UIM Auditing

Article ID: 215164

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

We need to monitor the audit logs with external software (QRadar), and for each of the items below we need to monitor by a database query if available.

  • We need to log the user changes (e.g. added user, deleted user, user changed permissions)
  • We need to monitor configuration changes on probes. (The Audit probe is not auditing changes from AC, as far as I know.)
  • We need to monitor changes on devices/robots (e.g. deleted device/robot, deleted probe)

I checked the following docs and I think they don't have what I want:

https://knowledge.broadcom.com/external/article?articleId=205830

Environment

DX UIM 20.4.x or later

Audit probe any version

Resolution

You could monitor the log files mentioned in the following sections using the logmon probe. For information on using the logmon probe, refer to the Additional Information section.

(1) LOGIN/LOGOUT MONITORING:
=============================

The Nimbus users and Account users can be tracked by monitoring the Operator Console's wasp.log.

The LDAP users' login/logout can be tracked through hub.log.

For details on Nimbus users and Account users please check the following documentation.

Nimsoft/UIM Users Explained (broadcom.com)

Use Cases:

(a) Nimbus users and Account users:
===============================

To see the login details, look for entries similar to the following in the wasp.log file of the OC robot (formerly the UMP robot). If you don't find them, raise the loglevel of the wasp probe on the OC robot to at least 3 and set logsize to 50000 (the log file will then grow to around 50 MB). You can then monitor successful authentication with the logmon probe.

Example for username 'Administrator':

Apr 02 01:53:53:309 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: administrator 
Apr 02 01:53:53:309 INFO  [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator 
Apr 02 01:53:53:671 INFO  [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful 


Example for username 'uimoperator':

Apr 02 02:00:05:705 DEBUG [http-nio-8080-exec-6, com.firehunter.ump.auth.OCAuth] Login from request usr uimoperator
Apr 02 02:00:05:707 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'full domain access/uimoperator' trying to log in.
SELECT account_id FROM CM_ACTIVE_ACCOUNT WHERE login_name = 'uimoperator'
Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] uimoperator logged in.
Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.firehunter.ump.auth.OCAuth] User: full domain access/uimoperator, NimBUS login milliseconds: 237

(b) LDAP Users login:
==================

Set the hub probe to loglevel 3 and logsize to 50000 (the log file will then grow to around 50 MB), and monitor hub.log for the string LDAP_SUCCESS using the logmon probe. A successful login for an example user David Brown would show in hub.log as:

May 26 14:33:28:236 [14192] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=CN=<user name> (e-username),OU=Externalsite,OU=xxxx,DC=xx,DC=xxxx,DC=xx scope:=LDAP_SCOPE_BASE filter:=(objectclass=*) attrs:=userPrincipalName, memberOf, name
May 26 14:33:28:236 [14192] 3 hub: (nim_ldap_query) ldap_search_ext_s: LDAP_SUCCESS

(c) IM Users Login:
==================

You can use the audit probe here to track logins to IM.

- UIM - Enable monitoring for configuration changes in the audit probe (broadcom.com)

- audit IM Configuration (broadcom.com)

(d) Admin Console Users Login:
==========================

Set the wasp probe of the AC robot to at least loglevel 3 and set logsize to 50000. The wasp.log of the AC robot should then contain login information.

Example from my lab server of a successful administrator login on AC, from wasp.log of the AC robot (loglevel set to 3):
====================================================================================

Apr 12 13:46:43:214 INFO  [http-nio-8080-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator 
Apr 12 13:46:43:592 INFO  [http-nio-8080-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful
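The three wasp.log/hub.log cases above, (a), (b) and (d), share one practical wrinkle that a logmon watcher keyed only on "authentication successful" or "LDAP_SUCCESS" misses: neither success line carries the username. The name sits on an earlier line from the same thread ([http-nio-8080-exec-N]) or the same hub process id ([14192]), so the two lines have to be correlated. The script below is an added example, not code from the article or from the UIM product; it parses the article's own wasp.log lines plus a constructed hub.log pair (with "David Brown" standing in for the article's <user name> placeholder) and returns one (timestamp, user, kind) tuple per successful login, which is the record you would want to forward to QRadar.

```python
import re

# Sample log lines. The wasp.log lines are those quoted in the article; the
# hub.log lines are constructed to match the article's description, with
# "David Brown" standing in for the article's "<user name>" placeholder.
WASP_LOG = """\
Apr 02 01:53:53:309 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: administrator
Apr 02 01:53:53:309 INFO  [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator
Apr 02 01:53:53:671 INFO  [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful
Apr 02 02:00:05:705 DEBUG [http-nio-8080-exec-6, com.firehunter.ump.auth.OCAuth] Login from request usr uimoperator
Apr 02 02:00:05:707 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'full domain access/uimoperator' trying to log in.
SELECT account_id FROM CM_ACTIVE_ACCOUNT WHERE login_name = 'uimoperator'
Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] uimoperator logged in.
Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.firehunter.ump.auth.OCAuth] User: full domain access/uimoperator, NimBUS login milliseconds: 237
"""

HUB_LOG = """\
May 26 14:33:28:236 [14192] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=CN=David Brown,OU=Externalsite,OU=xxxx,DC=xx,DC=xxxx,DC=xx scope:=LDAP_SCOPE_BASE filter:=(objectclass=*) attrs:=userPrincipalName, memberOf, name
May 26 14:33:28:236 [14192] 3 hub: (nim_ldap_query) ldap_search_ext_s: LDAP_SUCCESS
"""

# wasp.log layout: "<ts> <LEVEL> [<thread>, <class>] <message>"
WASP_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} [\d:]+) +(?P<lvl>[A-Z]+) +"
    r"\[(?P<thread>[^,\]]+),[^\]]*\] (?P<msg>.*)$")
NIMBUS_AUTHZ = re.compile(r"^authorizeNimbusUser: user: (?P<user>\S+)$")
NIMBUS_OK = "nimbus user authentication successful"
ACCOUNT_OK = re.compile(r"^(?P<user>\S+) logged in\.$")

# hub.log layout: "<ts> [<pid>] <level> hub: (nim_ldap_query) <message>"
HUB_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} [\d:]+) \[(?P<pid>\d+)\] \d+ hub: "
    r"\(nim_ldap_query\) (?P<msg>.*)$")
LDAP_BASE = re.compile(r"^ldap_search_ext_s\(base:=CN=(?P<cn>[^,]+),")
LDAP_OK = "ldap_search_ext_s: LDAP_SUCCESS"


def successful_logins_wasp(text):
    """Return (timestamp, user, kind) for each successful OC/AC login.

    The 'authentication successful' line carries no username, so the name is
    taken from the preceding authorizeNimbusUser line on the same thread.
    Account users log a single '<user> logged in.' line, which is used directly.
    """
    pending = {}      # thread -> nimbus user awaiting its success line
    logins = []
    for raw in text.splitlines():
        m = WASP_LINE.match(raw.rstrip())
        if not m:
            continue  # e.g. the bare SQL statement wasp writes between lines
        ts, thread, msg = m["ts"], m["thread"], m["msg"]
        if (a := NIMBUS_AUTHZ.match(msg)):
            pending[thread] = a["user"]
        elif msg == NIMBUS_OK:
            logins.append((ts, pending.pop(thread, "<unknown>"), "nimbus"))
        elif (a := ACCOUNT_OK.match(msg)):
            logins.append((ts, a["user"], "account"))
    return logins


def successful_logins_hub(text):
    """Return (timestamp, cn, 'ldap') for each LDAP_SUCCESS, correlated by pid
    with the ldap_search_ext_s(base:=CN=...) line that names the user."""
    pending = {}      # pid -> CN from the most recent base line
    logins = []
    for raw in text.splitlines():
        m = HUB_LINE.match(raw.rstrip())
        if not m:
            continue
        ts, pid, msg = m["ts"], m["pid"], m["msg"]
        if (b := LDAP_BASE.match(msg)):
            pending[pid] = b["cn"]
        elif msg == LDAP_OK:
            logins.append((ts, pending.pop(pid, "<unknown>"), "ldap"))
    return logins


if __name__ == "__main__":
    for entry in successful_logins_wasp(WASP_LOG) + successful_logins_hub(HUB_LOG):
        print(entry)
```

A success line with no preceding name line on the same thread or pid is reported as "<unknown>" rather than dropped, so a gap in correlation still produces an event to investigate. The same correlation can be reproduced inside logmon by matching the name line and the success line as separate watchers and joining them on the thread id downstream.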


(2) NIMBUS/ACCOUNT USERS INFORMATION:
======================================

- All user information (i.e. users created from Operator Console and/or Infrastructure Manager) is stored in the table CM_USER; you can list all users with the query:

SELECT * FROM CM_USER

- Information on users created from Operator Console is stored in the table CM_CONTACT; you can view the data with the query:

SELECT * FROM CM_CONTACT

- You can track the above tables for users added or deleted, and check the ACL changes for users whose permissions changed.


(3) PROBE CONFIGURATION CHANGES:
=================================

You can monitor probe configuration files (ending with .cfg) for any changes using the logmon probe.


(4) FIND IF A PROBE IS DELETED:
============================

You can monitor file deletion using the logmon probe; one approach is to use the probe to track the probes' .cfg files.
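Sections (3) and (4) both come down to the same check: keep a baseline of the probes' .cfg files and report any file that has changed, disappeared or newly appeared. The script below is an added example, not code from the article or from the logmon probe; it hashes every .cfg under a probe root, stores the baseline as JSON, and on the next run classifies each file as added, deleted or modified. The directory layout it builds (probes/<group>/<probe>/<probe>.cfg) and the cfg contents are constructed for the demo and only imitate a real installation.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_cfg_files(probe_root):
    """Map each *.cfg below probe_root (as a relative POSIX path) to its SHA-256."""
    root = Path(probe_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.cfg"))
    }


def compare_baseline(baseline, current):
    """Classify .cfg files as added, deleted or modified relative to a baseline.

    A deleted entry covers section (4) (probe removed, cfg gone); a modified
    entry covers section (3) (probe reconfigured).
    """
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo_cfg_check():
    """Constructed probe tree; the paths only imitate <nimsoft>/probes/<group>/<probe>/."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for group, probe in (("system", "logmon"), ("system", "cdm")):
            d = root / "probes" / group / probe
            d.mkdir(parents=True)
            (d / f"{probe}.cfg").write_text("<setup>\n   loglevel = 0\n</setup>\n")

        # Persist the baseline the way a scheduled job would, then reload it.
        baseline_file = root / "cfg-baseline.json"
        baseline_file.write_text(json.dumps(hash_cfg_files(root)))
        baseline = json.loads(baseline_file.read_text())

        # Simulated changes between two runs: one edit, one deletion, one new probe.
        (root / "probes/system/logmon/logmon.cfg").write_text("<setup>\n   loglevel = 3\n</setup>\n")
        (root / "probes/system/cdm/cdm.cfg").unlink()
        nc = root / "probes/system/net_connect"
        nc.mkdir()
        (nc / "net_connect.cfg").write_text("<setup>\n</setup>\n")

        return compare_baseline(baseline, hash_cfg_files(root))


if __name__ == "__main__":
    print(json.dumps(demo_cfg_check(), indent=2))
```

Hashing the whole file rather than watching for specific strings means any edit is caught, including ones made through Admin Console that never pass through a log line; the baseline file itself should live outside the probe tree and be writable only by the account that runs the check.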


(5) FIND IF A ROBOT IS DELETED:
============================

- CM_NIMBUS_ROBOT contains all the robot names:

SELECT * FROM CM_NIMBUS_ROBOT

- You can track the above table to detect whether a robot has been deleted.

- CM_COMPUTER_SYSTEM is the main host system table; you can view the data with the query:

SELECT * FROM CM_COMPUTER_SYSTEM

- You can track the above table to detect whether robots/devices have been deleted.

Probe changes in AC
===================

When an AC change is made in the web app, the user listed for the change is ppm, but at the same time or within a few milliseconds the user who actually performed the operation is also listed.

Additional Information

More information on logmon probe:
==========================


Logmon training 5 part web series:
===========================

Part 1:
=======
Overview and Logmon Uses - YouTube

Part 2:
=======
Logmon User Interfaces - YouTube

Part 3:
========
Logmon Regex Tools - YouTube

Part 4:
=======
Logmon Use Case 1 - YouTube

Part 5:
=======
Logmon Use Case 2 - YouTube

Regex tools you could use:
====================

1. regexbuddy

2. regexR

Regex technical documents:
========================

1. Regex Part 1 technical document:

REGEX: Part 1 - The Basics (broadcom.com)

2. Regex How to Include and Exclude in same expression: 

Regex How to Include and Exclude in same expression (broadcom.com)