topic Re: Query: HP Synergy audit log format - ci-audit-log in HPE Synergy

HP Synergy audit log format - ci-audit-log

JorgePizarro — Fri, 06 Jan 2023 07:35:11 GMT

Hi,

I'm looking for some manual with the description of the ci-audit-log format.

What I need is the meaning of multiples descriptions for the follow columns: componentId, result, action, severity, object and objectDescription. For example: column componentId had different values: "licmgr", "cert", "psrm", "crm", "tasktrack"; some of them as self explained ("licmgr"), but no others.

Thanks in advance

Jorge

Query: HP Synergy audit log format - ci-audit-log

support_s — Wed, 14 Dec 2022 13:22:03 GMT

System recommended content:

1. HPE OneView 8.0 User Guide for HPE Synergy | Support dump file

2. HPE OneView 7.1 User Guide for HPE Synergy | Support dump file

Please click on "Thumbs Up/Kudo" icon to give a "Kudo".

Thank you for being a HPE valuable community member.

Re: Query: HP Synergy audit log format - ci-audit-log

JorgePizarro — Wed, 14 Dec 2022 14:18:18 GMT

Hi, can you be more specific? Page of this URL (manual)?

The manual (PDF File) is more than 800 pages long, I search por "crm" or "psrm" (componentId) but does not find any match.

I'm looking for information about meaning of follow log lines (example, extract):

2022-09-21 03:30:48.585 UTC,crm,,,System,LTk5NzY4NTQxMDMw,/rest/tasks/D81C5471-C22D-47AA-8FBB-8DAAAE8877C4,127.0.0.1,SUCCESS,MODIFY,INFO,logical-interconnects,/rest/logical-interconnects/ef3537c6-be26-4e05-8e07-92bd168cab44,Adding interconnect to logical-interconnect C7000_A_Down_2SM520000F at location: enclosure: /rest/enclosures/092SM520000F bay: 1

2022-09-20 19:39:18.742 UTC,psrm,,localhost,System,LTU1NjQ1MzExMDM5,/rest/tasks/A0BC322F-3448-45DE-AD0D-204097B531B2,,FAILURE,MODIFY,INFO,SERVER,/rest/server-hardware/30373237-3132-4D32-3235-343130345744,Refresh server hardware

Regards,

Jorge

Re: Query: HP Synergy audit log format - ci-audit-log

DanCernese — Tue, 20 Dec 2022 16:31:59 GMT

You're correct, the "internal component names" are not documented. In reality what they are shouldn't matter except to identify which internal component executed the action that is the remainder of the log entry.

Re: Query: HP Synergy audit log format - ci-audit-log

JorgePizarro — Tue, 20 Dec 2022 16:45:25 GMT

Well, maybe I need to say that I'am a Digital Forensics Analyst. A customer suffer a security incidente with the FlexFabric (someone connect to it and execute some commands). All I have is the log (ciAudit.log).

I need to undestand what the "attacker" try to do with the executed commands in the log.

Some commands are self explanatory, but other not.

Example:

"/rest/tasks/" with component-id psrm

"/rest/tasks/" with component-id crm

"Refresh server hardware" with component-id psrm

"/rest/ethernet-networks/374ed2f6-8881-4267-be92-713d669b34e3,Updated ethernet-network 'Fiserv-Internet-A'" with component-id crm

"Deleted connection-template 'name-1066080839-1491836372577'" with component-id crm

"/rest/network-sets/832976bb-382b-45eb-beec-a8d7e6cb85f7,Updated network-set 'NetSet_2SN54116Q2_10'" with component-id crm

"Updated connection-template 'name-623451695-1663732523724'" with component-id crm

"Updated logical-interconnect-group 'LIG_0000000000_1'" with component-id crm

Thanks in advance

Jorge

Re: Query: HP Synergy audit log format - ci-audit-log

DanCernese — Wed, 21 Dec 2022 15:12:36 GMT

Understood-- but the component internal name won't help anyone understand what an attacker or user is trying to do or has done because everything of value is in the rest of the message. I'll share this, if you think it helps, these are definitive:

CRM == connectivity resource manager: networks, switches, profile connections
PSRM == physical server resource manager: enclosures, servers, and server health
PM == profile manager: server profiles, cluster profiles, host profiles

Re: Query: HP Synergy audit log format - ci-audit-log

JorgePizarro — Tue, 27 Dec 2022 15:28:22 GMT

Thanks for your responses.

