You could monitor the log files mentioned in the following sections using logmon probe. For information on using logmon probe, refer the Additional Information section. 

LOGIN/LOGOUT MONITORING:
=========================

The Nimbus users and Account users can be tracked monitoring the Operator Console's wasp.log

The LDAP users login/logout can be tracked through hub.log 

For details on Nimbus users and Account users please check the following documentation.

Nimsoft/UIM Users Explained (broadcom.com)

Use Cases:

(a) Nimbus users and Account users:
===============================

To see the login details, you should find similar entries in your wasp.log file of OC Robot (fka UMP robot). You should find similar entries, if you don't, enable debugging of wasp probe on OC Robot to atleast loglevel 3, logsize to 50000 (the log size would now be around 50 MB). You can monitor the successful authentication via logmon probe

Example for username 'Administrator':

Apr 02 01:53:53:309 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: administrator 
Apr 02 01:53:53:309 INFO  [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator 
Apr 02 01:53:53:671 INFO  [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful 

Example for username 'uimoperator':

Apr 02 02:00:05:705 DEBUG [http-nio-8080-exec-6, com.firehunter.ump.auth.OCAuth] Login from request usr uimoperator
Apr 02 02:00:05:707 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'full domain access/uimoperator' trying to log in.
SELECT account_id FROM CM_ACTIVE_ACCOUNT WHERE login_name = 'uimoperator'
Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] uimoperator logged in.
Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.firehunter.ump.auth.OCAuth] User: full domain access/uimoperator, NimBUS login milliseconds: 237

(b) LDAP Users login:
==================

You could set the hub probe at loglevel 3, logsize to 50000 (the log size would now be around 50 MB), monitor the hub.log for string LDAP_SUCCESS using logmon probe, a successful login for example user David Brown would show in the hub.log as: 

May 26 14:33:28:236 [14192] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=CN=<user name> (e-username),OU=Externalsite,OU=xxxx,DC=xx,DC=xxxx,DC=xx scope:=LDAP_SCOPE_BASE filter:=(objectclass=*) attrs:=userPrincipalName, memberOf, name
May 26 14:33:28:236 [14192] 3 hub: (nim_ldap_query) ldap_search_ext_s: LDAP_SUCCESS 

(c) IM Users Login:
==================

You can use the help of audit probe here to track logins of IM. 

- UIM - Enable monitoring for configuration changes in the audit probe (broadcom.com)

- audit IM Configuration (broadcom.com)

(d) Admin Console Users Login:
==========================

Set the wasp probe of AC robot to atleast loglevel 3, set logsize to 50000. The wasp.log now of AC robot should have login information.

Example from my lab server for Successful administrator login on AC from wasp.log of AC robot (loglevel set to 3):
====================================================================================

Apr 12 13:46:43:214 INFO  [http-nio-8080-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator 
Apr 12 13:46:43:592 INFO  [http-nio-8080-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful

(2) NIMBUS/ACCOUNT USERS INFORMATION:
======================================

- All user (i.e. users created from Operator Console and/or Infrastructure Manager) information is stored in the table CM_USER, you could view all the users from the query:

SELECT * FROM CM_USER

- Users (created from Operator Console) information is stored in the table CM_CONTACT, you could view the data from the query:

SELECT * FROM CM_CONTACT

- You can track the above table for users added, deleted, check the ACL changes for user's permissions changed. 

(3) PROBE CONFIGURATION CHANGES:
k=================================

You can monitor probe configuration files (ending with .cfg) for any changes using logmon probe 

(4) FIND IF A PROBE IS DELETED:
============================

You can monitor files deletion using logmon probe, an idea would be to use the probe to track the probe's .cfg files

(5) FIND IF A ROBOT IS DELETED:
============================

- CM_NIMBUS_ROBOT contains all the Robot names

SELECT * FROM CM_NIMBUS_ROBOT

- You can track the above table if robot is deleted

- CM_COMPUTER_SYSTEM is the main host system table, you could view the data from the query:

SELECT * FROM CM_COMPUTER_SYSTEM

- You can track the above table if robot/devices are deleted

Probe changes in AC

When an AC change is made in the webapp, the user that will be listed is ppm for the change, but at the same time or within a few milliseconds the user would be listed that performed the operation.