Collating logs in a cloud environment


#1

Here’s an example of how to collate some logs (we’re looking at a simple start of a stopped guest).
In the OpenStack GUI we see the guest was started at 3:08PM by some cloud user with a really long userid

If we list the OpenStack users we see that was admin:
[mnadmin@xcat ~] $ openstack user list
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 1cd323027ffe4e79a6fa98462bb8d833 | glance     |
| 22724d55a1b14c0f9d276da62e4645c1 | heat       |
| 58d39f6c3523459287d4e9cdb5ca5a01 | nova       |
| 5db4f75ff7c34eebbe6b4d28c827f14f | cinder     |
| 62540aa1c80a4ffb9763d2879b33826d | aodh       |
| 72bf01a1b59f44cba9311001b7e4f4a3 | discovery  |
| 794d45442c2d44179389e52f4425f66b | admin      |
| c159e3391cc24747a25ebd4c88192dff | neutron    |
| c4f8f83a2469436ca5c1616b526b3abc | ceilometer |
+----------------------------------+------------+

In /var/log/messages we see:

2017-09-13T15:08:13.581842+00:00 xcat xCAT: xCAT::zvmUtils powerVM() node:osp0001a userid:DISLX2 zHCP:zhcp.ibm.com sudoer:root sudo:
2017-09-13T15:08:14.794925+00:00 xcat xCAT: xCAT::zvmUtils DISLX2: IUCV command: ssh root@zhcp.ibm.com /opt/zhcp/bin/IUCV/iucvclnt DISLX2 shutdown -h now. return 0
2017-09-13T15:08:29.802561+00:00 xcat xCAT: xCAT::zvmUtils smcli Image_Deactivate -T DISLX2

2017-09-13T15:09:00.284073+00:00 xcat xCAT: xCAT::zvmUtils powerVM() node:osp0001a userid:DISLX2 zHCP:zhcp.ibm.com sudoer:root sudo:
2017-09-13T15:09:00.292443+00:00 xcat xCAT: xCAT::zvmUtils smcli Image_Activate -T DISLX2

In RACF we see the guest log on and link disks:
17.256 15:09:00 VMSP DISLX2 SYS1 0 1 12 JOBID=( 00.000 00:00:00),USERDATA=()
(NAME UNKNOWN) AUTH=(NONE),REASON=(NONE)
LOGSTR='XAUTOLOG',

17.256 15:09:00 VMSP DISLX2 SYS1 0 2 0 JOBID=( 00.000 00:00:00),USERDATA=()
(NAME UNKNOWN) AUTH=(NORMAL),REASON=(LOGOPTIONS)
VMLAN=SYSTEM.XCATVSW2,INTENT=UPDATE,ALLOWED=NONE
17.256 15:09:00 VMSP DISLX2 SYS1 0 2 0 JOBID=( 00.000 00:00:00),USERDATA=(),OWNER=DISLX2
(NAME UNKNOWN) AUTH=(NORMAL),REASON=(LOGOPTIONS)
VMMDISK=DISLX2.100,LEVEL=00,INTENT=CONTROL,ALLOWED=ALTER
17.256 15:09:00 VMSP DISLX2 SYS1 0 2 0 JOBID=( 00.000 00:00:00),USERDATA=(),OWNER=MAINT
(NAME UNKNOWN) AUTH=(NORMAL),REASON=(LOGOPTIONS)
VMMDISK=MAINT.190,LEVEL=00,INTENT=READ,ALLOWED=READ
17.256 15:09:00 VMSP DISLX2 SYS1 0 2 0 JOBID=( 00.000 00:00:00),USERDATA=(),OWNER=MAINT
(NAME UNKNOWN) AUTH=(NORMAL),REASON=(LOGOPTIONS)
VMMDISK=MAINT.19D,LEVEL=00,INTENT=READ,ALLOWED=READ
17.256 15:09:00 VMSP DISLX2 SYS1 0 2 0 JOBID=( 00.000 00:00:00),USERDATA=(),OWNER=MAINT
(NAME UNKNOWN) AUTH=(NORMAL),REASON=(LOGOPTIONS)
VMMDISK=MAINT.19E,LEVEL=00,INTENT=READ,ALLOWED=READ
17.256 15:09:00 VMSP DISLX2 SYS1 0 2 0 JOBID=( 00.000 00:00:00),USERDATA=(),OWNER=MAINT
(NAME UNKNOWN) AUTH=(NORMAL),REASON=(LOGOPTIONS)
VMMDISK=MAINT.402,LEVEL=00,INTENT=READ,ALLOWED=READ
17.251 15:09:00 VMSP DISLX2 SYS1 0 2 0 JOBID=( 00.000 00:00:00),USERDATA=(),OWNER=MAINT
(NAME UNKNOWN) AUTH=(NORMAL),REASON=(LOGOPTIONS)
VMMDISK=MAINT.401,LEVEL=00,INTENT=READ,ALLOWED=READ
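
The manual collation in the post above can be scripted. The following is an added example, not part of the original post: it folds the multi-line RACF records, converts their yy.ddd dates to calendar timestamps, and separates the records that fall within a few seconds of an xCAT `Image_Activate` for the same guest from those that do not. Assumptions: RACF timestamps are in the same timezone as the syslog lines (UTC), the two-digit year means 20yy, the fourth field of a RACF header line is the guest userid, and the function names and the 5-second window are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: lines copied from the post above (RACF set shortened).
XCAT_LOG = """\
2017-09-13T15:08:29.802561+00:00 xcat xCAT: xCAT::zvmUtils smcli Image_Deactivate -T DISLX2
2017-09-13T15:09:00.292443+00:00 xcat xCAT: xCAT::zvmUtils smcli Image_Activate -T DISLX2
"""
RACF_LOG = """\
17.256 15:09:00 VMSP DISLX2 SYS1 0 1 12 JOBID=( 00.000 00:00:00),USERDATA=()
(NAME UNKNOWN) AUTH=(NONE),REASON=(NONE)
LOGSTR='XAUTOLOG',
17.256 15:09:00 VMSP DISLX2 SYS1 0 2 0 JOBID=( 00.000 00:00:00),USERDATA=(),OWNER=MAINT
(NAME UNKNOWN) AUTH=(NORMAL),REASON=(LOGOPTIONS)
VMMDISK=MAINT.190,LEVEL=00,INTENT=READ,ALLOWED=READ
17.251 15:09:00 VMSP DISLX2 SYS1 0 2 0 JOBID=( 00.000 00:00:00),USERDATA=(),OWNER=MAINT
(NAME UNKNOWN) AUTH=(NORMAL),REASON=(LOGOPTIONS)
VMMDISK=MAINT.401,LEVEL=00,INTENT=READ,ALLOWED=READ
"""
SYSLOG_RE = re.compile(r"^(\S+) \S+ xCAT: (.*)$")
RACF_RE = re.compile(r"^(\d\d)\.(\d{3}) (\d\d:\d\d:\d\d) \S+ (\S+) ")

def parse_xcat(text, userid):
    """Return (timestamp, message) for xCAT syslog lines that name the guest."""
    hits = (SYSLOG_RE.match(l) for l in text.splitlines())
    return [(datetime.fromisoformat(m[1]), m[2]) for m in hits
            if m and re.search(rf"\b{re.escape(userid)}\b", m[2])]

def parse_racf(text, userid, tz=timezone.utc):
    """Fold multi-line RACF records; yy.ddd is read as year and day-of-year."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RACF_RE.match(line)
        if m:  # header line starts a new record (assumed century: 20yy)
            ts = datetime.strptime(f"20{m[1]}.{m[2]} {m[3]}", "%Y.%j %H:%M:%S")
            records.append([ts.replace(tzinfo=tz), m[4], line])
        elif records:  # continuation line belongs to the previous header
            records[-1][2] += " " + line
    return [(ts, msg) for ts, user, msg in records if user == userid]

def correlate(xcat_text, racf_text, userid, window=timedelta(seconds=5)):
    """Split RACF records into those near an Image_Activate and the rest."""
    starts = [ts for ts, msg in parse_xcat(xcat_text, userid) if "Image_Activate" in msg]
    matched, orphans = [], []
    for rec in parse_racf(racf_text, userid):
        near = any(abs(rec[0] - s) <= window for s in starts)
        (matched if near else orphans).append(rec)
    return matched, orphans

if __name__ == "__main__":
    matched, orphans = correlate(XCAT_LOG, RACF_LOG, "DISLX2")
    print(len(matched), "matched;", len(orphans), "with no nearby xCAT start")
```

On the sample, the two records dated 17.256 (2017-09-13) line up with the 15:09:00 `Image_Activate`, while the record dated 17.251 resolves to 2017-09-08 and is returned separately for review.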