Pivotal Operations Manager 2.4.0 and above allows multiple Ops Manager Administrators to log in simultaneously. This feature is very valuable for Platform Administrators (PA).
However, this feature introduces the risk of administrators concurrently applying competing tile configuration updates. When this situation occurs, the changes must be audited.
Follow these instructions to audit the administrators' trail:
1. Log in to the Ops Manager VM with SSH as described in the Pivotal Platform Documentation link below:
2. Once logged in, change to the following directory:
cd /var/log/opsmanager
The file audit_log.txt contains the log entries with the activity of administrator users.
Such entries will look similar to this:
{"timestamp":"2018-11-06T16:38:12.677+00:00","component":"Ops Manager 2.4-build.85","component_scheme":"https","component_host":"opsmgr.nrmlrp01.c0.pivotal.io","component_port":443,"result":302,"target":"/products/cf-fdc230ba1cc0c54c8478/forms/advanced_features","event_type":"PUT","origination":"127.0.0.1","user_identification":"user1","uaa_authentication_mechanism":"uaa"}
3. Use a shell command to list all configuration change entries executed by administrator users.
As the sample log entry above shows, changes made in Ops Manager tile configuration pages are marked with an "event_type" of "PUT". Filtering the log file for PUT actions with a shell command lists the entries of this type that are available in the log files. For example:
cat ./audit_log.txt | grep PUT
The user_identification field describes the admin user ID that applied the configuration change.
The target field describes the tile configuration for the tile that the configuration change was made to.
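The filter in step 3, as an added example in Python that is not part of the original article: it parses each audit_log.txt line as JSON, keeps entries whose event_type field is exactly PUT (a plain grep also matches lines that merely contain the letters PUT in another field), and reports every target changed by more than one user. The sample entries, user names and targets are constructed, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample in the audit_log.txt format shown above (made-up users and targets).
# Line 2 is a GET whose target contains "PUT"; the last line is truncated on purpose.
SAMPLE_LOG = """\
{"timestamp":"2018-11-06T16:38:12.677+00:00","result":302,"target":"/products/cf-example/forms/advanced_features","event_type":"PUT","user_identification":"user1"}
{"timestamp":"2018-11-06T16:39:00.101+00:00","result":200,"target":"/products/cf-example/forms/OUTPUT_settings","event_type":"GET","user_identification":"user2"}
{"timestamp":"2018-11-06T16:41:05.310+00:00","result":302,"target":"/products/cf-example/forms/advanced_features","event_type":"PUT","user_identification":"user2"}
{"timestamp":"2018-11-06T16:45:30.002+00:00","result":302,"target":"/products/example-tile/forms/networking","event_type":"PUT","user_identification":"user1"}
{"timestamp":"2018-11-06T16:50
"""

def parse_put_events(lines):
    """Yield audit entries whose event_type field is exactly PUT."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the audit
        if isinstance(entry, dict) and entry.get("event_type") == "PUT":
            yield entry

def competing_changes(lines):
    """Return {target: [(timestamp, user), ...]} for targets changed by more than one user."""
    by_target = defaultdict(list)
    for entry in parse_put_events(lines):
        change = (entry.get("timestamp", ""), entry.get("user_identification", ""))
        by_target[entry.get("target", "")].append(change)
    # Assumption: all timestamps share one UTC offset, so string order is time order.
    return {
        target: sorted(changes)
        for target, changes in by_target.items()
        if len({user for _, user in changes}) > 1
    }

if __name__ == "__main__":
    import sys
    # Pass the path to audit_log.txt, or run without arguments to use the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for target, changes in competing_changes(source).items():
        print(target)
        for timestamp, user in changes:
            print(f"  {timestamp}  {user}")
```

Run it with the path to audit_log.txt as the only argument to analyse the real file. A target that appears in the output was changed by at least two different administrators and is a candidate for the inspection in the next step.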
4. Inspect the data collected to determine: