UIM Auditing

Article ID: 215164

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

You need to monitor the audit logs with external software (such as QRadar). For each of the items below, you need a way to monitor the change, via a database query where one is available.

  • You need to log user changes (e.g. added user, deleted user, changed user permissions)
  • You need to monitor configuration changes on probes made through Admin Console
  • You need to monitor changes on devices/robots (e.g. deleted device/robot, deleted probe)

The following document does not cover these cases:
Monitor user login attempts in DX UIM Operator Console (OC) 

Environment

  • DX UIM 20.4.x or later
  • Audit probe any version

Resolution

You can monitor the log files mentioned in the following sections using the logmon probe. For information on using the logmon probe, refer to the Additional Information section.

  1. LOGIN/LOGOUT MONITORING:

    Nimbus users and account users can be tracked by monitoring the Operator Console's wasp.log.
    LDAP user logins/logouts can be tracked through hub.log.
    For details on Nimbus users and account users, see the following documentation:
    Nimsoft/UIM Users Explained (broadcom.com)
    • Use Cases:
      1. Nimbus users and Account users:
        Login details appear as entries like the ones below in the wasp.log of the OC robot (formerly the UMP robot). If you do not see such entries, raise the wasp probe's loglevel on the OC robot to at least 3 and set logsize to 50000 (the log will then grow to around 50 MB). Successful authentications can then be monitored with the logmon probe.
        Example for username 'Administrator':
        Apr 02 01:53:53:309 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: administrator 
        Apr 02 01:53:53:309 INFO  [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator
        Apr 02 01:53:53:671 INFO  [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful

        Example for username 'uimoperator':
        Apr 02 02:00:05:705 DEBUG [http-nio-8080-exec-6, com.firehunter.ump.auth.OCAuth] Login from request usr uimoperator
        Apr 02 02:00:05:707 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'full domain access/uimoperator' trying to log in.
        SELECT account_id FROM CM_ACTIVE_ACCOUNT WHERE login_name = 'uimoperator'
        Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] uimoperator logged in.
        Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.firehunter.ump.auth.OCAuth] User: full domain access/uimoperator, NimBUS login milliseconds: 237
      2. LDAP Users login:
        Set the hub probe to loglevel 3 and logsize to 50000 (the log will then grow to around 50 MB), then monitor hub.log for the string LDAP_SUCCESS with the logmon probe. A successful login for an example user appears in hub.log as:
        May 26 14:33:28:236 [14192] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=CN=<user name> (exampleuser),OU=Externalsite,OU=xxxx,DC=xx,DC=xxxx,DC=xx scope:=LDAP_SCOPE_BASE filter:=(objectclass=*) attrs:=userPrincipalName, memberOf, name
        May 26 14:33:28:236 [14192] 3 hub: (nim_ldap_query) ldap_search_ext_s: LDAP_SUCCESS 
      3. IM Users Login:
        Use the audit probe to track Infrastructure Manager (IM) logins; see:
        UIM - Enable monitoring for configuration changes in the audit probe (broadcom.com)
        audit IM Configuration (broadcom.com)

      4. Admin Console Users Login:
        Set the wasp probe on the AC robot to at least loglevel 3 and logsize to 50000. The AC robot's wasp.log will then contain login information.
        Example from my lab server of a successful administrator login on AC, from the wasp.log of the AC robot (loglevel set to 3):
        Apr 12 13:46:43:214 INFO  [http-nio-8080-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator 
        Apr 12 13:46:43:592 INFO  [http-nio-8080-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful
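        The wasp.log and hub.log entries in use cases 1, 2 and 4 above can be turned into login events for a SIEM by matching the same strings logmon would match. The following is an added example, not part of this article or of the UIM product: it parses constructed sample lines modelled on the excerpts above and correlates the user-naming line with the "authentication successful" / LDAP_SUCCESS line by request thread (wasp) or hub process id (hub), since the success line itself names no user.

```python
import re

# Constructed sample lines, modelled on the wasp.log and hub.log excerpts in this article.
WASP_LOG = """\
Apr 02 01:53:53:309 INFO  [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator
Apr 02 01:53:53:671 INFO  [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful
Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] uimoperator logged in.
"""
HUB_LOG = """\
May 26 14:33:28:236 [14192] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=CN=exampleuser,OU=Externalsite,DC=example,DC=com scope:=LDAP_SCOPE_BASE filter:=(objectclass=*) attrs:=userPrincipalName, memberOf, name
May 26 14:33:28:236 [14192] 3 hub: (nim_ldap_query) ldap_search_ext_s: LDAP_SUCCESS
"""
# wasp.log layout: "<ts>:<ms> <LEVEL> [<thread>, <class>] <message>"
WASP_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}):\d{3} +\w+ +\[(?P<thread>[^,]+), [^\]]+\] (?P<msg>.*)$")
# hub.log layout: "<ts>:<ms> [<pid>] <level> hub: <message>"
HUB_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}):\d{3} \[(?P<pid>\d+)\] \d+ hub: (?P<msg>.*)$")


def parse_wasp_logins(text):
    """Return (timestamp, user, kind) for each successful OC/AC login in wasp.log text."""
    events, pending = [], {}  # pending: thread -> Nimbus user awaiting its "successful" line
    for line in text.splitlines():
        m = WASP_RE.match(line)
        if not m:
            continue
        ts, thread, msg = m.group("ts"), m.group("thread"), m.group("msg")
        nimbus = re.match(r"authorizeNimbusUser: user: (\S+)$", msg)
        account = re.match(r"(\S+) logged in\.$", msg)
        if nimbus:
            # The "authentication successful" line names no user: correlate via the request thread.
            pending[thread] = nimbus.group(1)
        elif msg == "nimbus user authentication successful" and thread in pending:
            events.append((ts, pending.pop(thread), "nimbus"))
        elif account:
            events.append((ts, account.group(1), "account"))
    return events


def parse_hub_ldap_logins(text):
    """Return (timestamp, cn, "ldap") for each LDAP_SUCCESS in hub.log, correlated by hub pid."""
    events, pending = [], {}  # pending: pid -> CN from the preceding ldap_search_ext_s line
    for line in text.splitlines():
        m = HUB_RE.match(line)
        if not m:
            continue
        ts, pid, msg = m.group("ts"), m.group("pid"), m.group("msg")
        cn = re.search(r"base:=CN=([^,]+)", msg)
        if cn:
            pending[pid] = cn.group(1)
        elif msg.endswith("LDAP_SUCCESS") and pid in pending:
            events.append((ts, pending.pop(pid), "ldap"))
    return events
```

A failed login never produces the "successful" or LDAP_SUCCESS line, so the pending entry is simply never emitted; in a long-running collector you would expire stale pending entries.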
  2. NIMBUS/ACCOUNT USERS INFORMATION:
    • Information on all users (i.e. users created from the Operator Console and/or Infrastructure Manager) is stored in the table CM_USER; you can view all users with the query:

      SELECT * FROM CM_USER

    • Information on users created from the Operator Console is stored in the table CM_CONTACT; you can view the data with the query:

      SELECT * FROM CM_CONTACT

    • You can track the above tables for users added or deleted, and check the ACL changes to see whose permissions changed.

  3. PROBE CONFIGURATION CHANGES:
    • You can monitor probe configuration files (ending in .cfg) for any changes using the logmon probe.

  4. FIND IF A PROBE IS DELETED:
    • You can monitor file deletion using the logmon probe; one approach is to use it to track the probes' .cfg files.
  5. FIND IF A ROBOT IS DELETED:
    • CM_NIMBUS_ROBOT contains all the Robot names.  You can see the data using the query:

      SELECT * FROM CM_NIMBUS_ROBOT

      You can track the above table to see if robots are deleted

    • CM_COMPUTER_SYSTEM is the main host system table.  You can see the data using the query:

      SELECT * FROM CM_COMPUTER_SYSTEM

      You can track the above table to see if robots/devices are deleted
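      Sections 2 and 5 above both come down to polling a table and comparing it with the previous poll. The following is an added example, not part of this article or of the UIM product: it keeps a snapshot copy of the key column, reports keys added or deleted since the last poll using SQL EXCEPT, and then refreshes the snapshot. It runs against an in-memory SQLite database with constructed rows, and the `login_name` column for CM_USER is an assumption; check the real columns with `SELECT * FROM CM_USER` and pass the right key column (the same function serves CM_CONTACT, CM_NIMBUS_ROBOT and CM_COMPUTER_SYSTEM).

```python
import re
import sqlite3

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # table/column names are interpolated, so allow-list them


def snapshot_diff(conn, table, key_col):
    """Report keys added to / deleted from `table` since the last call, then refresh the snapshot.
    The first call only creates the `<table>_snapshot` baseline and reports nothing."""
    if not (IDENT.match(table) and IDENT.match(key_col)):
        raise ValueError("table and column names must be plain identifiers")
    snap = f"{table}_snapshot"
    cur = conn.cursor()
    exists = cur.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (snap,)).fetchone()
    if not exists:
        cur.execute(f"CREATE TABLE {snap} AS SELECT {key_col} FROM {table}")
        conn.commit()
        return {"added": [], "deleted": []}
    # EXCEPT in both directions gives the set difference each way.
    added = sorted(r[0] for r in cur.execute(f"SELECT {key_col} FROM {table} EXCEPT SELECT {key_col} FROM {snap}"))
    deleted = sorted(r[0] for r in cur.execute(f"SELECT {key_col} FROM {snap} EXCEPT SELECT {key_col} FROM {table}"))
    cur.execute(f"DELETE FROM {snap}")
    cur.execute(f"INSERT INTO {snap} SELECT {key_col} FROM {table}")
    conn.commit()
    return {"added": added, "deleted": deleted}


def demo():
    """Constructed scenario: a CM_USER-like table with an assumed `login_name` key column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CM_USER (login_name TEXT PRIMARY KEY, description TEXT)")
    conn.executemany("INSERT INTO CM_USER VALUES (?, ?)",
                     [("administrator", "built-in"), ("uimoperator", "operations")])
    first = snapshot_diff(conn, "CM_USER", "login_name")   # baseline poll, nothing to report
    conn.execute("INSERT INTO CM_USER VALUES ('auditor', 'added between polls')")
    conn.execute("DELETE FROM CM_USER WHERE login_name = 'uimoperator'")
    second = snapshot_diff(conn, "CM_USER", "login_name")  # one added, one deleted
    third = snapshot_diff(conn, "CM_USER", "login_name")   # no change since last poll
    return first, second, third


if __name__ == "__main__":
    for result in demo():
        print(result)
```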

  6. PROBE CHANGES IN AC
    When a change is made through the Admin Console web application, the change is attributed to the ppm user, but at the same time, or within a few milliseconds, a second entry lists the user who actually performed the operation.

Additional Information

More information on logmon probe:

  1. Logmon training 5 part web series:
  2. Regex tools you could use:
    • regexbuddy
    • regexR

  3. Regex technical documents: