Audit logging

During installation, you can create an audit database to log all Management Station user actions. Then, whenever a Management Station user performs an action, information about the action is written to this audit database. The information remains in the database for a year before the Management Station automatically purges it.

Schema overview

Each of the tables in the audit logging database are independent of each other.

t_login_logout_audit

The t_login_logout_audit table tracks the login and logout information about Management Station users.

Field name

Description

Type

Constraints

username (Composite key)

Name of the user who logged in or logged out.

varchar(255)

NOT NULL

ipaddress (Index)

IP Address of the user who logged in or logged out.

varchar(255)

NOT NULL

operation (Index)

Type of operation: Login or Logout.

varchar(255)

NOT NULL

operation_result

Whether the operation was a Success or a Failure.

varchar(255)

NOT NULL

description

Details about the operation:

  • Self Login—Normal login by a user.
  • Self Logout—Normal logout by a user. The user logged out manually, or via the Management Station Administration tab.
  • Wrong Credentials While Self Login—User tried to login, but did not provide a valid username/password.
  • Forced LogOut by User having admin rights—An administrator or other user having administrator rights logged out the user.
  • Self Logout By Login With New Session—User created another session and tried to login, and was prompted to log out from the previous session.

varchar(255)

NOT NULL

operation_time (Composite key)

Time when the operation was performed.

datetime

NOT NULL

operator (Index)

Name of the user who performed the operation.

varchar(255)

NOT NULL

This query shows how to select all instances of failed login attempts, using the t_login_logout_audit table:

SELECT username, description, operation_time
FROM t_login_logout_audit
WHERE description = 'Failed Login'
ORDER BY operation_time DESC;

t_user_details_audit

The t_user_details_audit table tracks user-related operations performed on Management Station users.

Field name

Description

Type

Constraints

username (Composite Key)

Name of the user who is created or updated.

varchar(255)

NOT NULL

operation (Index)

Operation performed on user:

  • Adding New User—Defined a new user account.
  • Editing User Information—Modified an existing user’s contact information.
  • Editing User Privileges—Modified the privileges accorded to an existing user.
  • Removing User—Deleted an existing user.
  • Locking User Account—System automatically locked the user account following five unsuccessful attempts to log in.
  • UnLocking User Account—An administrator or other user with administrator rights unlocked a locked user account.

varchar(255)

NOT NULL

details

Additional details about the operation. The details depend on the type of the operation that was performed:

  • Adding New User—The Username and default Privileges accorded to the new user.
  • Editing User Information—The user’s First Name, Last Name, Email, Phone Number, and Pager.
  • Editing User Privileges—The user‘s Privileges.
  • Removing User—“Removing User from the Database”.
  • Locking User Account—Username and Failed Login Attempts.
  • UnLocking User Account—The Username and Failed Login Attempts (automatically reset to 0).

text

  

operation_time (Composite Key)

Time when the operation was performed.

    

operator (Index)

Name of the user who performed the operation.

   

This query shows how to select all user-related operations performed during a specific 24-hour period, using the t_user_details_audit table:

SELECT * FROM t_user_details_audit p
WHERE p.operation_time BETWEEN 
      '2012-07-15 13:07:17' AND '2012-07-16 13:07:17'
ORDER BY operation_time DESC;

t_system_details_audit

The t_system_details_audit table tracks operations performed by Management Station users.

Field name

      

operation (Index)

Operation performed (for example, adding a cluster, removing a cluster, assigning a role to a host, and so on).

   

scope (Index)

Defines the level at which the operation was performed (Network/Cluster/Host or Service).

   

details

Additional details about the item. Depending on the operation performed, these can include items such as the Host Name or Cluster Name, Host Role, Parent Name, and Service Type.

   

operation_time (Index)

Time when the operation was performed.

   

operator (Index)

Name of the user who performed the operation.

   

This query shows how to select all operations performed by Management Station users during a specific 24-hour period, using the t_system_details_audit table: 

SELECT * FROM t_system_details_audit p 
WHERE p.operation_time BETWEEN 
      '2010-07-15 13:07:17' AND '2010-07-16 13:07:17'
ORDER BY operation_time DESC;