We need to monitor the audit logs with external software (QRadar), and for each of the below we need to monitor via a database query if available.
I checked the following docs and I think they don't have what I want.
Release : 20.3
Component : UNIFIED INFRASTRUCTURE MANAGER
You could monitor the log files mentioned in the following sections using the logmon probe. For information on using the logmon probe, refer to the Additional Information section.
Nimbus users and Account users can be tracked by monitoring the Operator Console's wasp.log.
LDAP users' login/logout can be tracked through hub.log.
For details on Nimbus users and Account users, please check the following documentation.
To see the login details, look for entries similar to the following in the wasp.log file of the OC robot (formerly the UMP robot). If they are not there, raise the wasp probe's loglevel on the OC robot to at least 3 and set logsize to 50000 (the log file will then grow to around 50 MB). You can monitor successful authentications via the logmon probe.
Example for username 'Administrator':
Apr 02 01:53:53:309 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: administrator
Apr 02 01:53:53:309 INFO [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator
Apr 02 01:53:53:671 INFO [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful
Example for username 'uimoperator':
Apr 02 02:00:05:705 DEBUG [http-nio-8080-exec-6, com.firehunter.ump.auth.OCAuth] Login from request usr uimoperator
Apr 02 02:00:05:707 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'full domain access/uimoperator' trying to log in.
SELECT account_id FROM CM_ACTIVE_ACCOUNT WHERE login_name = 'uimoperator'
Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] uimoperator logged in.
Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.firehunter.ump.auth.OCAuth] User: full domain access/uimoperator, NimBUS login milliseconds: 237
You could set the hub probe to loglevel 3 and logsize 50000 (the log would now be around 50 MB) and monitor hub.log for the string LDAP_SUCCESS using the logmon probe. A successful login, for example for the user David Brown, shows in hub.log as:
May 26 14:33:28:236  0 hub: (nim_ldap_query) ldap_search_ext_s(base:=CN=Brown David (e-david.brown),OU=Externalsite,OU=MPSV,DC=AD,DC=MPSV,DC=CZ scope:=LDAP_SCOPE_BASE filter:=(objectclass=*) attrs:=userPrincipalName, memberOf, name
May 26 14:33:28:236  3 hub: (nim_ldap_query) ldap_search_ext_s: LDAP_SUCCESS
You can also use the audit probe here to track logins to IM.
Set the wasp probe of the AC robot to at least loglevel 3 and logsize to 50000. The wasp.log of the AC robot should then contain login information.
Example from my lab server of a successful administrator login on AC, from wasp.log of the AC robot (loglevel set to 3):
Apr 12 13:46:43:214 INFO [http-nio-8080-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator
Apr 12 13:46:43:592 INFO [http-nio-8080-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful
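The wasp.log entries above (for both the OC and the AC robot) show that a login is two lines on the same worker thread: an attempt line naming the user, then a success line that does not. An added example, not from the original article or the product, that correlates the two per thread and reports attempts that never completed; the sample lines are constructed to match the quoted format:

```python
import re

# Constructed sample modelled on the wasp.log lines quoted above (not a real capture).
# The third line is an attempt that never reaches "authentication successful".
WASP_SAMPLE = """\
Apr 02 01:53:53:309 INFO [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator
Apr 02 01:53:53:671 INFO [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful
Apr 02 01:54:10:100 INFO [http-nio-8080-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: baduser
Apr 02 02:00:05:707 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'full domain access/uimoperator' trying to log in.
Apr 02 02:00:05:944 DEBUG [http-nio-8080-exec-6, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] uimoperator logged in.
"""

# wasp.log layout: "<Mon dd HH:MM:SS:mmm> <LEVEL> [<thread>, <class>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}:\d{3}) (?P<level>\w+) "
    r"\[(?P<thread>[^,]+), (?P<cls>[^\]]+)\] (?P<msg>.*)$"
)
NIMBUS_TRY = re.compile(r"authorizeNimbusUser: user: (\S+)")
NIMBUS_OK = "nimbus user authentication successful"
ACCOUNT_TRY = re.compile(r"User '(?P<acct>[^']*)' trying to log in\.")
ACCOUNT_OK = re.compile(r"^(?P<user>\S+) logged in\.$")


def wasp_logins(text):
    """Correlate attempt and success lines on the same worker thread.

    Returns (completed, incomplete): completed is a list of
    (timestamp, user, kind) for logins that reached the success line,
    kind being 'nimbus' or 'account'; incomplete lists (user, kind)
    attempts that never did, which is what you would alert on.
    """
    pending = {}  # thread -> (user, kind) waiting for its success line
    completed = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation/stack-trace lines carry no header
        thread, msg = m["thread"], m["msg"]
        if t := NIMBUS_TRY.search(msg):
            pending[thread] = (t.group(1), "nimbus")
        elif a := ACCOUNT_TRY.search(msg):
            # account users are logged as 'ACL name/login'; keep only the login
            pending[thread] = (a["acct"].rsplit("/", 1)[-1], "account")
        elif thread in pending:
            user, kind = pending[thread]
            ok = ACCOUNT_OK.match(msg)
            if msg == NIMBUS_OK or (ok and ok["user"] == user):
                completed.append((m["ts"], user, kind))
                del pending[thread]
    return completed, list(pending.values())
```

The same regexes can be used as logmon watcher patterns, but logmon matches single lines, so the per-thread pairing is what the SIEM side (or this script feeding it) adds.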
(2) NIMBUS/ACCOUNT USERS INFORMATION:
- All user information (i.e. users created from Operator Console and/or Infrastructure Manager) is stored in the table CM_USER; you can view all the users with the query:
SELECT * FROM CM_USER
- Information on users created from Operator Console is stored in the table CM_CONTACT; you can view the data with the query:
SELECT * FROM CM_CONTACT
- You can track the above tables for users being added or deleted, and check them for ACL changes to see whose permissions were changed.
(3) PROBE CONFIGURATION CHANGES:
You can monitor probe configuration files (ending with .cfg) for any changes using the logmon probe.
(4) FIND IF A PROBE IS DELETED:
You can monitor file deletion using the logmon probe; one approach is to use it to track the probes' .cfg files.
(5) FIND IF A ROBOT IS DELETED:
- CM_NIMBUS_ROBOT contains all the Robot names
SELECT * FROM CM_NIMBUS_ROBOT
- You can track the above table to see if a robot is deleted.
- CM_COMPUTER_SYSTEM is the main host system table, you could view the data from the query:
SELECT * FROM CM_COMPUTER_SYSTEM
- You can track the above table to see if robots/devices are deleted.
When an AC change is made in the web app, the user listed for the change will be ppm, but at the same time or within a few milliseconds the user that actually performed the operation will also be listed.
More information on logmon probe:
1. Regex Part 1 technical document:
2. Regex How to Include and Exclude in same expression: