What is user activity log forwarding?

User activity log forwarding overview

If the forwarding of NSP user activity logs to a remote server is enabled, each NSP user action is forwarded to a remote syslog server specified in the NSP configuration during system deployment.

User activity syslog record format

Each generated remote syslog message for user activity has the following fields:

  • timestamp

  • hostname of syslog producer

  • program name

  • User Activity Log entry

User Activity Log syslog record example

The following is an example of an NFM-P User Activity Log record forwarded to a remote syslog server:

Note: The record is displayed as three separate sections for illustration purposes; an actual record is contiguous.

May 18 09:56:36 nsp-1a3 activitylogs: {"app":"Users And Security","clientHost":"203.0.100.5","reqMethod":"POST","addlParams":"{}","actionParams":[{"val":"

{\"retentionPeriod\":32,\"activityLogsMaxSize\":1000000,\"activityLogsWarningThreshold\":95,\"activityLogsCriticalThreshold\":100,\"activityLogsWarningPurgePercent\":5,\"activityLogsCriticalPurgePercent\":10}

","key":"jsonRequest"}],"respCodePhrase":"OK","timeStamp":"2020/05/27 10:47:14 821 +0000","affObjs":"{}","uid":"a0d3b09f66acb238d9f95ab1155d075e","host":"198.51.100.16","action":"set","time":"1590576434821","user":"admin","reqURL":"https://198.51.100.16/activitylogs-api/rest/api/v1/activityLogs/settings/set","respCode":"200"}

The fields in the example have the following values; the actionParams section, which is the second section in the example, indicates that the action involved setting user-activity log parameters:

  • timestamp—May 18 09:56:36

  • hostname of syslog entry producer—nsp-1a3

  • program name—activitylogs

  • User Activity Log entry—the remainder of the record, which begins with "app":"Users And Security"; it is in JSON format and includes the following fields:

    • app—source NSP function from which action performed

    • clientHost—remote hostname or IP address that invokes action

    • reqMethod—type of action performed

    • actionParams—array; contains parameters passed to action

    • addlParams—array; contains parameters or other such values not in other fields

    • respCodePhrase—human-readable action response code

    • timeStamp—time at which action completed

    • affObjs—array of affected-object attributes, for example, FDN and ID

    • uid—record ID

    • host—IP address of server on which action performed

    • action—name of action performed

    • user—username under which action performed

    • reqURL—HTTP URL of the executed HTTP request

    • respCode—action response code, in integer format
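
The following Python parser for the record format described above is an added example, not part of the NSP documentation or product code. It splits the syslog header from the JSON entry, decodes the JSON nested in actionParams, and flags a successful change to the activity-log settings, which a log collector may want to alert on. The names parse_record and changes_log_settings are hypothetical, and the input is the example record from this page joined into one contiguous line.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# The page's example record, joined into one contiguous line as a collector receives it.
SAMPLE = (
    r'May 18 09:56:36 nsp-1a3 activitylogs: {"app":"Users And Security","clientHost":"203.0.100.5",'
    r'"reqMethod":"POST","addlParams":"{}","actionParams":[{"val":"'
    r'{\"retentionPeriod\":32,\"activityLogsMaxSize\":1000000,\"activityLogsWarningThreshold\":95,'
    r'\"activityLogsCriticalThreshold\":100,\"activityLogsWarningPurgePercent\":5,'
    r'\"activityLogsCriticalPurgePercent\":10}","key":"jsonRequest"}],"respCodePhrase":"OK",'
    r'"timeStamp":"2020/05/27 10:47:14 821 +0000","affObjs":"{}",'
    r'"uid":"a0d3b09f66acb238d9f95ab1155d075e","host":"198.51.100.16","action":"set",'
    r'"time":"1590576434821","user":"admin","respCode":"200",'
    r'"reqURL":"https://198.51.100.16/activitylogs-api/rest/api/v1/activityLogs/settings/set"}'
)

HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program>[^\s:]+): (?P<entry>\{.*\})\s*$"
)

def parse_record(line):
    """Split the syslog header from the JSON entry and decode nested JSON values."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not a user activity syslog record")
    rec = m.groupdict()
    entry = json.loads(rec["entry"])
    params = {}
    for p in entry.get("actionParams", []):
        try:  # values such as jsonRequest carry JSON encoded as a string
            params[p["key"]] = json.loads(p["val"])
        except (TypeError, ValueError):
            params[p["key"]] = p["val"]  # keep non-JSON values unchanged
    entry["actionParams"] = params
    # The header timestamp has no year or zone; use the entry's epoch-millisecond "time".
    ms = int(entry["time"])
    rec["completed_utc"] = (datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
                            + timedelta(milliseconds=ms % 1000))
    rec["entry"] = entry
    return rec

def changes_log_settings(rec):
    """True for a successful change to the activity-log settings themselves."""
    e = rec["entry"]
    return (e["reqURL"].endswith("/activityLogs/settings/set")
            and int(e["respCode"]) == 200)
```
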