How to Determine who Deleted a User in Spectrum

Article ID: 143823

Products

CA eHealth, CA Spectrum, DX NetOps

Issue/Introduction

How to Determine who Deleted a User in Spectrum

Environment

Release : 10.3.x, 10.4.x

Resolution

By default, Spectrum logs an event on the VNM model showing which user destroyed the user account. This event has a code of 0x00010a03 and an event message similar to the following:

Dist Model: Master Destroyed - User [email protected] destroyed master model TestUser (0x10006e) of type User.

You can either create an event filter within OneClick that shows only this event type, or manually query the Archive Manager database as follows:

- Open a command prompt on the SpectroSERVER (SS) and run the following commands:

bash -login

cd mysql/bin

./mysql -uroot -proot ddmdb -A

select * from event where type=68099 \G

The output will look like the following:

*************************** 1. row ***************************
model_h: 1048576
utime: 1580144799
counter: 340
clk_seq: 2242
version: 1
node_id: €J9Ÿ
user_key: 2
type: 68099
severity: 0
vardata_string:
n
TestUser User [email protected]

This shows that user TestUser was deleted by spectrum.

NOTE: By default, the Archive Manager stores only 45 days' worth of data. If the user was deleted before this period, there will no longer be an entry for it.
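
To turn the raw query output above into readable audit records, the following added example (not part of the original article or of Spectrum) parses mysql vertical-format output, keeps only 0x00010a03 events, converts utime to UTC and reports how many days remain before the default 45-day retention drops each row. The function names, the second sample row and the address operator@example.test are constructed for illustration; the address stands in for the one redacted on this page.

```python
import re
from datetime import datetime, timezone

# Column names as they appear in the article's sample output.
COLUMNS = {"model_h", "utime", "counter", "clk_seq", "version",
           "node_id", "user_key", "type", "severity", "vardata_string"}
USER_DESTROYED = 0x00010A03  # event code from the article (decimal 68099)
RETENTION_DAYS = 45          # Archive Manager default stated in the article
ROW_SEP = re.compile(r"^\*+ \d+\. row \*+$")
FIELD = re.compile(r"^\s*(\w+):\s?(.*)$")

def parse_rows(text):
    """Split mysql vertical-format output into one dict per row."""
    rows, row, last = [], None, None
    for line in text.splitlines():
        if ROW_SEP.match(line.strip()):
            row, last = {}, None
            rows.append(row)
        elif row is not None:
            m = FIELD.match(line)
            if m and m.group(1) in COLUMNS:
                last = m.group(1)
                row[last] = m.group(2)
            elif last:
                # vardata_string spans several lines; keep them together
                row[last] += "\n" + line
    return rows

def deletion_events(text, now):
    """Return readable records for user-destroyed events, oldest first."""
    out = []
    for r in parse_rows(text):
        if int(r["type"]) != USER_DESTROYED:
            continue
        when = datetime.fromtimestamp(int(r["utime"]), tz=timezone.utc)
        out.append({
            "when_utc": when.isoformat(),
            "event_code": f"0x{int(r['type']):08x}",
            "model_handle": hex(int(r["model_h"])),
            "details": " ".join(r.get("vardata_string", "").split()),
            "days_until_purge": RETENTION_DAYS - (now - when).days,
        })
    return sorted(out, key=lambda e: e["when_utc"])

# Constructed sample: row 1 mirrors the article's output, row 2 is unrelated.
SAMPLE = ("*** 1. row ***\nmodel_h: 1048576\nutime: 1580144799\ntype: 68099\n"
          "vardata_string:\nn\nTestUser User operator@example.test\n"
          "*** 2. row ***\nmodel_h: 1048576\nutime: 1580144800\ntype: 66307\n"
          "vardata_string: unrelated\n")
```

Save the query output to a file and pass its contents to deletion_events together with the current UTC time; a low or negative days_until_purge means the row should be exported before it ages out.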