
Weird entries in audit log

Posted: Tue Dec 10, 2024 2:09 pm
by BanditBBS
So one of my customers is a public company and has to link all audit log entries to a change control. While reconciling November's, we can't figure out what these entries are for, and why they showed up...
[Attachment: Audit log.png]
Nobody was performing a change at that time. It looks like in the early afternoon, cfg files for all config wizards appeared in the import folder and were imported into XI.

Re: Weird entries in audit log

Posted: Tue Dec 10, 2024 5:08 pm
by jmichaelson
Having a look through things, those messages come from ccm_import.php. ccm_import.php is executed from reconfigure_nagios.sh, and when core config is imported within Nagios XI. Is there also an audit log entry akin to "Applied a new configuration to CCM without Applying configuration"?

Re: Weird entries in audit log

Posted: Wed Dec 11, 2024 8:35 am
by BanditBBS
Jason, nope. And I am aware how the import works, have used it many times, not sure why all those files would have been in that folder to begin with. But there wasn't even any login to Nagios that day nor the previous few days.

Re: Weird entries in audit log

Posted: Wed Dec 11, 2024 10:09 am
by DoubleDoubleA
You are likely best served by putting in a ticket on this issue with the support team. Getting to the bottom of it will likely require a level of troubleshooting and investigation that the forum is not set up for.

Thanks,

Aaron

Re: Weird entries in audit log

Posted: Wed Dec 11, 2024 5:06 pm
by tgriep
When Nagios XI is upgraded, the upgrade at certain times upgrades all of the wizards, and the wizard upgrade sets the commands to what is needed for the wizard, so what you are seeing is normal if XI was upgraded.

Was XI upgraded on that day at that time?

Re: Weird entries in audit log

Posted: Fri Dec 13, 2024 11:02 am
by BanditBBS
No, there were no logins to XI that day, nothing was done, that's why it is baffling.

Re: Weird entries in audit log

Posted: Fri Dec 13, 2024 12:24 pm
by DoubleDoubleA
Are you able to look at OS-level logins? The scripts that generate those log entries could have been run from the command line. Perhaps unlikely but if there aren't any interface logins, it is at least possible.

Re: Weird entries in audit log

Posted: Fri Dec 13, 2024 2:56 pm
by BanditBBS
Only thing really run is dnf upgrade -y

We searched further back in the audit log and we see this happening in July, August, Sept and November... all on different dates that do not line up with the OS patches and no RFC.

Re: Weird entries in audit log

Posted: Fri Dec 13, 2024 3:20 pm
by DoubleDoubleA
Is it an rpm install of XI?

And is your signature accurate, you're on 5.6?

Re: Weird entries in audit log

Posted: Tue Dec 17, 2024 4:30 pm
by BanditBBS
Oh wow, haven't updated signature in quite some time. It is an RPM install as it was the offline installation.