This may have been asked before in general terms. Due to internal audit findings, we need to try to get more specifics.
- Is there reporting for when an account with "administrator" permissions logs in, or logs out of UIM and/or UMP?
- If there is no "canned" reporting for this, are there any log files that would contain this information? I do not know, but for example, the primary hub controller log or hub log file? And/or the UMP hub controller log file, or hub log file? Or some other file?
- Is there any logging for the activity (process start/stop, configuration changes, etc.) that an administrator account performs?
- auditing
Release : 9.x, 20.1
Component : UIM - AUDIT
UIM/UMP auditing
audit probe:
The audit probe does not cover actual logins, only the 'actions' that are taken.
hub login activity:
Use logmon to parse the hub.log...
Line 2246: Jun 12 23:07:39:639 [6300] 2 hub: login from ctrl10.xx.zzz.nnn/58329
Line 2255: Jun 12 23:07:40:008 [6300] 3 hub: login [NimBUS] - success for user=administrator ip=10.xx.240.xxx
Line 2256: Jun 12 23:07:40:008 [6300] 1 hub: login - user=administrator permissions=super ip=10.xx.240.xxx
Line 2257: Jun 12 23:07:40:008 [6300] 1 hub: Login: succeeded for administrator, ip =10.xx.zzz.nnn
Line 2262: Jun 12 23:07:39:639 [6300] 2 hub: login from ctrl10.xx.zzz.nnn/58329
Line 2271: Jun 12 23:07:40:008 [6300] 3 hub: login [NimBUS] - success for user=administrator ip=10.xx.240.xxx
Line 2272: Jun 12 23:07:40:008 [6300] 1 hub: login - user=administrator permissions=super ip=10.xx.240.xxx
Line 2273: Jun 12 23:07:40:008 [6300] 1 hub: Login: succeeded for administrator, ip =10.xx.zzz.nnn
If you set the wasp probe log level to 4 or above, it will record login attempts in wasp.log on the UMP server.
UIM UMP User Activity Report
https://knowledge.broadcom.com/external/article/34331
Successful non-superuser logins (portal.log):
9c0e09cba3f8, userId=10726, companyId=10154, createDate=Fri Jun 05 14:05:18 PDT 2020, modifiedDate=Fri Jun 05 14:05:18 PDT 2020, defaultUser=false, contactId=10727, password=84q3vvvvvvvvvyyr4dEQFhx9v6ms=, passwordEncrypted=true, passwordReset=false, passwordModifiedDate=null, digest=, reminderQueryQuestion=, reminderQueryAnswer=, graceLoginCount=0, screenName=xxxsjdusr, [email protected], facebookId=0, openId=, portraitId=0, languageId=en_US, timeZoneId=UTC, greeting=Welcome xxxsjdusr!, comments=, firstName=xxxsjdusr, middleName=, lastName=, jobTitle=, loginDate=null, loginIP=, lastLoginDate=Fri Jun 05 14:05:18 PDT 2020, lastLoginIP=, lastFailedLoginDate=null, failedLoginAttempts=0, lockout=false, lockoutDate=null, agreedToTermsOfUse=false, emailAddressVerified=false, status=0}
Failed logins (portal.log):
e.g., 12 Jun 2020 16:00:52,362 ERROR [NmsAuth:405] Login failed for xxxsjdusr: javax.security.auth.login.FailedLoginException: login failed
or from wasp:
Jun 12 16:00:51:971 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'xxxsjdusr' trying to log in.
Jun 12 16:00:51:971 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query oMUwSELECT acl, contact_id, account_id FROM CM_CONTACT WHERE login_name = ? AND password = ?
Jun 12 16:00:51:971 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query oMUw took: 0.0s
Jun 12 16:00:51:971 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: xxxsjdusr
Jun 12 16:00:51:971 INFO [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: xxxsjdusr
Jun 12 16:00:52:346 INFO [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimexception: code: 12, msg: login failed
Jun 12 16:00:52:346 INFO [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimexception: code == E_LOGIN, returning null
Jun 12 16:00:52:346 ERROR [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] login() User 'xxxsjdusr' login failed
UMP successful logins (wasp.log):
Jun 12 16:00:23:414 DEBUG [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'administrator' trying to log in.
Jun 12 16:00:23:430 DEBUG [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query sMYASELECT acl, contact_id, account_id FROM CM_CONTACT WHERE login_name = ? AND password = ?
Jun 12 16:00:23:430 DEBUG [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query sMYA took: 0.0s
Jun 12 16:00:23:430 DEBUG [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: administrator
Jun 12 16:00:23:430 INFO [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: administrator
Jun 12 16:00:23:805 INFO [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful.
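For audit evidence, the hub.log and wasp.log excerpts above can be reduced to one login record per event. The following is an added example, not Broadcom code or part of the original article; the function names are assumptions, and the sample lines are copied from the excerpts above. Because the wasp.log success line does not name the user, the user is carried over per worker thread from the earlier lines of the same request.

```python
import re

# hub.log line that carries user, permission level and source IP together.
HUB = re.compile(r"(\w{3} +\d+ [\d:]+) \[\d+\] \d hub: login - "
                 r"user=(\S+) permissions=(\S+) ip=(\S+)")
# wasp.log: timestamp, level, [worker thread, logger class], message.
WASP = re.compile(r"(\w{3} +\d+ [\d:]+) +\w+ +\[([^,\]]+), [^\]]+\] (.*)")
START = re.compile(r"User '([^']+)' trying to log in|authorizeNimbusUser: user: (\S+)")
FAIL = re.compile(r"login\(\) User '([^']+)' login failed")

def hub_logins(lines):
    """Return (timestamp, user, permissions, ip) for each hub login line."""
    return [m.groups() for m in map(HUB.search, lines) if m]

def wasp_logins(lines):
    """Return (timestamp, user, outcome) for each completed UMP login."""
    pending, events = {}, []          # pending: worker thread -> user logging in
    for line in lines:
        m = WASP.search(line)
        if not m:
            continue
        ts, thread, msg = m.groups()
        if (s := START.search(msg)):
            pending[thread] = s.group(1) or s.group(2)
        elif "nimbus user authentication successful" in msg:
            events.append((ts, pending.pop(thread, "unknown"), "success"))
        elif (f := FAIL.search(msg)):
            pending.pop(thread, None)
            events.append((ts, f.group(1), "failure"))
    return events

# Sample lines copied from the excerpts in this article.
HUB_SAMPLE = [
    "Line 2255: Jun 12 23:07:40:008 [6300] 3 hub: login [NimBUS] - success for user=administrator ip=10.xx.240.xxx",
    "Line 2256: Jun 12 23:07:40:008 [6300] 1 hub: login - user=administrator permissions=super ip=10.xx.240.xxx",
]
WASP_SAMPLE = [
    "Jun 12 16:00:23:414 DEBUG [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'administrator' trying to log in.",
    "Jun 12 16:00:23:805 INFO [http-nio-80-exec-1, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimbus user authentication successful.",
    "Jun 12 16:00:51:971 INFO [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: xxxsjdusr",
    "Jun 12 16:00:52:346 INFO [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimexception: code: 12, msg: login failed",
    "Jun 12 16:00:52:346 ERROR [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] login() User 'xxxsjdusr' login failed",
]

if __name__ == "__main__":
    for ts, user, perm, ip in hub_logins(HUB_SAMPLE):
        print("hub ", ts, user, perm, ip)
    for ev in wasp_logins(WASP_SAMPLE):
        print("wasp", *ev)
```

Filtering the `hub_logins` output on `permissions == "super"` gives the administrator-level logins the audit question asks about.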
If you are running UIM 20.3, read this:
UIM 20.3.x - Auditing Operator Console logins
https://knowledge.broadcom.com/external/article?articleId=205830
Related KB:
UIM - UMP User Activity Report
https://knowledge.broadcom.com/external/article/34331