with ibm corp....chapter 2. structured logs ... the file naming conventions ar e nfsfiler.log ,...

IBM Cloud Object Storage System™

Version 3.14.3

Log File Reference

IBM

This edition applies to IBM Cloud Object Storage System™ and is valid until replaced by new editions.

© Copyright IBM Corporation 2016, 2019.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.

Contents

Chapter 1. Overview . . . . . . . . . 1

Chapter 2. Structured logs . . . . . . . 3Access log specification . . . . . . . . . . . 3

Applicable devices . . . . . . . . . . . 3Location and file naming convention . . . . . 3Log format . . . . . . . . . . . . . . 3HTTP access log entry fields . . . . . . . . 3HTTP request latency statistics . . . . . . . 9Container or vault retention configuration(bucket_protection) log entry fields . . . . . 11Object protection (object_protection) log entryfields . . . . . . . . . . . . . . . 12Cloud IAM (cloud_iam) log entry fields . . . . 13Key Protect (sse_kp) log entry fields . . . . . 14Storage-account usage access log entry fields . . 15Container-usage access log entry fields . . . . 15Mirror Access log entry fields . . . . . . . 17Operation codes . . . . . . . . . . . . 18Error message access log entry . . . . . . . 21Rotation policy . . . . . . . . . . . . 22

Purge policy . . . . . . . . . . . . . 22**** MISSING FILE **** . . . . . . . . . 22

HTTP log specifications . . . . . . . . . . 22Accesser Device location and file namingconvention . . . . . . . . . . . . . 22Log file format . . . . . . . . . . . . 23

Manager log specification. . . . . . . . . . 26Applicable devices . . . . . . . . . . . 26Location and file naming convention . . . . . 26Log format . . . . . . . . . . . . . 26

Chapter 3. Unstructured logs . . . . . 29

Chapter 4. Special notes . . . . . . . 33

Notices . . . . . . . . . . . . . . 35

Trademarks. . . . . . . . . . . . . 37

Homologation statement . . . . . . . 39

© Copyright IBM Corp. 2016, 2019 iii

iv Log File Reference

Chapter 1. Overview

A Splunk® agent that is deployed by using the External Agent feature can collect logs from the IBMCloud Object Storage System™.

External Agent is a service that allows the installation of custom software on IBM Cloud Object StorageSystem™ appliances. Examples include third-party monitoring agents, management agents, and loghandling services. This document discusses the deployment of a Splunk® agent by using the ExternalAgent feature, and describes the logs that are collected. External Agents run unrestricted. Care must betaken when third-party software is deployed on IBM Cloud Object Storage System™ to ensure that it doesnot interfere with standard services.

© Copyright IBM Corp. 2016, 2019 1

2 Log File Reference

Chapter 2. Structured logs

A structured log is a log file that is guaranteed both in format and content.

IBM Cloud Object Storage System™ classifies the following logs as structured.v Access logsv HTTP logs

Access log specificationAccess logs provide logs for the storage operations that are performed on the IBM Cloud Object StorageAccesser®, along with statistics associated with the operation.

Applicable devicesThis information applies to all IBM Cloud Object Storage Accesser® devices.

Location and file naming convention

Structured logs can be found at /var/log/dsnet-core.

The file naming conventions are nfsfiler.log, cassandra.log, and corosync.log.

Log formatThe logs are in JSON format.

HTTP access log entry fieldsTable 1. HTTP access log entry fields

Name Type RequiredReleaseintroduced

StandardNCSA logfield Description

type String Yes 3.9.0 No The access log entry type, which will always be "http"for entries of this type. Used for differentiation fromother access log entry types such as "s3-multi-delete","mirror", or "proxy".

server_name String Yes 3.1.0 Yes The host name of the server to which the request wassent. It is the value of the part before ":" in the "Host"header value, if any, or the resolved server name, orthe server IP address.

For requests using virtual-host style addressing, thisfield will have the bucket name in it followed by theendpoint name. When virtual-host style addressingisn't used, this field might just be the endpoint IPaddress, or DNS name. It can potentially be anythingbecause the accesser doesn't care what the value issince it can get the bucket name from the URL.

remote_address String Yes 3.1.0 Yes Returns the Internet Protocol (IP) address of the clientor last proxy that sent the request.

forwarded_for String No 3.1.0 Yes The HTTP X-Forwarded-For header field value from therequest. This is generally the IP address of theoriginating client in cases where the request has beenproxied. When the client connection mode is set to theproxy connection, and the customer plans to use IPwhitelisting capability, the rightmost proxy IP addressof the forward-for is regarded as the client originatingIP if the IP access control is enforced.


Table 1. HTTP access log entry fields (continued)



user String No 3.1.0(deprecatedin 3.4.1)

Yes Returns the login of the user who is making thisrequest, if the user is authenticated.

remote_user String No 3.4.1(replacesdeprecatedfield"user").

Yes Returns the login of the user making this request, if theuser has been authenticated. This can be any of thefollowing depending on the authentication mechanismused:

basic auth: user name

S3 auth: S3 credential key ID

IAM auth: ?

keystone auth: user ID from keystone token

This will be blank for anonymous requests.

timestamp_start long Yes 3.1.0 No The time stamp, in seconds since epoch, when therequest was received.

timestamp_finish long Yes 3.1.0 No The time stamp, in seconds since epoch, whenresponse processing was completed.

time_start String Yes 3.1.0 Yes A human-readable date string that is associated withtimestampStart (ISO 8601).

time_finish String Yes 3.1.0 No A human-readable date string that is associated withtimestampFinish (ISO 8601).

request_method String Yes 3.1.0 Yes Returns the name of the HTTP method with which thisrequest was made, for example, GET, POST, or PUT.

request_uri String Yes 3.1.0 Yes The request URI

protocol String Yes 3.1.0 Yes Returns the name and version of the protocol therequest uses in the form protocol/majorVersion.minorVersion , for example, HTTP/1.1 .

Moved into "https" field in 3.14.2.

status int Yes 3.1.0 Yes The status code that is returned in the response.

midstream_error String No 3.1.0 No If a mid-stream error occurred during the processing ofthe HTTP response, this field shows the error thatoccurred. A mid-stream response error is defined as anerror that occurs after initial HTTP response headersare sent.

response_length Long Yes 3.1.0 Yes Present for all primary access log entries

request_length Long No 3.2.0 No For PUT or POST requests, the number of bytes readfrom the request body.Note: For server-side copy requests, therequest_length indicates the number of bytes readfrom the copy source, even though no data isoriginating from the client’s request body.

referer String No 3.1.0 Yes The referrer entry from the http log.

user_agent String Yes 3.1.0 Yes The user agent from the http log.

request_latency Long Yes 3.1.0 No The time, in milliseconds, from when the request wasreceived until request processing is complete.

request_id String Yes 3.1.0 No The request ID, a unique identifier that is generated foreach request to assist with event correlation in thedebug log.

remote_request_id String No 3.13.5 No The Cleversafe request ID on the remote machine, incase a proxy is configured for the vault or container, tobe able to trace the request.

request_type String No 3.4.0 No A string that captures the S3 request type.REST.<HTTP_method>.<resource_type>

interface_type String Yes 3.1.0 No The API used to make the request.

stat BaseChannelInOutStat

No 3.1.0 No A JSON element with more latency information.

upload_id String No 3.10.1 No Upload UUID for multipart upload operations.





object_length Long No 3.1.0 No The size of the object that is associated with thisrequest. For delete requests, it is the size of the objectbefore its deletion, which is equal toprevious_object_length.Note: For 3.1, object length is not provided for deleteoperations.

object_id String No 3.1.0 No The object ID, included for all SOH API requests.

version_name String No 3.2.0 No The version ID that is associated with the version ofthe object created/read/deleted.

