Auditing User Actions and API Requests
Legacy orchestrator keeps a log of actions performed by users in its web interface and of requests made on its web services REST API.
Here are a few examples of the user actions that are registered in the log:
Successful login
Addition of a network element
Request for a manual resync of a network element.
As an administrator, you may find it useful to view this log for various reasons. For example:
To investigate who accessed or tried to access the appliance
To troubleshoot issues a user is experiencing while using the appliance
To determine whether a user action was accomplished successfully
To determine which user made a change to any stored information, such as a Provider Connectivity Assurance device configuration.
Note: Only user actions and API requests are logged. Actions initiated by the system, by an automatic trigger, or by a resync are not logged.
Viewing the Log
The log of user actions and API requests is a file stored on the hard drive of the Legacy orchestrator appliance. The file is named as follows:
auditing_business.log
The log file is stored in this directory:
/opt/accedian/skylight/glassfish5/glassfish/nodes/bizn1/bizn1instance/logs
You view the log in the appliance console. After logging in to the console, you change to the directory in which the log file is located and view the content of the log. You can enter the tail -f command to view a steady stream of the latest additions to the log file in the console. Or you can enter the more or less commands to view sections of the log file.
When the log is accessed via an SSH connection to the MGMT port (using PuTTY), it looks similar to the log shown in the figure below.
To view the log live
Log in to the Legacy orchestrator console (the CONSOLE port or an SSH connection to the MGMT port).
Enter the following command to shorten the prompt:
PS1='\u:\W$ '
Change to the logs directory as follows:
cd /opt/accedian/skylight/glassfish5/glassfish/nodes/bizn1/bizn1instance/logs
Enter the following command to view the tail of the log file:
tail -f auditing_business.log
The ten most recent user actions are displayed in the console. As users perform actions, a log entry for each action is displayed in the console.
To step through the full contents of the log file
Log in to the Legacy orchestrator console (the CONSOLE port or an SSH connection to the MGMT port).
Enter the following command to shorten the prompt:
PS1='\u:\W$ '
Change to the logs directory as follows:
cd /opt/accedian/skylight/glassfish5/glassfish/nodes/bizn1/bizn1instance/logs
Enter one of the following commands to view the log file.
To view one screen at a time:
more auditing_business.log
To be able to move forward and back through the file one line at a time:
less auditing_business.log
Interpreting Log Entries
Log entries have a standard format consisting of several parts that give the most important information about the user action (username, date and time, application, and a description of the user action).
Here is an example of the log entry format for an audit message:
[#|2015-08-05T08:45:53.041-0400|INFO |glassfish411.1.2|com.accedian.ems.audit.server.logger.ActionAuditingLogger|_ThreadID=48;_ThreadName=Thread-3; |com.accedian.ems.bus.application.auditing.DefaultBusinessAuditingLoggerManager|admin|NE_MANAGEMENT|INFO |Updated management state on NE [false] [[[Vcx-Serial10-10-1-1, 10.10.1.1]]]|#]
Here are explanations of the most significant information in a log entry (based on the example log entry above):
2015-08-05T08:45:53.041-0400
The date and time when the user performed the action.
admin
The username of the user who performed the action.
NE_MANAGEMENT
The name of the application being audited. In the example, the NE MANAGEMENT application is the part of the Legacy orchestrator system being audited. This indicates the page (in the Legacy orchestrator web interface) in which the user performed the action.
INFO
The log level. It is always INFO for user auditing.
Updated management state on NE [false] [[[Vcx-Serial10-10-1-1, 10.10.1.1]]]
The audit message describing the user action (see the complete list below). The message is completed with runtime parameter values, which are displayed in square brackets after the message. Not all messages have runtime parameters. In the example, the message has two parameters:
[false]
The management state of the network element.
True = managed. False = unmanaged.
[[[Vcx-Serial10-10-1-1, 10.10.1.1]]]
Properties of the network element: serial number and IP address.
Complete List of User Audit Log Messages
This section consists essentially of tables that list all the messages that you may see in the user audit log.
The messages are grouped as follows:
Backup Management Messages
Configuration Flow Messages
Configuration Job Messages
Firmware Management Messages
Network Element Management Messages
Network Element Credential Management Messages
Performance Monitoring Messages
RADIUS Messages
RFC 2544 Test Messages
User Management Messages
User Security Messages
Y1564 Test Messages
The tables include the following information about each message:
The Log message column lists the messages and indicates how many parameters may be displayed with each message at runtime. For example:
Created a network flow [{0}] (the message will include one parameter)
Created backup [{0}] [{1}] (the message will include two parameters)
User session expired (the message will include no parameters)
The Parameters column explains the runtime parameters that each message takes. Not all messages include parameters at runtime.
The Examples column provides examples of how the messages appear in the log. The leading information (date and time of message, program details) is omitted. Parameter values, if present, appear in square brackets, like this: [parameterValue]
The Meaning column explains examples that need clarification.
Backup Management Messages
Log Message | Parameters | Examples | Meaning |
---|---|---|---|
Created backup [{0}] [{1}] | timestampOfBackup propertiesOfSelectedElement NE label, IP address | ANONYMOUS|CONFIG_MANAGEMENT|INFO |Created backup [2015-08-07 10:46:09.625] [[G141-0012, 10.5.30.20]] |ANONYMOUS|CONFIG_MANAGEMENT|INFO |Created backup [2015-08-07 11:59:12.575] [[G017-0782, 10.5.30.18]] | A user executed a configuration job that includes an NE Backup step. When the Backup step was executed, it created a backup of the selected device. |
Removed backup [{0}] [{1}] | timestampOfBackup Deletion parametersOfSelectedNE NE label, IP address | |admin |CONFIG_MANAGEMENT|INFO| Removed backup [[2015-08-07 10:23:06.0]] [[[G017-0782, 10.5.30.18]]] | The user “admin” deleted a particular backup for a particular device. |
Restored backup [{0}] [{1}] | timestampOfBackupRestore parametersOfSelectedNE NE label, IP address | admin|CONFIG_MANAGEMENT|INFO|Restored backup [[2015-08-07 10:46:09.0]] [[[G017-0782, 10.5.30.18]]] | The user “admin” restored a particular backup for a particular device. |
Updated backup [{0}] [{1}] | descriptionOfBackup backupCreationTime | |admin |CONFIG_MANAGEMENT|INFO |Updated backup [original] [[2015-08-07 11:59:12.0] | The user “admin” updated the information stored with a particular backup for a particular device. |
Configuration Flow Messages
Log Message | Parameters | Examples | Meaning |
---|---|---|---|
Created a network flow [{0}] | nameOfFlowProfile | |admin |NETWORK_FLOW|INFO| Created a network flow [GOLD PROFILE] | The user “admin” created a configuration flow profile named “GOLD PROFILE”. |
Created a network flow executor [{0}] [{1}] | nameOfFlowExecutor selectedElements (serial number and IP address provided for each element) | |admin |NETWORK_FLOW|INFO| Created a network flow executor [GOLD EXECUTOR] [C037-0189, 10.5.30.22,C037-0185, 10.5.30.12] | The user “admin” created a configuration flow executor named “GOLD EXECUTOR” and selected two devices to configure. |
Deleted a network flow [{0}] | nameOfFlowProfile | |admin|NETWORK_FLOW |INFO|Deleted a network flow [[GOLD PROFILE]] | The user “admin” deleted a configuration flow profile named “GOLD PROFILE”. |
Deleted a network flow executor [{0}] | nameOfFlowExecutor selectedElements (serial number and IP address provided for each element) | |admin|NETWORK_FLOW|INFO |Deleted a network flow executor [[GOLD EXECUTOR]] | The user “admin” deleted a configuration flow profile named “GOLD EXECUTOR”. |
Updated a network flow [{0}] | nameOfFlowProfile | |admin|NETWORK_FLOW|INFO |Updated a network flow [[GOLD PROFILE]] | The user “admin” updated a configuration flow profile named “GOLD PROFILE”. |
Updated a network flow executor [{0}] | nameOfFlowExecutor selectedElements (serial number and IP address provided for each element) | |admin|NETWORK_FLOW|INFO |Updated a network flow executor [Testing] [C037-0189, 10.5.30.22, C037-0185, 10.5.30.12] | The user “admin” updated a configuration flow profile named “Testing”. |
Configuration Job Messages
Log Message | Parameters | Examples | Meaning |
---|---|---|---|
Created config job [{0}] | nameOfConfigJob | |admin|JOB_MANAGEMENT|INFO |Created config job [Backup network] | The user “admin” created a configuration job named “Backup network”. |
Created config job executor [{0}] | nameOfConfigJobExecutor | |admin|JOB_MANAGEMENT|INFO |Created config job executor [Backup network executor] | The user “admin” created a configuration job executor named “Backup network executor”. |
Created config job scheduler [{0}] [{1}] | nameOfConfigJobScheduler | |admin|JOB_MANAGEMENT|INFO|Created config job scheduler [Backup network scheduler] [] | The user “admin” created a configuration job executor named “Backup network scheduler”. |
Created data set [{0}] | nameOfDataset | |admin|JOB_MANAGEMENT|INFO |Created data set [Subnet 192] | The user “admin” created a data set named “Subnet 192”. |
Imported CLI script [{0}] | nameOfCLIset | |admin|JOB_MANAGEMENT|INFO |Imported CLI script [Basic CLI set] | The user “admin” imported a CLI set named “Basic CLI set”. |
Removed CLI script [{0}] | nameOfCLIset | |admin|JOB_MANAGEMENT|INFO |Removed CLI script [Basic CLI set] | The user “admin” removed a CLI set named “Basic CLI set”. |
Removed config job [{0}] | nameOfConfigJob | |admin|JOB_MANAGEMENT|INFO|Removed config job [Backup network] | The user “admin” deleted a configuration job named “Backup network”. |
Removed config job executor [{0}] [{1}] | nameOfConfigJobExecutor | |admin|JOB_MANAGEMENT|INFO|Removed config job executor [job executor to delete] [{1}] | The user “admin” deleted a configuration job executor named “job executor to delete”. No devices were selected. |
Removed config job scheduler [{0}] [{1}] [{2}] | nameOfConfigJobScheduler networkElementsSelectedInExecutor nameOfConfigJobExecutor | |admin|JOB_MANAGEMENT|INFO|Removed config job scheduler [Backup network scheduler] [] [Backup network executor] | The user “admin” deleted a configuration job scheduler named “Backup network scheduler”. No devices were selected in the executor. The “Backup network executor” was being scheduled. |
Removed data set [{0}] | nameOfDataset | |admin|JOB_MANAGEMENT|INFO|Removed data set [[Subnet 192]] | The user “admin” deleted a data set named “Subnet 192”. |
Started config job executor [{0}] [{1}] | nameOfConfigJobExecutor networkElementsSelectedInExecutor | |admin|JOB_MANAGEMENT|INFO |Started config job executor [Backup network] [{1}] | The user “admin” started the configuration job executor named “Backup Network”. No devices were selected in the executor. The job uses an ME dataset as the list of target elements. |
Started dry run on config job executor [{0}] [{1}] | nameOfConfigJobExecutor networkElementsSelectedInExecutor | |admin|JOB_MANAGEMENT|INFO|Started dry run on config job executor [Backup Network] [[ [G082-2850, 10.5.30.2], [00:0C:29:A0:D2:ED, 192.168.106.54], [00:0C:29:A0:C2:5C, 192.168.106.55], [C108-0067, 192.168.106.198], [G279-4700, 100.100.100.62], [G017-0782, 10.5.30.18], [G178-1174, 10.5.30.19], [K024-1816, 10.5.30.17], [G280-0025, 192.168.106.130]]] | The user “admin” started a dry run of the configuration job executor named “Backup Network”. Multiple devices were selected in the executor. Doing a dry run ensures the connection can be made. |
Stopped config job executor [{0}] [{1}] | nameOfConfigJobExecutor networkElementsSelectedInExecutor | |admin|JOB_MANAGEMENT|INFO|Stopped config job executor [Backup Network] [[[G082-2850, 10.5.30.2], [00:0C:29:A0:D2:ED, 192.168.106.54], [00:0C:29:A0:C2:5C, 192.168.106.55], [C108-0067, 192.168.106.198], [G279-4700, 100.100.100.62], [G017-0782, 10.5.30.18], [G178-1174, 10.5.30.19], [K024-1816, 10.5.30.17], [G178-1136, 10.5.30.21], [G280-0025, 192.168.106.130]]] | The user “admin” stopped execution of the configuration job executor named “Backup Network”. Multiple devices were selected in the executor. |
Updated CLI script [{0}] | nameOfCLIset | |admin|JOB_MANAGEMENT|INFO|Updated CLI script [Basic CLI set] | The user “admin” updated a CLI set named “Basic CLI set”. |
Updated config job [{0}] | nameOfConfigJob | |admin|JOB_MANAGEMENT|INFO|Updated config job [Backup Network] | The user “admin” updated a configuration job named “Backup Network”. |
Updated config job executor [{0}] [{1}] | nameOfConfigJobExecutor networkElementsSelectedInExecutor | |admin|JOB_MANAGEMENT|INFO|Updated config job executor [Backup Network] [{1}] | The user “admin” updated execution of the configuration job executor named “Backup Network Executor”. No devices were selected in the executor. |
Updated config job scheduler [{0}] [{1}] | nameOfConfigJobExecutor networkElementsSelectedInExecutor nameOfConfigJobExecutor | |admin|JOB_MANAGEMENT|INFO|Updated config job scheduler [Backup Network Scheduler] [] [Backup Network Executor] | The user “admin” updated a configuration job scheduler named “Backup Network Scheduler”. No devices were selected in the executor. The “Backup Network Executor” was being scheduled. |
Updated data set [{0}] | nameOfDataset | |admin|JOB_MANAGEMENT|INFO|Updated data set [Subnet 192] | The user “admin” updated a data set named “Subnet 192”. |
Updated discovery scheduler config [{0}] [{1}] [{2}] | nameOfConfigJob credentialUsedForTrigger stateOfTrigger | |admin|JOB_MANAGEMENT|INFO|Updated discovery scheduler config [Backup Element] [visionems] [true] | The user “admin” updated the discovery trigger configuration. The configuration job “Backup Element” will be run on discovered devices. The credential used to access discovered devices is “visionems”. The trigger is enabled. |
Firmware Management Messages
Log Message | Parameters | Examples | Meaning |
---|---|---|---|
Imported firmware [{0}] | nameOfFirmwareFile | |admin|CONFIG_MANAGEMENT|INFO |Imported firmware firmware_GT.afl] | The user “admin” imported the firmware file “firmware_GT.afl” onto the Legacy orchestrator system. |
Removed firmware [{0}] | nameOfFirmwareFile | |admin|CONFIG_MANAGEMENT|INFO|Removed firmware [[firmware_GT.afl]] | The user “admin” deleted the firmware file “firmware_GT.afl” from the Legacy orchestrator system. |
Rollback firmware [{0}] | selectedElement (NE label,IP address) | |admin|CONFIG_MANAGEMENT|INFO|Rollback firmware [[G280-0025, 192.168.106.130]] | The user “admin” selected a network element in the list of managed NEs and selected the rollback button. |
Network Element Management Messages
Log Message | Parameters | Examples | Meaning |
---|---|---|---|
Created a NE[{0}] | labelOfNewNE | |admin|NE_MANAGEMENT|INFO| Created a NE [Inventory Node] | The user “admin” created a device with the label “Inventory Node”. |
Imported NEs [{0}] | fileImported | |admin|NE_MANAGEMENT|INFO| Imported NEs [Default_MEs.xml] | The user “admin” imported devices from a file named “Default_MEs.xml”. |
Removed a NE [{0}] | labelOfDeletedNE | |admin|NE_MANAGEMENT|INFO| Deleted a NE [PLM LT Node] | The user “admin” deleted a device with the label “PLM LT Node”. |
Resync NE [{0}] | synchronizedNEs label, IP address | |admin|NE_MANAGEMENT|INFO| Resync NE [[[G280-0025, 192.168.106.130], [C108-0067, 192.168.106.198]]] | The user “admin” synchronized two devices. Data in the Legacy orchestrator data store was synchronized with data on the devices. |
Updated a NE [{0}] with subtending NEs [{1}] | labelOfUpdatedElement elementsSubtendedToUpdatedElement | |admin|NE_MANAGEMENT|INFO |Updated a NE [Secondary Appliance] with subtending NEs [{1}] | The user “admin” updated the device labeled “Secondary Appliance” to enable it as an inventory node. |
Updated management state on NE [{0}] [{1}] | labelOfUpdatedElement managementState true = managed false = unmanaged | Example A: |admin|NE_MANAGEMENT|INFO|Updated management state on NE [false] [[[G178-1129, 10.5.30.13]]] Example B: |admin|NE_MANAGEMENT|INFO|Updated management state on NE [true] [[[G178-1129, 10.5.30.13]]] | Example A: The user “admin” changed the state of the device labeled “G178-1129” to unmanaged. Example B: State changed to managed. |
Created a NE credential [{0}] [{1}] | credentialName (Name of new credential) credentialType only possible value: USERID_BASED | |admin|NE_MANAGEMENT|INFO |Created a NE credential [visionems] [USERID_BASED]| | The user “admin” created a new account (user name “visionems”) that Legacy orchestrator can use to log on to devices. |
Removed a NE credential [{0}] | credentialName (Name of deleted credential) credentialType only possible value: USERID_BASED | admin|NE_MANAGEMENT|INFO |Removed a NE credential [visionems] | The user “admin” removed an account (user name “visionems”) that Legacy orchestrator used to log on to devices. |
Performance Monitoring Messages
Log Message | Parameters | Examples | Meaning |
---|---|---|---|
Updated PM configuration | No parameters | |admin|PM|INFO |Updated PM configuration |
RADIUS Messages
Log Message | Parameters | Examples | Meaning |
---|---|---|---|
Updated radius configuration [{0}] | userName | |admin|RADIUS|INFO |Updated radius configuration [Ralph] Note: RADIUS is an external user management system. | The user “admin” updated the configuration of a RADIUS account of a user named “Ralph”. |
RFC2544 Test Messages
Log Message | Parameters | Examples | Meaning |
---|---|---|---|
Created RFC2544 test [{0}] | testName | |admin|RFC2544|INFO |Created RFC2544 test [RFC suite] | The user “admin” created a test named “RFC suite”. |
Created RFC2544 report [{0}] | testName | |admin|RFC2544|INFO |Created RFC2544 report [RFC suite] | The user “admin” created a report for the test named “RFC suite”. |
Removed RFC2544 report [{0}] | testName | |admin|RFC2544|INFO |Removed RFC2544 report [RFC suite] |admin|RFC2544|INFO |Removed a configuration [suitedesc : rfc suite, suitename :RFC suite] on [G082-2850, 10.5.30.2] | The user “admin” removed a report for the test named “RFC suite”. |
Started RFC2544 test [{0}] | testName | |admin|RFC2544|INFO |Started RFC2544 test [RFC suite] | The user “admin” started the test named “RFC suite”. |
Stopped RFC2544 test [{0}] | testName | |admin|RFC2544|INFO |Stopped RFC2544 test [RFC suite] | The user “admin” stopped the test named “RFC suite”. |
User Management Messages
Log Message | Parameters | Examples | Meaning |
---|---|---|---|
Added roles to user [{0}] [{1}] | userName | |admin|USER_MANAGEMENT|INFO|Added roles to user[victor][ROLE_VIEWER] | The user “admin” added a role for the user named “victor”. |
Created user [{0}] | userName | |admin|USER_MANAGEMENT|INFO|Created user[victor] | The user “admin” created a new user named “victor” (authentication by Legacy orchestrator). |
Deleted user [{0}] | userName | |admin|USER_MANAGEMENT|INFO|Deleted user [victor] | The user “admin” deleted the user named “victor”. |
Radius user login [{0}] | userName | |admin|USER_MANAGEMENT|INFO|Radius user login[ralph] | The user “admin” created a user named “ralph” with authentication by RADIUS. |
Removed roles from user [{0}] [{1}] | userName | admin|USER_MANAGEMENT|INFO|Removed roles fromuser [victor] [ROLE_VIEWER] | The user “admin” removed roles for the user named “victor”. |
Set login source for user [{0}] [{1}] | userName authenticationSource | |admin|USER_MANAGEMENT|INFO|Set login source for user[victor] [LOCAL] admin|USER_MANAGEMENT|INFO|Set login source for user [ralph] [RADIUS] | The user “admin” set the source for authentication of the user to either local (Legacy orchestrator) or RADIUS (external system). |
Set password for user [{0}] | userName | |admin|USER_MANAGEMENT|INFO|Set password for user [victor] | The user “admin” set the password for the user named “victor”. |
Set roles on user [{0}] [{1}] | userName roles | admin|USER_MANAGEMENT|INFO|Set roles on user[victor] [ROLE_VIEWER] | The user “admin” set the roles for the user named “victor”. |
Updated radius user [{0}] [{1}] | userName authenticationSource | admin|USER_MANAGEMENT|INFO|Updated radius user [ralph] [RADIUS] | The user “admin” updated the RADIUS-authenticated user named “ralph”. |
User Security Messages
Log Message | Parameters | Examples | Meaning |
---|---|---|---|
Bad credentials | No parameters | |admin|USER_SECURITY|INFO| Bad credentials| | The user “admin” was not able to log in because their user name and/or password could not be authenticated. |
Login | No parameters | |admin|USER_SECURITY|INFO |Login| | The user “admin” logged in successfully. |
Logout | No parameters | |admin|USER_SECURITY|INFO |Logout| | The user “admin” logged out. |
Maximum user sessions reached | No parameters | |admin|USER_SECURITY|INFO | Maximum user sessions reached| | The user “admin” reached the maximum number of login attempts. |
Password change required | No parameters | |admin|USER_SECURITY|INFO |Password change required| | The user “admin” was required to enter a new password on login. |
User disabled | No parameters | |admin|USER_SECURITY|INFO |User disabled| | The user “admin” was disabled because the maximum number of login attempts was exceeded. |
User session expired | No parameters | |admin|USER_SECURITY|INFO |User session expired| | The user “admin” was logged out automatically. |
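The entry format described under Interpreting Log Entries, together with the User Security messages listed above, can be reviewed with a script instead of by eye. The Python below is an added example, not part of the product or of the original page: it parses records in that format, splits the bracketed runtime parameters, and counts Bad credentials entries per user. The threshold of 3, the helper names, and every sample record are assumptions constructed for illustration.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime

RECORD = re.compile(r"\[#\|(.*?)\|#\]", re.DOTALL)  # a record may span lines

# action = message text before the first parameter;
# params = top-level [...] groups with the outer brackets removed
AuditEntry = namedtuple("AuditEntry", "when user application level action params")

def split_params(message):
    """Split an audit message into (action, params), honouring nesting."""
    params, depth, start = [], 0, 0
    for i, ch in enumerate(message):
        if ch == "[":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "]" and depth > 0:
            depth -= 1
            if depth == 0:
                params.append(message[start:i])
    return message.split("[", 1)[0].strip(), params

def parse_log(text):
    """Yield one AuditEntry per well-formed record; skip everything else."""
    for match in RECORD.finditer(text):
        f = match.group(1).split("|", 9)  # 10 fields, audit message last
        if len(f) != 10:
            continue
        try:
            when = datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%S.%f%z")
        except ValueError:
            continue
        action, params = split_params(f[9].strip())
        yield AuditEntry(when, f[6].strip(), f[7].strip(), f[8].strip(), action, params)

def auth_failures(entries, threshold=3):
    """Return ({user: Bad credentials count >= threshold}, {disabled users})."""
    bad, disabled = Counter(), set()
    for e in entries:
        if e.application != "USER_SECURITY":
            continue
        if e.action == "Bad credentials":
            bad[e.user] += 1
        elif e.action == "User disabled":
            disabled.add(e.user)
    return {u: n for u, n in bad.items() if n >= threshold}, disabled

# Constructed sample records in the page's entry format (not real log data).
HDR = ("INFO |glassfish411.1.2|com.accedian.ems.audit.server.logger.ActionAuditingLogger"
       "|_ThreadID=48;_ThreadName=Thread-3; "
       "|com.accedian.ems.bus.application.auditing.DefaultBusinessAuditingLoggerManager")

def rec(ts, user, app, msg):
    return f"[#|2015-08-05T{ts}-0400|{HDR}|{user}|{app}|INFO |{msg}|#]"

SAMPLE = "\n".join([
    rec("08:45:53.041", "admin", "NE_MANAGEMENT",
        "Updated management state on NE [false] [[[Vcx-Serial10-10-1-1, 10.10.1.1]]]"),
    *[rec(t, "victor", "USER_SECURITY", "Bad credentials")
      for t in ("09:00:01.120", "09:00:04.310", "09:00:07.905")],
    rec("09:00:08.002", "victor", "USER_SECURITY", "User disabled"),
    rec("09:02:30.000", "admin", "USER_SECURITY", "Login"),
    "[#|truncated record|#]",  # wrong field count: skipped by parse_log
])

if __name__ == "__main__":
    print(auth_failures(list(parse_log(SAMPLE))))
```

To run it against the appliance log, pass the contents of auditing_business.log to parse_log in place of SAMPLE.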
Y.1564 Test Messages
Log Message | Parameters | Examples | Meaning |
---|---|---|---|
Created Y1564 test [{0}] | testName | |admin|Y1564|INFO |Created Y1564 test [Y test] | The user “admin” created a test named “Y test”. |
Created Y1564 report [{0}] | testName | |admin|Y1564|INFO |Created Y1564 report [Y test] | The user “admin” created a report for the test named “Y test”. |
Removed Y1564 report [{0}] | testName | |admin|Y1564|INFO |Removed Y1564 report [Y test] | The user “admin” removed the report for the test named “Y test”. |
Started Y1564 test [{0}] | testName | admin|Y1564|INFO |Started Y1564 test [Y test] | The user “admin” started the test named “Y test”. |
Stopped Y1564 test [{0}] | testName | |admin|Y1564|INFO |Started Y1564 test [Y test] | The user “admin” stopped the test named “Y test”. |
© 2024 Cisco and/or its affiliates. All rights reserved.