Audit Log - Not recording API actions
Posted: Wed Jan 15, 2020 2:55 pm
by scomdco
I believe this has been an issue since updating from 5.6.7 to 5.6.8 (we're currently on the latest version, 5.6.9). I've yet to escalate it until now. API calls are still being made successfully, just not getting recorded in the Audit Log section of XI. Please let us know what you'd need from us to be able to investigate this. I have our system profile ready should any reps want to see it.
This search is from today back to January 1st 2019. Throughout that time, and even today, we've utilized the API very much for adding/removing hosts/hostgroups etc.
APIAudit.png
Re: Audit Log - Not recording API actions
Posted: Wed Jan 15, 2020 5:59 pm
by cdienger
I've been able to reproduce and will look into this further on our end. I should be able to update you tomorrow.
Re: Audit Log - Not recording API actions
Posted: Wed Jan 15, 2020 6:30 pm
by scomdco
Sounds good, thanks for informing. I'll look out for the notification.
Re: Audit Log - Not recording API actions
Posted: Wed Jan 15, 2020 10:16 pm
by Box293
Great, one of us will get back to you with a response.
Re: Audit Log - Not recording API actions
Posted: Thu Jan 16, 2020 2:42 pm
by cdienger
I tested on a 5.6.7 machine but the logging wasn't working there either. Are you sure it was working on that version? I did notice that delete calls were getting logged to /usr/local/nagiosxi/var/components/auditlog.log (make sure it is enabled under Admin > System Config > System Setting > General > Other Settings > Write Audit Log to file). Please confirm if you're seeing any API activity in this file on your system.
Re: Audit Log - Not recording API actions
Posted: Thu Jan 16, 2020 3:25 pm
by scomdco
The audit log was working in a different way before we went to 5.6.7. We updated our XI version from 5.5.7 to 5.6.7 on 10/19/2019. On 5.5.7 all API calls that were getting recorded were shown as "User submitted a command to the subsystem (ID=17, 18 or 204)". Any audit recordings from this specific IP address are solely API calls, so I have that to go off of. As you can see, and what matches with what you've observed, is that the only API calls that are being recorded are Delete calls and Apply Configs. If I go through the logs from then to now it's the same scenario, just delete calls and apply configs being recorded.
auditlog2.png
Turns out we did NOT have that box checked. Before checking it I went to see if auditlog.log existed already in the location you mentioned and it did not. After I checked the box it created the file. Granted, the Audit Log section of the Web UI shows recording of changes made through the Web UI without issue going back to 7/21/2019 (not sure if there is a limit of time that the data will be saved, or a change was made that day; if there was one I'm not sure what it was).
To test if either the auditlog.log or the Audit Log section of the Web UI was going to record more API calls, I ran a script that performed a Get, Put, Post, and then later a Delete call, and it only logged the delete and the applyconfig in both still.
This is watching the auditlog.log
Code:
Every 2.0s: cat auditlog.log Thu Jan 16 12:24:23 2020
2020-01-16 11:48:41 - User Interface [8] XXXX:172.XXXX - Writing to audit log file enabled.
2020-01-16 11:48:41 - User Interface [8] XXXX:172.XXXX - User updated global program settings
2020-01-16 11:48:41 - User Interface [32] XXXX:localhost - cmdsubsys: User started shell in a box
2020-01-16 11:48:42 - User Interface [32] XXXX:localhost - cmdsubsys: User enabled shell in a box
2020-01-16 11:56:39 - User Interface [32] XXXX:10.XXXX - Submitted COMMAND_NAGIOSCORE_APPLYCONFIG (ID=17) to cmdsubsys
2020-01-16 11:57:11 - Subsystem [32] system:localhost - Submitted COMMAND_BPI_SYNC (ID=1150) to cmdsubsys
2020-01-16 12:18:18 - Core Config Manager [1] XXXX:172.XXXX - Created host: testhost
2020-01-16 12:18:23 - User Interface [8] XXXX:172.XXXX - Ran apply configuration
2020-01-16 12:18:23 - User Interface [32] XXXX:172.XXXX - Submitted COMMAND_NAGIOSCORE_APPLYCONFIG (ID=17) to cmdsubsys
2020-01-16 12:18:58 - Subsystem [32] system:localhost - Submitted COMMAND_BPI_SYNC (ID=1150) to cmdsubsys
2020-01-16 12:23:38 - Core Config Manager [2]XXXX:10.XXXX - Deleted host: testhost
Re: Audit Log - Not recording API actions
Posted: Fri Jan 17, 2020 12:00 pm
by lmiltchev
To test if either the auditlog.log or the Audit Log section of the Web UI was going to record more API calls, I ran a script that performed a Get, Put, Post, and then later a Delete call, and it only logged the delete and the applyconfig in both still.
You are correct. Currently, the REST API logging is quite limited. This will be added in Nagios XI 5.7, along with a better explanation of certain commands.
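The coverage test described in this thread can be automated by parsing auditlog.log and checking each API call against entries from the API client's address. This is an added example, not part of the original posts and not Nagios code: the line layout is inferred from the redacted log above, and the function names, `TEST_CALLS` times and the 5-second matching window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Line layout seen in auditlog.log on this page:
#   <timestamp> - <source> [<type id>] <user>:<address> - <message>
# \s* after the bracket tolerates the "[2]XXXX" entry that has no space.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - (.+?) \[(\d+)\]\s*([^:\s]+):(\S+) - (.*)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Entries copied from the redacted log in the thread, including the watch header.
SAMPLE_LOG = """\
Every 2.0s: cat auditlog.log Thu Jan 16 12:24:23 2020
2020-01-16 11:56:39 - User Interface [32] XXXX:10.XXXX - Submitted COMMAND_NAGIOSCORE_APPLYCONFIG (ID=17) to cmdsubsys
2020-01-16 12:18:18 - Core Config Manager [1] XXXX:172.XXXX - Created host: testhost
2020-01-16 12:23:38 - Core Config Manager [2]XXXX:10.XXXX - Deleted host: testhost
"""

# Constructed: times at which a hypothetical test script issued its API calls.
TEST_CALLS = [
    ("2020-01-16 12:20:00", "GET"),
    ("2020-01-16 12:21:00", "POST"),
    ("2020-01-16 12:22:00", "PUT"),
    ("2020-01-16 12:23:37", "DELETE"),
]

def parse_audit_log(text):
    """Return one dict per well-formed entry; skip headers and junk lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, source, type_id, user, addr, msg = m.groups()
        entries.append({"time": datetime.strptime(ts, TS_FMT), "source": source,
                        "type": int(type_id), "user": user, "addr": addr, "message": msg})
    return entries

def unlogged_calls(entries, api_addr, calls, window_s=5):
    """List the calls with no audit entry from api_addr within window_s seconds."""
    window = timedelta(seconds=window_s)
    from_api = [e for e in entries if e["addr"] == api_addr]
    missing = []
    for ts, method in calls:
        when = datetime.strptime(ts, TS_FMT)
        if not any(abs(e["time"] - when) <= window for e in from_api):
            missing.append(method)
    return missing

if __name__ == "__main__":
    print(unlogged_calls(parse_audit_log(SAMPLE_LOG), "10.XXXX", TEST_CALLS))
```

Running the same check after an upgrade shows whether the audit trail now covers read and write API calls, not only deletes and apply configs.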
Re: Audit Log - Not recording API actions
Posted: Fri Jan 17, 2020 1:19 pm
by scomdco
I appreciate the time y'all have taken to look into this, and I look forward to the version update, thank you!
Re: Audit Log - Not recording API actions
Posted: Fri Jan 17, 2020 1:25 pm
by lmiltchev
You are welcome! I will be locking this topic now. If you have any further questions/issues, please start a new thread.