version_transient Boolean No 3.2.0 No Represents whether the indicated version is a"transient" (true) or "permanent" (false) version of anobject. Permanent versions are created on write ifversioning is "Enabled" on a particular vault. Transientversions are created when versioning is "Suspended" oroff. Transient versions can be overwritten while thecurrent retention mode is not set to "Enabled".

delete_marker Boolean No 3.2.0 No True if the corresponding version ID is a delete marker.

selective_logging_enabled Boolean No 3.5.1 No True if this request was selected for selective debuglogging. Otherwise, this field is omitted.

last_modified String (ISO8601)

No 3.8.0 No The last time the content of this object was modified. Ifno overwrites are done, the value is equal to the objectcreation time.

last_changed String (ISO8601)

No 3.8.0 No The last time the attributes of this object weremodified. If no attribute modification is done, thevalue is equal to the last_modified time.

x_trans_id String For Swift 3.9.0 No Swift transaction ID header (similar to request-id).

object_name String 3.8.2 No The object's name.

error_code String For S3 3.8.2 No For S3 API, if an error is encountered in status, thisfield contains the English-language descriptive errorcode.

proxy_enabled String No 3.8.2 No Will be true if proxy is enabled.

proxy_source String No 3.10.0 No The source vault that is specified in the proxyconfiguration.

proxy_type String No 3.10.0 No The protocol that is used for communication with thesource vault.

range String Ranged-read isperformed.

3.8.2 No The HTTP Range header, if a ranged read request wasperformed.

vault_name String No containermetadata.

3.8.2 No The name of the vault that is associated with therequest.

previous_last_modified String (ISO8601)

No 3.10.2 No Last time that the object content was modified beforethe current request. For example, if an object wascreated on March 5, 2016 at 10:01, the next contentupdate to this object would create an access log entrywith previous_last_modified set to March 5, 2016,10:01. Null for non-overwrite operations.

previous_object_length Long No 3.10.2 No Object length before the current object length. That is,before the current requested operation. Null fornon-overwrite operations.

requested_location_constraint String For PUT BUCKET 3.10.0 No The requested location constraint of a PUT BUCKET(vault or container) request; if none is specified, thenan empty String. Appears in PUT BUCKET requests.

container_vault_id UUID For StaaS 3.9.0 No UUID of the container vault (also known as "policy")that this container is storage.

storage_account_id String For StaaS 3.9.0 No The Account ID of the owner of the container

storage_location_id String For StaaS 3.9.0 No Storage Location ID

storage_account_realm String for Staas 3.11.0 no Storage Account Realm (will always be00000000-0000-0000-0000-000000000002 for 3.9.0, thusnot introduced in access log until 3.11.0)

Chapter 2. Structured logs 5




container_name String For StaaS, ifcontainermetadataexists.

3.9.0 No Container Name

container_id UUID For StaaS 3.9.0 No Container UUID

container_creator_id String For StaaS(Present incontainercreation withimpersonation)

3.10.1 No ID of the manager local user that initiated containercreation

fanout_copy_count Integer For fanoutwrites

3.7.2 No The number of copies that are requested in this fanoutrequest.

fanout_copy_index Integer For fanoutreads

3.7.2 No The zero-indexed fanout copy requested to be read.

fanout_punch_index Integer For fanoutindividualdeletes

3.7.2 No The zero-indexed fanout copy requested to be deleted(punched).

fanout_delete_all Boolean For fanoutdelete all.

3.7.2 No Indicates request to delete all copies of fanout object.

format Integer yes 3.9.0 No The current version of the HTTP request log entryformat

headers Map<String,List<String>>

No 3.8.2 No Logs request headers if enabled via advanceconfiguration.

is_secure boolean yes 3.10.2 no Indicates whether the request was made over a secureHTTPS connection

cipher_suite String no (present ifsecure request)

3.10.2 no If the request was secure, indicates the SSL cipher suitethat was used; If not secure, this will be null. Movedinto "https" field in 3.14.2.

encryption_method String no (present ifheader ispresent andrequest issuccessful, orif the requestis using keyprotect)

3.10.2 no If the request is successful, the encryption method; ifnot, it is null.

bucket_protection BucketRetentionLogObject

for PUTBUCKET_PROTECTION,GET BUCKET_PROTECTION,and bucketdeletion

3.12.0 no Relevant information when an operation is performedusing the retention configuration (protection)subresource.





object_protection ObjectRetentionLogObject

for objectupload withprotection,PUT OBJECT_PROTECTION,GET OBJECT_PROTECTION,POSTOBJECT_LEGAL_HOLD, GETOBJECT_LEGAL_HOLD,POSTOBJECT_RETENTION_EXTENSION,object deletion,any operationthat fails dueto a 451UNAVAILABLEFOR LEGALREASONS

3.12.0 no Relevant information when an operation is performedrelating to object protection.

cloud_iam CloudIamRequestInfo

for IAMrequests

3.11.0 no Information corresponding to the IAM request,specifically related to the PEP call. Information in thissection should be useful for PDP debugging.

sse_kp KeyProtectRequestInfo

for Key Protectrequests

3.12.1 no Information about the Key Protect request, specificallyrelated to the latency of the HTTP request made to keyprotect.

error_message String no 3.12.1 no This field is present when the “status” field givesinsufficient information regarding the partial orcomplete failure of an attempted operation, stemmingfrom an internal or SDK error. The error handlingsections in design documentation detail the specificscenarios in which this field should be populated.

object_count Integer for POSTOBJECT_MULTI_DELETE

3.13.0 no The number of objects deleted in a multiple objectdeletion.

object_lifecycle ObjectLifecycle for objectswith a lifecyclepolicy

3.13.3 no Information related an object's lifecycle if a policyexists. This will contain a list of lifecycle_actions whichare equivalent to the lifecycle rules associated with anobject. This structure of information will appear whenwriting an object, overwriting an object's content, orrestoring an object from the archived state.

notification_sent Boolean no 3.14.0 no Set to true if the operation attempted to send anotification using the Notification Service.

https HttpsAccessLogInfo

for secureHTTP requests

3.14.2 no Relevant information regarding an HTTPS request.Fields include:

protocol: Returns the name and version of the protocolthe request uses in the form protocol/majorVersion.minorVersion, for example, HTTP/1.1.

cipher_suite: If the request was secure, indicates theSSL cipher suite that was used; If not secure, this willbe null

ibm_client_originating_ip String no 3.14.3 no This field represents the trusted client IP that anintermediary trusted IBM service passes to COS. Thisfield applies to both S3 API and ResourceConfiguration API. It is an optional field which isrequired when a trusted-service is used for IP accesscontrol for a bucket.





ibm_trusted_service_auth_id String no 3.14.3 no This field represents the id (service id/user id)extracted from the ibm_trusted_service_auth header.This field applies to both S3 API and ResourceConfiguration API. It is an optional field which isrequired when this trusted-service is used to provideclient originating IP addresses for the IP access controlfor a bucket.

