UMP login / logout and admin functions auditing

book

Article ID: 192935

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

 This may have been asked before in general terms. Due to internal audit findings, we need to try to get more specifics.

- Is there reporting for when an account with "administrator" permissions logs in , or logs out of UIM and/or UMP?

- If there is no "canned" reporting for this , are there any log files that would contain this information? I do not know, but for example, the Primary hub controller log or hub log file? And/Or the UMP Hub controller log file, or hub log file?  Or some other file?

- Is there any logging for the activity (process started/stop, configuration changes, etc ) that an administrator account performs?

Cause

- auditing

Environment

Release : 9.x, 20.1

Component : UIM - AUDIT

Resolution

UIM/UMP auditing

audit probe:

audit does not cover actual logins, but 'actions' that are taken.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/ca-unified-infrastructure-management-probes/GA/alphabetical-probe-articles/audit.html 

hub login activity:

Use logmon to parse the hub.log...

 Line 2246: Jun 12 23:07:39:639 [6300] 2 hub: login from ctrl10.xx.zzz.nnn/58329
 Line 2255: Jun 12 23:07:40:008 [6300] 3 hub: login [NimBUS] - success for user=administrator ip=10.xx.240.xxx
 Line 2256: Jun 12 23:07:40:008 [6300] 1 hub: login - user=administrator permissions=super ip=10.xx.240.xxx
 Line 2257: Jun 12 23:07:40:008 [6300] 1 hub: Login: succeeded for administrator, ip =10.xx.zzz.nnn
 Line 2262: Jun 12 23:07:39:639 [6300] 2 hub: login from ctrl10.xx.zzz.nnn/58329
 Line 2271: Jun 12 23:07:40:008 [6300] 3 hub: login [NimBUS] - success for user=administrator ip=10.xx.240.xxx
 Line 2272: Jun 12 23:07:40:008 [6300] 1 hub: login - user=administrator permissions=super ip=10.xx.240.xxx
 Line 2273: Jun 12 23:07:40:008 [6300] 1 hub: Login: succeeded for administrator, ip =10.xx.zzz.nnn

If you set the wasp probe to level 4 or above it will record login attempts in the wasp.log on the ump server.

UIM UMP User Activity Report
https://knowledge.broadcom.com/external/article/34331


Successful non-superuser logins (portal.log):

9c0e09cba3f8, userId=10726, companyId=10154, createDate=Fri Jun 05 14:05:18 PDT 2020, modifiedDate=Fri Jun 05 14:05:18 PDT 2020, defaultUser=false, contactId=10727, password=84q3vvvvvvvvvyyr4dEQFhx9v6ms=, passwordEncrypted=true, passwordReset=false, passwordModifiedDate=null, digest=, reminderQueryQuestion=, reminderQueryAnswer=, graceLoginCount=0, screenName=xxxsjdusr, [email protected], facebookId=0, openId=, portraitId=0, languageId=en_US, timeZoneId=UTC, greeting=Welcome xxxsjdusr!, comments=, firstName=xxxsjdusr, middleName=, lastName=, jobTitle=, loginDate=null, loginIP=, lastLoginDate=Fri Jun 05 14:05:18 PDT 2020, lastLoginIP=, lastFailedLoginDate=null, failedLoginAttempts=0, lockout=false, lockoutDate=null, agreedToTermsOfUse=false, emailAddressVerified=false, status=0}

failed logins (portal.log):

e.g., 12 Jun 2020 16:00:52,362 ERROR [NmsAuth:405] Login failed for xxxsjdusr: javax.security.auth.login.FailedLoginException: login failed

or from wasp:

Jun 12 16:00:51:971 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'xxxsjdusr' trying to log in.
Jun 12 16:00:51:971 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query oMUwSELECT acl, contact_id, account_id FROM CM_CONTACT WHERE login_name = ? AND password = ?
Jun 12 16:00:51:971 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query oMUw took: 0.0s
Jun 12 16:00:51:971 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: xxxsjdusr
Jun 12 16:00:51:971 INFO  [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: xxxsjdusr
Jun 12 16:00:52:346 INFO  [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimexception: code: 12, msg: login failed
Jun 12 16:00:52:346 INFO  [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimexception: code == E_LOGIN, returning null
Jun 12 16:00:52:346 ERROR [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] login() User 'xxxsjdusr' login failed

UMP  successful logins (wasp.log)

Jun 12 16:00:23:414 DEBUG [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'administrator' trying to log in.
Jun 12 16:00:23:430 DEBUG [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query sMYASELECT acl, contact_id, account_id FROM CM_CONTACT WHERE login_name = ? AND password = ?
Jun 12 16:00:23:430 DEBUG [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query sMYA took: 0.0s
Jun 12 16:00:23:430 DEBUG [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: administrator
Jun 12 16:00:23:430 INFO  [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator
Jun 12 16:00:23:805 INFO  [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful.

Additional Information

If running UIM 20.3 read this:

UIM 20.3.x - Auditing Operator Console logins

https://knowledge.broadcom.com/external/article?articleId=205830

 

Related KB:

UIM - UMP User Activity Report
https://knowledge.broadcom.com/external/article/34331

Powered by Wolken Software