ZABBIX BUGS AND ISSUES
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-2815

Missing audit records for different actions in zabbix GUI and API

    Details

    • Type: Incident report Incident report
    • Status: READY TO DEVELOP
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: API (A), Frontend (F)
    • Labels:
    • Team:
      Team A
    • Sprint:
      Sprint 1

      Description

      following actions are not in audit log:

      login
      create host group
      update host group
      activate host group
      disable host group
      update host
      delete screen
      delete map
      general - create macro
      general - delete macro

      if action is for trigger or item, hostname should be added to description.

      changes performed via API missing in auditlog.

        Issue Links

          Activity

          Hide
          richlv added a comment - - edited

          1.8 branch, rev 13814

          1. regression. create hostgroup : Undefined index: groupid[/srv/www/htdocs/ZBX-2815/hostgroups.php:82]
          2. activate a hostgroup : hosts.status: 0 => 0
          such non-changes should not be recorded in the auditlog
          3. proxy name in auditlog entries has excess space added : [x ]
          4. (could be added as a separate issue) modify a trigger, but don't change the expression. expression is rewritten & a new functionid is generated. should not happen.
          5. (could be added as a separate issue) auditlog filter - resource dropdown not sorted (but contains lots of entries -> hard to use)
          6. things still missing :
          6.1. update hostgroup (modify hosts belonging to it)
          6.2. edit host properties, modify group membership (both groups & new group)
          6.3. add template
          6.4. modify template (group membership, user macros)
          6.5. modify host (user macros, profile + extended profile - status & details)
          6.6. when deleting a template, it is registered as a host deletion
          6.7. admin -> general -> images - change image type
          6.8. admin -> general -> gui - "Event acknowledges" is recorded as the opposite in the auditlog details
          6.9. modify global macro
          6.11. delete action
          6.12. delete slideshow from the list
          6.13. delete graph
          6.14. delete media type
          6.15. delete global macro
          6.16. update map

          Show
          richlv added a comment - - edited 1.8 branch, rev 13814 1. regression. create hostgroup : Undefined index: groupid [/srv/www/htdocs/ZBX-2815/hostgroups.php:82] 2. activate a hostgroup : hosts.status: 0 => 0 such non-changes should not be recorded in the auditlog 3. proxy name in auditlog entries has excess space added : [x ] 4. (could be added as a separate issue) modify a trigger, but don't change the expression. expression is rewritten & a new functionid is generated. should not happen. 5. (could be added as a separate issue) auditlog filter - resource dropdown not sorted (but contains lots of entries -> hard to use) 6. things still missing : 6.1. update hostgroup (modify hosts belonging to it) 6.2. edit host properties, modify group membership (both groups & new group) 6.3. add template 6.4. modify template (group membership, user macros) 6.5. modify host (user macros, profile + extended profile - status & details) 6.6. when deleting a template, it is registered as a host deletion 6.7. admin -> general -> images - change image type 6.8. admin -> general -> gui - "Event acknowledges" is recorded as the opposite in the auditlog details 6.9. modify global macro 6.11. delete action 6.12. delete slideshow from the list 6.13. delete graph 6.14. delete media type 6.15. delete global macro 6.16. update map
          Hide
          richlv added a comment -

          mm, 5. already reported as ZBX-1172

          Show
          richlv added a comment - mm, 5. already reported as ZBX-1172
          Hide
          richlv added a comment - - edited

          other issues regarding auditlog :

          ZBX-1204
          ZBX-1277 (server)
          ZBX-1484
          ZBX-2212
          ZBX-4616
          ZBX-4756
          ZBX-4937

          Show
          richlv added a comment - - edited other issues regarding auditlog : ZBX-1204 ZBX-1277 (server) ZBX-1484 ZBX-2212 ZBX-4616 ZBX-4756 ZBX-4937
          Hide
          richlv added a comment -

          confirming the fix for item 1.
          other problems not fixed - either should be split out in other issue[s], or this one left open

          Show
          richlv added a comment - confirming the fix for item 1. other problems not fixed - either should be split out in other issue [s] , or this one left open
          Hide
          Igor Danoshaites added a comment -

          14. When disabling Actions in the Audit log in the "Description" column will not appear name of the action. Not so critical, but would be nice to fix as at this moment it is hard to understand what action has been disabled/enabled.

