Auditing User Actions and API Requests
  • 13 Aug 2024

Legacy orchestrator keeps a log of actions performed by users in its web interface and of requests made on its web services REST API.

Here are a few examples of the user actions that are registered in the log:

  • Successful login

  • Addition of a network element

  • Request for a manual resync of a network element.

As an administrator, you may find it useful to view this log for various reasons. For example:

  • To investigate who accessed or tried to access the appliance

  • To troubleshoot issues a user is experiencing while using the appliance

  • To determine whether a user action was accomplished successfully

  • To determine which user made a change to any stored information, such as a Provider Connectivity Assurance device configuration.


Note: Only user actions and API requests are logged. Actions initiated by the system, by an automatic trigger, or by a resync are not logged.


Viewing the Log

The log of user actions and API requests is a file stored on the hard drive of the Legacy orchestrator appliance. The file is named as follows:
auditing_business.log

The log file is stored in this directory:
/opt/accedian/skylight/glassfish5/glassfish/nodes/bizn1/bizn1instance/logs

You view the log in the appliance console. After logging in to the console, you change to the directory in which the log file is located and view the content of the log. You can enter the tail -f command to view a steady stream of the latest additions to the log file in the console. Or you can enter the more or less commands to view sections of the log file.

When the log is accessed via an SSH connection to the MGMT port (using PuTTY), it looks similar to the log shown in the figure below.
[Figure: the audit log viewed over an SSH connection in PuTTY]

To view the log live

  1. Log in to the Legacy orchestrator console (the CONSOLE port or an SSH connection to the MGMT port).

  2. Enter the following command to shorten the prompt:
    PS1='\u:\W$ '

  3. Change to the logs directory as follows:
    cd /opt/accedian/skylight/glassfish5/glassfish/nodes/bizn1/bizn1instance/logs

  4. Enter the following command to view the tail of the log file:
    tail -f auditing_business.log
    The ten most recent user actions are displayed in the console. As users perform actions, a log entry for each action is displayed in the console.

To step through the full contents of the log file

  1. Log in to the Legacy orchestrator console (the CONSOLE port or an SSH connection to the MGMT port).

  2. Enter the following command to shorten the prompt:
    PS1='\u:\W$ '

  3. Change to the logs directory as follows:
    cd /opt/accedian/skylight/glassfish5/glassfish/nodes/bizn1/bizn1instance/logs

  4. Enter one of the following commands to view the log file.
    To view one screen at a time:
    more auditing_business.log
    To be able to move forward and back through the file one line at a time:
    less auditing_business.log

Interpreting Log Entries

Log entries have a standard format consisting of several parts that give the most important information about the user action (username, date and time, application, and a description of the user action).

Here is an example of the log entry format for an audit message:

[#|2015-08-05T08:45:53.041-0400|INFO |glassfish411.1.2|com.accedian.ems.audit.server.logger.ActionAuditingLogger|_ThreadID=48;_ThreadName=Thread-3; |com.accedian.ems.bus.application.auditing.DefaultBusinessAuditingLoggerManager|admin|NE_MANAGEMENT|INFO |Updated management state on NE [false] [[[Vcx-Serial10-10-1-1, 10.10.1.1]]]|#]

Here are explanations of the most significant information in a log entry (based on the example log entry above):

  • 2015-08-05T08:45:53.041-0400
    The date and time when the user performed the action.

  • admin
    The username of the user who performed the action.

  • NE_MANAGEMENT
    The name of the application being audited. In the example, the NE MANAGEMENT application is the part of the Legacy orchestrator system being audited. This indicates the page (in the Legacy orchestrator web interface) in which the user performed the action.

  • INFO
    The log level. It is always INFO for user auditing.

  • Updated management state on NE [false] [[[Vcx-Serial10-10-1-1, 10.10.1.1]]]
    The audit message describing the user action (see the complete list below).

  • The message is completed with runtime parameter values, which are displayed in square brackets after the message. Not all messages have runtime parameters. In the example, the message has two parameters:
    [false]
    The management state of the network element.
    True = managed. False = unmanaged.
    [[[Vcx-Serial10-10-1-1, 10.10.1.1]]]
    Properties of the network element:  serial number and IP address.
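
The following Python example is added here and is not part of the original documentation or the product's own tooling. It parses entries in the layout shown above into timestamp, username, application, message text and parameters, then counts the security-relevant messages listed in the User Security and User Management tables later on this page. It assumes every audit entry has the same ten-field layout as the example entry; the sample rows after the first are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

ENTRY_RE = re.compile(r"\[#\|(.*?)\|#\]", re.DOTALL)  # one entry; may span lines

@dataclass
class AuditEntry:
    when: datetime
    user: str
    application: str
    action: str   # message text with the bracketed parameters removed
    params: list  # top-level [...] groups, inner brackets kept as-is

def split_message(message):
    text, params, depth, start = [], [], 0, 0
    for i, ch in enumerate(message):
        if ch == "[":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "]" and depth > 0:
            depth -= 1
            if depth == 0:
                params.append(message[start:i])
        elif depth == 0:
            text.append(ch)
    return " ".join("".join(text).split()), params

def parse_audit_log(text):
    entries = []
    for match in ENTRY_RE.finditer(text):
        # Bounded split: the message is the 10th field, so a "|" inside a
        # user-supplied name cannot shift the username or application field.
        fields = match.group(1).split("|", 9)
        if len(fields) != 10:
            continue  # not in the layout assumed here
        when = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%S.%f%z")
        user, app = fields[6].strip(), fields[7].strip()
        action, params = split_message(fields[9].strip())
        entries.append(AuditEntry(when, user, app, action, params))
    return entries

def security_summary(entries):  # failed logins, lockouts, account changes
    out = {"bad_credentials": Counter(), "disabled": [], "account_changes": []}
    for e in entries:
        if e.application == "USER_SECURITY" and e.action == "Bad credentials":
            out["bad_credentials"][e.user] += 1
        elif e.application == "USER_SECURITY" and e.action == "User disabled":
            out["disabled"].append(e.user)
        elif e.application == "USER_MANAGEMENT":
            out["account_changes"].append((e.user, e.action, e.params))
    return out

# Constructed sample: row 1 is the page's example entry, the rest reuse its leading fields.
PREFIX = ("INFO |glassfish411.1.2|com.accedian.ems.audit.server.logger."
          "ActionAuditingLogger|_ThreadID=48;_ThreadName=Thread-3; |com.accedian."
          "ems.bus.application.auditing.DefaultBusinessAuditingLoggerManager")
ROWS = [
    ("2015-08-05T08:45:53.041-0400", "admin", "NE_MANAGEMENT",
     "Updated management state on NE [false] [[[Vcx-Serial10-10-1-1, 10.10.1.1]]]"),
    *[(f"2015-08-05T09:00:{s:02d}.000-0400", "victor", "USER_SECURITY",
       "Bad credentials") for s in (1, 9, 17)],
    ("2015-08-05T09:00:25.000-0400", "victor", "USER_SECURITY", "User disabled"),
    ("2015-08-05T09:05:00.000-0400", "admin", "USER_MANAGEMENT", "Set password for user [victor]"),
    ("2015-08-05T09:06:00.000-0400", "admin", "NETWORK_FLOW", "Created a network flow [GOLD|PROFILE]"),
]
SAMPLE_LOG = "\n".join(f"[#|{t}|{PREFIX}|{u}|{a}|INFO |{m}|#]" for t, u, a, m in ROWS)
```

On the appliance, the same functions can be applied to the contents of auditing_business.log read from the logs directory given earlier.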

Complete List of User Audit Log Messages

This section consists essentially of tables that list all the messages that you may see in the user audit log.

The messages are grouped as follows:

  • Backup Management Messages

  • Configuration Flow Messages

  • Configuration Job Messages

  • Firmware Management Messages

  • Network Element Management Messages

  • Network Element Credential Management Messages

  • Performance Monitoring Messages

  • RADIUS Messages

  • RFC 2544 Test Messages

  • User Management Messages

  • User Security Messages

  • Y1564 Test Messages

The tables include the following information about each message:

  • The Log message column lists the messages and indicates how many parameters may be displayed with each message at runtime. For example:

Created a network flow [{0}]	(the message will include one parameter)
Created backup [{0}] [{1}]	(the message will include two parameters)
User session expired  	(the message will include no parameters)
  • The Parameters column explains the runtime parameters that each message takes. Not all messages include parameters at runtime.

  • The Examples column provides examples of how the messages appear in the log. The leading information (date and time of message, program details) is omitted. Parameter values, if present, appear in square brackets, like this: [parameterValue]

  • The Meaning column explains examples that need clarification.

Backup Management Messages

Log message: Created backup [{0}] [{1}]
Parameters: timestampOfBackup; propertiesOfSelectedElement (NE label, IP address)
Examples:
    ANONYMOUS|CONFIG_MANAGEMENT|INFO|Created backup [2015-08-07 10:46:09.625] [[G141-0012, 10.5.30.20]]
    |ANONYMOUS|CONFIG_MANAGEMENT|INFO|Created backup [2015-08-07 11:59:12.575] [[G017-0782, 10.5.30.18]]
Meaning: A user executed a configuration job that includes an NE Backup step. When the Backup step was executed, it created a backup of the selected device.

Log message: Removed backup [{0}] [{1}]
Parameters: timestampOfBackupDeletion; parametersOfSelectedNE (NE label, IP address)
Example:
    |admin|CONFIG_MANAGEMENT|INFO|Removed backup [[2015-08-07 10:23:06.0]] [[[G017-0782, 10.5.30.18]]]
Meaning: The user “admin” deleted a particular backup for a particular device.

Log message: Restored backup [{0}] [{1}]
Parameters: timestampOfBackupRestore; parametersOfSelectedNE (NE label, IP address)
Example:
    admin|CONFIG_MANAGEMENT|INFO|Restored backup [[2015-08-07 10:46:09.0]] [[[G017-0782, 10.5.30.18]]]
Meaning: The user “admin” restored a particular backup for a particular device.

Log message: Updated backup [{0}] [{1}]
Parameters: descriptionOfBackup; backupCreationTime
Example:
    |admin|CONFIG_MANAGEMENT|INFO|Updated backup [original] [[2015-08-07 11:59:12.0]
Meaning: The user “admin” updated the information stored with a particular backup for a particular device.

Configuration Flow Messages

Log message: Created a network flow [{0}]
Parameters: nameOfFlowProfile
Example:
    |admin|NETWORK_FLOW|INFO|Created a network flow [GOLD PROFILE]
Meaning: The user “admin” created a configuration flow profile named “GOLD PROFILE”.

Log message: Created a network flow executor [{0}] [{1}]
Parameters: nameOfFlowExecutor; selectedElements (serial number and IP address provided for each element)
Example:
    |admin|NETWORK_FLOW|INFO|Created a network flow executor [GOLD EXECUTOR] [C037-0189, 10.5.30.22,C037-0185, 10.5.30.12]
Meaning: The user “admin” created a configuration flow executor named “GOLD EXECUTOR” and selected two devices to configure.

Log message: Deleted a network flow [{0}]
Parameters: nameOfFlowProfile
Example:
    |admin|NETWORK_FLOW|INFO|Deleted a network flow [[GOLD PROFILE]]
Meaning: The user “admin” deleted a configuration flow profile named “GOLD PROFILE”.

Log message: Deleted a network flow executor [{0}]
Parameters: nameOfFlowExecutor; selectedElements (serial number and IP address provided for each element)
Example:
    |admin|NETWORK_FLOW|INFO|Deleted a network flow executor [[GOLD EXECUTOR]]
Meaning: The user “admin” deleted a configuration flow profile named “GOLD EXECUTOR”.

Log message: Updated a network flow [{0}]
Parameters: nameOfFlowProfile
Example:
    |admin|NETWORK_FLOW|INFO|Updated a network flow [[GOLD PROFILE]]
Meaning: The user “admin” updated a configuration flow profile named “GOLD PROFILE”.

Log message: Updated a network flow executor [{0}]
Parameters: nameOfFlowExecutor; selectedElements (serial number and IP address provided for each element)
Example:
    |admin|NETWORK_FLOW|INFO|Updated a network flow executor [Testing] [C037-0189, 10.5.30.22, C037-0185, 10.5.30.12]
Meaning: The user “admin” updated a configuration flow profile named “Testing”.

Configuration Job Messages

Log message: Created config job [{0}]
Parameters: nameOfConfigJob
Example:
    |admin|JOB_MANAGEMENT|INFO|Created config job [Backup network]
Meaning: The user “admin” created a configuration job named “Backup network”.

Log message: Created config job executor [{0}]
Parameters: nameOfConfigJobExecutor
Example:
    |admin|JOB_MANAGEMENT|INFO |Created config job executor [Backup network executor]
Meaning: The user “admin” created a configuration job executor named “Backup network executor”.

Log message: Created config job scheduler [{0}] [{1}]
Parameters: nameOfConfigJobScheduler
Example:
    |admin|JOB_MANAGEMENT|INFO|Created config job scheduler [Backup network scheduler] []
Meaning: The user “admin” created a configuration job executor named “Backup network scheduler”.

Log message: Created data set [{0}]
Parameters: nameOfDataset
Example:
    |admin|JOB_MANAGEMENT|INFO|Created data set [Subnet 192]
Meaning: The user “admin” created a data set named “Subnet 192”.

Log message: Imported CLI script [{0}]
Parameters: nameOfCLIset
Example:
    |admin|JOB_MANAGEMENT|INFO|Imported CLI script [Basic CLI set]
Meaning: The user “admin” imported a CLI set named “Basic CLI set”.

Log message: Removed CLI script [{0}]
Parameters: nameOfCLIset
Example:
    |admin|JOB_MANAGEMENT|INFO|Removed CLI script [Basic CLI set]
Meaning: The user “admin” removed a CLI set named “Basic CLI set”.

Log message: Removed config job [{0}]
Parameters: nameOfConfigJob
Example:
    |admin|JOB_MANAGEMENT|INFO|Removed config job [Backup network]
Meaning: The user “admin” deleted a configuration job named “Backup network”.

Log message: Removed config job executor [{0}] [{1}]
Parameters: nameOfConfigJobExecutor; networkElementsSelectedInExecutor
Example:
    |admin|JOB_MANAGEMENT|INFO|Removed config job executor [job executor to delete] [{1}]
Meaning: The user “admin” deleted a configuration job executor named “job executor to delete”. No devices were selected.

Log message: Removed config job scheduler [{0}] [{1}] [{2}]
Parameters: nameOfConfigJobScheduler; networkElementsSelectedInExecutor; nameOfConfigJobExecutor
Example:
    |admin|JOB_MANAGEMENT|INFO|Removed config job scheduler [Backup network scheduler] [] [Backup network executor]
Meaning: The user “admin” deleted a configuration job scheduler named “Backup network scheduler”. No devices were selected in the executor. The “Backup network executor” was being scheduled.

Log message: Removed data set [{0}]
Parameters: nameOfDataset
Example:
    |admin|JOB_MANAGEMENT|INFO|Removed data set [[Subnet 192]]
Meaning: The user “admin” deleted a data set named “Subnet 192”.

Log message: Started config job executor [{0}] [{1}]
Parameters: nameOfConfigJobExecutor; networkElementsSelectedInExecutor
Example:
    |admin|JOB_MANAGEMENT|INFO|Started config job executor [Backup network] [{1}]
Meaning: The user “admin” started the configuration job executor named “Backup Network”. No devices were selected in the executor. The job uses an ME dataset as the list of target elements.

Log message: Started dry run on config job executor [{0}] [{1}]
Parameters: nameOfConfigJobExecutor; networkElementsSelectedInExecutor
Example:
    |admin|JOB_MANAGEMENT|INFO|Started dry run on config job executor [Backup Network] [[[G082-2850, 10.5.30.2], [00:0C:29:A0:D2:ED, 192.168.106.54], [00:0C:29:A0:C2:5C, 192.168.106.55], [C108-0067, 192.168.106.198], [G279-4700, 100.100.100.62], [G017-0782, 10.5.30.18], [G178-1174, 10.5.30.19], [K024-1816, 10.5.30.17], [G280-0025, 192.168.106.130]]]
Meaning: The user “admin” started a dry run of the configuration job executor named “Backup Network”. Multiple devices were selected in the executor. Doing a dry run ensures the connection can be made.

Log message: Stopped config job executor [{0}] [{1}]
Parameters: nameOfConfigJobExecutor; networkElementsSelectedInExecutor
Example:
    |admin|JOB_MANAGEMENT|INFO|Stopped config job executor [Backup Network] [[[G082-2850, 10.5.30.2], [00:0C:29:A0:D2:ED, 192.168.106.54], [00:0C:29:A0:C2:5C, 192.168.106.55], [C108-0067, 192.168.106.198], [G279-4700, 100.100.100.62], [G017-0782, 10.5.30.18], [G178-1174, 10.5.30.19], [K024-1816, 10.5.30.17], [G178-1136, 10.5.30.21], [G280-0025, 192.168.106.130]]]
Meaning: The user “admin” stopped execution of the configuration job executor named “Backup Network”. Multiple devices were selected in the executor.

Log message: Updated CLI script [{0}]
Parameters: nameOfCLIset
Example:
    |admin|JOB_MANAGEMENT|INFO|Updated CLI script [Basic CLI set]
Meaning: The user “admin” updated a CLI set named “Basic CLI set”.

Log message: Updated config job [{0}]
Parameters: nameOfConfigJob
Example:
    |admin|JOB_MANAGEMENT|INFO|Updated config job [Backup Network]
Meaning: The user “admin” updated a configuration job named “Backup Network”.

Log message: Updated config job executor [{0}] [{1}]
Parameters: nameOfConfigJobExecutor; networkElementsSelectedInExecutor
Example:
    |admin|JOB_MANAGEMENT|INFO|Updated config job executor [Backup Network] [{1}]
Meaning: The user “admin” updated execution of the configuration job executor named “Backup Network Executor”. No devices were selected in the executor.

Log message: Updated config job scheduler [{0}] [{1}]
Parameters: nameOfConfigJobExecutor; networkElementsSelectedInExecutor; nameOfConfigJobExecutor
Example:
    |admin|JOB_MANAGEMENT|INFO|Updated config job scheduler [Backup Network Scheduler] [] [Backup Network Executor]
Meaning: The user “admin” updated a configuration job scheduler named “Backup Network Scheduler”. No devices were selected in the executor. The “Backup Network Executor” was being scheduled.

Log message: Updated data set [{0}]
Parameters: nameOfDataset
Example:
    |admin|JOB_MANAGEMENT|INFO|Updated data set [Subnet 192]
Meaning: The user “admin” updated a data set named “Subnet 192”.

Log message: Updated discovery scheduler config [{0}] [{1}] [{2}]
Parameters: nameOfConfigJob; credentialUsedForTrigger; stateOfTrigger
Example:
    |admin|JOB_MANAGEMENT|INFO|Updated discovery scheduler config [Backup Element] [visionems] [true]
Meaning: The user “admin” updated the discovery trigger configuration. The configuration job “Backup Element” will be run on discovered devices. The credential used to access discovered devices is “visionems”. The trigger is enabled.

Firmware Management Messages

Log message: Imported firmware [{0}]
Parameters: nameOfFirmwareFile
Example:
    |admin|CONFIG_MANAGEMENT|INFO|Imported firmware [firmware_GT.afl]
Meaning: The user “admin” imported the firmware file “firmware_GT.afl” onto the Legacy orchestrator system.

Log message: Removed firmware [{0}]
Parameters: nameOfFirmwareFile
Example:
    |admin|CONFIG_MANAGEMENT|INFO|Removed firmware [[firmware_GT.afl]]
Meaning: The user “admin” deleted the firmware file “firmware_GT.afl” from the Legacy orchestrator system.

Log message: Rollback firmware [{0}]
Parameters: selectedElement (NE label, IP address)
Example:
    |admin|CONFIG_MANAGEMENT|INFO|Rollback firmware [[G280-0025, 192.168.106.130]]
Meaning: The user “admin” selected a network element in the list of managed NEs and selected the rollback button.

Network Element Management Messages

Log message: Created a NE [{0}]
Parameters: labelOfNewNE
Example:
    |admin|NE_MANAGEMENT|INFO| Created a NE [Inventory Node]
Meaning: The user “admin” created a device with the label “Inventory Node”.

Log message: Imported NEs [{0}]
Parameters: fileImported
Example:
    |admin|NE_MANAGEMENT|INFO| Imported NEs [Default_MEs.xml]
Meaning: The user “admin” imported devices from a file named “Default_MEs.xml”.

Log message: Removed a NE [{0}]
Parameters: labelOfDeletedNE
Example:
    |admin|NE_MANAGEMENT|INFO| Deleted a NE [PLM LT Node]
Meaning: The user “admin” deleted a device with the label “PLM LT Node”.

Log message: Resync NE [{0}]
Parameters: synchronizedNEs (label, IP address)
Example:
    |admin|NE_MANAGEMENT|INFO| Resync NE [[[G280-0025, 192.168.106.130], [C108-0067, 192.168.106.198]]]
Meaning: The user “admin” synchronized two devices. Data in the Legacy orchestrator data store was synchronized with data on the devices.

Log message: Updated a NE [{0}] with subtending NEs [{1}]
Parameters: labelOfUpdatedElement; elementsSubtendedToUpdatedElement
Example:
    |admin|NE_MANAGEMENT|INFO |Updated a NE [Secondary Appliance] with subtending NEs [{1}]
Meaning: The user “admin” updated the device labeled “Secondary Appliance” to enable it as an inventory node.

Log message: Updated management state on NE [{0}] [{1}]
Parameters: labelOfUpdatedElement; managementState (true = managed, false = unmanaged)
Examples:
    Example A: |admin|NE_MANAGEMENT|INFO|Updated management state on NE [false] [[[G178-1129, 10.5.30.13]]]
    Example B: |admin|NE_MANAGEMENT|INFO|Updated management state on NE [true] [[[G178-1129, 10.5.30.13]]]
Meaning: Example A: The user “admin” changed the state of the device labeled “G178-1129” to unmanaged. Example B: State changed to managed.

Log message: Created a NE credential [{0}] [{1}]
Parameters: credentialName (Name of new credential); credentialType (only possible value: USERID_BASED)
Example:
    |admin|NE_MANAGEMENT|INFO|Created a NE credential [visionems] [USERID_BASED]|
Meaning: The user “admin” created a new account (user name “visionems”) that Legacy orchestrator can use to log on to devices.

Log message: Removed a NE credential [{0}]
Parameters: credentialName (Name of deleted credential); credentialType (only possible value: USERID_BASED)
Example:
    admin|NE_MANAGEMENT|INFO|Removed a NE credential [visionems]
Meaning: The user “admin” removed an account (user name “visionems”) that Legacy orchestrator used to log on to devices.

Performance Monitoring Messages

Log message: Updated PM configuration
Parameters: No parameters
Example:
    |admin|PM|INFO|Updated PM configuration

RADIUS Messages

Log message: Updated radius configuration [{0}]
Parameters: userName
Example:
    |admin|RADIUS|INFO|Updated radius configuration [Ralph]
Note: RADIUS is an external user management system.
Meaning: The user “admin” updated the configuration of a RADIUS account of a user named “Ralph”.

RFC2544 Test Messages

Log message: Created RFC2544 test [{0}]
Parameters: testName
Example:
    |admin|RFC2544|INFO|Created RFC2544 test [RFC suite]
Meaning: The user “admin” created a test named “RFC suite”.

Log message: Created RFC2544 report [{0}]
Parameters: testName
Example:
    |admin|RFC2544|INFO|Created RFC2544 report [RFC suite]
Meaning: The user “admin” created a report for the test named “RFC suite”.

Log message: Removed RFC2544 report [{0}]
Parameters: testName
Examples:
    |admin|RFC2544|INFO|Removed RFC2544 report [RFC suite]
    |admin|RFC2544|INFO|Removed a configuration [suitedesc : rfc suite, suitename :RFC suite] on [G082-2850, 10.5.30.2]
Meaning: The user “admin” removed a report for the test named “RFC suite”.

Log message: Started RFC2544 test [{0}]
Parameters: testName
Example:
    |admin|RFC2544|INFO|Started RFC2544 test [RFC suite]
Meaning: The user “admin” started the test named “RFC suite”.

Log message: Stopped RFC2544 test [{0}]
Parameters: testName
Example:
    |admin|RFC2544|INFO|Stopped RFC2544 test [RFC suite]
Meaning: The user “admin” stopped the test named “RFC suite”.

User Management Messages

Log message: Added roles to user [{0}] [{1}]
Parameters: userName; roles
Example:
    |admin|USER_MANAGEMENT|INFO|Added roles to user[victor][ROLE_VIEWER]
Meaning: The user “admin” added a role for the user named “victor”.

Log message: Created user [{0}]
Parameters: userName
Example:
    |admin|USER_MANAGEMENT|INFO|Created user[victor]
Meaning: The user “admin” created a new user named “victor” (authentication by Legacy orchestrator).

Log message: Deleted user [{0}]
Parameters: userName
Example:
    |admin|USER_MANAGEMENT|INFO|Deleted user [victor]
Meaning: The user “admin” deleted the user named “victor”.

Log message: Radius user login [{0}]
Parameters: userName
Example:
    |admin|USER_MANAGEMENT|INFO|Radius user login[ralph]
Meaning: The user “admin” created a user named “ralph” with authentication by RADIUS.

Log message: Removed roles from user [{0}] [{1}]
Parameters: userName; roles
Example:
    admin|USER_MANAGEMENT|INFO|Removed roles from user [victor] [ROLE_VIEWER]
Meaning: The user “admin” removed roles for the user named “victor”.

Log message: Set login source for user [{0}] [{1}]
Parameters: userName; authenticationSource
Examples:
    |admin|USER_MANAGEMENT|INFO|Set login source for user[victor] [LOCAL]
    admin|USER_MANAGEMENT|INFO|Set login source for user [ralph] [RADIUS]
Meaning: The user “admin” set the source for authentication of the user to either local (Legacy orchestrator) or RADIUS (external system).

Log message: Set password for user [{0}]
Parameters: userName
Example:
    |admin|USER_MANAGEMENT|INFO|Set password for user [victor]
Meaning: The user “admin” set the password for the user named “victor”.

Log message: Set roles on user [{0}] [{1}]
Parameters: userName; roles
Example:
    admin|USER_MANAGEMENT|INFO|Set roles on user[victor] [ROLE_VIEWER]
Meaning: The user “admin” set the roles for the user named “victor”.

Log message: Updated radius user [{0}] [{1}]
Parameters: userName; authenticationSource
Example:
    admin|USER_MANAGEMENT|INFO|Updated radius user [ralph] [RADIUS]
Meaning: The user “admin” updated the RADIUS-authenticated user named “ralph”.

User Security Messages

Log message: Bad credentials
Parameters: No parameters
Example:
    |admin|USER_SECURITY|INFO| Bad credentials|
Meaning: The user “admin” was not able to log in because their user name and/or password could not be authenticated.

Log message: Login
Parameters: No parameters
Example:
    |admin|USER_SECURITY|INFO |Login|
Meaning: The user “admin” logged in successfully.

Log message: Logout
Parameters: No parameters
Example:
    |admin|USER_SECURITY|INFO |Logout|
Meaning: The user “admin” logged out.

Log message: Maximum user sessions reached
Parameters: No parameters
Example:
    |admin|USER_SECURITY|INFO | Maximum user sessions reached|
Meaning: The user “admin” reached the maximum number of login attempts.

Log message: Password change required
Parameters: No parameters
Example:
    |admin|USER_SECURITY|INFO |Password change required|
Meaning: The user “admin” was required to enter a new password on login.

Log message: User disabled
Parameters: No parameters
Example:
    |admin|USER_SECURITY|INFO |User disabled|
Meaning: The user “admin” was disabled because the maximum number of login attempts was exceeded.

Log message: User session expired
Parameters: No parameters
Example:
    |admin|USER_SECURITY|INFO |User session expired|
Meaning: The user “admin” was logged out automatically.

Y.1564 Test Messages

Log message: Created Y1564 test [{0}]
Parameters: testName
Example:
    |admin|Y1564|INFO|Created Y1564 test [Y test]
Meaning: The user “admin” created a test named “Y test”.

Log message: Created Y1564 report [{0}]
Parameters: testName
Example:
    |admin|Y1564|INFO|Created Y1564 report [Y test]
Meaning: The user “admin” created a report for the test named “Y test”.

Log message: Removed Y1564 report [{0}]
Parameters: testName
Example:
    |admin|Y1564|INFO|Removed Y1564 report [Y test]
Meaning: The user “admin” removed the report for the test named “Y test”.

Log message: Started Y1564 test [{0}]
Parameters: testName
Example:
    admin|Y1564|INFO|Started Y1564 test [Y test]
Meaning: The user “admin” started the test named “Y test”.

Log message: Stopped Y1564 test [{0}]
Parameters: testName
Example:
    |admin|Y1564|INFO|Started Y1564 test [Y test]
Meaning: The user “admin” stopped the test named “Y test”.

© 2024 Cisco and/or its affiliates. All rights reserved.
 