The following code is an example of a Service API to config Container allowed_IP PATCH/b/<bucket.name> operation:{

"server_name": "10.137.16.68","remote_address": "9.47.30.38","remote_user": "admin","timestamp_start": "1548093957416","timestamp_finish": "1548093957517","time_start": "21/Jan/2019:18:05:57 +0000","time_finish": "21/Jan/2019:18:05:57 +0000","request_method": "PATCH","request_uri": "/container/container-vault-fdffec2d-e9c6-4546-b2e9-601575ce7a40","protocol": "HTTP/1.1","status": 200,"response_length": "589","user_agent": "JetEngine/1.0","request_latency": "101","request_id": "1591acac-e03d-4908-9573-6f7798c372b3","request_type": "REST.PATCH.CONTAINER","interface_type": "service","selective_logging_enabled": true,"object_name": "/container/container-vault-fdffec2d-e9c6-4546-b2e9-601575ce7a40","storage_account_id": "container-user93d95e64-2607-43ee-91d5-a933019b145f","storage_location_id": "449984a3-05be-783d-011b-90a1558aad65","container_id": "b64984b4-6da7-494f-a836-8c0c43ab1132","is_secure": false,"principals": {

"identity": "ad28f191-b2d7-724a-01cf-7722c2bba250@00000000-0000-0000-0000-000000000000","username": "admin@default"

},"type": "http","format": 1

}

The following code is an example of a Service API to retrieve allowed_IP using GET /b/<bucket.name>operation:{

"server_name": "10.137.16.68","remote_address": "9.47.30.38","remote_user": "admin","timestamp_start": "1548093955482","timestamp_finish": "1548093955487","time_start": "21/Jan/2019:18:05:55 +0000","time_finish": "21/Jan/2019:18:05:55 +0000","request_method": "GET","request_uri": "/container/container-vault-fdffec2d-e9c6-4546-b2e9-601575ce7a40","protocol": "HTTP/1.1","status": 200,"response_length": "499","user_agent": "JetEngine/1.0","request_latency": "5","request_id": "c91b941f-950f-428a-8fba-54e285b1e9cc","request_type": "REST.GET.CONTAINER",


"interface_type": "service","selective_logging_enabled": true,"object_name": "/container/container-vault-fdffec2d-e9c6-4546-b2e9-601575ce7a40","storage_account_id": "container-user93d95e64-2607-43ee-91d5-a933019b145f","storage_location_id": "449984a3-05be-783d-011b-90a1558aad65","container_id": "b64984b4-6da7-494f-a836-8c0c43ab1132","is_secure": false,"principals": {

"identity": "ad28f191-b2d7-724a-01cf-7722c2bba250@00000000-0000-0000-0000-000000000000","username": "admin@default"

},"type": "http","format": 1

}

HTTP request latency statistics

For small object writes, the latency that is recorded in the access log associated with writing the objectcontent to the stores is not counted against the storage_wait field, but instead the commit latency.

Table 2. HTTP request latency statistics

Name Mandatory Description

pre-transfer Yes The latency between the time the request was first received until whenchannel operations began.

post_transfer Yes The latency between the end of all channel operation until requestprocessing is complete.

client_wait No The cumulative amount of time spent reading from or writing to theclient channel.

storage_wait No The cumulative duration of time spent reading from or writing to thestorage channel.

digest No For PUT requests that require calculation of a message digest or MD5(for example, S3), the cumulative duration of time spent waiting for thedigest calculation.

commit No The total time that was spent waiting for close/commit processing tocomplete.

turn_around_time No Turn-around time in ms measuring the duration from the last byte ofinput from the client to the first byte of the response to the client.

total_transfer No The total time that was spent copying data from source to destinationchannel, along with any additional time spent closing the channel.

The following code is an example of an S3 PUT operation:{"type": "http","principals": {},"vault_name": "SmokeS3","request_type": "REST.PUT.OBJECT","object_name": "439722e249c74f39b07da2d7c99d35c80000","delete_marker": false,"version_transient": true,"version_name": "702aa906-9b44-4c0d-a487-9344d93f14dd","interface_type": "s3","object_length": "2048","request_uri": "/s3/SmokeS3/439722e249c74f39b07da2d7c99d35c80000","request_method": "PUT","time_finish": "29/Jan/2016:03:06:17 +0000","time_start": "29/Jan/2016:03:06:17 +0000","timestamp_finish": "1454036777986",


"timestamp_start": "1454036777890","remote_address": "127.0.0.1","server_name": "localhost","protocol": "HTTP/1.1","status": 200,"request_length": "2048","response_length": "0","user_agent": "aws-sdk-java/1.7.5 Linux/3.14.0-0.clevos.1-amd64 OpenJDK_64-Bit_Server_VM/25.45-b02/1.8.0_45-internal",

"request_latency": "96","request_id": "b3515f64-8e11-4462-a126-523be1980878","stat": {"post_transfer": 0.061,"pre_transfer": 1.358,"total_transfer": 94.04,"turn_around_time": 94.156,"commit": 93.685,"digest": 0.007,"storage_wait": 0.231,"client_wait": 0.1

},"object_length": "1572864"

}

The following code is an example of an S3 GET operation:{"type": "http","principals": {},"vault_name": "SmokeS3","request_type": "REST.GET.OBJECT","interface_type": "s3","request_uri": "/s3/SmokeS3/2ed0296fef7e405ba571de44965694620000","request_method": "GET","time_finish": "29/Jan/2016:03:06:17 +0000","time_start": "29/Jan/2016:03:06:17 +0000","timestamp_finish": "1454036777989","timestamp_start": "1454036777901","remote_address": "127.0.0.1","server_name": "localhost","protocol": "HTTP/1.1","status": 200,"response_length": "1572864","user_agent": "aws-sdk-java/1.7.5 Linux/3.14.0-0.clevos.1-amd64 OpenJDK_64-Bit_Server_VM/25.45-b02/1.8.0_45-internal",

"request_latency": "88","request_id": "a16df7d2-b7c6-49d2-ac7e-47b3606db760","stat": {"post_transfer": 0.052,"pre_transfer": 32.931,"total_transfer": 54.11,"turn_around_time": 84.977,"client_wait": 1.281,"storage_wait": 52.796

},"object_length": "1572864"}

The following code is an example of an S3 DELETE operation:{"type": "http","principals": {},"vault_name": "SmokeS3",


"request_type": "REST.DELETE.OBJECT","object_name": "463ea6aa89ac41668adb69108d2f9b570000","delete_marker": false,"version_transient": true,"version_name": "b8ad7307-81b0-4487-8f06-8aed2459b7ba","interface_type": "s3","request_uri": "/s3/SmokeS3/463ea6aa89ac41668adb69108d2f9b570000","request_method": "DELETE","time_finish": "29/Jan/2016:04:00:55 +0000","time_start": "29/Jan/2016:04:00:55 +0000","timestamp_finish": "1454040055733","timestamp_start": "1454040055570","remote_address": "127.0.0.1","server_name": "localhost","protocol": "HTTP/1.1","status": 204,"response_length": "0","user_agent": "aws-sdk-java/1.7.5 Linux/3.14.0-0.clevos.1-amd64 OpenJDK_64-Bit_Server_VM/25.45-b02/1.8.0_45-internal",

"request_latency": "163","request_id": "9474592e-b2f9-477f-8a0b-843b4ae5f4bf","stat": {"post_transfer": 0.04,"pre_transfer": 0.072,"total_transfer": 162.841,"turn_around_time": 162.882,"commit": 162.841,"digest": 0,"storage_wait": 0,"client_wait": 0

},"object_length": "1572864"}

Container or vault retention configuration (bucket_protection) log entryfieldsTable 3. Container or vault retention configuration log entry fields

Field name Type Required Description

status Status(enum)

Yes Denotes the protection state of the bucket.

Options: DISABLED, COMPLIANCE.

permanent_retention_enabled boolean Yes Indicates whether permanent retention isenabled for a bucket

minimum_retention Long No unit: milliseconds

Denotes the minimum retention periodpermitted for any object stored in the bucket.The value must be greater than the system'sminimum retention, which is configured onthe Manager.

minimum_retention >= system minimumretention configured at the manager.

Present solely if bucket’s protection state isset to COMPLIANCE.


Table 3. Container or vault retention configuration log entry fields (continued)


maximum_retention Long No unit: milliseconds

Denotes the maximum retention periodpermitted for any object stored in the bucket.The value must be less than the system'smaximum retention, which is confused on theManager.


default_retention Long No unit: milliseconds

Denotes the default retention period assignedto a newly uploaded object when the object isnot uploaded with a retention periodheader.The value must be greater than orequal to minimum_retention, and less than orequal to maximum_retention.