          26 Aug 2010 17:32:24 Admin 192.168.3.37 Action Updated 0 [....] Actions [7] enabled
          26 Aug 2010 17:31:43 Admin 192.168.3.37 Action Updated 0 [....] Actions [7] disabled

          Show
          Igor Danoshaites added a comment - 14. When disabling Actions in the Audit log in the "Description" column will not appear name of the action. Not so critical, but would be nice to fix as at this moment it is hard to understand what action has been disabled/enabled. 26 Aug 2010 17:32:24 Admin 192.168.3.37 Action Updated 0 [....] Actions [7] enabled 26 Aug 2010 17:31:43 Admin 192.168.3.37 Action Updated 0 [....] Actions [7] disabled
          Hide
          Igor Danoshaites added a comment -

          > following actions are not in audit log:

          login - in v1.9.10 (rev # 25318) it is working fine, in the "auditlog" there are records for the "User Login"operation, but no records about "User Logout", more info is available in issue ZBX-4616;

          create host group - in v1.9.10 (rev # 25318) in the "auditlog" it is working fine, there are records for the "Add Host group" operation;

          update host group - in v1.9.10 (rev # 25318) in the "auditlog" it is working fine, there are records for the "Update Host group" operation;

          activate host group - enable/disable actions is a big problem for any resource at this moment (for more info please see issue ZBX-4616), but in v1.9.10 (rev # 25318) info about enabling /disabling host group is available in the "auditlog" for the "Update" action: hosts.status: 0 => 1;

          disable host group - enable/disable actions is a big problem for any resource at this moment (for more info please see issue ZBX-4616), but in v1.9.10 (rev # 25318) info about enabling /disabling host group is available in the "auditlog" for the "Update" action: hosts.status: 1 => 0

          update host - in v1.9.10 (rev # 25318) info about host update is available in the "auditlog" for the "Update" action: hosts.name: H1 => H1 updated (but this is working not for all fields, there is not reflected info about changes in the host groups, interfaces, etc);

          delete screen - in v1.9.10 (rev # 25318) info about deleting screen is available in the "auditlog" for the "Delete" action;

          delete map - in v1.9.10 (rev # 25318) info about deleting screen is available in the "auditlog" for the "Delete" action;

          general - create macro - this is working fine in v1.9.10 (rev # 25318), info about macro creation is available in the "auditlog" for the "Add" action;
          general - delete macro - this is working fine in v1.9.10 (rev # 25318), info about macro creation is available in the "auditlog" for the "Delete" action;

          Show
          Igor Danoshaites added a comment - > following actions are not in audit log: login - in v1.9.10 (rev # 25318) it is working fine, in the "auditlog" there are records for the "User Login"operation, but no records about "User Logout", more info is available in issue ZBX-4616 ; create host group - in v1.9.10 (rev # 25318) in the "auditlog" it is working fine, there are records for the "Add Host group" operation; update host group - in v1.9.10 (rev # 25318) in the "auditlog" it is working fine, there are records for the "Update Host group" operation; activate host group - enable/disable actions is a big problem for any resource at this moment (for more info please see issue ZBX-4616 ), but in v1.9.10 (rev # 25318) info about enabling /disabling host group is available in the "auditlog" for the "Update" action: hosts.status: 0 => 1; disable host group - enable/disable actions is a big problem for any resource at this moment (for more info please see issue ZBX-4616 ), but in v1.9.10 (rev # 25318) info about enabling /disabling host group is available in the "auditlog" for the "Update" action: hosts.status: 1 => 0 update host - in v1.9.10 (rev # 25318) info about host update is available in the "auditlog" for the "Update" action: hosts.name: H1 => H1 updated (but this is working not for all fields, there is not reflected info about changes in the host groups, interfaces, etc); delete screen - in v1.9.10 (rev # 25318) info about deleting screen is available in the "auditlog" for the "Delete" action; delete map - in v1.9.10 (rev # 25318) info about deleting screen is available in the "auditlog" for the "Delete" action; general - create macro - this is working fine in v1.9.10 (rev # 25318), info about macro creation is available in the "auditlog" for the "Add" action; general - delete macro - this is working fine in v1.9.10 (rev # 25318), info about macro creation is available in the "auditlog" for the "Delete" action;
          Hide
          Igor Danoshaites added a comment -

