Weird entries in audit log

Post by **BanditBBS** » Tue Dec 10, 2024 2:09 pm

So one of my customers is a public company and has to link all audit log entries to a change control. While reconciling Novembers, we can't figure out what these entries are for, and why they showed up....

Audit log.png

Nobody was performing a change at that time, it looks like in the early afternoon, cfg files for all config wizards appeared in the import folder and were imported into XI.

jmichaelson · Post by **jmichaelson** » Tue Dec 10, 2024 5:08 pm

Having a look through things, those messages come from ccm_import.php, ccm_import.php is executed from reconfigure_nagios.sh, and when core config is imported within Nagios XI. Is there also an audit log entry akin to "Applied a new configuration to CCM without Applying configuration"?

Post by **BanditBBS** » Wed Dec 11, 2024 8:35 am

Jason, nope. And I am aware how the import works, have used it many time, not sure why all those files would have been in that folder to begin with. But there wasn't even any login to Nagios that day nor the previous few days.

DoubleDoubleA · Post by **DoubleDoubleA** » Wed Dec 11, 2024 10:09 am

You are likely best served by putting in a ticket on this issue with the support team. Getting to the bottom of it will likely require a level of troubleshooting and investigation that the forum is not set up for.

Thanks,

Aaron

Post by **tgriep** » Wed Dec 11, 2024 5:06 pm

When Nagios XI is upgraded, the upgrade at certain times, upgrades all of the Wizards and the wizard upgrade, sets the commands to what is needed fro the wizard so what you are seeing is normal if XI was upgraded.

Was XI upgraded on that day at that time?

Post by **BanditBBS** » Fri Dec 13, 2024 11:02 am

No, there were no logins to XI that day, nothing was done, that's why it is baffling.

DoubleDoubleA · Post by **DoubleDoubleA** » Fri Dec 13, 2024 12:24 pm

Are you able to look at OS-level logins? The scripts that generate those log entries could have been run from the command line. Perhaps unlikely but if there aren't any interface logins, it is at least possible.

Post by **BanditBBS** » Fri Dec 13, 2024 2:56 pm

Only thing really run is dnf upgrade -y

We search longer back in the audit log and we see this happening in July, August, Sept and November..all on different dates that do not line up with the OS patches and no RFC.

DoubleDoubleA · Post by **DoubleDoubleA** » Fri Dec 13, 2024 3:20 pm

Is it an rpm install of XI?

And is your signature accurate, you're on 5.6?

Post by **BanditBBS** » Tue Dec 17, 2024 4:30 pm

Oh wow, haven't updated signature in quite some time. It is RPM install as it was the offline installation.

Nagios Support Forum

Weird entries in audit log

Weird entries in audit log

Re: Weird entries in audit log

Re: Weird entries in audit log

Re: Weird entries in audit log

Re: Weird entries in audit log

Re: Weird entries in audit log

Re: Weird entries in audit log

Re: Weird entries in audit log

Re: Weird entries in audit log

Re: Weird entries in audit log