Audit

By default, NNM iSPI Performance for QA audits user actions that result in changes to the NNM iSPI Performance for QA database.

By default, the following actions or changes are NOT included in the audit log:

  • Actions performed by the system user
  • Actions performed automatically by NNM iSPI Performance for QA

NNM iSPI Performance for QA auditing is enabled by default. Audit information is written to a new audit log file every day. The audit log files reside in the following directory:

Windows: %NnmDataDir%\nmsas\qa\log\audit-<date>.log

Linux: $NnmDataDir/nmsas/qa/log/audit-<date>.log

Each record in the audit log includes the following kinds of information:

Audit Log

Field / Description

Timestamp

When the audit record is created. In ISO-8601 format without a time zone (local time).

Username

The logged in user name associated with the change.

Remote Address

For changes made via the NNMi Console this will be the address of the client system:

  • The remote address of the client if applicable.
  • "" (indicates not applicable).

Record Type

The category describing the type of change:

  • ACTION – An action run by the user.
  • ACCESS_DENIED – A security check was performed and the user was denied access to the specified action.

  • MODEL – A change to an object in the NNMi topology or configuration made by the user.

  • MESSAGE – Log messages about the system rather than auditing of a user action. For example, the following series of messages might be logged when auditing has successfully begun and is subsequently stopped:

    2016-03-04T22:37:01.012 system "" MESSAGE "Auditing started"

    2016-03-04T22:37:01.014 system "" MESSAGE "Reloaded auditing configuration; auditing is enabled"

    2016-03-04T22:37:01.015 system "" MESSAGE "Audit service initialized successfully"

    2016-03-04T22:59:08.194 system "" MESSAGE "Audit service shutting down"

    2016-03-04T22:59:08.195 system "" MESSAGE "Auditing stopped"

  • TX – Used to indicate transaction boundaries for very large changes. If a change has a very large number of entries, it is written progressively as changes are made, and these entries indicate whether the transaction commits or rolls back.

Transaction ID

Used to correlate multiple entries into a single transaction. Populated for all MODEL entries:

  • ID
  • "" (indicates not applicable).

Operation / Action

The specific operation or action associated with the entry.

  • "" (means no action performed)

For MODEL record types:

  • CREATE – Creating an entry in the NNMi database.
  • UPDATE – Updating an entry in the NNMi database.
  • DELETE – Deleting an entry in the NNMi database.

 

Target Object Type

When the record pertains to a type of object in NNMi this entry lists that type:

  • For example, “sites” for importing sites
  • "" (if not applicable)

Additional metadata available for the object or action (if applicable)

Target Object ID

When the record pertains to a specific object in NNMi this entry lists the unique ID of that object.

"" (if not applicable)

Target Object Name

When this record pertains to a specific object in NNMi this entry lists a user-friendly name or label of that object (where available).

"" (if not applicable)

Field Name

When this record pertains to a specific field on an object this identifies the field that was changed. For example “password” might be the field if the object type was “Account”.

"" (if not applicable)

Field Previous Value

When this record pertains to a specific change to a field on an object this entry lists the previous value of the field.

Sensitive information such as password values is displayed as asterisks, for example: password ************

Create operations will have an empty value ("") in this position.

Delete operations will have the value before delete in this position.

"" (if not applicable)

Field New Value

When this record pertains to a specific change to a field on an object this entry lists the new value of the field.

Sensitive information such as password values is displayed as asterisks, for example: password ************

Create operations will have the initial value in this position.

Delete operations will have an empty value ("") in this position.

"" (if not applicable)

To see the audit report:

    In the console menu bar, select Tools > QA Audit Log.

    The log provides a variety of information about the current day's account activity.

As an administrator, you can configure the following:

Specify the Retention Period of Audit Logs

By default, NNM iSPI Performance for QA retains each archived audit log file, one per day, for 14 days.

This number does not affect the current day's audit log file.

To change the number of days that NNM iSPI Performance for QA retains the archived audit log file:

  1. Open the following configuration file:

    Windows:

    %NnmDataDir%\nmsas\qa\conf\nms-audit-config.xml

    Linux:

    $NnmDataDir/nmsas/qa/conf/nms-audit-config.xml
  2. Locate the text block containing the following:

    <retain>14</retain>
  3. Modify the line to include the number of days NNM iSPI Performance for QA should retain each audit log file. For example, to change the number of days to one week, enter:

    <retain>7</retain>

    In response, NNMi retains the following:

    • the current audit log
    • one audit log per day for 7 additional days
  4. Save your changes.

  5. Restart the qajboss process:

    • ovstop -c qajboss
    • ovstart -c qajboss

About the NNM iSPI Performance for QA Audit Log File

This section provides examples of the types of information in the audit log files.

  • Example audit log entry generated after changing a node's Security Group

    The following is an example log entry that was generated when the Security Group of the node named mimcisco3 was changed from Default Security Group to testgrp.

    2014-04-15T01:56:54.979 admin "" MODEL 5fd8ed33-e671-494e-ab25-06d293347c4f UPDATE Node 50281 mimcisco3 securityGroup "138/Default Security Group" 56651/testgrp

  • Example audit log entry generated when a User Account was created:

    The following are example log entries that were generated when an account for user op1 was created:

    2014-04-15T01:55:48.574 admin "" MODEL 4654e06c-5c1f-4955-bf82-e317dcbf38f3 CREATE Account 56647 op1 alg "" SHA-256

    2014-04-15T01:55:48.574 admin "" MODEL 4654e06c-5c1f-4955-bf82-e317dcbf38f3 CREATE Account 56647 op1 external "" false

    2014-04-15T01:55:48.574 admin "" MODEL 4654e06c-5c1f-4955-bf82-e317dcbf38f3 CREATE Account 56647 op1 name "" op1

    2014-04-15T01:55:48.574 admin "" MODEL 4654e06c-5c1f-4955-bf82-e317dcbf38f3 CREATE Account 56647 op1 password "" ********

  • Example audit log entry generated when a User Account was assigned to a User Group:

    The following are example log entries that were generated when the user op1 was assigned to the NNMi Level 1 Operator User Group:

    2014-04-15T01:55:48.597 admin "" MODEL 4654e06c-5c1f-4955-bf82-e317dcbf38f3 CREATE UserGroupMember 56650 5486f4cf-a3e0-4f24-abd6-28f5169f9f92 account "" 56647/op1

    2014-04-15T01:55:48.597 admin "" MODEL 4654e06c-5c1f-4955-bf82-e317dcbf38f3 CREATE UserGroupMember 56650 5486f4cf-a3e0-4f24-abd6-28f5169f9f92 userGroup "" 141/level1

  • Example audit log entry generated when a User Account password was changed:

    The following is an example log entry that was generated when the op2 User Account password was changed:

    The first user name is the name of the user making the change. The second user name is the account name for which the password is changed.

    2014-04-15T02:04:39.121 admin "" MODEL 0ae97c60-3035-46e0-a20c-20b6da04615f UPDATE Account 56645 op2 password ******** ********
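The record layout and sample entries above can be parsed and correlated by Transaction ID as follows. This is an added example, not code from the product or its documentation; the `WATCHED` set and the function names are assumptions, and it assumes fields are quoted shell-style as in the samples.

```python
import shlex
from collections import defaultdict

# Field order taken from the audit log field table on this page.
FIELDS = ("timestamp", "username", "remote_address", "record_type",
          "transaction_id", "operation", "object_type", "object_id",
          "object_name", "field_name", "previous_value", "new_value")
# Assumption: which (object type, field) pairs deserve review is a local choice.
WATCHED = {("Account", "password"), ("UserGroupMember", "userGroup"),
           ("Node", "securityGroup")}
# Sample records copied from the examples on this page.
SAMPLE = '''\
2016-03-04T22:37:01.012 system "" MESSAGE "Auditing started"
2014-04-15T01:56:54.979 admin "" MODEL 5fd8ed33-e671-494e-ab25-06d293347c4f UPDATE Node 50281 mimcisco3 securityGroup "138/Default Security Group" 56651/testgrp
2014-04-15T01:55:48.574 admin "" MODEL 4654e06c-5c1f-4955-bf82-e317dcbf38f3 CREATE Account 56647 op1 alg "" SHA-256
2014-04-15T01:55:48.574 admin "" MODEL 4654e06c-5c1f-4955-bf82-e317dcbf38f3 CREATE Account 56647 op1 password "" ********
2014-04-15T01:55:48.597 admin "" MODEL 4654e06c-5c1f-4955-bf82-e317dcbf38f3 CREATE UserGroupMember 56650 5486f4cf-a3e0-4f24-abd6-28f5169f9f92 userGroup "" 141/level1
2014-04-15T02:04:39.121 admin "" MODEL 0ae97c60-3035-46e0-a20c-20b6da04615f UPDATE Account 56645 op2 password ******** ********
'''

def parse_record(line):
    """Split one line; a quoted value, empty or with spaces, is one field."""
    tokens = shlex.split(line)  # assumes shell-style double quoting, as in the samples
    if len(tokens) < 4:
        raise ValueError(f"short audit record: {line!r}")
    rec = dict(zip(FIELDS, tokens))
    if rec["record_type"] == "MESSAGE":  # only free text follows the record type
        rec = {k: rec[k] for k in FIELDS[:4]}
        rec["message"] = " ".join(tokens[4:])
    return rec

def group_transactions(text):
    """Correlate MODEL records by Transaction ID."""
    txs = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        if rec["record_type"] == "MODEL":
            txs[rec["transaction_id"]].append(rec)
    return dict(txs)

def watched_changes(text):
    """List (timestamp, actor, operation, type, name, field) for watched changes."""
    return [(r["timestamp"], r["username"], r["operation"], r["object_type"],
             r["object_name"], r["field_name"])
            for recs in group_transactions(text).values() for r in recs
            if (r["object_type"], r["field_name"]) in WATCHED]

if __name__ == "__main__":
    print(*watched_changes(SAMPLE), sep="\n")
```

Because one user action produces several MODEL records, grouping by Transaction ID shows that the op1 account creation and its group assignment belong to the same change.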

Configure the Actions Included in the NNM iSPI Performance for QA Audit Log File

After you examine an NNMi audit log file, you might find that you want to include or exclude auditing for a particular action, entity or field. See step 3 for examples.

In each audit log message, the <action_name> immediately precedes the <entity_name>. The field name appears after the <entity_name>. Here is an example message containing the action (UPDATE), entity (Node), and field name (managementMode):

2014-04-30T01:20:25.301 joe.operator 10.12.203.55 MODEL abb44ddb-ae52-40d9-855f-f6ab0ab899e1 UPDATE Node 151434 172.20.12.7 managementMode MANAGED NOTMANAGED

To change the information included in an NNMi audit log:

  1. Open the following configuration file:

    Windows

    %NnmDataDir%\nmsas\NNM\conf\nms-audit-config.xml

    Linux

    $NnmDataDir/nmsas/NNM/conf/nms-audit-config.xml
  2. Locate the text block containing the following:

    <rules>
    <!-- define custom audit rules here. Any rules here will override system defaults -->
    </rules>

    Although you can specify that NNMi audits system updates, use this option with caution. If you enable system audits, every change to NNMi is included in the audit log file.
  3. Modify the rules as follows:

    • To exclude a single message in the audit log, use the following syntax:

      <exclude entity="<entity_name>" field="<field_name>" action="<action_name>"/> 

      The following example excludes this example audit log message:

      2014-04-30T01:20:25.301 joe.operator 10.12.203.55 MODEL abb44ddb-ae52-40d9-855f-f6ab0ab899e1 UPDATE Node 151434 172.20.12.7 managementMode MANAGED NOTMANAGED

      <exclude entity="Node" field="managementMode" action="UPDATE" />
    • To exclude from the audit log all actions to an entity, use the following syntax:

      <exclude entity="<entity_name>" />

      The following example excludes from the audit log all actions to nodes:

      <exclude entity="Node" />
    • To exclude a specified action to an entity, use the following syntax:

      <exclude entity="<entity_name>" action="<action_name>" />

      The following example excludes from the audit log all update operations to nodes.

      <exclude entity="Node" action="UPDATE" />

      The following example excludes from the audit log all delete operations to nodes:

      <exclude entity="Node" action="DELETE" />
    • To exclude from the audit log all actions to a specified field on any object, use the following syntax:

      <exclude field="<field_name>" />

      The following example excludes from the audit log all updates to the managementMode field on any object:

      <exclude field="managementMode" action="UPDATE" />
  4. Restart the NNMi management server:

    Run the ovstop command on the NNMi management server.

    Run the ovstart command on the NNMi management server.

Disable Auditing

To disable the NNM iSPI Performance for QA auditing:

  1. Open the following configuration file:

    Windows:

    %NnmDataDir%\nmsas\qa\conf\nms-audit-config.xml

    Linux:

    $NnmDataDir/nmsas/qa/conf/nms-audit-config.xml

  2. Locate the text block containing the following:

    <enabled>true</enabled>

  3. Modify the line to read as follows:

    <enabled>false</enabled>

  4. Save your changes.

  5. Restart the qajboss process:

    • ovstop -c qajboss
    • ovstart -c qajboss