
audits did not log user account used to remove and add nodes

Hello Thwack community members,

My events history in our SolarWinds platform indicated that about six nodes were removed and added back after 15 minutes. However, I could not find the account associated with removing and adding these nodes.

I tried to use a report query suggested at the link below but did not get the username and the nodes reported in the event. I also checked that no admin accounts were logged during that time.

https://thwack.solarwinds.com/t5/NPM-Documents/Nodes-added-or-deleted-with-username-Last-24-hrs/ta-p/526697

Is there any other way I could trace the user account used for these changes, or check the validity of these event messages?

  • This is a query I keep in Notepad on my server and run via Database Manager.
    It will help with the newly added node, but you would have to know the old NodeID to find out who deleted it.

    SELECT TOP 10 * FROM [dbo].[NodesData]
    where IP_Address = '10.10.0.###'


    Get the node ID from above and use it below.

    SELECT TOP 10 * FROM [dbo].[AuditingEvents]
    where networknode = '934'

    Hope this helps

  • Thanks for sharing your query. It did not find the deleted or added nodes in the Auditing table.

    I further expanded your query to look for the action type (ActionTypeID) for Node added and Node deleted, but did not find the nodes I am looking for. The audit event is not displaying recent days' changes.

    I might reach out to support to check the audit event DB. Wish me luck with support.

  • Here's a query to check that directly in the database...

    I will add that this will look for ALL node add/remove events regardless. Also note that your audit log retention could play a part here too. If I recall correctly I think the default retention for audit logs is 1 year (365 days) and then it will start rolling the log. Go to Settings -> All Settings -> Polling Settings, and look for Auditing Trails Retention. Events Retention is also in there, I'd just be cautious of changing that one.

    SELECT ae.AuditEventID, aat.ActionTypeDisplayName, ae.AccountID, ae.AuditEventMessage, ae.NetworkNode, ae.NetObjectID, ae.NetObjectType, ae.TimeLoggedUtc
    FROM SolarWindsOrion.dbo.AuditingEvents AS ae
    INNER JOIN SolarWindsOrion.dbo.AuditingActionTypes AS aat
    ON aat.ActionTypeID = ae.ActionTypeID
    WHERE ae.ActionTypeID IN ( 25, 26 )

    All the different audit event ID references are stored in the AuditingActionTypes table in the database. You can query them all by running the query below. The query above is filtering for only node add / remove events.

    SELECT aat.ActionTypeID, aat.ActionType, aat.ActionTypeDisplayName
    FROM SolarWindsOrion.dbo.AuditingActionTypes AS aat

    The standard NPM events log can show these as well, it just doesn't tie a user to them like so:

    SELECT e.EventID, et.Name, e.Message, e.NetworkNode, e.NetObjectID, e.NetObjectType, e.EventTime
    FROM SolarWindsOrion.dbo.Events AS e
    INNER JOIN SolarWindsOrion.dbo.EventTypes AS et
    ON et.EventType = e.EventType
    WHERE e.EventType IN ( 8, 9 )

    Good luck and hope this helps...
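
The two queries above can be combined into one check. This is an added example, not part of the thread or of SolarWinds' own tooling: it lists every node add/remove event and the audit row, if any, logged for the same node at about the same time, so events with no audited account stand out. Table, column and ID values are the ones used in the queries above; the 7-day lookback, the 5-minute tolerance and the treatment of `Events.EventTime` as server local time are assumptions to adjust.

```sql
-- Added example (not from the thread). Assumptions: lookback window, tolerance,
-- and that Events.EventTime is server local time while TimeLoggedUtc is UTC.
DECLARE @LookbackDays int = 7;   -- assumption: how far back to search
DECLARE @ToleranceMin int = 5;   -- assumption: allowed gap between event and audit row
-- Minutes to add to local time to get UTC on this SQL Server.
DECLARE @UtcOffsetMin int = DATEDIFF(MINUTE, GETDATE(), GETUTCDATE());

-- 1) Node add/remove events, with the matching audit row where one exists.
SELECT e.EventID,
       et.Name AS EventTypeName,
       e.NetworkNode,
       e.EventTime,
       DATEADD(MINUTE, @UtcOffsetMin, e.EventTime) AS EventTimeUtc,
       e.Message,
       ae.AuditEventID,
       aat.ActionTypeDisplayName,
       ae.AccountID,
       ae.TimeLoggedUtc,
       CASE WHEN ae.AuditEventID IS NULL
            THEN 'NO AUDIT RECORD' ELSE 'matched' END AS AuditStatus
FROM SolarWindsOrion.dbo.Events AS e
INNER JOIN SolarWindsOrion.dbo.EventTypes AS et
    ON et.EventType = e.EventType
LEFT JOIN SolarWindsOrion.dbo.AuditingEvents AS ae
    ON ae.NetworkNode = e.NetworkNode
   AND ae.ActionTypeID IN ( 25, 26 )
   AND ae.TimeLoggedUtc
       BETWEEN DATEADD(MINUTE, @UtcOffsetMin - @ToleranceMin, e.EventTime)
           AND DATEADD(MINUTE, @UtcOffsetMin + @ToleranceMin, e.EventTime)
LEFT JOIN SolarWindsOrion.dbo.AuditingActionTypes AS aat
    ON aat.ActionTypeID = ae.ActionTypeID
WHERE e.EventType IN ( 8, 9 )
  AND e.EventTime >= DATEADD(DAY, -@LookbackDays, GETDATE())
ORDER BY e.EventTime DESC;

-- 2) Does the audit table cover the period at all? A newest row older than the
--    events, or an oldest row newer than them, points to retention or a gap
--    in auditing rather than to a single missing entry.
SELECT MIN(ae.TimeLoggedUtc) AS OldestAuditRowUtc,
       MAX(ae.TimeLoggedUtc) AS NewestAuditRowUtc,
       COUNT(*)              AS AuditRowCount
FROM SolarWindsOrion.dbo.AuditingEvents AS ae;
```

Rows marked `NO AUDIT RECORD` are the ones worth raising with support, together with the date range returned by the second query.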

  • Thanks for providing the query. I also reviewed the audit events table at the time the events were reported, but there was no trace of the actions reported by the events.

    I also ran the query, but it did not pull any results, as shown below. I used Report Writer to view the result.

    (screenshot: mestasew_0-1611756490617.png)

    Is it possible that an admin cleared the audit events?

  • Is your database name ‘SolarWindsOrion’? (without quotes)

    That may need to change, however I’m not proficient in the report writer tool (truly never use it). But I thought it used just direct SQL queries?... Perhaps some adjustments may need to be made beyond that, I’m just not sure.

    Other folks may know better