As I'm perusing through the audit log to look for who changed a device-type view in Orion, I'm realizing how much I'd love to see the audit logging enhanced quite a bit and made more useful. Right now everything (that is there) seems to be heaped into one big lump for us to digest, and combined into the message center with the Alerts, Events, Syslogs and Traps. Actually found myself going into SWQL studio to sort through it quicker and realized that the info I wanted wasn't even there. So, I thought I'd start a public wish-list on what could be done better, and what is missing. That being said, I haven't thought this thoroughly through, so please chime in and give your ideas that are better than mine!!
So, I normally get into the Audit Events through the "Last XX Audit Events" resource and click on "ALL AUDIT EVENTS" which brings me up to the "Message Center" with "Show Audit Events" checked and the "FILTER AUDITS" set to "All Action Types". The first 30 or so messages on my current screen shows user login/logout events, which in this case is not something I'm interested in seeing really. However, the drop-down filter only gives me the option to see all events, or see specific event types, like login events.
As I see it, there are two things wrong with this. First, I'm not really sure what event type I want to see, but from what's in front of me I know what I don't want to see, and that's login/logout events. So I would love it if we could filter OUT things from what I'm seeing, but we can only filter FOR a specific audit event we're looking for. Ideally I'd like to be able to continue filtering things out that I don't want to see until I find what I do, and then maybe filter on that type of event, because I'm sure once I filter out login/logout there is going to be other events I want filtered out in my quest to find what I'm looking for. How do I know this? Because I started doing exactly the equivalent of this in SWQL when I gave up on the web-based view!! :-)
And that brings up my second point. I think having the audit event types put into different classes would be much more useful than having specific audit events. For example, I could see maybe one class being authentication events. That would include login, logout, bad password, and maybe some more events that I can't think of right off hand. Then maybe there could be a "Node" class, which would include everything related to working with a node, from creation to deletion, managing/unmanaging, changing a node custom property, etc. etc... Then a similar "Interface" class and other similar classes. I could even see things like an IPAM class and such.
I'd also really like to see an "Administrative" class, which would deal with when people make changes to settings in Orion. And maybe be able to filter based on which module its related to also. Of course that brings up another wish list item being that Orion log any change to various settings, such as my example above, who changed the device-type view for a given device in Orion. Right now AFAIK it isn't logged. I'm suspecting there are many other administrative changes that can be made where there isn't a logging trail for it in Orion either.
Personally I think it deserves its own interface also, not being clumped in with the rest of the "Message Center" also.
Ok, those are my basics, interested in hearing what others think of this? I'm betting someone else has better ideas and before I put it in as an "Idea" I'd like to hear them!!