I have another question.

The follow events show some activity from localhost (127.0.0.1). From what application this activity comes from?

2022-09-21 03:30:48.585 UTC,crm,,,System,LTk5NzY4NTQxMDMw,/rest/tasks/D81C5471-C22D-47AA-8FBB-8DAAAE8877C4,127.0.0.1,SUCCESS,MODIFY,INFO,logical-interconnects,/rest/logical-interconnects/ef3537c6-be26-4e05-8e07-92bd168cab44,Adding interconnect to logical-interconnect C7000_A_abajo-LIG_2SM520000F_1 at location: enclosure: /rest/enclosures/092SM520000F bay: 1

2022-09-21 05:07:13.836 UTC,security,,,appliance,MTMzOTQ0NDQwMjcy,,localhost,SUCCESS,DELETE,INFO,SESSION,1374d41c-76b5-491b-8084-662cf07d52a9,The session for user "appliance" with [logID:MTMzOTQ0NDQwMjcy] timed out.

Re: Query: HP Synergy audit log format - ci-audit-log

DanCernese — Tue, 03 Jan 2023 21:20:41 GMT

HPE OneView

Re: Query: HP Synergy audit log format - ci-audit-log

support_s — Wed, 04 Jan 2023 03:17:16 GMT

The events mentioned are captured by Oneview.

2022-09-21 03:30:48.585 UTC,crm,,,System,LTk5NzY4NTQxMDMw,/rest/tasks/D81C5471-C22D-47AA-8FBB-8DAAAE8877C4,127.0.0.1,SUCCESS,MODIFY,INFO,logical-interconnects,/rest/logical-interconnects/ef3537c6-be26-4e05-8e07-92bd168cab44,Adding interconnect to logical-interconnect C7000_A_abajo-LIG_2SM520000F_1 at location: enclosure: /rest/enclosures/092SM520000F bay: 1

Re: Query: HP Synergy audit log format - ci-audit-log

JorgePizarro — Wed, 04 Jan 2023 10:46:51 GMT

As the ciAuditlog only show "localhost" for OneView user's connections, how can I know the IP address from where the user connect to OneView application?

From my understanding, OneView is a web application, right?

There are some log file for this web application?

Where this logs files are located?

Regards,

Jorge

Re: Query: HP Synergy audit log format - ci-audit-log

Keerthana_RP — Thu, 05 Jan 2023 05:35:28 GMT

Usually, the HPE Oneview is configured during the installation. Please refer the installation guide below.

https://techlibrary.hpe.com/docs/synergy/shared/setup_overview/index.html

Also, for getting information about the environment, we usually check the CI Support Dump (For composers) and LE Support Dump.

LE Support Dump can be collected from Logical Enclosure on Oneview.

Re: Query: HP Synergy audit log format - ci-audit-log

DanCernese — Thu, 05 Jan 2023 20:31:47 GMT

how can I know the IP address from where the user connect to OneView

So you've asked two things: which user performed the operation and what is that user's source IP where they are running their browser from (to connect to OneView).

To find out what user executed an operation, you need to see if it was part of a task and then use the RESTapi to look up more information about that task. For example,

2022-09-21 03:30:48.585 UTC,crm,,,System,LTk5NzY4NTQxMDMw,/rest/tasks/D81C5471-C22D-47AA-8FBB-8DAAAE8877C4,127.0.0.1,SUCCESS,MODIFY,INFO,logical-interconnects,/rest/logical-interconnects/ef3537c6-be26-4e05-8e07-92bd168cab44,Adding interconnect to logical-interconnect C7000_A_abajo-LIG_2SM520000F_1 at location: enclosure: /rest/enclosures/092SM520000F bay: 1

You'll need to look up /rest/tasks/D81C5471-C22D-47AA-8FBB-8DAAAE8877C4 using PowerShell or the RESTapi.

Other entries may have the user, sometimes "Administrator" or any other authorized user.

There are other entries specifically corresponding to that user logging on and their source IP.

2021-05-19 19:03:51.474 UTC,Authentication,,Local,Administrator,,,16.99.152.235,SUCCESS,LOGIN,INFO,AUTHENTICATION,,Authentication SUCCESS. User "Administrator" logged in successfully from client "16.99.152.235" and directory "LOCAL". [logID "MzQ2MDM3MDcyMTgy"]

Maybe that will point you in the right direction.