What is user activity logging?

Log records

The NFM-P logs each GUI and XML API user action, such as system access attempts and configuration changes in the main database. The following table lists the information in a user activity log record.

Table 9-2: User activity log record information

Field name

Description

Time

Time of activity

Session Type

Type of session, which is GUI, JMS, or XML API

Session ID

Client session identifier

Session IP Address

Client IP address

Session Time

Client session start time

Server IP Address

IP address of main server that reports the activity

Type

General activity type, which is Deployment, Operation, or Save

Sub Type

Specific activity type, which is Creation, Deletion, Modification, or name of the invoked method

Username

NFM-P username

Site Name

Name of affected NE, if applicable

Site ID

IP address of affected NE, if applicable

Object Name

Name of affected object

Object ID

Fully qualified name of affected object

Object Type

Type of affected object

State

Activity status, which is Failure, Success, or Timeout

Request ID

Identifier assigned to the request, which is unique to a session

Additional Info

Information such as old and new parameter values after a modification

XML

NFM-P object class descriptor, if applicable, and activity details in XML request format

To view general user activity log entries in the GUI, or retrieve the entries using the XML API, you require an NFM-P user account that has the Administrator or NFM-P Management and Operations scope of command role.

You can also enable the forwarding of user activity logs to a remote syslog server, as described in Remote syslog server forwarding.

Note: Viewing or retrieving LI user activity entries requires the Lawful Intercept Management role, and is restricted to the entries of users in the same LI user group.

The logged activity types are the following:

  • Operation—a request for the NFM-P

  • Deployment—a change that is deployed to an NE

  • Save—a change to an object in the NFM-P database

Each user activity creates an Operation log entry. If the activity results in an NE configuration change, a Deployment entry is logged. If the deployed information differs from the information in the NFM-P database, a Save entry is logged. If appropriate, a log entry contains the activity details in XML format.

The following table lists the user activity types and describes the associated sub types.

Table 9-3: User activity types

Type

Sub Type

sub type description

Deployment

Creation

NE object creation

Deletion

NE object deletion

Modification

NE object modification

Operation

method

Name of invoked method

Save

Creation

Database object creation

Deletion

Database object deletion

Modification

Database object modification

The User Activity form displays a filterable list of the logged user activities, and a filterable list of the logged client and server session activities. Client session activities include connection, disconnection, and access violation. Server session activities include startup and shutdown. The properties form of a client connection log record lists the activities performed by the user during the client session.

The client GUI allows direct navigation between the following objects:

  • activity record and the associated session record

  • activity record and the activity target object

  • object properties form and the associated user activity list form

  • NFM-P Task Manager task and the associated user activity list form

  • session record and the associated user activity list form

The User Activity form lists the recent user session and activity entries; older entries are purged according to configurable storage criteria. See How do I set the NFM-P system preferences? for information about configuring the user activity log retention criteria using the System Preferences form.

To archive user activity log entries before the entries are purged from the NFM-P database, an XML API client can use a time-based filter to retrieve entries from the sysact package using the find and findToFile methods. See “Inventory retrieval methods” in the NSP NFM-P XML API Developer Guide for information about using the find and findToFile methods.

User activity logging is a valuable troubleshooting function. For example, if a port unexpectedly fails, you can quickly determine whether misconfiguration is the cause by doing one of the following:

  • opening the port properties form and clicking User Activity to view the recent user activity associated with the port

  • opening the User Activity form, filtering the list by object type or name, and then verifying the associated user activities

Note: Script execution is logged, but the actions that a script performs are not.

The following apply to user activity logging.

  • A Deployment activity typically does not have an associated Save activity for the following reasons:

    • A Deployment activity takes place only after a successful Save activity, so a Deployment implies a Save.

    • A Save activity typically contains the same information as the associated Deployment activity.

  • When a high-level object such as an NE is deleted, one aggregate activity record is created, rather than multiple NE child object activity records.

  • The XML text in a log entry is limited to 4000 characters. If an activity generates more than 4000 characters of XML text, the text is truncated, and the truncation is indicated on the log entry form.

Remote syslog server forwarding

You can enable the forwarding of NFM-P user activity logs to a remote syslog server by specifying the target server parameters for remote-syslog using the NFM-P samconfig utility on a main server.

Each generated remote syslog message for user activity has the following fields:

  • timestamp

  • hostname of syslog producer

  • program name

  • User Activity Log message

The User Activity Log message is in JSON format, and includes the following:

User Activity Log syslog record example

The following is an example of an NFM-P User Activity Log record forwarded to a remote syslog server.

May 27 17:30:57 nfmp-mainserver-1 activitylogs: {"app":"NFM-P","clientHost":"203.0.113.7","reqMethod":"Save","addlParams":"{}","actionParams":[

],"respCodePhrase":"Success","timeStamp":"2020-05-27 17:30:56.330 +0530","affObjs":[

{"val":"securityManager","key":"fdn"}

,

{"val":"TSecurity Manager","key":"objectType"}

,

{"val":"0.0.0.0","key":"siteId"}

,

{"val":"0.0.0.0","key":"siteName"}

],"uid":"154","host":"203.0.113.7","action":"Modification","user":"admin","reqURL":"N/A","respCode":"1"}

The fields in the example have the following values:

Note: In an NFM-P log record, the addlParams field is always empty, and the reqURL field always contains “N/A”.

  • timestamp—May 27 17:30:57

  • hostname of syslog entry producer—nfmp-mainserver-1

  • program name—activitylogs

  • User Activity Log entry—remainder that begins with "app":"NFM-P"

    • app—function name from which action performed

    • clientHost—remote hostname or IP address that invokes action

    • reqMethod—type of action performed

    • actionParams—array; contains parameters passed to action

    • addlParams—array; contains parameters or other such values not in other fields; always empty in NFM-P record

    • respCodePhrase—human-readable action response code

    • timeStamp—time at which action completed

    • affObjs—array of affected-object attributes, for example, FDN and ID

    • uid—record ID

    • host—IP address of syslog entry producer

    • action—name of action performed

    • user—username under which action performed

    • reqURL—HTTP URL of the executed HTTP Request; always contains “N/A” in NFM-P record

    • respCode—action response code, in integer format

Client session control

Each GUI or XML API client request creates an NFM-P client session. You can view a list of the active client sessions on the Sessions tab of the NFM-P User Security - Security Management form. Using this form, an admin user, or a user with an assigned Security scope of command role, can also terminate one or more client sessions. When a GUI client session is terminated in this manner, each client GUI displays a warning message and the connection is closed after a short delay. See How do I view and manage the active GUI client sessions? for more information.

Messaging connections

A list of active GUI connections and XML API JMS connections can be viewed on the Messaging Connections tab of the NFM-P User Security - Security Management form. Using this form, an admin user, or a user with an assigned Security scope of command role, can terminate one or more connections. When an XML API client connection is terminated, a notification is sent to the client, but the admin user must also remove the JMS client connection so that the server stops storing JMS messages for the session. See How do I disconnect an XML API JMS client connection or remove a durable subscription? for more information.

Client delegate sessions

The threshold for the number of client sessions allowed on a client delegate server is configurable from the client GUI. When a user tries to open a client session that exceeds the threshold, the client delegate server opens the session, displays a warning message, and generates an alarm. The threshold-crossing function can help to balance the session load across multiple client delegate servers. You need the Update user permission on the Server package to configure the threshold. See How do I configure the number of allowed client sessions for a client delegate server? for more information.