For non-negative values, retention_perioddenotes the default retention period of thebucket in days. For negative values,retention_period is not a period of time, butrather a special case indicator:

-2: permanent retention period


Object protection (object_protection) log entry fieldsTable 4. Object protection log entry fields


retention_period long Yes For non-negative values, retention_perioddenotes the retention period of the object inmilliseconds. For negative values,retention_period is not a period of time, butrather a special case indicator:

-1: indefinite retention period

-2: permanent retention period

The value of retention_period must fallbetween the minimum_retention andmaximum_retention setting of the bucket inwhich it is stored. To determine theexpiration time of the retention_period, addthe retention_period to the last_modifiedfield.

legal_hold_count int Yes Denotes the number of legal holds.


Table 4. Object protection log entry fields (continued)


legal_hold LegalHold

for POSTLEGAL_HOLD(add orremove),PUTOBJECTwithlegalhold

Information about the relevant legal hold,with three sub-fields

action - ObjectRetentionAction (enum) - ADDor REMOVE; always present

id - the id of the current legal hold; alwayspresent

timestamp - the timestamp of the legal;present if adding a legal hold

Cloud IAM (cloud_iam) log entry fieldsTable 5. Cloud IAM log entry fields


subject_ibm_id String Yes The ibmId of the user making the request.This id is decoded from the JWT used forauthentication in IAM requests. This isprovided to the PEP client.

subject_type String Yes The subject type, such as "user", that isprovided to the PEP client.

decision String Yes The resulting decision from the PDP. If"PERMIT", IAM made the decision that thisuser has permission to perform this operationon this resource. Possible values are -"PERMIT", "DENY" & "UNKNOWN".

is_stale boolean Yes Indicates whether the PEP request wasauthorized from the stale cache by the PEPSDK. Platform log would have more detailsabout why a stale authorization was done.

is_throttling boolean Yes If true, indicates that no request was sent tothe PDP because the PEPClient detected thatthere are network availability issues. Hencethe PEPClient either approved, denied orreturned a response with an unknowndecision, without the request being sent toPDP. See Handling PEP Client exceptions fordetails.

op_code String Yes The COS operation code. This is provided tothe PEP client.

pdp_status Integer No In case of error, the actual HTTP responsecode returned by PDP in response to a PEPrequest. It is passed down to core by the PEPclient.

crn String Yes The Cloud Resource Name which representsthis resource. This is provided to the PEPclient.

pdp_elapsed_time Long Yes The time it took to make the request to thePDP.

pdp_request_tx_id String Yes The transaction id that is unique to thisrequest. This is returned in the PEP call.


Table 5. Cloud IAM log entry fields (continued)


num_attempts Integer Yes The number of times that the request wasattempted when connecting to PDP. Initialrequest is included in this count.

subject String Yes The subject that is provided to the PEP client.This is typically an email address for a usertype, and is a sub-string of the subject_ibm_idfor services.

Key Protect (sse_kp) log entry fieldsTable 6. Key Protect log entry fields


cache_latency String No This is the latency returned by the KeyProtect SDK for Key Protect Cache. Thisvalue represents the time to retrieve the DEKfrom the cache. This parameter should belogged if it is returned by the SDK, elseomitted.

kp_latency String No This is the latency returned by the KeyProtect SDK for Key Protect operations. Thisvalue represents the time to retrieve datafrom the Key Protect Server. This parametershould be logged if it is returned by the SDK,else omitted. The unit for this parameter isnanoseconds.

service_instance_token_iam_latency String No This is the latency encountered by the SDK toobtain a COS service instance token to give toKey Protect. This parameter should be loggedif it is returned by the SDK, else omitted. Theunit for this parameter is nanoseconds.

correlation_id String No This is the correlation_id returned the KPSDK. This parameter should be logged if it isreturned by the SDK else omitted. Thisparameter should be equal to the requestIdfor the S3 operation that resulted in therequest to Key Protect SDK.

crk_crn_status String No This parameter will indicate the status of thecrk_crn status as known to COS. It will onlybe included for S3 Operations during whichCOS learns from the Key Protect SDK that aCustomer Root Key CRN has been deleted.Allowed values for this parameter are:

1. "Deleted" - It will be set when there is a410 error code from KP.

2. "Rotated" - It will be set to "Rotated"when the unwrap request results in adifferent WDEK from the one that isalready stored by COS in ContainerMetadata.

num_attempts Integer Yes The number of times that the request wasattempted when connecting to Key ProtectPDP. Initial request is included in this count.


Storage-account usage access log entry fieldsTable 7. Storage-account usage access log entry fields

Field name Required Description

type Yes The access log entry type, which is always"storage_account_usage" for entries of this type.Used for differentiation from other access logentry types such as http, mirror, or proxy.

format Yes The current version of the"storage_account_usage" log entry format.

storage_account_id Yes Storage Account ID

storage_location_id Yes Storage account usage aggregated for this StorageLocation ID (the container vault).

timestamp_finish Yes The timestamp, in seconds since epoch, when theusage numbers in this access log entry werecalculated.

time_finish No A human-readable date string associated withtimestamp_finish (ISO 8601).

partial_storage_account_bytes_used Yes Storage Account Bytes Used: Total bytes used bythis storage account in this particular vault at thetime of this request - converted to String fromBigInteger.

partial_storage_account_object_count Yes Storage Account Object Count: Total number ofobjects in this storage account in this particularvault at the time of this request - converted toString from BigInteger.

may_contain_non_active_bytes No Added in 3.13.3. If set to "false", indicates that thestorage location for which usage is being reportedonly contains active data. If set to "true", indicatesthat the storage location for which usage is beingreported may contain a mix of active and archivedata. Once this flag is set to true it will nevertransition back to false.

The following code is an example of storage account usage:{

"partial_storage_account_bytes_used": "1248305490","partial_storage_account_object_count": "254","storage_account_id": "container-user","storage_location_id": "4365dd00-8ada-75a8-004b-12ef097f2b65","time_finish": "08/Nov/2016:20:46:55 +0000","timestamp_finish": "1478638015792","type": "storage_account_usage","may_contain_non_active_bytes": false,"format": 1

}

Container-usage access log entry fieldsTable 8. Container-usage access log entry fields


type Yes The access log entry type, which will always be "container_usage"for entries of this type. Used for differentiation from other access logentry types such as "http", "mirror", or "proxy".


Table 8. Container-usage access log entry fields (continued)


format Yes The current version of the "container_usage" log entry format.

storage_account_id Yes Storage Account ID

container_name Yes Container Name

container_id Yes Container UUID

storage_location_id Yes Storage Location ID (the container vault where this containerresides).

timestamp_finish Yes The timestamp, in seconds since epoch, when the usage numbers inthis access log entry were calculated.

time_finish No A human-readable date string associated with timestamp_finish (ISO8601).

container_bytes_used Yes Container Bytes Used: Total Number of Bytes in the Container at thetime of this request - converted to String from BigInteger.

container_object_count Yes Storage Account Object Count: Total number of objects in thisstorage account in this particular vault at the time of this request -converted to String from BigInteger.