          1. regression. create hostgroup : Undefined index: groupid[/srv/www/htdocs/ZBX-2815/hostgroups.php:82] -not reproducible in v1.9.10 (rev # 25318);

          2. activate a hostgroup - not reproducible in v1.9.10 (rev # 25318);

          activate a hostgroup : hosts.status: 0 => 0 - can not reproduce the same case in v1.9.10 (rev # 25318);

          3. proxy name in auditlog entries has excess space added : [x ] - this case is also reproducible in v1.9.10 (rev # 25318);

          4. modify a trigger, but don't change the expression. expression is rewritten & a new functionid is generated. should not happen. - can not reproduce the same case in v1.9.10 (rev # 25318);

          5. auditlog filter - resource dropdown not sorted (but contains lots of entries -> hard to use) - this is already fixed in v1.9.10 (rev # 25318);

          6. things still missing :

          6.1. update hostgroup (modify hosts belonging to it) - this is still reproducible in trunk, v1.9.10 (rev # 25318);

          6.2. edit host properties, modify group membership (both groups & new group) - this is still reproducible in trunk, v1.9.10 (rev # 25318);

          6.3. add template - this is working fine in v1.9.10 (rev # 25318). When adding new template in the Auditlog will be appear new record "Template Added";

          6.4. modify template (group membership, user macros)

          6.5. modify host (user macros, profile + extended profile - status & details)

          6.6. when deleting a template, it is registered as a host deletion - the same problem is still reproducible in v1.9.10 (rev # 25318): when deleting template, in the "auditlog" table in the DB in the "resourcetype" column will be recorded incorrect value: there should be value "30" (AUDIT_RESOURCE_TEMPLATE), but is recorded value "4" (AUDIT_RESOURCE_HOST);

          6.7. admin > general -> images - change image type - in v1.9.10 (rev # 25318), in the Auditlog will be shown that something has been changed (will appear record "Image Updated"), but no details what exactly has been changed name, type or smth else;

          6.8. admin -> general -> gui - "Event acknowledges" is recorded as the opposite in the auditlog details - In v1.9.10 (rev # 25318), when disabling event acknowledges, in the "auditlog" table will be recorded "Event acknowledges []" (so empty value instead of 0). But when enabling event acknowledges, in the "auditlog" table will be recorded "Event acknowledges [1];

          6.9. modify global macro - this is working fine in v1.9.10 (rev # 25318);

          6.11. delete action - In v1.9.10 (rev # 25318), when deleting action, in the "auditlog" table there will be no records for the "Delete Action" operation, and hence no records in the "Audit Log" report for such operation;

          6.12. delete slideshow from the list - In v1.9.10 (rev # 25318) there is no record in the "Administration->Audit" report for the slide show delete operation, there is also no any record in the DB for this operation (no record for "delete" operation and no record for "update" operation);

          6.13. delete graph - In v1.9.10 (rev # 25318) there is no records in the DB in the "auditlog" table and in the "Audit" report for the "Delete graph" operation;

          6.14. delete Media type - In v1.9.10 (rev # 25318) there is the same problem: no appropriate record in the "Administration->Audit" report about Media type deletion, there is also no record in the DB in the "auditlog" table for this operation;

          6.15. delete global macro - in v1.9.10 (rev # 25318) in the Audit report is displayed "Macro Deleted" when deleting global macro, but there is incorrect description in the "auditlog.resourcename" field when deleting globalmacro: there is written "Array ⇒ abcd" (and hence in the "Audit" report in the "description" column is visible the following text: "Array ⇒ abcd", this is not correct. Should be written the following text: "{$A} ⇒ abcd";

