XI 5.8.1 on RHEL 7.7
I am investigating when a host had its notifications disabled, and by whom. I have tested with a control host and verified it shows up correctly in Admin > Audit log, but when I check on the host in question, I get no results. It is not outside the realm of possibility that this was disabled one or two years ago. I was unable to find any instance of DISABLE in the /usr/local/nagios/var/archives, so I assume this is logged to the database from the /usr/local/nagiosxi/var/components/auditlog.log? Is there a start date that this was implemented? I am wondering if this host's notifications were disabled before we upgraded to the version that would have implemented this. Is there a good way to verify that we have no information logged on this somewhere in archived logs or other locations?
Audit of disabled host notification not being found
--
Griffin Wakem
Re: Audit of disabled host notification not being found
I think if it occurred prior to XI 5.6 it wouldn't have been logged. I see this in the XI 5.6.0 change log:
Added proper audit logging to all the sections/actions that are performed [TPS#13495] -JO
How long is your audit log set up to save for? See Admin > Performance Settings > Databases tab > Max Audit Log Age.
Re: Audit of disabled host notification not being found
Aha, that's what I was missing. It's set to 30 days. Are there any potential concerns regarding increasing retention from 30 to 90?
--
Griffin Wakem
Re: Audit of disabled host notification not being found
Actually, now that I think about it, would it be performance impacting or present a potential issue to raise it from 30 days to 180 days (6 months)?
--
Griffin Wakem
Re: Audit of disabled host notification not being found
Hi Griffin,
Hope you are having a good day.
Yes, increasing the number of days to keep will also increase the size of your database, which will affect performance.
As you can see below, this is the database table for "xi_auditlog".
+-----------------------------+
| xi_auditlog                 |
| xi_auth_tokens              |
| xi_cmp_ccm_backups          |
| xi_cmp_favorites            |
| xi_cmp_nagiosbpi_backups    |
| xi_cmp_scheduledreports_log |
| xi_cmp_trapdata             |
| xi_cmp_trapdata_log         |
| xi_commands                 |
| xi_deploy_agents            |
| xi_deploy_jobs              |
| xi_eventqueue               |
| xi_events                   |
| xi_meta                     |
| xi_mibs                     |
| xi_options                  |
| xi_sessions                 |
| xi_sysstat                  |
| xi_usermeta                 |
| xi_users                    |
+-----------------------------+
20 rows in set (0.00 sec)
MariaDB [nagiosxi]>
MariaDB [nagiosxi]> desc xi_auditlog;
+-------------+--------------+------+-----+-------------------+-----------------------------+
| Field       | Type         | Null | Key | Default           | Extra                       |
+-------------+--------------+------+-----+-------------------+-----------------------------+
| auditlog_id | int(11)      | NO   | PRI | NULL              | auto_increment              |
| log_time    | timestamp    | NO   | MUL | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
| source      | text         | YES  |     | NULL              |                             |
| user        | varchar(200) | YES  | MUL | NULL              |                             |
| type        | int(11)      | YES  | MUL | NULL              |                             |
| message     | text         | YES  |     | NULL              |                             |
| ip_address  | varchar(45)  | YES  | MUL | NULL              |                             |
| details     | text         | YES  |     | NULL              |                             |
+-------------+--------------+------+-----+-------------------+-----------------------------+
8 rows in set (0.00 sec)
Vinh
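To put numbers on the retention question before changing Max Audit Log Age, queries like the following can be run at the MariaDB [nagiosxi] prompt against the xi_auditlog table described above. This is an added example, not part of the original posts or of Nagios XI's own tooling; the host name placeholder and the '%notif%' search pattern are assumptions to adjust against what the control host actually logged.

```sql
-- Added example (not from the original thread). Run as a user with read
-- access to the nagiosxi database.

-- 1. How far back does the audit log reach? With Max Audit Log Age at
--    30 days, oldest_entry should be about 30 days old; anything before
--    that has already been trimmed from this table.
SELECT MIN(log_time) AS oldest_entry,
       MAX(log_time) AS newest_entry,
       COUNT(*)      AS total_rows
FROM xi_auditlog;

-- 2. Search the retained rows for notification changes on one host.
--    HOSTNAME_PLACEHOLDER and '%notif%' are assumptions: compare with the
--    message text the control host produced and adapt the pattern.
SELECT auditlog_id, log_time, `user`, ip_address, `source`, message
FROM xi_auditlog
WHERE message LIKE '%notif%'
  AND (message LIKE '%HOSTNAME_PLACEHOLDER%'
       OR details LIKE '%HOSTNAME_PLACEHOLDER%')
ORDER BY log_time;

-- 3. Average rows per day over the retained window, projected to 90 and
--    180 days of retention. GREATEST(..., 1) avoids dividing by zero when
--    all rows fall on the same day.
SELECT COUNT(*) / GREATEST(DATEDIFF(MAX(log_time), MIN(log_time)), 1)
           AS rows_per_day,
       ROUND(COUNT(*) / GREATEST(DATEDIFF(MAX(log_time), MIN(log_time)), 1) * 90)
           AS est_rows_90d,
       ROUND(COUNT(*) / GREATEST(DATEDIFF(MAX(log_time), MIN(log_time)), 1) * 180)
           AS est_rows_180d
FROM xi_auditlog;

-- 4. Current on-disk size of the table (data plus indexes) in MB.
--    table_rows is only an estimate for InnoDB tables.
SELECT table_rows,
       ROUND((data_length + index_length) / 1024 / 1024, 2) AS size_mb
FROM information_schema.tables
WHERE table_schema = 'nagiosxi'
  AND table_name   = 'xi_auditlog';
```

Dividing size_mb by total_rows and multiplying by est_rows_90d or est_rows_180d gives a rough size for the longer retention. Since log_time is defined with on update CURRENT_TIMESTAMP, any UPDATE to a row would reset its timestamp, so treat log_time as the last-written time.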
Re: Audit of disabled host notification not being found
Thanks, I will monitor the performance impact and database size after adjusting to 90 days. This can be locked.
--
Griffin Wakem
Re: Audit of disabled host notification not being found
Great!! .... locking thread ... 