What is user activity logging?
Log records
The NFM-P logs each GUI and XML API user action, such as system access attempts and configuration changes in the main database. The following table lists the information in a user activity log record.
Table 9-2: User activity log record information
Field name | Description |
---|---|
Time | Time of activity |
Session Type | Type of session, which is GUI, JMS, or XML API |
Session ID | Client session identifier |
Session IP Address | Client IP address |
Session Time | Client session start time |
Server IP Address | IP address of main server that reports the activity |
Type | General activity type, which is Deployment, Operation, or Save |
Sub Type | Specific activity type, which is Creation, Deletion, Modification, or name of the invoked method |
Username | NFM-P username |
Site Name | Name of affected NE, if applicable |
Site ID | IP address of affected NE, if applicable |
Object Name | Name of affected object |
Object ID | Fully qualified name of affected object |
Object Type | Type of affected object |
State | Activity status, which is Failure, Success, or Timeout |
Request ID | Identifier assigned to the request, which is unique to a session |
Additional Info | Information such as old and new parameter values after a modification |
XML | NFM-P object class descriptor, if applicable, and activity details in XML request format |
To view general user activity log entries in the GUI, or retrieve the entries using the XML API, you require an NFM-P user account that has the Administrator or NFM-P Management and Operations scope of command role.
You can also enable the forwarding of user activity logs to a remote syslog server, as described in Remote syslog server forwarding.
Note: Viewing or retrieving LI user activity entries requires the Lawful Intercept Management role, and is restricted to the entries of users in the same LI user group.
The logged activity types are the following:
Each user activity creates an Operation log entry. If the activity results in an NE configuration change, a Deployment entry is logged. If the deployed information differs from the information in the NFM-P database, a Save entry is logged. If appropriate, a log entry contains the activity details in XML format.
The following table lists the user activity types and describes the associated sub types.
Table 9-3: User activity types
Type | Sub Type | Sub Type description |
---|---|---|
Deployment | Creation | NE object creation |
Deployment | Deletion | NE object deletion |
Deployment | Modification | NE object modification |
Operation | method | Name of invoked method |
Save | Creation | Database object creation |
Save | Deletion | Database object deletion |
Save | Modification | Database object modification |
The User Activity form displays a filterable list of the logged user activities, and a filterable list of the logged client and server session activities. Client session activities include connection, disconnection, and access violation. Server session activities include startup and shutdown. The properties form of a client connection log record lists the activities performed by the user during the client session.
The client GUI allows direct navigation between the following objects:
- object properties form and the associated user activity list form
- NFM-P Task Manager task and the associated user activity list form
The User Activity form lists the recent user session and activity entries; older entries are purged according to configurable storage criteria. See How do I set the NFM-P system preferences? for information about configuring the user activity log retention criteria using the System Preferences form.
To archive user activity log entries before the entries are purged from the NFM-P database, an XML API client can use a time-based filter to retrieve entries from the sysact package using the find and findToFile methods. See “Inventory retrieval methods” in the NSP NFM-P XML API Developer Guide for information about using the find and findToFile methods.
User activity logging is a valuable troubleshooting function. For example, if a port unexpectedly fails, you can quickly determine whether misconfiguration is the cause by doing one of the following:
- opening the port properties form and clicking User Activity to view the recent user activity associated with the port
- opening the User Activity form, filtering the list by object type or name, and then verifying the associated user activities
Note: Script execution is logged, but the actions that a script performs are not.
The following apply to user activity logging.
- A Deployment activity typically does not have an associated Save activity for the following reasons:
- When a high-level object such as an NE is deleted, one aggregate activity record is created, rather than multiple NE child object activity records.
- The XML text in a log entry is limited to 4000 characters. If an activity generates more than 4000 characters of XML text, the text is truncated, and the truncation is indicated on the log entry form.
Remote syslog server forwarding
You can enable the forwarding of NFM-P user activity logs to a remote syslog server by specifying the target server parameters for remote-syslog using the NFM-P samconfig utility on a main server.
Each generated remote syslog message for user activity has the following fields:
The User Activity Log message is in JSON format, and includes the following:
User Activity Log syslog record example
The following is an example of an NFM-P User Activity Log record forwarded to a remote syslog server.
May 27 17:30:57 nfmp-mainserver-1 activitylogs: {"app":"NFM-P","clientHost":"203.0.113.7","reqMethod":"Save","addlParams":"{}","actionParams":[
],"respCodePhrase":"Success","timeStamp":"2020-05-27 17:30:56.330 +0530","affObjs":[
{"val":"securityManager","key":"fdn"}
,
{"val":"TSecurity Manager","key":"objectType"}
,
{"val":"0.0.0.0","key":"siteId"}
,
{"val":"0.0.0.0","key":"siteName"}
],"uid":"154","host":"203.0.113.7","action":"Modification","user":"admin","reqURL":"N/A","respCode":"1"}
The fields in the example have the following values:
Note: In an NFM-P log record, the addlParams field is always empty, and the reqURL field always contains “N/A”.
- User Activity Log entry—remainder that begins with "app":"NFM-P"
- clientHost—remote hostname or IP address that invokes action
- addlParams—array; contains parameters or other such values not in other fields; always empty in NFM-P record
- affObjs—array of affected-object attributes, for example, FDN and ID
- reqURL—HTTP URL of the executed HTTP Request; always contains “N/A” in NFM-P record
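On the receiving syslog server, the forwarded record can be split into its syslog header and JSON payload, and the affObjs key/val array flattened so that changes to sensitive objects can be flagged. The following Python sketch is an added example, not NFM-P or Nokia code; the function names and the watched FDN prefix list are assumptions to adapt per deployment.

```python
import json

# The page's example record, joined onto one line as a syslog receiver sees it.
SAMPLE = (
    'May 27 17:30:57 nfmp-mainserver-1 activitylogs: {"app":"NFM-P",'
    '"clientHost":"203.0.113.7","reqMethod":"Save","addlParams":"{}",'
    '"actionParams":[],"respCodePhrase":"Success",'
    '"timeStamp":"2020-05-27 17:30:56.330 +0530","affObjs":['
    '{"val":"securityManager","key":"fdn"},'
    '{"val":"TSecurity Manager","key":"objectType"},'
    '{"val":"0.0.0.0","key":"siteId"},{"val":"0.0.0.0","key":"siteName"}],'
    '"uid":"154","host":"203.0.113.7","action":"Modification",'
    '"user":"admin","reqURL":"N/A","respCode":"1"}'
)

# Assumption: FDN prefixes this site treats as security-sensitive.
WATCHED_FDN_PREFIXES = ("securityManager",)
CHANGE_ACTIONS = {"Creation", "Deletion", "Modification"}

def parse_record(line, tag="activitylogs:"):
    """Return the JSON payload as a dict, or None if the line is unusable."""
    header, found, payload = line.partition(tag)
    if not found:
        return None
    try:
        rec = json.loads(payload)
    except json.JSONDecodeError:  # truncated or corrupted in transit
        return None
    if not isinstance(rec, dict) or rec.get("app") != "NFM-P":
        return None
    # affObjs is a list of {"key": ..., "val": ...}; flatten it for lookups.
    objs = rec.get("affObjs") if isinstance(rec.get("affObjs"), list) else []
    rec["affected"] = {o["key"]: o["val"] for o in objs
                       if isinstance(o, dict) and "key" in o and "val" in o}
    rec["syslogHeader"] = header.strip()
    return rec

def is_sensitive_change(rec):
    """True for a create/delete/modify on an object under a watched FDN."""
    fdn = str(rec["affected"].get("fdn", ""))
    return rec.get("action") in CHANGE_ACTIONS and fdn.startswith(WATCHED_FDN_PREFIXES)

def triage(lines):
    """Return (alerts, rejected); unparseable lines are counted, not ignored."""
    alerts, rejected = [], 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            rejected += 1
        elif is_sensitive_change(rec):
            alert = {k: rec.get(k) for k in
                     ("timeStamp", "user", "clientHost", "action", "respCodePhrase")}
            alert["fdn"] = rec["affected"]["fdn"]
            alerts.append(alert)
    return alerts, rejected
```

A rising rejected count is worth alerting on in its own right, because it means activity records are arriving truncated or malformed and are not being evaluated.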
Client session control
Each GUI or XML API client request creates an NFM-P client session. You can view a list of the active client sessions on the Sessions tab of the NFM-P User Security - Security Management form. Using this form, an admin user, or a user with an assigned Security scope of command role, can also terminate one or more client sessions. When a GUI client session is terminated in this manner, each client GUI displays a warning message and the connection is closed after a short delay. See How do I view and manage the active GUI client sessions? for more information.
Messaging connections
A list of active GUI connections and XML API JMS connections can be viewed on the Messaging Connections tab of the NFM-P User Security - Security Management form. Using this form, an admin user, or a user with an assigned Security scope of command role, can terminate one or more connections. When an XML API client connection is terminated, a notification is sent to the client, but the admin user must also remove the JMS client connection so that the server stops storing JMS messages for the session. See How do I disconnect an XML API JMS client connection or remove a durable subscription? for more information.
Client delegate sessions
The threshold for the number of client sessions allowed on a client delegate server is configurable from the client GUI. When a user tries to open a client session that exceeds the threshold, the client delegate server opens the session, displays a warning message, and generates an alarm. The threshold-crossing function can help to balance the session load across multiple client delegate servers. You need the Update user permission on the Server package to configure the threshold. See How do I configure the number of allowed client sessions for a client delegate server? for more information.