© 2014 IBM Corporation
Powered by IBM SmartCloud Meetings
Exploring IBM Notes/Domino Activity Logging and Activity Trends
Open Mic
Javed Batliwala
Staff Software Engineer
Naresh Luthra
Staff Software Engineer
IBM Collaboration Solutions
About Us
Vinayak Tavargeri- Support Manager – Facilitator for AP Open [email protected]
Staff Software Engineer, Smart Cloud [email protected]
Staff Software Engineer, IBM Notes / [email protected]
Ranjit Rai – Lotus Technical Advisor, focussing on entire Notes Domino
Hansraj Mali – Lotus Technical Advisor, focussing on entire Notes Domino
Jayaval Rajendran – Lotus Technical Advisor, focussing on entire Notes Domino
Abstract
IBM Domino Server offers exceptional functionality and features that fit customers and their business needs. In a professional environment, security cannot be forgotten or compromised.
Domino Server is very robust and provides a very high level of security. It captures different types of logs when it has been configured properly. In day-to-day activities, administrators may find it difficult to extract information such as the IP address of the system from which a particular Notes database or mail file was accessed, internal mail routing session and IP details, or unused mail databases. So let's come together for this session on Activity Logging and Activity Trends. What are the best practices for using Activity Logging and Activity Trends?
When should you use them, and when not? What information will you find in them? Should you enable them on all servers or only on one server? We will provide answers to all of these questions.
In this session, it is our sincere effort to enable our end customers to be more effective and confident in managing and securing their Notes/Domino environment.
Agenda
- Activity Logging and Activity Trends
- How to configure Activity Logging
- Working with Activity Trends
- Analyzing Activity Logging Data
- User Activity Logging for a Database
- Test Cases
  a) Mail
  b) Notes DB
  c) Notes session
- Troubleshooting
- References
- Q&A
Activity Logging
Server tasks provide enhanced activity data
Activity data stream written to the server log (log.nsf)
Controlled via server configuration document
API provided to access the activity data stream
How to configure Activity Logging
How to check whether the Activity Logging feature is enabled or disabled:
- Type the console command “show server” on the Domino console. The output shows whether the Activity Logging feature is Enabled / Not Enabled.
You configure activity logging by editing the Configuration Settings document.
- From the Domino Administrator, click the Configuration tab.
- In the Task pane, expand Server and click Configurations.
- In the Results pane, select the Configuration Settings document you want, and click Edit Configuration.
How to configure Activity Logging (cont')
- On the Configuration Settings document, click the Activity Logging tab.
- Select “Activity logging is enabled.”
- In the “Enabled logging types” field, select the types of activity you want to log.
- (Optional) To increase or decrease the frequency of creating Checkpoint records, change the checkpoint interval.
- (Optional) To automatically create Notes session and Notes database Checkpoint records every day at midnight, select “Log checkpoint at midnight.”
- (Optional) To automatically create Notes session and Notes database Checkpoint records every day at the beginning and end of a specific time period, select “Log checkpoints for prime shift” and then specify the times for the Prime shift interval.
- Click Save & Close.
- (Optional) If you are logging activity for LDAP Add and Modify operations and want to change the amount of information logged in the Attributes field from the default of 4096 bytes, follow the steps in the topic “Limiting the amount of attribute information logged for LDAP Add and LDAP Modify activity.”
Checkpoint
The records in the log file keep track of all activity generated. Domino creates different types of records for each type of activity. For some types of activity, Domino creates multiple records during a session; for other types of activity, Domino creates a single record.
For types of activity that could require long sessions to complete, Domino generates an Open or Authorization record when a session begins. This record indicates that a session is open and shows the time at which the session began. During the session, Domino generates Checkpoint records, which log all activity that has occurred so far during the session.
Domino creates Checkpoint records for the following types of activity: IMAP, Notes session, Notes database, Notes passthru, POP3, and SMTP.
Checkpoint records are cumulative; each one contains all of the activity that was logged to that point during the open session. By default, Domino creates a Checkpoint record the first time there is activity after a 15 minute waiting period.
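Because Checkpoint records are cumulative, adding them up overstates a session's activity. The following is an added example, not part of the original deck, that derives per-interval activity and session totals from checkpoints; the record layout and key names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records standing in for exported Notes session activity.
# Key names are hypothetical; only the record types come from the slide.
RECORDS = [
    {"session_id": "S1", "type": "Open",       "time": "09:00", "bytes_read": 0},
    {"session_id": "S2", "type": "Open",       "time": "09:05", "bytes_read": 0},
    {"session_id": "S1", "type": "Checkpoint", "time": "09:15", "bytes_read": 4000},
    {"session_id": "S2", "type": "Checkpoint", "time": "09:20", "bytes_read": 1200},
    {"session_id": "S1", "type": "Checkpoint", "time": "09:30", "bytes_read": 9500},
]


def checkpoints_by_session(records):
    """Group Checkpoint records per session, oldest first."""
    grouped = defaultdict(list)
    for rec in records:
        if rec["type"] == "Checkpoint":
            grouped[rec["session_id"]].append(rec)
    for cps in grouped.values():
        cps.sort(key=lambda r: r["time"])
    return dict(grouped)


def checkpoint_deltas(records, field="bytes_read"):
    """Activity between consecutive checkpoints: [(time, delta), ...] per session."""
    deltas = {}
    for sid, cps in checkpoints_by_session(records).items():
        previous, out = 0, []
        for cp in cps:
            out.append((cp["time"], cp[field] - previous))
            previous = cp[field]
        deltas[sid] = out
    return deltas


def session_totals(records, field="bytes_read"):
    """Running total per session is the latest checkpoint, not the sum of all."""
    return {sid: cps[-1][field] for sid, cps in checkpoints_by_session(records).items()}


def naive_sum(records, field="bytes_read"):
    """Summing cumulative checkpoints double-counts earlier activity."""
    return {sid: sum(cp[field] for cp in cps)
            for sid, cps in checkpoints_by_session(records).items()}


if __name__ == "__main__":
    print(checkpoint_deltas(RECORDS))
    print(session_totals(RECORDS), naive_sum(RECORDS))
```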
Activity logging records
Activity type: What this logs
Agent:
- Domino server-based agents that run successfully.
- Records the name of the agent, the name of the database that contains the agent, the amount of time it took to run the agent, and the name of the person who last saved the agent.
- Note: The record does not show the types of activities the agent performs, or agents which run on a web server.
HTTP:
- Name of the Web server
- Name of the user accessing the Web server
- The URL the user clicked
- The number of bytes returned
- Time to process the request
- HTTP status code
IMAP:
- Tracks IMAP session activity such as user name, server name, the IP address, number of bytes the client sent and read from the server, and the duration of the session.
- Types of records for IMAP sessions: Authorization records, Checkpoint records, Closed records
Activity logging records (cont')
Activity type: What this logs
LDAP:
- Records information about every LDAP request.
- Each LDAP request has a different structure, so a different activity logging record is generated for each type.
- Types of requests: Abandon, Add, Bind, Compare, Delete, Modify, Extended, ModifyDN, Search, Unbind
Mail:
- Tracks mail that is sent from and received by a server.
- Records the name of the server that created the record, the originator and recipient of the message, the message ID, the preceding and the next hop on the delivery route, and the size of the message.
- Types of activity records: Deposit, Delivery, Delivery failure, Transfer, Transfer failure
Notes Database:
- Tracks Notes database activity that occurs during the server session.
- Records the name of the database, the name and address of the database user, the number of documents read and written, the number of bytes read and written, the total number of transactions executed in the database, and the length of time the database was open.
- Types of records: Open records, Checkpoint records, Close records, ClosedEnd records, MailDeposit records
The information in the log file (cont')
Activity type: What this logs
Notes Passthru:
- Tracks activity that is generated by a client or a server through a passthru connection.
- Records information such as the number of bytes sent and received, the number of documents read and written, the number of transactions executed, and the duration of the passthru session.
- Types of activity records: Open records, Checkpoint records, and Close records
Notes Session:
- Tracks network traffic that occurs during a server session with a Notes client or with another Domino server acting as a client.
- Records include such information as the name and network address of the session user, the number of documents read and written, the number of bytes read and written, the total number of transactions executed during the session, and the duration of the session.
- Servers, users, and API programs can all generate session activity.
Activity logging records (cont')
Activity type: What this logs
POP3:
- The name of the user
- The IP address of the client
- The number of bytes the client sends to and reads from the server
- The number of messages sent to the client
- The number of messages deleted from the client
- The duration of the session
- Types of records: Authorization records, Checkpoint records, Close records
Replica:
- The names of the source and destination servers
- The replica ID of the database
- The number of bytes replicated in each direction
SMTP:
- Records information such as the IP address of the connected client
- The number of messages the client sends to the server
- The number of bytes the client sends to and receives from the server
- The number of recipients to whom messages are sent
- The duration of the session
Activity Trends
- Core Domino Functionality
- Trend user Activity
  - Identity (Person or DB)
  - Database
  - Access Protocol
- Statistic for
  - Current Observation
  - Historical Trends
  - Load on Server
- Store it in Activity.nsf
Data Flow
Working with Activity Trends
Resource Balancing
Running activity analysis
- In the Domino Administrator, make the server on which you want to run activity analysis current.
- Click the Server - Analysis tab.
- In the Tools pane, expand Analyze, and then click Activity.
Running activity analysis (cont')
- Do one of the following to select the types of activity you want to log:
  - To log all the types of activity, skip this step. By default, all activity types are selected.
  - To deselect a type of activity to log, click the activity type in the “Selected types of activity” pane, and then click Remove. To deselect all the types of activity, click Remove All.
  - To select a type of activity to log, click the activity type in the “Select server activity types to search for” pane, and then click Add. To add all the types of activity, click Add All.
- Choose the starting and ending dates and times of the activity you want to view.
- (Optional) To write the analysis results to a database other than the Log Analysis database, click Results Database and specify a different database. Then click OK.
Viewing the data in the Log Analysis database
- If the Log Analysis database is not already open, do the following:
  - On your local computer, choose File - Database - Open.
  - Select the Log Analysis database, and then click Open. (By default, the database title is “Log Analysis” and the file name is LOGA4.NSF.)
- In the Task pane, expand Server Activity, and then click the view for the type of activity you want to view.
- (Optional) In the Results pane, double-click the record you want to view.
Test Case – Track the IP Address of mail
- In the example below, we capture the IP address of the sender machine from which the email was generated.
- Perform the Activity analysis for the date on which you want to track the email.
- Click on Mail → Deposited. (The sender is “Test User21/Training”, who has sent the email to “Test User22/Training”.)
- Locate the email, as we need the Session ID to get the IP address.
Test Case – Track the IP Address of mail (cont')
- You can also verify the Message ID from the console.log to confirm that it is the same email.
- Once you have the Session ID, click on Notes → Session and search for the document with that Session ID.
- It will return the result if the document is found.
Test Case – Track the IP Address of mail (cont')
- The Client Address field gives the IP address of the machine from which the email was generated.
- It also gives some additional information, such as which database was used to send the email, bytes transferred, etc.
Test Case – Track the IP Address of database
- In an organization, generic IDs may be configured on multiple machines, and we may want to track from which IP addresses a particular database has been accessed, whether through its own ID file or through access delegation.
- The basic purpose is to capture all the IP addresses from which a particular database has been accessed.
- Run the Activity Analysis for the date you want to capture.
- From the Activity Analysis result database, go to Notes → Database.
Test Case – Track the IP Address of database (cont')
- Capture the Session ID.
- Go to Notes → Session. Search for the document using the Session ID.
Test Case – Track the IP Address of database (cont')
- The Client Address field gives the IP address of the machine from which the database was accessed.
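Both test cases above are the same lookup: take the Session ID from a Mail or Notes Database record and find the Notes Session record that carries the Client Address. The following is an added example, not part of the original deck, that performs this join over exported rows; the key names, sample rows and the idea of exporting the views are assumptions.

```python
# Constructed sample rows standing in for documents exported from the Log
# Analysis views. Key names are hypothetical; the slides only name the
# "Session ID" and "Client Address" fields. Addresses use a documentation range.
MAIL_DEPOSITED = [
    {"message_id": "MSG-0001", "originator": "Test User21/Training",
     "recipient": "Test User22/Training", "session_id": "A1"},
]
NOTES_DATABASE = [
    {"database": "mail/generic.nsf", "user": "Generic ID/Training", "session_id": "B1"},
    {"database": "mail/generic.nsf", "user": "Generic ID/Training", "session_id": "B2"},
    {"database": "mail/generic.nsf", "user": "Test User21/Training", "session_id": "A1"},
    {"database": "mail/generic.nsf", "user": "Generic ID/Training", "session_id": "B9"},
    {"database": "apps/other.nsf", "user": "Generic ID/Training", "session_id": "B1"},
]
NOTES_SESSION = [
    {"session_id": "A1", "client_address": "192.0.2.21"},
    {"session_id": "B1", "client_address": "192.0.2.50"},
    {"session_id": "B2", "client_address": "192.0.2.51"},
]


def index_sessions(session_rows):
    """Map Session ID -> Client Address from the Notes Session records."""
    return {row["session_id"]: row["client_address"] for row in session_rows}


def sender_address(message_id, mail_rows, session_rows):
    """Test case 1: Client Address of the session that deposited a message."""
    sessions = index_sessions(session_rows)
    for row in mail_rows:
        if row["message_id"] == message_id:
            return sessions.get(row["session_id"])
    return None


def database_addresses(database, db_rows, session_rows):
    """Test case 2: every Client Address that opened a database, with the users
    seen from it, plus Session IDs that have no session record in the analysis."""
    sessions = index_sessions(session_rows)
    found, unresolved = {}, []
    for row in db_rows:
        if row["database"] != database:
            continue
        address = sessions.get(row["session_id"])
        if address is None:
            unresolved.append(row["session_id"])
        else:
            found.setdefault(address, set()).add(row["user"])
    return found, unresolved


if __name__ == "__main__":
    print(sender_address("MSG-0001", MAIL_DEPOSITED, NOTES_SESSION))
    print(database_addresses("mail/generic.nsf", NOTES_DATABASE, NOTES_SESSION))
```

An unresolved Session ID means the analysis results contain no matching Notes Session document, so that access cannot be tied to an address from this data alone.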
User Activity Logging for a Database
- By default, Domino logs user activity for a database in each database.
- However, user activity logging is a great tool for monitoring unauthorized access to certain data, so you should maintain it on vital application data.
- To access user activity logging, open the database properties, select the Information tab, and then click the “User Detail” button.
- Note: ODS 48 has an additional column for deletes.
Last Active Databases
- To find the last active database, open Activity.nsf → Databases → Inactivity; it lists all the databases.
Troubleshooting
Since enabling Activity Logging and setting up Activity Trends, the size of your server's log.nsf is 3 to 4 times larger than before. How can you reduce the size of the log when activity trends are being collected?
The overall purge interval for the log.nsf is determined by the third number in the notes.ini variable "log=log.nsf, 1, 0,7,40000". You can set a purge interval specifically for activity trends data by tacking on a number to the end of this value.
For example, if you want to purge activity trends documents not modified after two days, you would set the variable to:
log=log.nsf, 1, 0,7,40000 ,2
Note: The activity trends purge value can be set to 1 through 6. The default purge for the overall log.nsf is 7 days.
Troubleshooting
Since enabling Activity Logging and setting up Activity Trends, the size of your server's activity.nsf will grow. To control the size of activity.nsf, use the retention option.
By default, it stores the data for 10 days.
To customize the number of days, un-check the default option and set the number of days.
Troubleshooting
Title: User activity logging is automatically reenabled after being disabled
Doc #: 1096282
URL: http://www.ibm.com/support/docview.wss?uid=swg21096282
Title: Examples of events that trigger Read/Write entries in the User Activity log for a database
Doc #: 1096117
URL: http://www.ibm.com/support/docview.wss?uid=swg21096117
Title: How to reduce log file size when activity trends are being collected
Doc #: 1230016
URL: http://www.ibm.com/support/docview.wss?uid=swg21230016
Title: STATLOG does not display all databases in Database Size view
Doc #: 1285394
URL: http://www.ibm.com/support/docview.wss?uid=swg21285394
References
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/activity-logging-and-activity-trends
Activity Logging
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/H_BILLING_OVERVIEW_7158_OVERVIEW.html
Activity Trends
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/H_TIVOLI_ACTIVITY_TRENDS_STEPS.html
Thank you Q & A