How to Determine who Deleted a User in Spectrum
search cancel

How to Determine who Deleted a User in Spectrum


Article ID: 143823


Updated On:


CA Spectrum DX NetOps


How to Determine who Deleted a User in Spectrum

We have a question regarding users in spectrum,

Is there (in Spectrum) any log where we can see when the user has been deleted?


Release : 21.2.x, 22.2.x


Auditing requirements


By default, Spectrum will log an event on the VNM model showing which user destroyed the user account. This event has a code of 0x00010a03 and will have a event message similar to the following:

Dist Model: Master Destroyed - User spectrum@ destroyed master model TestUser (0x10006e) of type User.

You can either create an event filter within OneClick to just this event type or you could manually query the Archive Manager database with the following query:

- Open a command prompt on the SS and run the following commands:

bash -login

cd mysql/bin

./mysql -uroot -proot ddmdb -A

select * from event where type=68099 \G;

The output will look like the following:

*************************** 1. row ***************************
model_h: 1048576
utime: 1580144799
counter: 340
clk_seq: 2242
version: 1
node_id: €J9Ÿ
user_key: 2
type: 68099
severity: 0
TestUser User spectrum@

This shows that user TestUser was deleted by spectrum.

NOTE: By default the Archive Manager will only store 45 days worth of data. If the user was deleted before this period we will no longer have an entry for it.

Additional Information

getting an error trying to login to mysql: