CA Automation Point was shut down by a remote user: who did this?

Document ID : KB000012482
Last Modified Date : 14/02/2018
Introduction:

CA Automation Point was shut down on a server. Several people were signed in via CA AP Remote Viewer (APView), and XCMSG.LOG shows CA Automation Point shutting down.

Question:

You are trying to determine who or what shut it down. How can you find in the logs who or what performed the shutdown?

Environment:
CA Automation Point : Any release
Windows : Windows server
Answer:

APView messages, including the shutdown, are logged in the out.deb log file.

Example follows: 

1) Find message containing "op:KEY(kill_xc)". For example: 
16:48:58.183 S1 P4420 T5540 C=3 Task=27 RMW OUT: (rmw_menu,1000,I) vw_id:35, op:KEY(kill_xc) 

2) Take note of the vw_id value, which is the Remote Viewer ID of whoever issued the command; in this example it is 35. 

3) Find the message containing "Connect 35". This message also contains the username used by the Remote Viewer with ID = 35: 
16:48:50.917 S1 P4420 T2564 C=0 Task=18 RMW OUT: (rmw_packet,600,I) Connect 35 login01@domain.ca.com 

For these messages to be written to the out.deb file, "Information messages" must be ticked in Expert Interface/Infrastructure/Debugging.
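
The three steps above can be automated. The following script is an added example, not CA code: it correlates each "op:KEY(kill_xc)" message with the most recent preceding "Connect <vw_id>" message. The regular expressions assume the two message layouts shown in the excerpts above, and all sample lines other than the two from this article are constructed.

```python
import re

# Patterns follow the two message layouts quoted in the article (assumption:
# other releases log the same layout).
KILL_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d{3}) .*\bvw_id:(\d+), op:KEY\(kill_xc\)")
CONNECT_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d{3}) .*\(rmw_packet,\d+,I\) Connect (\d+) (\S+)")


def find_shutdown_issuers(lines):
    """Return one dict per kill_xc message, resolved to the user named in the
    latest earlier 'Connect <vw_id>' line (user is None if none was logged)."""
    sessions = {}   # vw_id -> (connect_time, user); a later Connect overwrites
    findings = []
    for raw in lines:
        line = raw.strip()
        m = CONNECT_RE.search(line)
        if m:
            sessions[m.group(2)] = (m.group(1), m.group(3))
            continue
        m = KILL_RE.search(line)
        if m:
            connected_at, user = sessions.get(m.group(2), (None, None))
            findings.append({"time": m.group(1), "vw_id": m.group(2),
                             "user": user, "connected_at": connected_at})
    return findings


# Lines 3 and 4 are the article's excerpts; the others are constructed to show
# a second Connect for the same ID and a key press with no Connect in the log.
SAMPLE = """\
16:40:01.100 S1 P4420 T2564 C=0 Task=18 RMW OUT: (rmw_packet,600,I) Connect 35 user02@example.test
16:45:12.250 S1 P4420 T2564 C=0 Task=18 RMW OUT: (rmw_packet,600,I) Connect 34 user03@example.test
16:48:50.917 S1 P4420 T2564 C=0 Task=18 RMW OUT: (rmw_packet,600,I) Connect 35 login01@domain.ca.com
16:48:58.183 S1 P4420 T5540 C=3 Task=27 RMW OUT: (rmw_menu,1000,I) vw_id:35, op:KEY(kill_xc)
16:59:00.000 S1 P4420 T5540 C=3 Task=27 RMW OUT: (rmw_menu,1000,I) vw_id:40, op:KEY(kill_xc)
"""

if __name__ == "__main__":
    for f in find_shutdown_issuers(SAMPLE.splitlines()):
        who = f["user"] or "UNKNOWN (no Connect line for this vw_id in the log)"
        print(f'{f["time"]} kill_xc from vw_id {f["vw_id"]}: {who}')
```

A result with no user means the matching Connect message is not in the file being read, for example because "Information messages" was not enabled when the viewer connected.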

Additional Information:

To make auditing of APView session windows simpler, there is currently an Idea open in the CA Communities to get more audit messages in the logs.

See: https://communities.ca.com/ideas/235733594