Server Timestamp |
| S | Text1. NOTE: To use the $S variable in the SMTP Channel object’s Recipient field, this value must be an e-mail address. For more information, see SMTP Channel Object. |
| T | Text2. NOTE: To use the $T variable in the SMTP Channel object’s Recipient field, this value must be an e-mail address. For more information, see SMTP Channel Object. |
| F | Text3. NOTE: To use the $F variable in the SMTP Channel object’s Recipient field, this value must be an e-mail address. For more information, see SMTP Channel Object. |
| 1 | Value1 |
| 2 | Value2 |
| 3 | Value3 |
| M | Mime hint |
| U | Target |
| V | Target Type |
| Y | Sub Target |
| B | Originator |
| H | Originator Type |
| X | Data Size |
| D | Data |
| SE | Description. This variable returns the value of the Notification object’s Description field. The value is unique in that it is not provided by the logging application, but by the Notification object that directed the event to the current Channel driver. The Notification object’s description is sent with the event to the Channel driver. For more information on the Notification object’s Description field, see Section 5.3, Application Object Attributes or Section 7.4, Heartbeat Objects. |

A.3.2 Format Variables (F)

IMPORTANT: Format variables are case sensitive and all variable strings must be preceded by a dollar sign ($).

Table A-6 Format Variables

| Variable | Format | Description |
|---|---|---|
| T | Local Time | Displays the time in the format defined on the local computer (UTC localized). |
| D | Local Date | Displays the date in the format defined on the local computer (UTC localized). |
| N | Numeric Format | Displays the current value in standard numeric format (32-bit unsigned). |
| n | Signed Numeric Format | Displays the current value in standard numeric format (32-bit signed). However, if the value is greater than 2 billion, it is displayed as a negative number. |
| S | String Format | Displays string values. IMPORTANT: This format variable can only be used with the O (Component), S (Text1), T (Text2), F (Text3), D (data), B (Originator), U (Target), and SE (Description) event variables. |
| X | Hexadecimal Number | Displays the current value in hexadecimal format. |
| R | RFC-822 | Displays the current value in RFC-822 format. This variable is used to format time and date values. NOTE: RFC-822 is the Internet standard format for electronic mail message headers. All time values are expressed in UTC. |
| r | RFC-822 local | Displays the current value in RFC-822 format; however, the time and date values are expressed in local time rather than UTC. |
| I | IPv4 Internet Address (network order) | Displays the current value as an IP address. This variable assumes the value is in network byte order. NOTE: By default, Novell Audit stores IP address values in network byte order. |
| i | IPv4 Internet Address (host order) | Displays the current value as an IP address. This variable assumes the value is in host byte order. |
| B | Boolean Yes/No | If the value of the field is 0, this variable returns No. If the value is not 0, this variable returns Yes. |
| b | Boolean True/False | If the value of the field is 0, this variable returns False. If the value is not 0, this variable returns True. |
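The following added example (not Novell Audit code) models the $FV substitution for the X, N, n, i, B, b and S formats, and shows how a log consumer can recover a dotted address from a value that was logged with $XR, $NR or $nR. The function names, the sample event and the byte order used for i (taken from the $iR sample in Section A.3) are assumptions of this example; the time, date and I formats and the SE field are not modelled.

```python
import re

MASK = 0xFFFFFFFF
STRING_FIELDS = set("OSTFDBU")  # fields the page allows with the S format

def dotted_lsb_first(v):
    # Page sample: value 0x1B043982 is shown by $iR as 130.57.4.27,
    # so the least significant byte is printed first.
    return ".".join(str((v >> shift) & 0xFF) for shift in (0, 8, 16, 24))

def signed32(v):
    # The n format: values above 2**31 - 1 are displayed as negative numbers.
    return v - (1 << 32) if v & 0x80000000 else v

FORMATS = {  # case sensitive: N and n are different formats
    "X": lambda v: format(v, "X"),
    "N": str,
    "n": lambda v: str(signed32(v)),
    "i": dotted_lsb_first,
    "B": lambda v: "Yes" if v else "No",
    "b": lambda v: "True" if v else "False",
}

TOKEN = re.compile(r"\$([A-Za-z])([A-Za-z0-9])")

def render(schema, event):
    """Expand $FV tokens in schema using event, a dict keyed by field letter."""
    def expand(match):
        fmt, field = match.groups()
        if field not in event:
            raise ValueError(f"no value for event field {field!r}")
        if fmt == "S":
            if field not in STRING_FIELDS:
                raise ValueError(f"S format is not valid for field {field!r}")
            return str(event[field])
        if fmt not in FORMATS or not isinstance(event[field], int):
            raise ValueError(f"cannot apply format {fmt!r} to field {field!r}")
        return FORMATS[fmt](event[field] & MASK)
    return TOKEN.sub(expand, schema)

def ip_from_logged(token, fmt):
    """Recover the dotted address from a token written with $XR, $NR or $nR."""
    value = int(token, 16) if fmt == "X" else int(token, 10)
    return dotted_lsb_first(value & MASK)

SAMPLE = {"R": 0x1B043982, "L": 7, "S": "login failed"}  # constructed event

if __name__ == "__main__":
    print(render("agent=$iR sev=$NL msg=$SS", SAMPLE))
```

An address whose 32-bit value exceeds 2**31 - 1 is written as a negative number under $nR, so a parser that accepts only unsigned decimals will drop or misread those events.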

A.3.3 Using the Argument Builder to Define Event Schema

The Argument Builder is a tool that simplifies the process of defining the event schema. The event schema determines what event fields are reported and how the event field data is displayed when logging to the File or Syslog channel in Translated Mode.

The Argument Builder provides a graphical interface from which you can select which event fields you want to display in the translated log file and how you want the field data to display. Based on your selections, the Argument Builder defines the event schema using a series of event field and format variables. For information on the event schema syntax, see Section A.3, Managing Event Data.

To define an event’s schema:

  1. Open the Query Options task.

    1. Click the Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Query Options task.

  2. In the Query Options page, click Product Events.

  3. Open the event menu:

    • In the Product Events page, select the logging application to which you want to add an event, click New, then click OK to confirm you want to create a new event.
    • Click the plus icon next to the product name to display the application’s log events, select the event you want to modify, then click Edit.

  4. In the event menu, click the Argument Builder button to open the Argument Builder.

  5. To add a text field to the event schema:

    1. In the Noun frame, select Text, then click Add.

    2. In the Editor frame, specify the text string in the Text field.

    3. In the Noun frame, click Add.

      The new text field appears in the Expression frame.

  6. To add an event field to the event schema:

    1. In the Noun frame, select Event Field, then click Add.

    2. In the Editor frame, select an event field from the Field Name drop-down list.

    3. Select the event field’s associated format from the Field Format drop-down list.

    4. In the Noun frame, click Add.

      The new event field appears in the Expression frame.

  7. To remove an item from the event schema:

    1. In the Expression frame, select the text or event field you want to remove.

    2. Click the Remove Token button in the Expression frame.

      The text or event field is removed from the Expression frame.

  8. To modify the item order in the event schema:

    1. In the Expression frame, select the text or event field you want to move.

    2. Click the Up or Down button in the Expression frame to modify the item order.

  9. When you have completed the event schema definition, click OK to save your changes.

    iManager returns you to the event menu.

    The defined event schema appears in the Schema field as a series of event field and format variables. For information on the event schema syntax, see Section A.3, Managing Event Data.