9 Replies Latest reply on Jan 7, 2016 7:55 PM by Craig Norborg

    Audit Log wish list...

    Craig Norborg

      As I'm perusing through the audit log to look for who changed a device-type view in Orion, I'm realizing how much I'd love to see the audit logging enhanced quite a bit and made more useful.   Right now everything (that is there) seems to be heaped into one big lump for us to digest, and combined into the message center with the Alerts, Events, Syslogs and Traps.   Actually found myself going into SWQL studio to sort through it quicker and realized that the info I wanted wasn't even there.   So, I thought I'd start a public wish-list on what could be done better, and what is missing.   That being said, I haven't thought this thoroughly through, so please chime in and give your ideas that are better than mine!!

       

      So, I normally get into the Audit Events through the "Last XX Audit Events" resource and click on "ALL AUDIT EVENTS" which brings me up to the "Message Center" with "Show Audit Events" checked and the "FILTER AUDITS" set to "All Action Types".    The first 30 or so messages on my current screen shows user login/logout events, which in this case is not something I'm interested in seeing really.  However, the drop-down filter only gives me the option to see all events, or see specific event types, like login events.

       

      As I see it, there are two things wrong with this.   First, I'm not really sure what event type I want to see, but from what's in front of me I know what I don't want to see, and that's login/logout events.  So I would love it if we could filter OUT things from what I'm seeing, but we can only filter FOR a specific audit event we're looking for.   Ideally I'd like to be able to continue filtering things out that I don't want to see until I find what I do, and then maybe filter on that type of event, because I'm sure once I filter out login/logout there is going to be other events I want filtered out in my quest to find what I'm looking for.   How do I know this?  Because I started doing exactly the equivalent of this in SWQL when I gave up on the web-based view!!  :-)

       

      And that brings up my second point.   I think having the audit event  types put into different classes would be much more useful than having specific audit events.   For example, I could see maybe one class being authentication events.   That would include login, logout, bad password, and maybe some more events that I can't think of right off hand.   Then maybe there could be a "Node" class, which would include everything related to working with a node, from creation to deletion, managing/unmanaging, changing a node custom property, etc. etc...   Then a similar "Interface" class and other similar classes.   I could even see things like an IPAM class and such.

       

      I'd also really like to see an "Administrative" class, which would deal with when people make changes to settings in Orion.  And maybe be able to filter based on which module its related to also.   Of course that brings up another wish list item being that Orion log any change to various settings, such as my example above, who changed the device-type view for a given device in Orion.  Right now AFAIK it isn't logged.  I'm suspecting there are many other administrative changes that can be made where there isn't a logging trail for it in Orion either.

       

      Personally I think it deserves its own interface also, not being clumped in with the rest of the "Message Center" also.

       

      Ok, those are my basics, interested in hearing what others think of this?   I'm betting someone else has better ideas and before I put it in as an "Idea" I'd like to hear them!!

        • Re: Audit Log wish list...
          ttl

          I agree that this needs to be fleshed out; did you create a Feature Request? 

            • Re: Audit Log wish list...
              Craig Norborg

              Not yet, was hoping others would chime in with constructive criticism and/or other things they wanted to see before I did this.   Then I got distracted by a squirrel or something!! 

               

              I'll try and remember to do it.   Maybe your response will trigger some others to chime in though!!

                • Re: Audit Log wish list...
                  johnny ringo

                  I agree with your list Crag.  The only thing I would add in addition to this is that these logs would be written to a flat file on the orion server.  Having them in the database is good but most security tools look for windows event logs and text file logs on the system.  this would enable these logs to be quickly ingested by those tools.

              • Re: Audit Log wish list...
                cahunt

                1 - Message Center - uncheck everything but Audit Events

                2 - Event Type : View Edited

                         *Set Proper Time Frame*

                3 - Click Apply

                 

                It will show you the View Changed and the User whom changed the view

                  • Re: Audit Log wish list...
                    Craig Norborg

                    Thanks for the try cahunt, your example works just fine for someone that changes a View, but not for a device-type View.  ie:  If you go to "Settings" and  "Manage Views" (or just customize a page), your example will pick it up in the Audit logs.   However, if you go to "Settings" and "Views by Device Type" and change something there, the changes don't show up in an audit log.

                     

                    I finally did open a case on this.  What I was looking for was who was setting my views by device type for "Cisco 891/891W IS Router" back to "Wireless Autonomous AP - Summary" on me when I was changing it to "(default)" repeatedly.   If you're curious why I'm doing this its because the 891 router is managed like its two separate devices (or nodes) in Orion.   One will be the router, which is identified as the above, the other is an embedded AP which gets identified as a "Cisco AP801agn" I think.   The router half should have the default view any router has, while the AP side should show up like an AP.  But, Orion wants to show both devices as an AP.

                     

                    There is no good resolution to the case yet.   It turns out that every time I ran the config wizard it was changing the device types back to what SolarWinds believes they should be, even when I overrode it on this page.   Furthermore, there is no way to change what SolarWinds believes they should be.   Now, if you ask me, if I override what SW thinks a view should be for a device type, it should stay there.   Not to mention they need to fix this router model (and a few others).   But, making edits on the Views by Device type page are basically worthless right now.

                     

                    I finally figured out it wasn't a person doing it by checking my IIS logs to see when this page (ie: /Orion/Admin/ViewsByDeviceType.aspx) was visited, and saw that I was the only one visiting it.  After that the tech went back to the developers and confirmed what my suspicions were, that they were doing it every time I ran the config wizard.   They admit its a problem though and are hopefully fixing it quickly!!

                     

                    This is partially why I say auditing needs great improvement!!

                      • Re: Audit Log wish list...
                        cahunt

                        Interesting. Curious the last time you updated your MIB.cfg files? Old ones may be missing the OID structure you are looking for on that specific device. That may help your view.

                        But now that I understand your situation, I must agree with that the changing of any setting should be included in the audit logs - or create the option to choose what you want when running the config wizard.

                          • Re: Audit Log wish list...
                            Craig Norborg

                            Hmm...  I don't think that would be it.   Orion knows how to discover both the router and it's embedded AP correctly, and as separate devices which they really are even though they are contained inside a single box.  It just assigns the wrong view by device type, and then if you go and correct it, it changes your corrections back after running the config wizard.   Neither are desired behaviors if you ask me...

                             

                            The whole auditing part of it would have made figuring the above out much easier, rather than me going around and asking folks whether they had done it or not, and then having to go to the IIS logs...   Makes you wonder how much stuff goes on with your server that the audit logs don't record!!

                              • Re: Audit Log wish list...
                                cahunt

                                There is a lot that goes on when I'm not looking at the server... If the embedded AP has it's own IP Address you can add see what type of device it sees the AP as. Just a quick thought. We have so many AP's I just add the controllers, as it would be too much for me to worry about each AP itself.

                                  • Re: Audit Log wish list...
                                    Craig Norborg

                                    Correct, as I said above, it sees the router as a device type of "Cisco 891/891W IS Router", while it sees the AP as a device type of "Cisco AP801agn".   If it was a lightweight AP that was embedded, I'd probably be happy with the controller being added, but these are autonomous...