Page 1 of 1
Audit logs not displaying users
Posted: Fri Jun 03, 2016 9:11 am
by tonyleatwork
Hi -
I had a recent incident where a host notification was disabled and the host went down. I need to know which user did it but the audit log only specifies the event but not a user. Is this data captured somewhere and if not, how do I enable it?
Re: Audit logs not displaying users
Posted: Fri Jun 03, 2016 9:23 am
by bwallace
That's odd. Are you using an older version of XI? The audit log in my 5.2.8 version shows the user...
Re: Audit logs not displaying users
Posted: Fri Jun 03, 2016 9:28 am
by tonyleatwork
Actually you're right - some of them shows a user but this one just says:
2016-06-03 09:56:32 43035 Nagios XI INFO localhost cmdsubsys: User submitted a command to Nagios Core: ENABLE_HOST_NOTIFICATIONS;<Hostname>
So items done in Nagios core doesn't log?
Re: Audit logs not displaying users
Posted: Fri Jun 03, 2016 10:58 am
by rkennedy
It does not, because the way Core authenticates vs XI are completely different. They both do their own logging independently.
I created a feature request to have the dev's look further into the auditing in regards to Core, so that hopefully it'll be possible to see which core user submitted the command. The ID is #8709.
Re: Audit logs not displaying users
Posted: Fri Jun 03, 2016 11:11 am
by tonyleatwork
Thanks for this.
I think a work around is to look at the audit log immediately before that who submitted the command. Unfortunately when you search by host - that submission doesn't show up.
We can close this case. Thanks.
Re: Audit logs not displaying users
Posted: Fri Jun 03, 2016 12:05 pm
by mcapra
Glad you were able to find a solution! Locking this