How to Determine who Deleted a User in Spectrum
search cancel

How to Determine who Deleted a User in Spectrum

book

Article ID: 143823

calendar_today

Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction

How to Determine who Deleted a User in Spectrum

We have a question regarding users in spectrum,

Is there (in Spectrum) any log where we can see when the user has been deleted?

Environment

Release : 21.2.x, 22.2.x

Cause

Auditing requirements

Resolution

By default, Spectrum will log an event on the VNM model showing which user destroyed the user account. This event has a code of 0x00010a03 and will have a event message similar to the following:

Dist Model: Master Destroyed - User spectrum@ destroyed master model TestUser (0x10006e) of type User.

You can either create an event filter within OneClick to just this event type or you could manually query the Archive Manager database with the following query:

- Open a command prompt on the SS and run the following commands:

bash -login

cd mysql/bin

./mysql -uroot -proot ddmdb -A

select * from event where type=68099 \G;

The output will look like the following:

*************************** 1. row ***************************
model_h: 1048576
utime: 1580144799
counter: 340
clk_seq: 2242
version: 1
node_id: €J9Ÿ
user_key: 2
type: 68099
severity: 0
vardata_string:
n
TestUser User spectrum@

This shows that user TestUser was deleted by spectrum.

NOTE: By default the Archive Manager will only store 45 days worth of data. If the user was deleted before this period we will no longer have an entry for it.

Additional Information

getting an error trying to login to mysql:

https://knowledge.broadcom.com/external/article?articleId=51857