Open for Voting
over 1 year ago

Improve/Expand on audit log tracking

I've had some discussion with fellow MVPs and we all feel the audit log could use a big FR for the things we want to see tracked.

On my list I can think of:

  • who & when a credential is added or removed
    • eg: include module (Credential added to UDT? Credential added to SAM template?)
    • also: credential changed for the actual SQL or Netflow DB (backend/admin) + who + timestamp
  • who & when a component in a view is edited
    • example: when someone hits edit on a component - who & what?
  • When a report is modified in any way
    • eg: who?
    • was the report description changed?
    • custom properties added?
    • new schedule added or removed from said report?
  • When an alert is modified in any way
    • eg: who modified the alert
    • was the title changed?
    • was the alert criteria changed?
    • was a new trigger added?
    • was a schedule changed?
    • was a node muted?
  • every single action a particular account takes
    • maybe as a toggle option or with a date option? EG: store every action a newly created user account does for the first 30 days. Or a "turn it on for a month starting now" kind of thing?

I'll add more as I discuss this with jbiggley and probably every single MVP.

  • I only began to appreciate what TACACS does recently. I agree that TACACS style logging is a logical way to summarize a good portion of what I'm looking for, but more or less the point is to track what people have done. Say I went to the summary page, deleted a component, went to a node detail page, why not have a way to trace that and improve workflows for your teams as well as ensure these things are actually logged in Orion. I see this being as much good UX as security and auditing.

  • The "solution" is to modify NPM to use TACACS.  I get all the requested information from my TACACS servers' logs, plus TACACS either allows or denies access to every device, and to every command on every TACACS-compatible-device, with full logging.

    Now, if only SW would buy out Cisco and implement awesome compatibility and upgrades and logging and AAA . . .

  • I really like this updated suggestion, thank you!

  • Added one more idea for serena - that this could be time-based for the highest level of granularity. As in, we may not need it for everyone at all times (might be too much data) but being able to define a criteria for when people are tracked in depth would be useful.

    Example 1: new users monitored for the first 6 months for every action they take

    Example 2: when someone hits a "permission denied"/"access denied", all actions are monitored for the next 30 days. The latter is a good way to make sure things are working the way they are intended to.
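An added example, not code from this thread or from SolarWinds, showing what the requested tracking could look like in practice: a small audit-event record that carries who, when, what, which module and which fields changed (covering the credential/component/report/alert items in the original post), plus the time-based in-depth tracking policy from this comment (every action of a new account for its first N days, and every action for 30 days after an access-denied). The `AuditEvent` and `AuditPolicy` names, the action strings, the log-line format and the sample events are all constructed assumptions and not Orion's own audit schema.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuditEvent:
    """One audited action: who did what, to which object, where, and when.
    Field names are assumptions for this example, not Orion's schema."""
    ts: datetime
    actor: str                        # who
    action: str                       # what, e.g. "credential.added", "alert.modified"
    target: str                       # which object, e.g. "alert 'High CPU'"
    module: str = ""                  # where, e.g. "SAM", "UDT", "NPM"
    changes: Dict[str, Tuple[object, object]] = field(default_factory=dict)
    outcome: str = "success"          # "success" or "denied"


def diff_fields(before: dict, after: dict) -> Dict[str, Tuple[object, object]]:
    """Return {field: (old, new)} for every field that differs, so that a
    'report modified' / 'alert modified' event records *what* changed
    (title, criteria, schedule, description, ...), not just that it changed."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k))
            for k in sorted(keys) if before.get(k) != after.get(k)}


def format_event(ev: AuditEvent) -> str:
    """Render an event as one log line (constructed format for this example)."""
    changed = ", ".join(f"{k}: {old!r} -> {new!r}" for k, (old, new) in ev.changes.items())
    line = f"{ev.ts.isoformat()} {ev.outcome.upper()} {ev.actor} {ev.action} {ev.target}"
    if ev.module:
        line += f" [{ev.module}]"
    if changed:
        line += f" ({changed})"
    return line


class AuditPolicy:
    """Keeps every event, and additionally decides whether the actor is currently
    in 'track every action' mode under two time-based criteria: the account is
    newer than new_user_days, or it hit an access-denied within denied_window_days."""

    def __init__(self, new_user_days: int = 180, denied_window_days: int = 30):
        self.new_user_window = timedelta(days=new_user_days)
        self.denied_window = timedelta(days=denied_window_days)
        self.user_created: Dict[str, datetime] = {}
        self.last_denied: Dict[str, datetime] = {}
        self.log: List[AuditEvent] = []        # everything, always
        self.detailed: List[AuditEvent] = []   # events captured under in-depth tracking

    def register_user(self, actor: str, created: datetime) -> None:
        self.user_created[actor] = created

    def tracking_reason(self, actor: str, now: datetime) -> Optional[str]:
        """Why this actor is tracked in depth right now, or None if not."""
        created = self.user_created.get(actor)
        if created is not None and now - created < self.new_user_window:
            return f"new user ({(now - created).days} days old)"
        denied = self.last_denied.get(actor)
        if denied is not None and now - denied < self.denied_window:
            return f"access denied {(now - denied).days} days ago"
        return None

    def record(self, ev: AuditEvent) -> Optional[str]:
        """Store the event; a denied outcome starts (or restarts) the 30-day window,
        so the denied action itself is the first one captured in depth."""
        self.log.append(ev)
        if ev.outcome == "denied":
            self.last_denied[ev.actor] = ev.ts
        reason = self.tracking_reason(ev.actor, ev.ts)
        if reason is not None:
            self.detailed.append(ev)
        return reason


if __name__ == "__main__":
    # Constructed sample accounts and actions; "alice" is a new account, "bob" is not.
    policy = AuditPolicy()
    policy.register_user("alice", datetime(2024, 1, 1))
    policy.register_user("bob", datetime(2022, 1, 1))
    old_alert = {"title": "High CPU", "trigger": "cpu > 90"}
    new_alert = {"title": "High CPU load", "trigger": "cpu > 90", "schedule": "nightly"}
    samples = [
        AuditEvent(datetime(2024, 3, 1, 9, 0), "alice", "credential.added", "SAM template 'Windows'", "SAM"),
        AuditEvent(datetime(2024, 3, 1, 9, 5), "bob", "view.component.edited", "summary view", "NPM"),
        AuditEvent(datetime(2024, 3, 2, 14, 0), "bob", "report.deleted", "report 'Inventory'", "NPM", outcome="denied"),
        AuditEvent(datetime(2024, 3, 15, 10, 0), "bob", "alert.modified", "alert 'High CPU'", "NPM",
                   changes=diff_fields(old_alert, new_alert)),
    ]
    for ev in samples:
        print(format_event(ev), "| in-depth:", policy.record(ev))
```

Every event still lands in `policy.log`; the policy only adds the "capture everything this person does" marker for the windows this comment describes, which keeps the data volume concern in check while still giving a full trail for new accounts and for anyone who just bumped into a permission boundary.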