The following code is an example of container usage:{

"container_bytes_used": "1248305490","container_id": "d2b2c182-14e1-460a-b81d-5cbc57b4b3c7","container_name": "cleanupserviceusagevalidationslicestorcrash","container_object_count": "254","storage_account_id": "container-user","storage_location_id": "4365dd00-8ada-75a8-004b-12ef097f2b65","time_finish": "08/Nov/2016:20:47:00 +0000","timestamp_finish": "1478638020204","type": "container_usage","format": 1

}

The following code is an example of normal deletes:{

"type": "s3-multi-delete","format": 1,"request_id": "a10a9ca5-16be-4aa0-aaf6-d4422d3a4180","object_count": 3,"s3_delete_result": {

"results": [{

"key": "test1"},{

"key": "test"},{

"key": "test2"}

]}

}

The following code is an example of Multi-Delete Access Log Entry (Versioning):{

"type": "s3-multi-delete","format": 1,


"request_id": "fb7e6201-37e8-4d91-84ed-2c4a868eadcf","object_count": 3,"s3_delete_result": {

"results": [{

"delete_marker_version_id": "78b4adc5-6522-4aa6-8b98-3bd22fc97d97","delete_marker": true,"key": "test1"

},{

"delete_marker_version_id": "518a4819-c4a4-46ff-a0df-633dc3920a70","delete_marker": true,"key": "test"

},{

"delete_marker_version_id": "601835ee-05e9-4567-9212-10386bb85a0e","delete_marker": true,"key": "test2"

}]

}}

The following code is an example of Multi-Delete Access Log Entry (Failures):{

"type": "s3-multi-delete","format": 1,"request_id": "c6282549-eb0d-4021-b451-7ca8a770f8e1","object_count": 3,"s3_delete_result": {

"results": [{

"message": "Internal Error.","code": "InternalError","key": "test1"

},{

"message": "Internal Error.","code": "InternalError","key": "test"

},{

"message": "Internal Error.","code": "InternalError","key": "test2"

}]

},}

Mirror Access log entry fieldsTable 9. Mirror Access log entry fields


format Integer Yes The current version of the "container_usage"log entry format.

type String yes The access log entry type, which will alwaysbe "container_usage" for entries of this type.Used for differentiation from other access logentry types such as "http", "mirror", or"proxy."


Table 9. Mirror Access log entry fields (continued)


timestamp_start long yes The timestamp, in milliseconds since epoch,when the request was initiated to the mirror.

timestamp_result long yes The timestamp, in milliseconds since epoch,for when it was decided which vault withinthe mirror to return the request's outcomefrom.

timestamp_finish long yes The timestamp, in milliseconds since epoch,for when it is determined that the remainingoperations to the vaults within the mirror canoccur in the background.

time_start String yes A human-readable date string associated withtimestamp_start (ISO 8601)

time_result String yes A human-readable date string associated withtimestamp_result (ISO 8601)

time_finish String yes A human-readable date string associated withtimestamp_finish (ISO 8601)

request_id String no The COS request ID, a unique identifiergenerate for each request to assist with eventcorrelation in the debug log. This request_idwill match the corresponding http type accesslog entry the mirror type access log entrypertains to.

object_name String yes The object's name

blocking_time Double yes The difference between the timestamp_resultand timestamp_start

background_time Double yes The difference between the timestamp_finishand the timestamp result

Operation codesTable 10. Operation Codes (request_type)

Resource type Operation Operation Code (request_type)

System (Impersonate)Note: Currently unsupported

System PUT System metadataNote: Currently unsupported

REST.PUT.SYSTEM_METADATA

System GET System metadataNote: Currently unsupported

REST.GET.SYSTEM_METADATA

Management PUT Storage Account REST.PUT.ACCOUNT

Management POST Storage Account REST.POST.ACCOUNT

Management GET Specific Account Listing(Management)

REST.GET.ACCOUNT

Management GET Storage Accounts (Management) REST.GET.ACCOUNTS

Management HEAD Storage Account REST.HEAD.ACCOUNT

Management GET Account QuotaNote: Currently unsupported

REST.GET.ACCOUNT_QUOTA


Table 10. Operation Codes (request_type) (continued)


Management PUT Account QuotaNote: Currently unsupported

REST.PUT.ACCOUNT_QUOTA

Management Enable Storage Account REST.POST.ACCOUNT

Management Disable Storage Account REST.POST.ACCOUNT

Management DELETE Storage Account REST.DELETE.ACCOUNT

Management PATCH Access Credential Key REST.PATCH.CREDENTIAL

Management GET Access Credential Key REST.GET.CREDENTIAL

Management GET Access Credential Keys REST.GET.CREDENTIALS

Management POST Access Credential Keys REST.POST.CREDENTIALS

Management DELETE Access Credential Keys REST.DELETE.CREDENTIAL

Storage Account GET Storage Account (ListContainers)

