What is user activity logging?

Log records

The NFM-P logs each GUI and XML API user action, such as system access attempts and configuration changes in the main database. The following table lists the information in a user activity log record.

Table 9-2: User activity log record information

Field name

Description

Time

Time of activity

Session Type

Type of session, which is GUI, JMS, or XML API

Session ID

Client session identifier

Session IP Address

Client IP address

Session Time

Client session start time

Server IP Address

IP address of main server that reports the activity

Type

General activity type, which is Deployment, Operation, or Save

Sub Type

Specific activity type, which is Creation, Deletion, Modification, or name of the invoked method

Username

NFM-P username

Site Name

Name of affected NE, if applicable

Site ID

IP address of affected NE, if applicable

Object Name

Name of affected object

Object ID

Fully qualified name of affected object

Object Type

Type of affected object

State

Activity status, which is Failure, Success, or Timeout

Request ID

Identifier assigned to the request, which is unique to a session

Additional Info

Information such as old and new parameter values after a modification

XML

NFM-P object class descriptor, if applicable, and activity details in XML request format

To view general user activity log entries in the GUI, or retrieve the entries using the XML API, you require an NFM-P user account that has the Administrator or NFM-P Management and Operations scope of command role.

You can also enable the forwarding of user activity logs to a remote syslog server, as described in Remote syslog server forwarding.

Note: Viewing or retrieving LI user activity entries requires the Lawful Intercept Management role, and is restricted to the entries of users in the same LI user group.

The logged activity types are the following:

Each user activity creates an Operation log entry. If the activity results in an NE configuration change, a Deployment entry is logged. If the deployed information differs from the information in the NFM-P database, a Save entry is logged. If appropriate, a log entry contains the activity details in XML format.

The following table lists the user activity types and describes the associated sub types.

Table 9-3: User activity types

Type

Sub Type

sub type description

Deployment

Creation

NE object creation

Deletion

NE object deletion

Modification

NE object modification

Operation

method

Name of invoked method

Save

Creation

Database object creation

Deletion

Database object deletion

Modification

Database object modification

The User Activity form displays a filterable list of the logged user activities, and a filterable list of the logged client and server session activities. Client session activities include connection, disconnection, and access violation. Server session activities include startup and shutdown. The properties form of a client connection log record lists the activities performed by the user during the client session.

The client GUI allows direct navigation between the following objects:

The User Activity form lists the recent user session and activity entries; older entries are purged according to configurable storage criteria. See How do I set the NFM-P system preferences? for information about configuring the user activity log retention criteria using the System Preferences form.

To archive user activity log entries before the entries are purged from the NFM-P database, an XML API client can use a time-based filter to retrieve entries from the sysact package using the find and findToFile methods. See “Inventory retrieval methods” in the NSP NFM-P XML API Developer Guide for information about using the find and findToFile methods.

User activity logging is a valuable troubleshooting function. For example, if a port unexpectedly fails, you can quickly determine whether misconfiguration is the cause by doing one of the following:

Note: Script execution is logged, but the actions that a script performs are not.

The following apply to user activity logging.

Remote syslog server forwarding

You can enable the forwarding of NFM-P user activity logs to a remote syslog server by specifying the target server parameters for remote-syslog using the NFM-P samconfig utility on a main server.

Each generated remote syslog message for user activity has the following fields:

The User Activity Log message is in JSON format, and includes the following:

User Activity Log syslog record example

The following is an example of an NFM-P User Activity Log record forwarded to a remote syslog server.

May 27 17:30:57 nfmp-mainserver-1 activitylogs: {"app":"NFM-P","clientHost":"203.0.113.7","reqMethod":"Save","addlParams":"{}","actionParams":[

],"respCodePhrase":"Success","timeStamp":"2020-05-27 17:30:56.330 +0530","affObjs":[

{"val":"securityManager","key":"fdn"}

,

{"val":"TSecurity Manager","key":"objectType"}

,

{"val":"0.0.0.0","key":"siteId"}

,

{"val":"0.0.0.0","key":"siteName"}

],"uid":"154","host":"203.0.113.7","action":"Modification","user":"admin","reqURL":"N/A","respCode":"1"}

The fields in the example have the following values:

Note: In an NFM-P log record, the addlParams field is always empty, and the reqURL field always contains “N/A”.

Client session control

Each GUI or XML API client request creates an NFM-P client session. You can view a list of the active client sessions on the Sessions tab of the NFM-P User Security - Security Management form. Using this form, an admin user, or a user with an assigned Security scope of command role, can also terminate one or more client sessions. When a GUI client session is terminated in this manner, each client GUI displays a warning message and the connection is closed after a short delay. See How do I view and manage the active GUI client sessions? for more information.

Messaging connections

A list of active GUI connections and XML API JMS connections can be viewed on the Messaging Connections tab of the NFM-P User Security - Security Management form. Using this form, an admin user, or a user with an assigned Security scope of command role, can terminate one or more connections. When an XML API client connection is terminated, a notification is sent to the client, but the admin user must also remove the JMS client connection so that the server stops storing JMS messages for the session. See How do I disconnect an XML API JMS client connection or remove a durable subscription? for more information.

Client delegate sessions

The threshold for the number of client sessions allowed on a client delegate server is configurable from the client GUI. When a user tries to open a client session that exceeds the threshold, the client delegate server opens the session, displays a warning message, and generates an alarm. The threshold-crossing function can help to balance the session load across multiple client delegate servers. You need the Update user permission on the Server package to configure the threshold. See How do I configure the number of allowed client sessions for a client delegate server? for more information.