Help with Active Checks Disabled

nagmoto
Posts: 195
Joined: Fri Jan 09, 2015 8:05 am

Help with Active Checks Disabled

Post by nagmoto »

Hi,

I am trying to find which user has disabled the Active Checks for a particular service on one of the hosts. I tried to see the nagios log file; unfortunately it doesn't record the user details. Is there any other way I can find which "user" disabled the service check on this particular server?

[14341] EXTERNAL COMMAND: SCHEDULE_FORCED_SVC_CHECK;Server1;check-service;
[15431] SERVICE ALERT: Server1;check-service;OK;HARD;3;TASKS OK meas=15% warn=50% crit=80% min=0 max=3
[17839] EXTERNAL COMMAND: DISABLE_SVC_CHECK;Server1;check-service

Thanks,
nagmoto.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Help with Active Checks Disabled

Post by tmcdonald »

Hmm, that's a tough one. The forensic-minded side of me would look for apache access logs corresponding with the timestamps listed in the nagios log. Correlate the listed IP addresses with a user's workstation.
Former Nagios employee
nagmoto
Posts: 195
Joined: Fri Jan 09, 2015 8:05 am

Re: Help with Active Checks Disabled

Post by nagmoto »

I thought there might be some backdoor to figure it out easily. I can compare with the Apache access logs, but I need to spend a good amount of time debugging, and I assume it is not really an easy way to find out who did what, as I have nearly 10 checks with a similar state.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Help with Active Checks Disabled

Post by tmcdonald »

The other difficulty here is that it might not have been a Nagios contact/user who did it. Suppose someone logged in as root and wrote a command directly to the nagios.cmd file? In this case there is no Nagios contact/user involved at all, just a Linux user. That would not be something we could track.

There's a saying in the computer forensic investigation world: "You can't put someone behind the keyboard". Basically no matter how much it may look like someone did something according to the logs, you can't know for sure without possibly a video camera recording.

I can certainly put in a feature request for this sort of logging, but bear in mind that the solution might not be ideal due to the reasons listed above.
Former Nagios employee
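
The correlation suggested in the replies above, as an added example that is not part of the original thread or of Nagios itself: it matches each DISABLE_SVC_CHECK entry in the Nagios log against Apache requests to the command CGI within a few seconds, and flags entries with no web request at all (the command-file case from the last reply). Assumptions: Apache combined log format with the authenticated user in the third field, `cmd.cgi` as the command CGI path, epoch timestamps in the Nagios log, a 5-second window, and constructed sample lines.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the thread). Real nagios.log lines carry
# epoch seconds in the brackets; Apache lines use the combined log format.
NAGIOS_LOG = """\
[1430142960] EXTERNAL COMMAND: SCHEDULE_FORCED_SVC_CHECK;Server1;check-service;1430142960
[1430142999] EXTERNAL COMMAND: DISABLE_SVC_CHECK;Server1;check-service
[1430150000] EXTERNAL COMMAND: DISABLE_SVC_CHECK;Server2;check-service
"""
APACHE_LOG = """\
192.0.2.10 - alice [27/Apr/2015:09:56:38 -0400] "POST /nagios/cgi-bin/cmd.cgi HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.22 - bob [27/Apr/2015:09:50:00 -0400] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

NAGIOS_RE = re.compile(r"^\[(\d+)\] EXTERNAL COMMAND: DISABLE_SVC_CHECK;([^;]+);([^;\n]+)")
APACHE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "\S+ (\S+)')

def web_requests(apache_text, path_marker="/cmd.cgi"):
    """Yield (utc_time, ip, user) for requests to the Nagios command CGI."""
    for line in apache_text.splitlines():
        m = APACHE_RE.match(line)
        if m and path_marker in m.group(4):
            ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
            yield ts.astimezone(timezone.utc), m.group(1), m.group(2)

def correlate(nagios_text, apache_text, window_s=5):
    """Map each DISABLE_SVC_CHECK to cmd.cgi requests within window_s seconds."""
    reqs = list(web_requests(apache_text))
    window = timedelta(seconds=window_s)
    results = []
    for line in nagios_text.splitlines():
        m = NAGIOS_RE.match(line)
        if not m:
            continue
        when = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        hits = [(ip, user) for ts, ip, user in reqs if abs(ts - when) <= window]
        # No hit means no web request: the command may have been written
        # straight to the command file, which leaves no Apache trace.
        results.append((m.group(2), m.group(3), when.isoformat(), hits))
    return results

if __name__ == "__main__":
    for host, svc, when, hits in correlate(NAGIOS_LOG, APACHE_LOG):
        print(host, svc, when, hits or "no cmd.cgi request in window")
```

A match gives a candidate IP and login name, not proof of who was at the keyboard; several users submitting commands inside the same window will all be listed.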