Open for Voting

Improve/Expand on audit log tracking

I've had some discussion with fellow MVPs and we all feel the audit log could use a big FR for the things we want to see tracked.

On my list I can think of:

  • who & when a credential is added or removed
    • e.g. include module (Credential added to UDT? Credential added to SAM template?)
    • also: credential changed for the actual SQL or NetFlow DB (backend/admin) + who + timestamp
  • who & when a component in a view is edited
    • example: when someone hits edit on a component - who & what?
  • When a report is modified in any way
    • e.g. who?
    • was the report description changed?
    • custom properties added?
    • new schedule added or removed from said report?
  • When an alert is modified in any way
    • e.g. who modified the alert
    • was the title changed?
    • was the alert criteria changed?
    • was a new trigger added?
    • was a schedule changed?
    • was a node muted?
  • every single action a particular account takes
    • maybe as a toggle option or with a date option? E.g. store every action a newly created user account does for the first 30 days. Or a "turn it on for a month starting now" kind of thing?

I'll add more as I discuss this with jbiggley and probably every single MVP.
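As an added illustration (not part of the original post, and not SolarWinds code), here is a small Python model of the audit record the list above asks for: who, when, which module, which object, and which fields changed, with secret values redacted rather than stored, plus the "audit everything this account does for N days" window from the last bullet. The action names, module names and the fixed set of always-audited action types are constructed for this example and are not the product's own identifiers.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any, Optional

# Stand-in for a product's fixed list of audited action types (names are
# constructed for this example, not taken from any real schema).
ALWAYS_AUDITED = {
    "credential.added", "credential.removed", "credential.changed",
    "view.component.edited",
    "report.modified", "report.schedule.added", "report.schedule.removed",
    "alert.modified", "alert.trigger.added", "alert.schedule.changed",
    "alert.action.assigned", "alert.action.unassigned", "node.muted",
}

# Fields whose values must never land in the log; only the fact that they changed is kept.
SECRET_FIELDS = {"password", "community_string", "private_key"}


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str          # account that performed the action
    action: str         # one of the action names above, or any action inside a window
    module: str         # e.g. "SAM", "UDT", "Reports", "Alerts" (constructed)
    target: str         # identifier of the object that was changed
    changes: dict[str, tuple[Any, Any]] = field(default_factory=dict)  # field -> (before, after)


def diff_fields(before: dict, after: dict) -> dict[str, tuple[Any, Any]]:
    """Per-field (old, new) pairs for everything that changed, with secrets redacted."""
    out: dict[str, tuple[Any, Any]] = {}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            out[key] = ("<redacted>", "<redacted>") if key in SECRET_FIELDS else (old, new)
    return out


@dataclass(frozen=True)
class FullActivityWindow:
    """'Log every action this account takes' for a bounded number of days."""
    account: str
    starts: datetime
    days: int

    def covers(self, actor: str, at: datetime) -> bool:
        return actor == self.account and self.starts <= at < self.starts + timedelta(days=self.days)


class AuditLog:
    def __init__(self, windows=()):
        self.events: list[AuditEvent] = []
        self.windows = list(windows)

    def should_record(self, actor: str, action: str, at: datetime) -> bool:
        # Always-audited actions are kept for everyone; anything else only while a window is active.
        return action in ALWAYS_AUDITED or any(w.covers(actor, at) for w in self.windows)

    def record(self, actor, action, module, target, before=None, after=None,
               when: Optional[datetime] = None) -> Optional[AuditEvent]:
        when = when or datetime.now(timezone.utc)
        if not self.should_record(actor, action, when):
            return None
        ev = AuditEvent(when, actor, action, module, target, diff_fields(before or {}, after or {}))
        self.events.append(ev)
        return ev

    def history(self, target: str) -> list[AuditEvent]:
        """Answer 'who changed this object, and what did they change?' in time order."""
        return sorted((e for e in self.events if e.target == target), key=lambda e: e.when)


def demo() -> dict:
    """Constructed scenario: a backend credential change, a routine page view, and a 30-day window."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log = AuditLog(windows=[FullActivityWindow("newuser", t0, 30)])
    cred = log.record("alice", "credential.changed", "Backend", "cred:sql-backend",
                      {"user": "sa", "password": "old"}, {"user": "sa", "password": "new"}, when=t0)
    return {
        "cred_changes": cred.changes if cred else None,
        "routine_view_logged": log.record("alice", "view.opened", "Views", "view:summary", when=t0) is not None,
        "newuser_day10_logged": log.record("newuser", "view.opened", "Views", "view:summary",
                                           when=t0 + timedelta(days=10)) is not None,
        "newuser_day31_logged": log.record("newuser", "view.opened", "Views", "view:summary",
                                           when=t0 + timedelta(days=31)) is not None,
        "cred_history": [e.actor + ":" + e.action for e in log.history("cred:sql-backend")],
    }


if __name__ == "__main__":
    print(demo())
```

The point of `diff_fields` is that a credential-change event records that the password field changed without ever writing the old or new value; the window logic shows how "everything for the first 30 days" can sit beside a fixed list of always-audited actions without logging every page view for every account forever.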

Parents
  • I think designerfx hit the nail on the head with that last bullet!

    We'd like to see the 'Audit Events' option in the Message Centre show EVERYTHING an account has done. It appears that some actions are logged, but these are not currently selectable options within the drop down list.

    Perhaps, linked to this, there should be a check box or selection drop down for how granular the auditing is? So, for those highly secure environments (read: those with paranoid admins!) can have the audit log set to 'Show All User Activity', down to 'Minimal'.

  • I'd really love to see every action logged to a file. Not just the ones in the AuditingActionTypes table. One of my big pet peeves is that adding/removing/changing/assigning/unassigning alert actions is not audited (as of NPM 12.1). That hurts when we are trying to trace who modified a specific shared alert action.

Children
  • That is one of the exact scenarios I've had happen too, jbiggley. Another is when a report is modified, because there really isn't much for that right now (nothing currently). Said report works today and now tomorrow it doesn't? Not even a matter of focusing blame, but I'd love to work with whoever changed the report so that I can understand what they did and work with them to help fix it. I expanded a little bit on what I'm thinking of so that serena can have something more solid. Also tagging rschroeder - if you're going the NAC (and eventual SIEM) route, this would certainly be of interest.

  • Thank you! The extra detail is very helpful.