Auditing User Actions and API Requests

Skylight orchestrator keeps a log of actions performed by users in its web interface and of requests made on its web services REST API .

Here are a few examples of the user actions that are registered in the log:

• Successful login
• Addition of a network element
• Request for a manual resync of a network element.

As an administrator, you may find it useful to view this log for various reasons. For example:

• To investigate who accessed or tried to access the appliance
• To troubleshoot issues a user is experiencing while using the appliance
• To determine whether a user action was accomplished successfully
• To determine which user made a change to any stored information, such as a Skylight device configuration.

Viewing the Log

The log of user actions and API requests is a file stored on the hard drive of the Skylight orchestrator appliance. The file is named as follows:
auditing_business.log

The log file is stored in this directory:
/opt/accedian/skylight/glassfish5/glassfish/nodes/bizn1/bizn1instance/logs

You view the log in the appliance console. After logging in to the console, you change to the directory in which the log file is located and view the content of the log. You can enter the tail -f command to view a steady stream of the latest additions to the log file in the console. Or you can enter the more or less commands to view sections of the log file.

When the log is accessed via an SSH connection to the MGMT port (using PuTTY), it looks similar to the log shown in the figure below.

To view the log live

1. Log in to the Skylight orchestrator console (the CONSOLE port or an SSH connection to the MGMT port).

2. Enter the following command to shorten the prompt:
   PS1='\u:\W$ '

3. Change to the logs directory as follows:
   cd /opt/accedian/skylight/glassfish5/glassfish/nodes/bizn1/bizn1instance/logs

4. Enter the following command to view the tail of the log file:
   tail -f auditing_business.log
   The ten most recent user actions are displayed in the console. As users perform actions, a log entry for each action is displayed in the console.

To step through the full contents of the log file

1. Log in to the Skylight orchestrator console (the CONSOLE port or an SSH connection to the MGMT port).

2. Enter the following command to shorten the prompt:
   PS1='\u:\W$ '

3. Change to the logs directory as follows:
   cd /opt/accedian/skylight/glassfish5/glassfish/nodes/bizn1/bizn1instance/logs

4. Enter one of the following commands to view the log file.
   To view one screen at a time:
   more auditing_business.log
   To be able to move forward and back through the file one line at a time:
   less auditing_business.log

Interpreting Log Entries

Log entries have a standard format consisting of several parts that give the most important information about the user action (username, date and time, application, and a description of the user action).

Here is an example of the log entry format for an audit message:

[#|2015-08-05T08:45:53.041-0400|INFO |glassfish411.1.2|com.accedian.ems.audit.server.logger.ActionAuditingLogger|_ThreadID=48;_ThreadName=Thread-3; |com.accedian.ems.bus.application.auditing.DefaultBusinessAuditingLoggerManager|admin|NE_MANAGEMENT|INFO |Updated management state on NE [false] [[[Vcx-Serial10-10-1-1, 10.10.1.1]]]|#]

Here are explanations of the most significant information in a log entry (based on the example log entry above):

• 2015-08-05T08:45:53.041-0400
  The date and time when the user performed the action.
• admin
  The username of the user who performed the action.
• NE_MANAGEMENT
  The name of the application being audited. In the example, the NE MANAGEMENT application is the part of the Skylight orchestrator system being audited. This indicates the page (in the Skylight orchestrator web interface) in which the user performed the action.
• INFO
  The log level. It is always INFO for user auditing.
• Updated management state on NE [false] [[[Vcx-Serial10-10-1-1, 10.10.1.1]]
  The audit message describing the user action (see the complete list below).
• The message is completed with runtime parameter values, which are displayed in square brackets after the message. Not all messages have runtime parameters. In the example, the message has two parameters:
  [false]
  The management state of the network element.
  True = managed. False = unmanaged.
  [[[Vcx-Serial10-10-1-1, 10.10.1.1]]
  Properties of the network element: serial number and IP address.

Complete List of User Audit Log Messages

This section consists essentially of tables that list all the messages that you may see in the user audit log.

• The messages are grouped as follows:
• Backup Management Messages
• Configuration Flow Messages
• Configuration Job Messages
• Firmware Management Messages
• Network Element Management Messages
• Network Element Credential Management Messages
• Performance Monitoring Messages
• RADIUS Messages
• RFC 2544 Test Messages
• User Management Messages
• User Security Messages
• Y1564 Test Messages

The tables include the following information about each message:

• The Log message column lists the messages and indicates how many parameters that may be displayed with the message at runtime. For example:

Created a network flow [{0}]	(the message will include one parameter)
Created backup [{0}] [{1}]	(the message will include two parameters)
User session expired  	(the message will include no parameters)

• The Parameters column explains the runtime parameters that each message takes. Not all messages include parameters at runtime.
• The Examples column provides examples of how the messages appear in the log. The leading information (date and time of message, program details) is omitted. Parameter values, if present, appear in square brackets, like this: [parameterValue]
• The Meaning column explains examples that need clarification.