
User Audit Logs

Note

If the contents of an audit log are of interest and must be kept for a longer term, save the log contents to a separate text file, because the log is removed from the system 30 days after it appears. Audit logs are unique to each device.

Audit logs are an important tool for tracking the following event types:

  • Configuration collection logging after discovery.
  • CLI Credential guessing and CLI sessions through the Telnet/SSH proxy.
  • Connections and commands issued to devices through the CLI proxy.

When you display a single audit log entry, a complete screen dump of the entire session is shown in text format. Session audit logs are kept by the appliance for a rolling 30-day time window. Audit logs are available at two levels: system-wide (under Settings), and for individual devices (in the Device Viewer). Error events you see here are normally associated with credential guessing operations by NetMRI and user-initiated SSH/Telnet sessions to individual devices.

For CLI Credential guessing and Telnet/SSH session attempts, you will see messages for the following phenomena:

  • Invalid Credentials: A connection attempt is made through Telnet/SSH and the login tuple is used, but the remote end rejects it. This occurs after NetMRI successfully communicates with the device, and the initial attempts with username/password combinations fail.
  • Connection Closed by Foreign Host: This is usually due to an enforced Telnet or SSH session timeout on the device.
  • Timeout Waiting for Device: NetMRI's discovery polling or data collection timed out due to lack of response from the device.
  • No Route to Host: The device is no longer reachable.
  • Bad Secrets for Enable Mode: An incorrect Enable password was sent by NetMRI and the device rejects the attempt to enter Enable mode.

For configuration collection logging, you may see messages of the following types:

  • Config collection disabled globally: The current instance of NetMRI has disabled all Config Collection features (go to the Settings icon > Setup > Collection and Groups > Config Management side tab to check and enable collection settings).
  • Config collection disabled globally for all protocols: The current instance of NetMRI has enabled Config Collection but none of the protocols for gathering data (Telnet, SSH, HTTP) are enabled (go to Settings icon > Setup > Collection and Groups > Config Management side tab to check and enable collection settings).
  • Not Included by Discovery Settings: The device in question is not part of any IP range, is not specified as a static IP, does not match any device Hints, and is not a seed router. To check values for each of the four setting types, go to Settings icon > Setup > Discovery Settings. This message appears only for attempts to get configurations from the device.
  • Not Licensed: The device is not licensed under NetMRI. This message appears only for attempts to get configurations from the device.
  • Config collection disabled at device group level: NetMRI has disabled Config Collection features for a specific Device Group. To check and enable collection settings for a Device Group, go to the Settings icon > Setup > Collection and Groups > Groups > Device Groups side tab.
  • History Indicates Config not Changed: No configuration changes have occurred since the previous fetching of configuration data. This message appears only for regular device polling operations on managed devices.
  • CLI credentials unknown: All attempts at guessing or logging in to a device after discovery are unsuccessful.

To view a device's user audit log, go to Device Viewer > Settings & Status > User Audit Log. The audit log appears as a cumulative list for all Telnet/SSH sessions for the individual network device or end host for the last 30 days.
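The following is an added example, not NetMRI code: a triage script for audit log text saved off the appliance, which groups the messages listed above and flags devices with repeated credential failures. The `timestamp|device|message` line layout, the device names, the category names and the threshold of 3 are assumptions made for illustration; adapt the parsing to the layout of your own saved files.

```python
from collections import Counter, defaultdict

# Message text as listed on this page, grouped by the follow-up it calls for.
# The category names are this example's own, not NetMRI terms.
CATEGORIES = {
    "auth": ["Invalid Credentials", "Bad Secrets for Enable Mode",
             "CLI credentials unknown"],
    "reachability": ["Connection Closed by Foreign Host",
                     "Timeout Waiting for Device", "No Route to Host"],
    "collection_policy": ["Config collection disabled",
                          "Not Included by Discovery Settings", "Not Licensed"],
    "informational": ["History Indicates Config not Changed"],
}

# Constructed sample input; the line layout is an assumption, not a NetMRI format.
SAMPLE = """\
2024-05-01 02:10:04|core-sw1|Invalid Credentials
2024-05-01 02:10:09|core-sw1|Invalid Credentials
2024-05-01 02:10:15|core-sw1|Bad Secrets for Enable Mode
2024-05-01 02:11:00|edge-rtr2|Timeout Waiting for Device
2024-05-01 02:12:30|edge-rtr2|No Route to Host
2024-05-01 02:13:00|lab-fw3|Config collection disabled at device group level
2024-05-01 02:14:00|lab-fw3|History Indicates Config not Changed
2024-05-01 02:15:00|lab-fw3|Invalid Credentials
"""

def classify(message):
    """Return the category whose message text appears in the line, else 'other'."""
    lowered = message.lower()
    for category, needles in CATEGORIES.items():
        if any(n.lower() in lowered for n in needles):
            return category
    return "other"

def triage(text, auth_threshold=3):
    """Count categories per device; flag devices at or above auth_threshold."""
    per_device = defaultdict(Counter)
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _, device, message = parts
        per_device[device][classify(message)] += 1
    flagged = sorted(d for d, c in per_device.items() if c["auth"] >= auth_threshold)
    return per_device, flagged

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE)
    print("devices with repeated credential failures:", flagged)
```

Because NetMRI's own credential guessing produces the same messages as a failed user login, a flagged device is a prompt to open the session dump for that entry, not a verdict.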