HPE Synergy

Re: Query: HP Synergy audit log format - ci-audit-log

 
JorgePizarro
Occasional Advisor

HP Synergy audit log format - ci-audit-log

Hi,

I'm looking for some manual with the description of the ci-audit-log format.

What I need is the meaning of the multiple values found in the following columns: componentId, result, action, severity, object and objectDescription. For example, the column componentId has different values: "licmgr", "cert", "psrm", "crm", "tasktrack"; some of them are self-explanatory ("licmgr"), but others are not.

Thanks in advance

Jorge

support_s
System Recommended

Query: HP Synergy audit log format - ci-audit-log

System recommended content:

1. HPE OneView 8.0 User Guide for HPE Synergy | Support dump file

2. HPE OneView 7.1 User Guide for HPE Synergy | Support dump file

 


JorgePizarro
Occasional Advisor

Re: Query: HP Synergy audit log format - ci-audit-log

Hi, can you be more specific? Which page of this URL (manual)?

The manual (PDF file) is more than 800 pages long; I searched for "crm" or "psrm" (componentId) but did not find any match.

I'm looking for information about the meaning of the following log lines (example extract):

2022-09-21 03:30:48.585 UTC,crm,,,System,LTk5NzY4NTQxMDMw,/rest/tasks/D81C5471-C22D-47AA-8FBB-8DAAAE8877C4,127.0.0.1,SUCCESS,MODIFY,INFO,logical-interconnects,/rest/logical-interconnects/ef3537c6-be26-4e05-8e07-92bd168cab44,Adding interconnect to logical-interconnect C7000_A_Down_2SM520000F at location: enclosure: /rest/enclosures/092SM520000F bay: 1

2022-09-20 19:39:18.742 UTC,psrm,,localhost,System,LTU1NjQ1MzExMDM5,/rest/tasks/A0BC322F-3448-45DE-AD0D-204097B531B2,,FAILURE,MODIFY,INFO,SERVER,/rest/server-hardware/30373237-3132-4D32-3235-343130345744,Refresh server hardware

Regards,

Jorge

DanCernese
HPE Pro

Re: Query: HP Synergy audit log format - ci-audit-log

You're correct, the "internal component names" are not documented.  In reality what they are shouldn't matter except to identify which internal component executed the action that is the remainder of the log entry.



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
JorgePizarro
Occasional Advisor

Re: Query: HP Synergy audit log format - ci-audit-log

Well, maybe I need to say that I'm a Digital Forensics Analyst. A customer suffered a security incident with the FlexFabric (someone connected to it and executed some commands). All I have is the log (ciAudit.log).

I need to understand what the "attacker" tried to do with the executed commands in the log.

Some commands are self-explanatory, but others are not.

Example:

"/rest/tasks/" with component-id psrm

"/rest/tasks/" with component-id crm

"Refresh server hardware" with component-id psrm

"/rest/ethernet-networks/374ed2f6-8881-4267-be92-713d669b34e3,Updated ethernet-network 'Fiserv-Internet-A'" with component-id crm

"Deleted connection-template 'name-1066080839-1491836372577'" with component-id crm

"/rest/network-sets/832976bb-382b-45eb-beec-a8d7e6cb85f7,Updated network-set 'NetSet_2SN54116Q2_10'" with component-id crm

"Updated connection-template 'name-623451695-1663732523724'" with component-id crm

"Updated logical-interconnect-group 'LIG_0000000000_1'" with component-id crm

Thanks in advance

Jorge

DanCernese
HPE Pro

Re: Query: HP Synergy audit log format - ci-audit-log

Understood, but the component internal name won't help anyone understand what an attacker or user is trying to do or has done, because everything of value is in the rest of the message. I'll share this if you think it helps; these are definitive:

  • CRM == connectivity resource manager:  networks, switches, profile connections
  • PSRM == physical server resource manager:  enclosures, servers, and server health
  • PM == profile manager:  server profiles, cluster profiles, host profiles


JorgePizarro
Occasional Advisor

Re: Query: HP Synergy audit log format - ci-audit-log

Thanks for your responses.

I have another question.

The following events show some activity from localhost (127.0.0.1). From what application does this activity come?

2022-09-21 03:30:48.585 UTC,crm,,,System,LTk5NzY4NTQxMDMw,/rest/tasks/D81C5471-C22D-47AA-8FBB-8DAAAE8877C4,127.0.0.1,SUCCESS,MODIFY,INFO,logical-interconnects,/rest/logical-interconnects/ef3537c6-be26-4e05-8e07-92bd168cab44,Adding interconnect to logical-interconnect C7000_A_abajo-LIG_2SM520000F_1 at location: enclosure: /rest/enclosures/092SM520000F bay: 1

2022-09-21 05:07:13.836 UTC,security,,,appliance,MTMzOTQ0NDQwMjcy,,localhost,SUCCESS,DELETE,INFO,SESSION,1374d41c-76b5-491b-8084-662cf07d52a9,The session for user "appliance" with [logID:MTMzOTQ0NDQwMjcy] timed out.

 

DanCernese
HPE Pro

Re: Query: HP Synergy audit log format - ci-audit-log

HPE OneView



support_s
System Recommended

Re: Query: HP Synergy audit log format - ci-audit-log

The events mentioned are captured by OneView.

 

2022-09-21 03:30:48.585 UTC,crm,,,System,LTk5NzY4NTQxMDMw,/rest/tasks/D81C5471-C22D-47AA-8FBB-8DAAAE8877C4,127.0.0.1,SUCCESS,MODIFY,INFO,logical-interconnects,/rest/logical-interconnects/ef3537c6-be26-4e05-8e07-92bd168cab44,Adding interconnect to logical-interconnect C7000_A_abajo-LIG_2SM520000F_1 at location: enclosure: /rest/enclosures/092SM520000F bay: 1

2022-09-21 05:07:13.836 UTC,security,,,appliance,MTMzOTQ0NDQwMjcy,,localhost,SUCCESS,DELETE,INFO,SESSION,1374d41c-76b5-491b-8084-662cf07d52a9,The session for user "appliance" with [logID:MTMzOTQ0NDQwMjcy] timed out.



JorgePizarro
Occasional Advisor

Re: Query: HP Synergy audit log format - ci-audit-log

As the ciAudit.log only shows "localhost" for OneView users' connections, how can I know the IP address from which the user connected to the OneView application?

From my understanding, OneView is a web application, right?

Are there log files for this web application?

Where are these log files located?

Regards,

Jorge

Keerthana_RP
HPE Pro

Re: Query: HP Synergy audit log format - ci-audit-log

Usually, HPE OneView is configured during the installation. Please refer to the installation guide below.

 

https://techlibrary.hpe.com/docs/synergy/shared/setup_overview/index.html

 

Also, for getting information about the environment, we usually check the CI Support Dump (for Composers) and the LE Support Dump.

The LE Support Dump can be collected from the Logical Enclosure in OneView.

I work for HPE.

DanCernese
HPE Pro

Re: Query: HP Synergy audit log format - ci-audit-log

how can I know the IP address from where the user connect to OneView

So you've asked two things: which user performed the operation and what is that user's source IP where they are running their browser from (to connect to OneView).

To find out what user executed an operation, you need to see if it was part of a task and then use the REST API to look up more information about that task. For example:

2022-09-21 03:30:48.585 UTC,crm,,,System,LTk5NzY4NTQxMDMw,/rest/tasks/D81C5471-C22D-47AA-8FBB-8DAAAE8877C4,127.0.0.1,SUCCESS,MODIFY,INFO,logical-interconnects,/rest/logical-interconnects/ef3537c6-be26-4e05-8e07-92bd168cab44,Adding interconnect to logical-interconnect C7000_A_abajo-LIG_2SM520000F_1 at location: enclosure: /rest/enclosures/092SM520000F bay: 1

You'll need to look up /rest/tasks/D81C5471-C22D-47AA-8FBB-8DAAAE8877C4 using PowerShell or the REST API.

Other entries may have the user, sometimes "Administrator" or any other authorized user.

There are other entries specifically corresponding to that user logging on and their source IP.

2021-05-19 19:03:51.474 UTC,Authentication,,Local,Administrator,,,16.99.152.235,SUCCESS,LOGIN,INFO,AUTHENTICATION,,Authentication SUCCESS. User "Administrator" logged in successfully from client "16.99.152.235" and directory "LOCAL". [logID "MzQ2MDM3MDcyMTgy"]

Maybe that will point you in the right direction.

 

 

 



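Putting together the 14-column layout visible in the quoted log lines, the component names DanCernese listed, and his advice to resolve task-backed entries through the REST API, here is an added Python triage example (not HPE's code and not from any poster in this thread). The column names are an assumption inferred from the samples, and the embedded input is the set of log lines quoted above.

```python
# Column order inferred from the sample ciAudit.log lines in this thread.
# Assumption: HPE's official field names may differ; only the order matters.
FIELDS = ["timestamp", "component", "organization", "user_domain", "user",
          "log_id", "task_uri", "client_host", "result", "action", "severity",
          "object_type", "object_uri", "message"]

# Internal component names as listed by DanCernese; unknown ones pass through.
COMPONENTS = {"crm": "connectivity resource manager",
              "psrm": "physical server resource manager",
              "pm": "profile manager"}

# Client-host values that say nothing about where a request really came from.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}

def parse_audit_line(line):
    """Split one ciAudit.log line into a dict. The free-text message is the
    last field and may itself contain commas, so split at most 13 times."""
    parts = line.rstrip("\n").split(",", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["component_name"] = COMPONENTS.get(rec["component"].lower(), rec["component"])
    return rec

def triage(lines):
    """Return (logins, follow_ups): logins maps user -> client IPs seen on
    successful LOGIN entries (the only place the source IP is recorded);
    follow_ups lists task-backed entries attributed to a local host, whose
    real initiator must be resolved by querying the task URI via the REST API."""
    logins, follow_ups = {}, []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        if rec["action"] == "LOGIN" and rec["result"] == "SUCCESS":
            logins.setdefault(rec["user"], set()).add(rec["client_host"])
        elif rec["task_uri"] and rec["client_host"] in LOCAL_HOSTS:
            follow_ups.append((rec["timestamp"], rec["component_name"],
                               rec["task_uri"], rec["message"]))
    return logins, follow_ups

# Sample input: the four log lines quoted in this thread, embedded for a dry run.
SAMPLE = """\
2022-09-21 03:30:48.585 UTC,crm,,,System,LTk5NzY4NTQxMDMw,/rest/tasks/D81C5471-C22D-47AA-8FBB-8DAAAE8877C4,127.0.0.1,SUCCESS,MODIFY,INFO,logical-interconnects,/rest/logical-interconnects/ef3537c6-be26-4e05-8e07-92bd168cab44,Adding interconnect to logical-interconnect C7000_A_abajo-LIG_2SM520000F_1 at location: enclosure: /rest/enclosures/092SM520000F bay: 1
2022-09-20 19:39:18.742 UTC,psrm,,localhost,System,LTU1NjQ1MzExMDM5,/rest/tasks/A0BC322F-3448-45DE-AD0D-204097B531B2,,FAILURE,MODIFY,INFO,SERVER,/rest/server-hardware/30373237-3132-4D32-3235-343130345744,Refresh server hardware
2022-09-21 05:07:13.836 UTC,security,,,appliance,MTMzOTQ0NDQwMjcy,,localhost,SUCCESS,DELETE,INFO,SESSION,1374d41c-76b5-491b-8084-662cf07d52a9,The session for user "appliance" with [logID:MTMzOTQ0NDQwMjcy] timed out.
2021-05-19 19:03:51.474 UTC,Authentication,,Local,Administrator,,,16.99.152.235,SUCCESS,LOGIN,INFO,AUTHENTICATION,,Authentication SUCCESS. User "Administrator" logged in successfully from client "16.99.152.235" and directory "LOCAL". [logID "MzQ2MDM3MDcyMTgy"]
"""
```

Running `triage(SAMPLE.splitlines())` yields the Administrator login from 16.99.152.235 and two task URIs (one crm, one psrm) that still need a /rest/tasks lookup to attribute to a user.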