03-12-2018 12:50 AM
We are using WinSCP client to manage files on Infoblox. Is it possible to configure audit logs for activities made via third party ftp client ( add/remove/modify files)?
I see audit logs if file was deleted via GUI but no logs at all if it was deleted via ftp client.
Thank you in advance.
03-12-2018 08:10 AM
Chapter “File Distribution Services” of the NIOS administrator guide 8.2 states: ‘The logs for file transfers using third party clients can be found in syslog’. It also states the following:
“File uploads and downloads by FTP and TFTP file distribution clients are logged in the syslog under the Administration -> Logs tabs. The logs store the following information:
- Client IP
- Date and Time
- Event type
- File(s) downloaded and/or uploaded”
This does give the impression that such events are expected to be seen only in the syslog. In that case, you may need to work with Infoblox support to file a feature request on your behalf for seeing such events in the audit logs as well (if they confirm this limitation to be working as expected).
I hope this addresses your concern.
03-12-2018 11:11 AM
You are right, I see the logs on the Infoblox syslog tab but not on the remote syslog server. It seems I have to look more closely at why these logs are not being sent to the syslog server.
03-12-2018 06:18 PM
I am assuming that you have configured the external syslog server as described in the ‘Using a Syslog Server’ section of the chapter ‘Monitoring the Appliance’ in the NIOS administrator guide.
If yes, are you able to see other syslogs on the external server, apart from these specific logs which you are looking for? In that case, please consider the following:
- Check the severity/source/logging category under: Grid -> Grid Manager -> Members -> Edit the specific member/master -> Monitoring -> Edit the defined server under ‘External Syslog Servers’. You may refer to the snippet below for reference:
- ‘Severity’ and ‘Logging category’ may be critical in this case. When you choose a severity level, the appliance sends log messages with the selected level and the levels above it. The severity levels range from the lowest, debug, to the highest, emerg. For example, if you choose debug, the appliance sends all syslog messages to the server. If you choose err, the appliance sends messages with severity levels err, crit, alert, and emerg. Logging category may be important here if we are looking at a problem where some of the syslogs seem to be missing from the external syslog server.
- If the severity level selected is ‘Debug’ and the ‘Logging category’ selected is ‘Send all’, I would expect all the syslog messages to be forwarded to your external syslog server.
Now, if we are looking at a problem where none of the syslogs are being forwarded to your external syslog server, you may need to consider the following to begin with:
- Try pinging the external syslog server’s IP address from the CLI of the server and see if it is reachable.
- Or, a traffic capture collected from the server would help you understand whether there are any such connectivity problems which could be a hindrance. The default destination port number used is 514 for TCP and UDP. For Secure TCP, the default port is 6514. So this is something worth checking to start with. You may apply 'ip.addr==<IP address of your syslog server>' as a filter in the collected traffic capture, which would help you to be specific in review.
Please let us know if there are any questions.
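The severity rule quoted in the answer above (a chosen level forwards that level and everything more severe) is easy to get backwards, because syslog numbers severities so that the most severe level is 0 and debug is 7. The following script is an added example, not Infoblox or NIOS code: it decodes the `<PRI>` header of syslog lines, applies a threshold the way a relay would, and reports which lines a given setting would drop. The sample log lines, the hostname `member1`, and the `ftpd` message texts are constructed for this example and do not reproduce the real NIOS message format.

```python
"""Syslog severity-threshold filtering, as described in the thread above.

Added example, not Infoblox/NIOS code. Models the rule: a relay set to a
severity threshold forwards messages at that level and every more severe
level, and drops the rest. Sample lines are constructed, not real NIOS output.
"""
import re

# RFC 5424 / RFC 3164 severity names; list index == numeric severity (0 = most severe).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A syslog message begins with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) decoded from the line's <PRI> header."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> header: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def severity_name(line):
    """Symbolic severity of a line, e.g. 'info'."""
    return SEVERITIES[parse_pri(line)[1]]


def forwarded(line, threshold):
    """True if a relay configured with `threshold` would send this line on.

    Lower numeric severity is more severe, so an 'err' (3) line passes a
    'notice' (5) threshold while an 'info' (6) line does not.
    """
    return parse_pri(line)[1] <= SEVERITIES.index(threshold)


def relay(lines, threshold):
    """Apply the threshold to a batch; return the lines that would arrive."""
    return [ln for ln in lines if forwarded(ln, threshold)]


def minimum_threshold(lines):
    """Least verbose threshold that still forwards every line in `lines`.

    Handy when you know which events must reach the remote collector and
    want the narrowest setting that delivers all of them.
    """
    return SEVERITIES[max(parse_pri(ln)[1] for ln in lines)]


def explain_drops(lines, threshold):
    """Human-readable reason for each line the relay would discard."""
    limit = SEVERITIES.index(threshold)
    out = []
    for ln in lines:
        sev = parse_pri(ln)[1]
        if sev > limit:
            out.append(f"dropped ({SEVERITIES[sev]} > {threshold}): {ln}")
    return out


# Constructed sample: facility daemon (3) at several severities.
SAMPLE_LINES = [
    "<30>Mar 12 00:41:12 member1 ftpd: upload of config.bak from 192.0.2.10 (constructed)",  # info
    "<29>Mar 12 00:41:20 member1 ftpd: session from 192.0.2.10 closed (constructed)",         # notice
    "<27>Mar 12 00:42:05 member1 ftpd: login failed for user admin (constructed)",             # err
    "<31>Mar 12 00:42:07 member1 ftpd: PASV data channel opened (constructed)",                # debug
]

if __name__ == "__main__":
    # With the threshold at 'notice', the info-level upload event never leaves the box.
    for reason in explain_drops(SAMPLE_LINES, "notice"):
        print(reason)
    print("narrowest threshold that still forwards the first three lines:",
          minimum_threshold(SAMPLE_LINES[:3]))
```

Run it against lines exported from the appliance's own syslog tab (after confirming their `<PRI>` headers are present) to see which threshold setting a remote collector actually needs before touching the member configuration.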
03-12-2018 10:51 PM
Indeed, the "Notice" severity level was configured, but the messages were sent with the "Info" level.
After changing severity on members I see required logs on remote syslog server.
Thank you for your help and detailed explanation!