REST.GET.ACCOUNT_CONTAINERS

Storage Account GET Service (List Containers) REST.GET.ACCOUNT_CONTAINERS

Container PUT Bucket REST.PUT.CONTAINER

Container POST Bucket REST.POST.CONTAINER

Container DELETE Bucket REST.DELETE.CONTAINER

Container GET Bucket (List Objects) REST.GET.CONTAINER

Container HEAD Bucket REST.HEAD.CONTAINER

Container GET Bucket Object versions REST.GET.CONTAINER_VERSIONS

Container List Multipart Uploads REST.GET.CONTAINER_UPLOADS

Container GET Container QuotaNote: Currently unsupported

REST.GET.CONTAINER_QUOTA

Container PUT Container QuotaNote: Currently unsupported

REST.PUT.CONTAINER_QUOTA

Container Subresource GET Bucket ACL REST.GET.CONTAINER_ACL

Container Subresource PUT Bucket ACL REST.PUT.CONTAINER_ACL

Container Subresource GET Bucket CORS REST.GET.CONTAINER_CORS

Container Subresource PUT Bucket CORS REST.PUT.CONTAINER_CORS

Container Subresource DELETE Bucket CORS REST.DELETE.CONTAINER_CORS

Container Subresource GET Bucket Versioning REST.GET.CONTAINER_VERSIONING

Container Subresource PUT Bucket Versioning REST.PUT.CONTAINER_VERSIONING

Container Subresource GET Bucket RequestPaymentNote: Currently unsupported

REST.GET.CONTAINER_REQUEST_PAYMENT

Container Subresource PUT Bucket RequestPaymentNote: Currently unsupported

REST.PUT.CONTAINER_REQUEST_PAYMENT

Container Subresource GET Bucket LocationNote: Currently unsupported

REST.GET.CONTAINER_LOCATION

Container Subresource GET Bucket PolicyNote: Currently unsupported

REST.GET.CONTAINER_POLICY

Container Subresource DELETE Bucket PolicyNote: Currently unsupported

REST.DELETE.CONTAINER_POLICY

Container Subresource PUT Bucket PolicyNote: Currently unsupported

REST.PUT.CONTAINER_POLICY




Container Subresource GET Bucket NotificationNote: Currently unsupported

REST.GET.CONTAINER_NOTIFICATION

Container Subresource PUT Bucket NotificationNote: Currently unsupported

REST.PUT.CONTAINER_NOTIFICATION

Container Subresource GET Bucket LoggingNote: Currently unsupported

REST.GET.CONTAINER_LOGGING

Container Subresource PUT Bucket LoggingNote: Currently unsupported

REST.PUT.CONTAINER_LOGGING

Container Subresource GET Bucket TaggingNote: Currently unsupported

REST.GET.CONTAINER_TAGGING

Container Subresource PUT Bucket TaggingNote: Currently unsupported

REST.PUT.CONTAINER_TAGGING

Container Subresource GET Bucket websiteNote: Currently unsupported

REST.GET.CONTAINER_WEBSITE

Container Subresource PUT Bucket websiteNote: Currently unsupported

REST.PUT.CONTAINER_WEBSITE

Container Subresource DELETE Bucket websiteNote: Currently unsupported

REST.DELETE.CONTAINER_WEBSITE

Container Subresource GET Bucket ReplicationNote: Currently unsupported

REST.GET.CONTAINER_REPLICATION

Container Subresource PUT Bucket ReplicationNote: Currently unsupported

REST.PUT.CONTAINER_REPLICATION

Container Subresource DELETE Bucket ReplicationNote: Currently unsupported

REST.DELETE.CONTAINER_REPLICATION

Container Subresource GET FASP Connection Info REST.GET.VAULT_FASP

Container Subresource GET Bucket CRNNote: Currently unsupported

REST.GET.CONTAINER_CRN

Object GET Object REST.GET.OBJECT

Object HEAD Object REST.HEAD.OBJECT

Object GET Object TorrentNote: Currently unsupported

REST.GET.OBJECT_TORRENT

Object GET Object Tagging REST.GET.OBJECT_TAGGING

Object PUT Object Tagging REST.PUT.OBJECT_TAGGING

Object DELETE Object Tagging REST.DELETE.OBJECT_TAGGING

Object GET Object (Version) REST.GET.OBJECT_VERSION

Object HEAD Object (Version) REST.HEAD.OBJECT_VERSION

Object GET Object Torrent (Version)Note: Currently unsupported

REST.GET.OBJECT_TORRENT_VERSION

Object PUT Object REST.PUT.OBJECT

Object POST Object (Forms) REST.POST.OBJECT

Object POST Object (Metadata Update) REST.POST.OBJECT_MD

Object Initiate Multipart Upload REST.POST.INITIATE_UPLOAD

Object Upload Part REST.PUT.PART




Object Upload Part (Copy) REST.COPY.PART

REST.COPY.PART_GET

Object Complete Multipart Upload REST.POST.COMPLETE_UPLOAD

Object PUT Object (Copy) REST.COPY.OBJECT

REST.COPY.OBJECT_GET

Object GET Object ACL REST.GET.OBJECT_ACL

Object GET Object ACL (Version) REST.GET.OBJECT_ACL_VERSION

Object PUT Object ACL REST.PUT.OBJECT_ACL

Object PUT Object ACL (Version) REST.PUT.OBJECT_ACL_VERSION

Object DELETE Object ACL REST.DELETE.OBJECT

Object DELETE Object ACL (Version) REST.DELETE.OBJECT_VERSION

Object List Parts REST.GET.UPLOADS

Object Abort Multipart Upload REST.DELETE.UPLOAD

Object GET Object TorrentNote: Currently unsupported

REST.GET.OBJECT_TORRENT

Object GET Object Torrent (Version)Note: Currently unsupported

REST.GET.OBJECT_TORRENT.VERSION_ID

Object POST Object RestoreNote: Currently unsupported

Object DELETE Multiple Objects REST.POST.OBJECT_MULTI_DELETE

BATCH.DELETE.OBJECT

Object POST Object Legal Hold REST.POST.OBJECT_LEGAL_HOLD

Object GET Object Legal Hold REST.GET.OBJECT_LEGAL_HOLD

Object POST Object Retention Extension REST.POST.OBJECT_RETENTION_EXTENSION

Note: Upload Part (Copy), PUT Object (Copy), and DELETE Multiple Objects produce multiple accesslog entries per HTTP request. "COPY" is shorthand for getting and writing an object/part; therefore, eachCOPY request produces a GET (REST.COPY.OBJECT_GET/REST.COPY.PART_GET) and a PUT(REST.COPY.OBJECT/REST.COPY.PART). A DELETE Multiple Objects request starts the multi-delete actionand produce a REST.POST.OBJECT_MULTI_DELETE log entry. Each object that is deleted produces a uniqueBATCH.DELETE.OBJECT.

Error message access log entryTable 11. Error message access log entry


type Yes The access log entry type, which is always error for entries of thistype. Used for differentiation from other access log entry types such ashttp, mirror, or proxy.

format Yes The current version of the error log entry format

time Yes A human-readable date string that is associated with this message (ISO8601).

message Yes The error message.


The following code is an example of Multi-Delete Access Log Entry (Failures):{

"type":"error","format": 1,"time":"18/Oct/2015:21:13:20 +0000","message":"Dropping access log entries due to full queue"

}

Rotation policyEach access.log file is compressed and archived ("rotation") when its size reaches a defined size limit, orwhen sufficient time passed since the last rotation. Both the maximum file size and the maximum timeinterval can be set by using the Manager. By default, maximum file size is set to 500 MB, and theminimum time interval is set to 0, indicating no time-based rollover.

The compressed files are placed in /var/log/dsnet-core and are named as access.log-<YYYY>-<MM>-<DD>T<hh><mm><seconds><milliseconds>.gz.

Purge policyThe oldest compressed access log is purged when the total access log size reaches 1 GB. The oldestcompressed file is purged.

**** MISSING FILE ****This file was generated during the publishing process



**** MISSING FILE ****: This file was generated during the publishing process

**** MISSING FILE ****: This file was generated during the publishing process

HTTP log specificationsHTTP Logs provide access and error information about the HTTP operations that are performed on thevarious HTTP servers in the system.

Accesser® Device location and file naming conventionThis table provides the location of the log files on the system. The Traffic Source field indicates whetherthe logged access is external to the system or internal to the system.

Table 12. Location and file naming convention

Device Location Log TypeNaming Convention of theCurrent File Log Format Traffic Source

v IBM CloudObject StorageAccesser®

v IBM CloudObject StorageManager™

v IBM CloudObject StorageSlicestor®

/var/log/dsnet-core

Access log http.logNote: This file is written onlywhen the device performsAccesser® Device functions.

NCSA commonlog format

External


Table 12. Location and file naming convention (continued)

Device Location Log TypeNaming Convention of theCurrent File Log Format Traffic Source

v Accesser®

Device

v Manager

v Slicestor®

Device

/var/log/dsnet-md/http-cnc.log

Access log http-cnc.log NCSA commonlog format

Internal

v Accesser®

Device

v Manager

v Slicestor®

Device

/var/log/dsnet-md/http

Access log http-request.log NCSA commonlog format

Internal

v Accesser®

Device

v Manager

v Slicestor®

Device

/var/log/dsnet-md

Access log http-device-api.log NCSA commonlog format

Internal

v Manager /var/log/apache2

Error log error.log NCSA commonlog format

External

v Manager /var/log/manager

Access log <YYYY_MM_DD>./request.log.Where YYYY denotes current Year,MM denotes current Month, andDD denotes current day.

NCSA commonlog format

External

v Manager /var/log/apache2

Access log ssl_access.log NCSA commonlog format

External

Log file formatLog files have specific formats.

HTTP access logTable 13. HTTP access log

Field Description

Hostname Denotes the IP address from which the request originates.

User Identity Identity of the user who is determined by identd (not reliable). Thesystem sets it to "-".

User Name User name that is determined by authentication. Time Stamp Time therequest was received.

Time Stamp Time the request was received.

Request Request Line from the client.

Status Code HTTP standard HTTP code that indicates the state of the request.

Response Size Size of the response in bytes sent back to the client.

User Agent Client Identification string.

Request Latency Latency in milliseconds for the request to be processed.


HTTP access log examples:

Table 14. Example - HTTP access log

Device Location File name

v IBM Cloud Object StorageAccesser®

v IBM Cloud Object StorageManager™

v IBM Cloud Object StorageSlicestor®

/var/log/dsnet-core http.log

Sample entry -127.0.0.1 - "" - [01/Feb/2016:19:12:22 +0000] "GET/s3/SmokeS3/2d9482ead66d4e748ff06ea4a0bb98490000 HTTP/1.1" 200 3145728 "-" "aws-sdk-java/1.7.5Linux/3.14.0-0.clevos.1-amd64 OpenJDK_64-Bit_Server_VM/25.45-b02/1.8.0_45-internal" 50


v Accesser® Device

v Manager

v Slicestor® Device

/var/log/dsnet-md http-deviceapi.log

Sample entry -127.0.0.1 - - [02/Feb/2016:18:27:46 +0000] "GET /state HTTP/1.1" 200 - "-""curl/7.43.0" - 539


v Accesser® Device

v Manager


/var/log/dsnet-md http-cnc.log

Sample entry -127.0.0.1 - - [01/Feb/2016:18:00:00 +0000] "POST /cnc/command/dump-logHTTP/1.1" 200 - "-" "Apache-HttpAsyncClient/4.0.2 (java 1.5)" - 15


v Accesser® Device

v Manager


/var/log/dsnet-md/http http-request.log

Sample entry -127.0.0.1 - - [31/Jan/2016:05:53:38 +0000] "GET /registry?id=1a4b5e8c-b67e-47f4-bb04-a9dc5b2dffa4HTTP/1.1" 200 - "-" "Apache-HttpClient/4.3.3 (java 1.5)" - 0


v Manager /var/log/manager <YYYY_MM_DD>.request.log

Sample entry -


192.168.88.30 - - [01/Feb/2016:00:00:05 +0000] "POST /manager/api/manager/status HTTP/1.1" 20039496 "-" "Cleversafe MD/1.1" - 15

HTTP error logTable 15. HTTP error log

Field Description

Time Stamp Time when an error is logged.

