Configure the Actions Included in the NNMi Audit Log File

By default, NNMi audits user actions that result in changes to the NNMi database. These kinds of user actions include, but are not limited to, the following:

  • Changes to NNMi topology objects (for example, nodes, node groups, interfaces, and interface groups). Examples include creating or deleting Node Groups or Interface Groups, and changing filters or membership in a Node Group or Interface Group.
  • Changes to incident lifecycle information. Examples include changing an incident's owner or state.
  • Changes to user and access information. Examples include changing passwords, adding or deleting a user account or user group, and creating tenants.
  • Configuration changes made using the NNMi console Configuration workspace or a command line tool. Examples include modifications to SNMP settings, discovery settings, and monitoring configuration.
  • User actions from the NNMi console Actions menu. Examples include Configuration Poll and Status Poll.

After you examine an NNMi audit log file, you might find that you want to include or exclude auditing for a particular action, entity or field. See step 3 for examples.

Tip: In each audit log message, the <action_name> immediately precedes the <entity_name>. The field name appears after the <entity_name>. Here is an example message, in which the action is UPDATE, the entity is Node, and the field name is managementMode:

2014-04-30T01:20:25.301 joe.operator 10.12.203.55 MODEL abb44ddb-ae52-40d9-855f-f6ab0ab899e1 UPDATE Node 151434 172.20.12.7 managementMode MANAGED NOTMANAGED

To change the information included in an NNMi audit log:

  1. Open the following configuration file:

    Windows

    %NnmDataDir%\nmsas\NNM\conf\nms-audit-config.xml

    Linux

    $NnmDataDir/nmsas/NNM/conf/nms-audit-config.xml
  2. Locate the text block containing the following:

    <rules>

    <!-- define custom audit rules here. Any rules here will override system defaults -->
    </rules>
  3. Modify the rules as follows:

    • To exclude a single message in the audit log, use the following syntax:

      <exclude entity="<entity_name>" field="<field_name>" action="<action_name>"/> 

      The following example excludes this example audit log message:

      2014-04-30T01:20:25.301 joe.operator 10.12.203.55 MODEL abb44ddb-ae52-40d9-855f-f6ab0ab899e1 UPDATE Node 151434 172.20.12.7 managementMode MANAGED NOTMANAGED

      <exclude entity="Node" field="managementMode" action="UPDATE" />
    • To exclude from the audit log all actions to an entity, use the following syntax:

      <exclude entity="<entity_name>" />

      The following example excludes from the audit log all actions to nodes:

      <exclude entity="Node" />
    • To exclude a specified action to an entity, use the following syntax:

      <exclude entity="<entity_name>" action="<action_name>" />

      The following example excludes from the audit log all update operations to nodes:

      <exclude entity="Node" action="UPDATE" />

      The following example excludes from the audit log all delete operations to nodes:

      <exclude entity="Node" action="DELETE" />
    • To exclude from the audit log all actions to a specified field on any object, use the following syntax:

      <exclude field="<field_name>" />

      The following example excludes from the audit log all updates to the managementMode field on any object:

      <exclude field="managementMode" action="UPDATE" />
  4. Restart the NNMi management server:

    Run the ovstop command on the NNMi management server.

    Run the ovstart command on the NNMi management server.
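
Before restarting with new rules, it helps to see which existing audit log messages the rules would have suppressed. The following Python script is an added example, not part of NNMi or its documentation. It assumes that audit log lines are whitespace-separated in the same layout as the sample message above, and that an attribute omitted from an exclude rule matches any value; the rules block and log lines are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed <rules> block using two exclude rules shown on this page.
RULES_XML = """
<rules>
  <exclude field="managementMode" action="UPDATE" />
  <exclude entity="Node" action="DELETE" />
</rules>
"""

# Constructed audit log lines that follow the layout of the page's sample
# message. "exampleField" is a placeholder, not a real NNMi field name.
SAMPLE_LOG = """\
2014-04-30T01:20:25.301 joe.operator 10.12.203.55 MODEL abb44ddb-ae52-40d9-855f-f6ab0ab899e1 UPDATE Node 151434 172.20.12.7 managementMode MANAGED NOTMANAGED
2014-04-30T01:22:10.118 joe.operator 10.12.203.55 MODEL abb44ddb-ae52-40d9-855f-f6ab0ab899e1 UPDATE Node 151434 172.20.12.7 exampleField old new
2014-04-30T01:25:42.907 joe.operator 10.12.203.55 MODEL abb44ddb-ae52-40d9-855f-f6ab0ab899e1 DELETE Node 151434 172.20.12.7
"""

def load_rules(xml_text):
    """Return each <exclude> element's attributes as a dict."""
    return [dict(e.attrib) for e in ET.fromstring(xml_text).iter("exclude")]

def parse_line(line):
    """Extract action, entity and field by position (assumed layout)."""
    tok = line.split()
    if len(tok) < 7:
        return None
    return {"action": tok[5], "entity": tok[6],
            "field": tok[9] if len(tok) > 9 else None}

def is_excluded(msg, rules):
    """An attribute omitted from a rule matches any value (assumption)."""
    return any(all(msg.get(k) == v for k, v in r.items()) for r in rules)

def preview(log_text, rules):
    """Split log lines into (still audited, suppressed by the rules)."""
    kept, dropped = [], []
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg is None:
            continue
        (dropped if is_excluded(msg, rules) else kept).append(line)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = preview(SAMPLE_LOG, load_rules(RULES_XML))
    for line in dropped:
        print("would no longer be audited:", line)
```

Running the script against a copy of a real audit log and the edited rules block lists every message that would disappear from the log once the rules take effect.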