Open mic activity logging


Page 1: Open mic activity logging

© 2014 IBM Corporation
Powered by IBM SmartCloud Meetings

Exploring IBM Notes/Domino Activity Logging and Activity Trends

Open Mic

Javed Batliwala
Staff Software Engineer

Naresh Luthra
Staff Software Engineer

IBM Collaboration Solutions

Page 2: Open mic activity logging

About Us

- Vinayak Tavargeri - Support Manager – Facilitator for AP Open [email protected]
- Staff Software Engineer, Smart Cloud [email protected]
- Staff Software Engineer, IBM Notes / [email protected]
- Ranjit Rai – Lotus Technical Advisor, Focussing on Entire Notes Domino
- Hansraj Mali – Lotus Technical Advisor, Focussing on Entire Notes Domino
- Jayaval Rajendran – Lotus Technical Advisor, Focussing on Entire Notes Domino

Page 3: Open mic activity logging

Abstract

IBM Domino Server has exceptional functionality and features that fit customers and their business needs. In a professional environment, security cannot be forgotten or compromised.

Domino Server is very robust and has a very high level of security. It captures different types of logs if it has been configured properly. In day-to-day activities, administrators may find it difficult to extract information such as the IP address of the system from which a particular Notes database or mail file was accessed, internal mail routing session/IP details, or unused mail databases. So let's come together for the session on Activity Logging and Activity Trends. What are the best practices for using Activity Logging and Trends?

When should you use them and when not? What information will you find in them? Should I enable them on all servers or only one server? We will provide answers to all those queries.

In this session, it is our sincere effort to enable our end customers to be more effective and confident in managing and securing their Notes/Domino environment.

Page 4: Open mic activity logging

Agenda

- Activity Logging and Activity Trends
- How to configure Activity Logging
- Working with Activity Trends
- Analyzing Activity Logging Data
- User Activity Logging for a Database
- Test Cases: a) Mail b) Notes DB c) Notes session
- Troubleshooting
- References
- Q&A

Page 5: Open mic activity logging

Activity Logging

Server tasks provide enhanced activity data

Activity data stream written to the server log (log.nsf)

Controlled via server configuration document

API provided to access the activity data stream

Page 6: Open mic activity logging

How to configure Activity Logging

How to check whether the Activity Logging feature is enabled or disabled:
- Type the console command “show server” on the Domino console. The output shows whether the Activity Logging feature is Enabled / Not Enabled.

You configure activity logging by editing the Configuration Settings document.
- From the Domino Administrator, click the Configuration tab.
- In the Task pane, expand Server and click Configurations.
- In the Results pane, select the Configuration Settings document you want, and click Edit Configuration.

Page 7: Open mic activity logging

How to configure Activity Logging (cont')

- On the Configuration Settings document, click the Activity Logging tab.
- Select “Activity logging is enabled.”
- In the “Enabled logging types” field, select the types of activity you want to log.
- (Optional) To increase or decrease the frequency of creating Checkpoint records, change the checkpoint interval.
- (Optional) To automatically create Notes session and Notes database Checkpoint records every day at midnight, select “Log checkpoint at midnight.”
- (Optional) To automatically create Notes session and Notes database Checkpoint records every day at the beginning and end of a specific time period, select “Log checkpoints for prime shift” and then specify the times for the Prime shift interval.
- Click Save & Close.
- (Optional) If you are logging activity for LDAP Add and Modify operations and want to change the amount of information logged in the Attributes field from the default of 4096 bytes, follow the steps in the topic “Limiting the amount of attribute information logged for LDAP Add and LDAP Modify activity.”

Page 8: Open mic activity logging

How to configure Activity Logging (cont')

Page 9: Open mic activity logging

Checkpoint

The records in the log file keep track of all activity generated. Domino creates different types of records for each type of activity. For some types of activity, Domino creates multiple records during a session; for other types of activity, Domino creates a single record.

For types of activity that could require long sessions to complete, Domino generates an Open or Authorization record when a session begins. This record indicates that a session is open and shows the time at which the session began. During the session, Domino generates Checkpoint records, which log all activity that has occurred so far during the session.

Domino creates Checkpoint records for the following types of activity: IMAP, Notes session, Notes database, Notes passthru, POP3, and SMTP.

Checkpoint records are cumulative; each one contains all of the activity that was logged to that point during the open session. By default, Domino creates a Checkpoint record the first time there is activity after a 15 minute waiting period.
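Because Checkpoint records are cumulative, per-session totals have to come from the latest record of each session, not from a sum over all of its records. The following is an added example, not code from the slides; the record layout and field names (session_id, record_type, time, bytes_read) are hypothetical, the sample records are constructed, and it assumes a Close record carries the final totals.

```python
from datetime import datetime

# Constructed sample records; field names are hypothetical, not Domino's own.
RECORDS = [
    {"session_id": "A1", "record_type": "Open",       "time": "2014-03-10 09:00", "bytes_read": 0},
    {"session_id": "A1", "record_type": "Checkpoint", "time": "2014-03-10 09:15", "bytes_read": 4000},
    {"session_id": "A1", "record_type": "Checkpoint", "time": "2014-03-10 09:30", "bytes_read": 9500},
    {"session_id": "A1", "record_type": "Close",      "time": "2014-03-10 09:42", "bytes_read": 12000},
    {"session_id": "B2", "record_type": "Open",       "time": "2014-03-10 10:00", "bytes_read": 0},
    {"session_id": "B2", "record_type": "Checkpoint", "time": "2014-03-10 10:15", "bytes_read": 700},
]

def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M")

def session_totals(records):
    """Return {session_id: summary}, reading totals from the latest record only."""
    by_session = {}
    for rec in records:
        by_session.setdefault(rec["session_id"], []).append(rec)
    totals = {}
    for sid, recs in by_session.items():
        recs.sort(key=_ts)
        first, last = recs[0], recs[-1]
        totals[sid] = {
            # Cumulative counters: the newest record already includes the older ones.
            "bytes_read": last["bytes_read"],
            "duration_min": int((_ts(last) - _ts(first)).total_seconds() // 60),
            # A session with no Close record is still open (or the log was cut off).
            "closed": last["record_type"] == "Close",
            # Counters that ever decrease point to mixed-up sessions or bad input.
            "cumulative_ok": all(a["bytes_read"] <= b["bytes_read"]
                                 for a, b in zip(recs, recs[1:])),
        }
    return totals

def naive_sum(records, sid):
    """The mistake to avoid: adding every record of a session double-counts traffic."""
    return sum(r["bytes_read"] for r in records if r["session_id"] == sid)

if __name__ == "__main__":
    for sid, summary in session_totals(RECORDS).items():
        print(sid, summary, "naive sum:", naive_sum(RECORDS, sid))
```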

Page 10: Open mic activity logging

Activity logging records

Activity type: Agent
What this logs:
- Domino server-based agents that run successfully.
- Records the name of the agent, the name of the database that contains the agent, the amount of time it took to run the agent, and the name of the person who last saved the agent.
- Note: The record does not show the types of activities the agent performs, Agent which run on web server

Activity type: HTTP
What this logs:
- Name of the Web server
- Name of the user accessing the Web server
- The URL the user clicked
- The number of bytes returned
- Time to process the request
- HTTP status code

Activity type: IMAP
What this logs:
- Tracks IMAP session activity such as user name, server name, the IP address, number of bytes the client sent and read from the server, and the duration of the session.
- Types of records for IMAP sessions: Authorization records, Checkpoint records, Closed records

Page 11: Open mic activity logging

Activity logging records (cont')

Activity type: LDAP
What this logs:
- Records information about every LDAP request.
- Each LDAP request has a different structure, so Domino generates a different activity logging record for each type.
- Types of requests are Abandon, Add, Bind, Compare, Delete, Modify, Extended, ModifyDN, Search, Unbind.

Activity type: Mail
What this logs:
- Tracks mail that is sent from and received by a server.
- Records the name of the server that created the record, the originator and recipient of the message, the message ID, the preceding and the next hop on the delivery route, and the size of the message.
- Types of activity records are Deposit, Delivery, Delivery failure, Transfer, Transfer failure.

Activity type: Notes Database
What this logs:
- Tracks Notes database activity that occurs during the server session.
- Name of the database, name and address of the database user, number of documents read and written, the number of bytes read and written, total number of transactions executed in the database, length of time the database was opened.
- Types of records are Open records, Checkpoint records, Close records, ClosedEnd records, mailDeposit records.

Page 12: Open mic activity logging

The information in the log file (cont')

Activity type: Notes Passthru
What this logs:
- Tracks activity that is generated by a client or a server through a passthru connection.
- Information such as the number of bytes sent and received, the number of documents read and written, the number of transactions executed, and the duration of the passthru session.
- Types of activity records are Open records, Checkpoint records, and Close records.

Activity type: Notes Session
What this logs:
- Tracks network traffic that occurs during a server session with a Notes client or with another Domino server acting as a client.
- Records include such information as the name and network address of the session user, the number of documents read and written, the number of bytes read and written, the total number of transactions executed during the session, and the duration of the session.
- Servers, users, and API programs can all generate session activity.

Page 13: Open mic activity logging

Activity logging records (cont')

Activity type: POP3
What this logs:
- The name of the user
- The IP address of the client
- The number of bytes the client sends to and reads from the server
- The number of messages sent to the client
- The number of messages deleted from the client
- The duration of the session
- Types of records are Authorization records, Checkpoint records, Close records.

Activity type: Replica
What this logs:
- The names of the source and destination servers
- The replica ID of the database
- The number of bytes replicated in each direction

Activity type: SMTP
What this logs:
- Records information such as the IP address of the connected client
- The number of messages the client sends to the server
- The number of bytes the client sends to and receives from the server
- The number of recipients to whom messages are sent
- The duration of the session

Page 14: Open mic activity logging

Activity Trends

- Core Domino functionality
- Trend user activity
  - Identity (Person or DB)
  - Database
  - Access Protocol
- Statistic for
  - Current Observation
  - Historical Trends
  - Load on Server
- Store it in Activity.nsf

Data Flow

Page 15: Open mic activity logging

Working with Activity Trends

Page 16: Open mic activity logging

Working with Activity Trends

Page 17: Open mic activity logging

Working with Activity Trends

Page 18: Open mic activity logging

Working with Activity Trends

Page 19: Open mic activity logging

Resource Balancing

Page 20: Open mic activity logging

Running activity analysis

- In the Domino Administrator, make the server on which you want to run activity analysis current.
- Click the Server - Analysis tab.
- In the Tools pane, expand Analyze, and then click Activity.

Page 21: Open mic activity logging

Running activity analysis (cont')

- Do one of the following to select the types of activity you want to log:
  - To log all the types of activity, skip this step. By default, all activity types are selected.
  - To deselect a type of activity to log, click the activity type in the “Selected types of activity” pane, and then click Remove. To deselect all the types of activity, click Remove All.
  - To select a type of activity to log, click the activity type in the “Select server activity types to search for” pane, and then click Add. To add all the types of activity, click Add All.
- Choose the starting and ending dates and times of the activity you want to view.
- (Optional) To write the analysis results to a database other than the Log Analysis database, click Results Database and specify a different database. Then click OK.

Page 22: Open mic activity logging

Viewing the data in the Log Analysis database

- If the Log Analysis database is not already open, do the following:
  - On your local computer, choose File - Database - Open.
  - Select the Log Analysis database, and then click Open. (By default, the database title is “Log Analysis” and the file name is LOGA4.NSF.)
- In the Task pane, expand Server Activity, and then click the view for the type of activity you want to view.
- (Optional) In the Results pane, double-click the record you want to view.

Page 23: Open mic activity logging

Test Case – Track the IP Address of mail

In the example below, we capture the IP address of the sender machine from which the email was generated.

- Perform the Activity analysis for the date you want to track the email.
- Click on Mail → Deposited (the sender is “Test User21/Training”, who has sent the email to “Test User22/Training”).
- Locate the email, as we need the Session ID to get the IP Address.

Page 24: Open mic activity logging

Test Case – Track the IP Address of mail (cont')

- You can also verify the Message ID from the console.log to confirm that it is the same email.
- Once you have the Session ID, click on Notes → Session and search for the document with that Session ID.
- It will return the result if the document is found.

Page 25: Open mic activity logging

Test Case – Track the IP Address of mail (cont')

- The Client Address field gives the IP Address of the machine from which the email was generated.
- It gives some additional information, such as which database was used to send the email, bytes transferred, etc.

Page 26: Open mic activity logging

Test Case – Track the IP Address of database

In an organization, generic IDs may be configured on multiple machines, and we may want to track from which IP addresses a particular database has been accessed, whether through its own ID file or through access delegation.

The basic purpose is to capture all the IP addresses from which a particular database has been accessed.

- Run the Activity Analysis for the date you want to capture.
- From the Activity Analysis result database, go to Notes → Database.

Page 27: Open mic activity logging

Test Case – Track the IP Address of database (cont')

- Capture the Session ID.
- Go to Notes → Session. Search for the document using the Session ID.

Page 28: Open mic activity logging

Test Case – Track the IP Address of database (cont')

- The Client Address field gives the IP Address of the machine from which the database was accessed.
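Both test cases above are the same lookup: take the Session ID from a Mail → Deposited or Notes → Database record and resolve it against the Notes → Session records to read the Client Address. The following is an added example, not code from the slides; the rows are constructed stand-ins for Log Analysis documents and every field name is hypothetical.

```python
# Constructed sample rows standing in for Log Analysis documents.
# Field names are hypothetical; map them to the fields in your results database.
MAIL_DEPOSITED = [
    {"message_id": "OF0000AAAA.EXAMPLE", "originator": "Test User21/Training",
     "recipient": "Test User22/Training", "session_id": "S-1001"},
]
NOTES_DATABASE = [
    {"database": "mail/shared.nsf", "user": "Generic ID/Training", "session_id": "S-2001"},
    {"database": "mail/shared.nsf", "user": "Generic ID/Training", "session_id": "S-2002"},
    {"database": "mail/shared.nsf", "user": "Test User21/Training", "session_id": "S-1001"},
    {"database": "apps/hr.nsf", "user": "Generic ID/Training", "session_id": "S-2003"},
]
NOTES_SESSION = [
    {"session_id": "S-1001", "user": "Test User21/Training", "client_address": "192.0.2.21"},
    {"session_id": "S-2001", "user": "Generic ID/Training", "client_address": "192.0.2.40"},
    {"session_id": "S-2002", "user": "Generic ID/Training", "client_address": "192.0.2.41"},
    # S-2003 deliberately has no session record in the analysed window.
]

def index_sessions(sessions):
    """Map Session ID -> session record for constant-time lookups."""
    return {s["session_id"]: s for s in sessions}

def sender_address(message_id, mail, sessions):
    """Mail test case: Message ID -> Session ID -> Client Address (None if unresolved)."""
    idx = index_sessions(sessions)
    for rec in mail:
        if rec["message_id"] == message_id:
            sess = idx.get(rec["session_id"])
            return sess["client_address"] if sess else None
    return None

def addresses_for_database(database, db_records, sessions):
    """Database test case: every Client Address that opened `database`, with the users seen."""
    idx = index_sessions(sessions)
    found, unresolved = {}, []
    for rec in db_records:
        if rec["database"] != database:
            continue
        sess = idx.get(rec["session_id"])
        if sess is None:
            # Keep the gap visible instead of silently dropping the access.
            unresolved.append(rec["session_id"])
        else:
            found.setdefault(sess["client_address"], set()).add(rec["user"])
    return found, unresolved

if __name__ == "__main__":
    print(sender_address("OF0000AAAA.EXAMPLE", MAIL_DEPOSITED, NOTES_SESSION))
    print(addresses_for_database("mail/shared.nsf", NOTES_DATABASE, NOTES_SESSION))
    print(addresses_for_database("apps/hr.nsf", NOTES_DATABASE, NOTES_SESSION))
```

A Session ID that does not resolve usually means the analysis window did not cover the start of that session, so widen the dates before concluding the address is unknown.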

Page 29: Open mic activity logging

User Activity Logging for a Database

By default, Domino logs user activity for a database in each database.

However, user activity logging is a great tool for monitoring unauthorized access to certain data, so you should maintain it on vital application data.

To access user activity logging, open the database properties, select the Information tab, and then click the "User Detail" button.

Note: ODS 48 has an additional column for deletes.

Page 30: Open mic activity logging

Last Active Databases

To find the last active database, open Activity.nsf → Databases → Inactivity; it will list all the databases.

Page 31: Open mic activity logging

Troubleshooting

Since enabling Activity Logging and setting up Activity Trends, the size of your server's log.nsf is 3 to 4 times larger than before. How can you reduce the size of the log when activity trends are being collected?

The overall purge interval for log.nsf is determined by the third number in the notes.ini variable "log=log.nsf, 1, 0,7,40000". You can set a purge interval specifically for activity trends data by appending a number to the end of this value.

For example, if you want to purge activity trends documents not modified after two days, you would set the variable to:

log=log.nsf, 1, 0,7,40000 ,2

Note: The activity trends purge value can be set to 1 through 6. The default purge for the overall log.nsf is 7 days.
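To check the setting across several servers, the log= line can be parsed and the trailing activity trends value validated against the 1 through 6 range given above. The following is an added example, not code from the slides; the dictionary keys are labels chosen for this example and the sample notes.ini text is constructed.

```python
# Constructed notes.ini excerpt; only the log= line matters here.
SAMPLE_INI = """[Notes]
Directory=/local/notesdata
log=log.nsf, 1, 0,7,40000 ,2
"""

def parse_log_setting(line):
    """Parse a notes.ini 'log=' line.

    Per the slide, the third number is the overall purge interval in days and
    an optional trailing number is the activity trends purge interval.
    The key names in the returned dict are labels chosen for this example.
    """
    key, sep, value = line.partition("=")
    if not sep or key.strip().lower() != "log":
        raise ValueError("not a log= setting")
    parts = [p.strip() for p in value.split(",")]
    if len(parts) not in (5, 6):
        raise ValueError("expected 5 or 6 comma-separated values, got %d" % len(parts))
    return {
        "file": parts[0],
        "purge_days": int(parts[3]),
        "activity_purge_days": int(parts[5]) if len(parts) == 6 else None,
    }

def audit_notes_ini(text):
    """Return (setting, problems) for the first log= line found in notes.ini text."""
    for line in text.splitlines():
        if line.strip().lower().startswith("log="):
            setting = parse_log_setting(line)
            problems = []
            activity = setting["activity_purge_days"]
            if activity is not None and not 1 <= activity <= 6:
                problems.append("activity trends purge value must be 1 through 6")
            return setting, problems
    return None, ["no log= setting found"]

if __name__ == "__main__":
    print(audit_notes_ini(SAMPLE_INI))
```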

Page 32: Open mic activity logging

Troubleshooting

Since enabling Activity Logging and setting up Activity Trends, the size of your server's activity.nsf will grow. To control the size of activity.nsf, use the retention option.

By default, it stores the data for 10 days.

To customize the number of days, un-check the default option and set the days option.

Page 33: Open mic activity logging

Troubleshooting

Title: User activity logging is automatically reenabled after being disabled
Doc #: 1096282
URL: http://www.ibm.com/support/docview.wss?uid=swg21096282

Title: Examples of events that trigger Read/Write entries in the User Activity log for a database
Doc #: 1096117
URL: http://www.ibm.com/support/docview.wss?uid=swg21096117

Title: How to reduce log file size when activity trends are being collected
Doc #: 1230016
URL: http://www.ibm.com/support/docview.wss?uid=swg21230016

Title: STATLOG does not display all databases in Database Size view
Doc #: 1285394
URL: http://www.ibm.com/support/docview.wss?uid=swg21285394

Page 34: Open mic activity logging

References

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/activity-logging-and-activity-trends

Activity Logging
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/H_BILLING_OVERVIEW_7158_OVERVIEW.html

Activity Trends
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/H_TIVOLI_ACTIVITY_TRENDS_STEPS.html

Page 35: Open mic activity logging

Thank you

Q & A

Visit our Support Technical Exchange page or our Facebook page for details on future events.

To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/BdxqB2

IBM Collaboration Solutions Support page
http://www.facebook.com/IBMLotusSupport

ICS Support
http://twitter.com/IBM_ICSSupport