Severity Indicates the severity of the error. Possible values are:

v Error

v Notice

v Warning

Error Message Message about the error.

HTTP error log example:


v IBM Cloud Object StorageManager™

/var/log/apache2 error.log

Sample entry -[Sun Jan 31 06:25:02 2016] [notice] Apache/2.2.22 (Debian) mod_ssl/2.2.22 OpenSSL/1.0.1econfigured -- resuming normal operations`

Retention and purge policyTable 16. Retention and purge policy

Device Location Rotation policy Purge policyNaming conventionof the current file

v IBM Cloud ObjectStorage Accesser®

v IBM Cloud ObjectStorage Manager™

v IBM Cloud ObjectStorage Slicestor®

/var/log/dsnet-core The http.log files arecompressed and archivedwhen the size reaches 200MB. The compressed files areplaced in/var/log/dsnet-core and arenamed ashttp.log-<YYYY>-<MM>-<DD>T<hh><mm><seconds><millisecon ds>.gz.

The oldest compressedaccess log is purged whenthe total access log sizereaches 2 GB. The oldestcompressed file is purged.

http.log

v Accesser® Device

v Manager


/var/log/dsnet-md/http

The http-request.log filesare compressed when thesize reaches 30 MB. Thecompressed files are placedin /var/log/dsnet-md/archive and are named ashttp-request.log-<YYYY>-<MM>-<DD>T<hh><mm><seconds><milliseconds>.gz.

The files are purged whenthe count of the archivedfiles reaches 32.

http-request.log


Table 16. Retention and purge policy (continued)

Device Location Rotation policy Purge policyNaming conventionof the current file

v Accesser® Device

v Manager


/var/log/dsnet-md/ The http-cnc.log files arecompressed when the sizereaches 30 MB. Thecompressed files are placedin /var/log/dsnet-md/archiveand are named ashttp-cnc.log-<YYYY>- <MM>-<DD>T<hh><mm><seconds><milliseconds>.gz. The files are alsocompressed upon start-up.


http-cnc.log

v Accesser® Device

v Manager


/var/log/dsnet-md/ The http-device-api.logfiles are compressed whenthe size reaches 30 MB. Thecompressed files are placedin /var/log/dsnet-md/archive and are named ashttp-device-api.log-<YYYY>-<MM>-<DD>T<hh><mm><seconds><millisecon ds>.gz. Thefiles are also compressedupon start-up.


http-deviceapi.log

v Manager /var/log/apache2 The error logs (error.log.1)are rotated daily, and arestored in /var/log/apache2.

The rotated logs areremoved from the systemafter 90 days.

error_log

v Manager /var/log/manager The request log file iscompressed daily and isstored in var/log/manager. Itis named <YYYY_MM_DD>.request.log.gz.

The compressed log files aredeleted after 40 days.

<YYYY_MM_DD>./request.log, whereYYYY = current year,MM = current month,and DD = currentday.

v Manager /var/log/apache2 The SSL access logs(ssl_access.log.1) arerotated daily and are storedin /var/log/apache2

The rotated logs areremoved from the systemafter 90 days.

ssl_access.log

Manager log specification

Manager logs provide logs for the storage operations that are performed with the IBM Cloud ObjectStorage Manager™ application.

Applicable devices

This information applies to the IBM Cloud Object Storage Manager™ device.

Location and file naming convention

Structured logs can be found at /var/log/manager.

The file naming convention is authenticated_access.log.<date>, where <date> is a rotating time stampthat changes every 6 hours.

Log formatThe logs are in JSON format.


Log format examples

All requests into the Manager application are captured by using an access log in a format that is similarto the core access log. Every request is captured as a single JSON object. Each request is separated by anewline.

Example of a request by using session-based authentication -{"auth": { "sessionId": "d276kh9glshwurt6yedr2w5r", "scheme": "session" },"principal": { "uuid": "8b9e9711-275a-4583-b216-38f475e6d0fb", "type": "account" },"status": 200,"referer": "https://192.168.14.38/manager/home.adm","userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7","protocol": "HTTP/1.1","remoteAddress": "9.47.27.193","timestampStart": 1476114152223,"timestampFinish": 1476114158048,"timeStart": "10/Oct/2016:15:42:32 +0000","timeFinish": "10/Oct/2016:15:42:38 +0000","requestId": "V-u26MCoDiYAACZmGcwAAADQ","method": "GET","requestUri": "/manager/monitorDevice.adm"}

Example of a successful request by using HTTP Basic -{"auth": { "username": "admin", "scheme": "basic" },"principal": { "uuid": "8b9e9711-275a-4583-b216-38f475e6d0fb", "type": "account" },"status": 200,"referer": null,"userAgent": "curl/7.26.0","protocol": "HTTP/1.1","remoteAddress": "127.0.0.1","timestampStart": 1476114615868,"timestampFinish": 1476114615987,"timeStart": "10/Oct/2016:15:50:15 +0000","timeFinish": "10/Oct/2016:15:50:15 +0000","requestId": null,"method": "GET","requestUri": "/manager/api/json/1.0/viewSystem.adm"}

Example of a wrong password by using HTTP Basic -{"auth": { "username": "foo", "scheme": "basic" },"principal": null,"status": 401,"referer": null,"userAgent": "curl/7.26.0","protocol": "HTTP/1.1","remoteAddress": "127.0.0.1","timestampStart": 1476114623053,"timestampFinish": 1476114623056,"timeStart": "10/Oct/2016:15:50:23 +0000","timeFinish": "10/Oct/2016:15:50:23 +0000","requestId": null,"method": "GET","requestUri": "/manager/api/json/1.0/viewSystem.adm"}

Example of authentication by using client-provided certificates -


{"remoteAddress":"9.47.27.193","timestampStart":1475864485059,"timestampFinish":1475864490753,"timeStart":"07/Oct/2016:18:21:25 +0000","timeFinish":"07/Oct/2016:18:21:30 +0000","requestId":"V-fnpcCoDiYAAHKaAn4AAACM","method":"GET","requestUri":"/manager/home.adm","protocol":"HTTP/1.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0","referer":null,"status":200,"principal":{"type":"account","uuid":"9c751232-3a43-4b9f-b9f9-4732ae37ea62"},"auth":{"scheme":"x509","subjectDN":"C=US,ST=Illinois,O=Cleversafe,CN=foo.com"}}


Chapter 3. Unstructured logsTable 17. Unstructured logs

Device Log file or directory Comments

v Accesser® Device

v Manager


/var/log/storagecontroller/stdout.log

stdout capture for the storagecontroller application.

v Accesser® Device

v Manager


/var/log/storagecontroller/stderr.log

stderr capture for the storagecontroller application.

v Accesser® Device

v Manager


/var/log/storagecontroller/debug.log

Application log for storage controller.

v Accesser® Device

v Manager


/var/log/platform-debug.log Application log for the platform.

v Accesser® Device

v Manager


/var/log/auth PAM standard format.

v Accesser® Device

v Manager


Audit of the nut commands that areexecuted on the system.

v Accesser® Device

v Manager


/var/log/messages syslog of the host.

v Accesser® Device

v Manager


/var/log/gdi/<Timestamp>.log Contains the periodic gather of thesystem.

v Accesser® Device

v Manager


/var/log/dsnet-md/console.log stdout capture for the dsnet-mdprocess.

v Accesser® Device

v Manager


/var/log/dsnet-md/gc.log Industry standard Java GarbageCollection logs. The log formatdepends on the GC type configured.

v Accesser® Device

v Manager


/var/log/dsnet-md/md.log Application logs for the dsnet-mdprocess.

v Accesser® Device

v Manager


/var/log/dsnet-core/debug.log This log is populated when debug isturned on the dsnet-core process.


