Audit of disabled host notification not being found
Posted: Thu May 06, 2021 8:28 am
by gwakem
XI 5.8.1 on RHEL 7.7
I am investigating when a host had its notifications disabled, and by whom. I have tested with a control host and verified it shows up correctly in Admin > Audit log, but when I check on the host in question, I get no results. It is not outside the realm of possibility that this was disabled one or two years ago. I was unable to find any instance of DISABLE in the /usr/local/nagios/var/archives, so I assume this is logged to the database from the /usr/local/nagiosxi/var/components/auditlog.log? Is there a start date that this was implemented? I am wondering if this host's notifications were disabled before we upgraded to the version that would have implemented this. Is there a good way to verify that we have no information logged on this somewhere in archived logs or other locations?
Re: Audit of disabled host notification not being found
Posted: Thu May 06, 2021 5:46 pm
by ssax
I think if it occurred prior to XI 5.6 it wouldn't have been logged. I see this in the XI 5.6.0 change log:
Added proper audit logging to all the sections/actions that are performed [TPS#13495] -JO
How long is your audit log set up to save for? See Admin > Performance Settings > Databases tab > Max Audit Log Age.
Re: Audit of disabled host notification not being found
Posted: Thu May 06, 2021 7:08 pm
by gwakem
Aha, that's what I was missing. It's set to 30 days. Are there any potential concerns regarding increasing retention from 30 to 90?
Re: Audit of disabled host notification not being found
Posted: Fri May 07, 2021 8:59 am
by gwakem
Actually, now that I think about it, would it be performance impacting or present a potential issue to raise it from 30 days to 180 days (6 months)?
Re: Audit of disabled host notification not being found
Posted: Fri May 07, 2021 11:36 am
by vtrac
Hi Griffin,
Hope you are having a good day.
Yes, increasing the number of days to keep will also increase the size of your database, which will affect performance.
As you can see below, here is the database table for "xi_auditlog".
+-----------------------------+
| xi_auditlog                 |
| xi_auth_tokens              |
| xi_cmp_ccm_backups          |
| xi_cmp_favorites            |
| xi_cmp_nagiosbpi_backups    |
| xi_cmp_scheduledreports_log |
| xi_cmp_trapdata             |
| xi_cmp_trapdata_log         |
| xi_commands                 |
| xi_deploy_agents            |
| xi_deploy_jobs              |
| xi_eventqueue               |
| xi_events                   |
| xi_meta                     |
| xi_mibs                     |
| xi_options                  |
| xi_sessions                 |
| xi_sysstat                  |
| xi_usermeta                 |
| xi_users                    |
+-----------------------------+
20 rows in set (0.00 sec)
MariaDB [nagiosxi]>
MariaDB [nagiosxi]> desc xi_auditlog;
+-------------+--------------+------+-----+-------------------+-----------------------------+
| Field       | Type         | Null | Key | Default           | Extra                       |
+-------------+--------------+------+-----+-------------------+-----------------------------+
| auditlog_id | int(11)      | NO   | PRI | NULL              | auto_increment              |
| log_time    | timestamp    | NO   | MUL | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
| source      | text         | YES  |     | NULL              |                             |
| user        | varchar(200) | YES  | MUL | NULL              |                             |
| type        | int(11)      | YES  | MUL | NULL              |                             |
| message     | text         | YES  |     | NULL              |                             |
| ip_address  | varchar(45)  | YES  | MUL | NULL              |                             |
| details     | text         | YES  |     | NULL              |                             |
+-------------+--------------+------+-----+-------------------+-----------------------------+
8 rows in set (0.00 sec)
Best Regards,
Vinh
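One way to size the change before raising Max Audit Log Age, using the xi_auditlog columns listed in the post above. This is an added example, not part of the original thread. HOSTNAME_PLACEHOLDER is a placeholder, and it is an assumption that the host name appears in the message or details column.

```sql
-- Added example: run at the MariaDB [nagiosxi]> prompt.
USE nagiosxi;

-- 1. How much history the table actually holds right now.
SELECT COUNT(*)                               AS rows_kept,
       MIN(log_time)                          AS oldest_entry,
       MAX(log_time)                          AS newest_entry,
       DATEDIFF(MAX(log_time), MIN(log_time)) AS days_covered
FROM xi_auditlog;

-- 2. Current on-disk footprint (data + indexes) in MiB.
--    table_rows is an estimate for InnoDB tables.
SELECT table_rows,
       ROUND((data_length + index_length) / 1024 / 1024, 1) AS size_mib
FROM information_schema.tables
WHERE table_schema = 'nagiosxi'
  AND table_name   = 'xi_auditlog';

-- 3. Linear projection from the current window to 90 and 180 days.
--    Returns NULL if the table is empty.
SELECT ROUND(t.bytes / GREATEST(a.days_covered, 1) *  90 / 1024 / 1024, 1) AS est_mib_90d,
       ROUND(t.bytes / GREATEST(a.days_covered, 1) * 180 / 1024 / 1024, 1) AS est_mib_180d
FROM (SELECT data_length + index_length AS bytes
      FROM information_schema.tables
      WHERE table_schema = 'nagiosxi'
        AND table_name   = 'xi_auditlog') AS t
CROSS JOIN
     (SELECT DATEDIFF(MAX(log_time), MIN(log_time)) AS days_covered
      FROM xi_auditlog) AS a;

-- 4. Entries that mention the host under investigation, oldest first.
--    message and details are unindexed text columns, so this is a full scan.
SELECT log_time, `user`, ip_address, `source`, message
FROM xi_auditlog
WHERE message LIKE '%HOSTNAME_PLACEHOLDER%'
   OR details LIKE '%HOSTNAME_PLACEHOLDER%'
ORDER BY log_time;
```

If oldest_entry in query 1 is only about 30 days back, an empty result from query 4 says nothing about changes made before that date.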
Re: Audit of disabled host notification not being found
Posted: Fri May 07, 2021 12:43 pm
by gwakem
Thanks, I will monitor the performance impact and database size after adjusting to 90 days. This can be locked.
Re: Audit of disabled host notification not being found
Posted: Fri May 07, 2021 1:08 pm
by vtrac
Great!! .... locking thread ...
