The audit mechanism


GoServe includes a built-in audit mechanism that records events in an audit file while GoServe is running. This maintains a record of usage, and also records any errors or failures of the server.

By default, all audit information (see details below) except selectors is recorded. Choose the 'Audit' page of the Options notebook for detailed control over which audit information will be written to the audit file. You should only select auditing of 'Selectors' if the recording of selectors (request strings) would not compromise confidentiality or privacy.

The audit file has a fixed filename (GOAUDIT), with an extension that is the TCP/IP port number used (for example, 'GOAUDIT.80'). It is written in the working directory for GoServe. The audit file may be read but not altered while GoServe is running.

For reliability, the audit file is written directly to disk and not cached by the file system (though GoServe caches some informational lines briefly to improve response time). You can select the 'Lazy audit' option for caching of up to five seconds, which will improve server throughput under load.

Each line in the audit file starts with three words, separated by one or more blanks: the time (hhmmss), the audit type (one character), and the transaction number (a number, incremented for each connection accepted, that begins at 0 when GoServe is started). Additional information follows, depending on the audit type:

  A (Accept)      - addresses of the client and (if non-prime) server (n.n.n.n)
  C (Complete)    - response time (seconds), and description of action
  D (Day/Time)    - current day (yyyymmdd), and description of adjustment
  E (Error)       - description of an error in processing (e.g., timeout)
  F (Failure)     - description of the failure (terminating error)
  I (Information) - description of information (statistics, etc.)
  L (Limit)       - description of limit that has been exceeded
  N (Network)     - description of how network or client ended transaction
  P (Primary)     - primary server address and port (n.n.n.n nn)
  S (Selector)    - selector received from client for each new request
  U (User)        - description of event from User (filter) command

The 'A' audit line includes the address of the server only if this is different from the primary server address shown on the 'P' line. This may occur if more than one network is active (perhaps a real network and a loopback configuration, or more than one active network adapter cards).

The times (and dates) recorded in the audit file may be in GMT (the default) or in local time (the default for GoServe 1.41 and earlier). The default may be altered using the 'Audit Selection' dialog, but note that use of GMT is only possible if GMT times are available (that is, the TZ environment variable was set when GoServe was started or when a time dislocation was detected). If GMT is in use, the word 'GMT' is added after the current day on 'D' audit lines.

Additional audit types may be added later. The format of any "description" in the above is not strictly defined, except that all Carriage Return, Line Feed, and End of File characters (ASCII '0d'x, '0a'x, and '1a'x) are translated to '[', ']' and '#' respectively to ensure audit file lines are well defined.

For example:

  103701 D 0 19950620 GMT ----- GoServe 2.40 -----
  103701 P 0 9.20.1.20 80
  103726 A 1 9.20.5.59
  103726 S 1 GET / HTTP/1.0
  103727 C 1 0.9 Sent file "d:/gohttp/index.htm" [979 bytes in 0.02s]
  103727 A 2 9.20.5.59
  103727 S 2 GET /pmglobe.gif HTTP/1.0
  103728 C 2 0.95 Sent file "d:/gohttp/pmglobe.gif" [2154 bytes in 0.043s]
  103737 A 3 9.20.5.59
  103737 S 3 GET /globe?22,40 HTTP/1.0
  103738 C 3 0.9 Sent string "You clicked on the globe" [423 bytes in 0.07s]
  103745 A 4 9.20.5.59
  103745 S 4 GET /samptest.htm HTTP/1.0
  103746 C 4 1 Sent file "d:/gohttp/samptest.htm" [664 bytes in 0.012s]
  103750 A 5 9.20.5.59
  103750 S 5 GET /!statistics HTTP/1.0
  103750 C 5 0.8 Sent response "CONTROL STATISTICS" [708 bytes in 0.017s]
  103808 I 5 Bytes sent 4928 received 3045
  103808 I 5 Close

Most requests will end normally, with a 'C' line in the audit file. If an error occurs, there may be one or more 'E' lines in the audit file instead. If a transaction is ended by the client or network, than an 'N' line is used, which is not recorded as an error. Similarly, when a chosen limit is exceeded (such as a timeout) an 'L' line is used, which also is not recorded as an error. A persistent-connection timeout is considered an uninteresting event and is not audited.

The response time recorded on 'C' lines is rounded down to the nearest millisecond below, and measures the total elapsed time from receiving the request to the first send of data to the client. This excludes any time spent waiting for the network, but includes any time taken to receive data from the network and so depends on the network as well as the speed of the processor and the work done by the filter. (See also "Response time recording" for more details.)

The 'bytes' count on 'C' lines is the total number of bytes sent to the client (including any overhead demanded by the protocol in use), and the time shown after the bytes count is the total elapsed time for sending the response (rounded down to the nearest millisecond below). This latter depends on the speed and activity of the server, client, and the network between the two. It is likely to be rather variable.

Viewing or archiving the audit file

To look at an 'active' audit file, use a program or command that allows shared reading of files. TYPE is one such command; its output may be redirected to a file to take a snapshot copy of the audit file. For example:

  type goaudit.80 > snapshot.log

In addition, the Actions pull down menu has an item 'Move audit to archive'. This closes the audit file, appends it to the GoServe archive file in the current working directory, then erases and re-opens the audit file. The GoServe filter can also initiate this action, by returning "control moveaudit"--see "CONTROL command" for details.

The GoServe archive file has a fixed filename (GOARCH), with an extension that is the TCP/IP port number used (for example, 'GOARCH.80'). It is only touched by GoServe during a "Move audit to archive", so is readily copied, edited, or renamed.


[ previous section | contents | next section ]

From 'goserve.doc', version 2.50.
Copyright © IBM Corporation, 1993, 1997. All rights reserved.