Table 17. Unstructured logs (continued)


v Accesser® Device

v Manager


/var/log/dsnet-core/audit.log Logs the IBM Cloud Object StorageVault™access audit events.

v Accesser® Device

v Manager


/var/log/dlm/ This directory contains the DLM logs(frontend.log is the most importantlog).

v Accesser® Device


/var/log/dsnet-core/sync.log Logs for mirror synchronization.

v Accesser® Device


/var/log/dsnet-core/intent_cleanup.log

Logs for intent processing and cleanup.

v Accesser® Device


/var/log/dsnet-core/stdout.log stdout logs for the dsnet-coreapplication.

v Accesser® Device


v Manager

/var/log/dsnet-core/platform.log Application logs for the dsnet-coreprocess.

v Accesser® Device

v Manager


/var/log/dsnet-core/gc.log Industry standard Java GarbageCollection logs. The log formatdepends on the GC type configured.

v Accesser® Device

v Manager


/var/log/dsnet-core/report.log Contains the resource usage for thedsnet-core process.

v Accesser® Device

v Manager


/var/log/dsnet-core/reportlet.log A structured log that captures timelyinfo and other metrics that includesub-components for use bydevelopers.

v Slicestor® Device /var/log/dsnet-core/disk.log Contains daily dump of the df andvault storage output.

v Manager /var/log/mysql.log MYSQL database log files.

v Manager /var/log/mysql.err MYSQL database error files.

v Manager /var/log/manager/console.log Console logs for dsnet-manager.

v Manager /var/log/manager/<date>.stderr.log Application logs for thedsnet-manager.

v Manager /var/log/manager/postrequest.log.<epoch>

Logs the incoming POST request tothe manager.

v Manager /var/log/manager/rotateManagerLogs.log

Log rotation logs for thedsnet-manager logs.

v Manager /var/log/dsnet-manager/gc.log Industry standard Java GarbageCollection logs. The log formatdepends on the GC type configured.

v Accesser® Device

v Manager


/lib/live/mount/medium/install-logs

This directory contains the copy of/var/log from the installationenvironment.


Table 17. Unstructured logs (continued)


v File Accesser® Device /var/log/nfsfiler/ This directory contains the nfsfilerlogs (nfsfiler.log is the mostimportant log).

v File Accesser® Device

v IBM Cloud Object Storage SMCAccesser®

/var/log/cassandra/ This directory contains the Cassandralogs (system.log is the mostimportant log).

v File Accesser® Device /var/log/corosync/ This directory contains the Corosynclogs (corosync.log is the mostimportant log).

v File Accesser® Device /var/log/dsnet-core/notifications.log

A structured log that captures thestatus of each send done by the COSNotification Service

Chapter 3. Unstructured logs 31

Chapter 4. Special notes

IBM Cloud Object Storage System™ uses the /var/log directory for storing artifacts that are not log files.They should not be considered as application log files.v /var/log/dump-log/

v /var/log/crash/


Notices

This information was developed for products and services offered in the US. This material might beavailable from IBM® in other languages. However, you may be required to own a copy of the product orproduct version in that language in order to access it.

IBM may not offer the products, services, or features discussed in this document in other countries.Consult your local IBM representative for information on the products and services currently available inyour area. Any reference to an IBM product, program, or service is not intended to state or imply thatonly that IBM product, program, or service may be used. Any functionally equivalent product, program,or service that does not infringe any IBM intellectual property right may be used instead. However, it isthe user's responsibility to evaluate and verify the operation of any non-IBM product, program, orservice.

IBM may have patents or pending patent applications covering subject matter described in thisdocument. The furnishing of this document does not grant you any license to these patents. You can sendlicense inquiries, in writing, to:

IBM Director of LicensingIBM CorporationNorth Castle DriveArmonk, NY 10504-1785U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM IntellectualProperty Department in your country or send inquiries, in writing, to:

Intellectual Property LicensingLegal and Intellectual Property LawIBM Japan, Ltd.19-21, Nihonbashi-Hakozakicho, Chuo-kuTokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS"WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOTLIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY ORFITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express orimplied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodicallymade to the information herein; these changes will be incorporated in new editions of the publication.IBM may make improvements and/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not inany manner serve as an endorsement of those websites. The materials at those websites are not part ofthe materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate withoutincurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) theexchange of information between independently created programs and other programs (including thisone) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Director of LicensingIBM CorporationNorth Castle Drive, MD-NC119Armonk, NY 10504-1785US

Such information may be available, subject to appropriate terms and conditions, including in some cases,payment of a fee.

The licensed program described in this document and all licensed material available for it are providedby IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement orany equivalent agreement between us.

The performance data discussed herein is presented as derived under specific operating conditions.Actual results may vary.

Information concerning non-IBM products was obtained from the suppliers of those products, theirpublished announcements or other publicly available sources. IBM has not tested those products andcannot confirm the accuracy of performance, compatibility or any other claims related to non-IBMproducts. Questions on the capabilities of non-IBM products should be addressed to the suppliers ofthose products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice,and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change withoutnotice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before theproducts described become available.

This information contains examples of data and reports used in daily business operations. To illustratethem as completely as possible, the examples include the names of individuals, companies, brands, andproducts. All of these names are fictitious and any similarity to the names and addresses used by anactual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programmingtechniques on various operating platforms. You may copy, modify, and distribute these sample programsin any form without payment to IBM, for the purposes of developing, using, marketing or distributingapplication programs conforming to the application programming interface for the operating platform forwhich the sample programs are written. These examples have not been thoroughly tested under allconditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of theseprograms. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not beliable for any damages arising out of your use of the sample programs.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.


Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International BusinessMachines Corp., registered in many jurisdictions worldwide. Other product and service names might betrademarks of IBM or other companies. A current list of IBM trademarks is available on the web atCopyright and trademark information at www.ibm.com/legal/copytrade.shtml.

Accesser®, Cleversafe®, ClevOS™, Dispersed Storage®, dsNet®, IBM Cloud Object Storage Accesser®, IBMCloud Object Storage Dedicated™, IBM Cloud Object Storage Insight™, IBM Cloud Object StorageManager™, IBM Cloud Object Storage Slicestor®, IBM Cloud Object Storage Standard™, IBM Cloud ObjectStorage System™, IBM Cloud Object Storage Vault™, SecureSlice™, and Slicestor® are trademarks orregistered trademarks of Cleversafe, an IBM Company and/or International Business Machines Corp.

Other product and service names might be trademarks of IBM or other companies.


http://www.ibm.com/legal/copytrade.shtml

Homologation statement

This product may not be certified in your country for connection by any means whatsoever to interfacesof public telecommunications networks. Further certification may be required by law prior to making anysuch connection. Contact an IBM representative or reseller for any questions.


IBM®

Printed in USA

with ibm corp....chapter 2. structured logs ... the file naming conventions ar e nfsfiler.log ,...

Documents