          6.16. update map - in some cases (for example, when adding/deleting map elements) when updating map, in the Audit log record about map update will not appear;

          Show
          Igor Danoshaites added a comment - 1. regression. create hostgroup : Undefined index: groupid [/srv/www/htdocs/ZBX-2815/hostgroups.php:82] -not reproducible in v1.9.10 (rev # 25318); 2. activate a hostgroup - not reproducible in v1.9.10 (rev # 25318); activate a hostgroup : hosts.status: 0 => 0 - can not reproduce the same case in v1.9.10 (rev # 25318); 3. proxy name in auditlog entries has excess space added : [x ] - this case is also reproducible in v1.9.10 (rev # 25318); 4. modify a trigger, but don't change the expression. expression is rewritten & a new functionid is generated. should not happen. - can not reproduce the same case in v1.9.10 (rev # 25318); 5. auditlog filter - resource dropdown not sorted (but contains lots of entries -> hard to use) - this is already fixed in v1.9.10 (rev # 25318); 6. things still missing : 6.1. update hostgroup (modify hosts belonging to it) - this is still reproducible in trunk, v1.9.10 (rev # 25318); 6.2. edit host properties, modify group membership (both groups & new group) - this is still reproducible in trunk, v1.9.10 (rev # 25318); 6.3. add template - this is working fine in v1.9.10 (rev # 25318). When adding new template in the Auditlog will be appear new record "Template Added"; 6.4. modify template (group membership, user macros) 6.5. modify host (user macros, profile + extended profile - status & details) 6.6. when deleting a template, it is registered as a host deletion - the same problem is still reproducible in v1.9.10 (rev # 25318): when deleting template, in the "auditlog" table in the DB in the "resourcetype" column will be recorded incorrect value: there should be value "30" (AUDIT_RESOURCE_TEMPLATE), but is recorded value "4" (AUDIT_RESOURCE_HOST); 6.7. admin > general -> images - change image type - in v1.9.10 (rev # 25318), in the Auditlog will be shown that something has been changed (will appear record "Image Updated"), but no details what exactly has been changed name, type or smth else; 6.8. admin -> general -> gui - "Event acknowledges" is recorded as the opposite in the auditlog details - In v1.9.10 (rev # 25318), when disabling event acknowledges, in the "auditlog" table will be recorded "Event acknowledges []" (so empty value instead of 0). But when enabling event acknowledges, in the "auditlog" table will be recorded "Event acknowledges [1] ; 6.9. modify global macro - this is working fine in v1.9.10 (rev # 25318); 6.11. delete action - In v1.9.10 (rev # 25318), when deleting action, in the "auditlog" table there will be no records for the "Delete Action" operation, and hence no records in the "Audit Log" report for such operation; 6.12. delete slideshow from the list - In v1.9.10 (rev # 25318) there is no record in the "Administration->Audit" report for the slide show delete operation, there is also no any record in the DB for this operation (no record for "delete" operation and no record for "update" operation); 6.13. delete graph - In v1.9.10 (rev # 25318) there is no records in the DB in the "auditlog" table and in the "Audit" report for the "Delete graph" operation; 6.14. delete Media type - In v1.9.10 (rev # 25318) there is the same problem: no appropriate record in the "Administration->Audit" report about Media type deletion, there is also no record in the DB in the "auditlog" table for this operation; 6.15. delete global macro - in v1.9.10 (rev # 25318) in the Audit report is displayed "Macro Deleted" when deleting global macro, but there is incorrect description in the "auditlog.resourcename" field when deleting globalmacro: there is written "Array ⇒ abcd" (and hence in the "Audit" report in the "description" column is visible the following text: "Array ⇒ abcd", this is not correct. Should be written the following text: "{$A} ⇒ abcd"; 6.16. update map - in some cases (for example, when adding/deleting map elements) when updating map, in the Audit log record about map update will not appear;
          Hide
          Oleksiy Zagorskyi added a comment - - edited

          (17) Let's continue numbering from (17)

          Regression: in 1.8 adding an item is audited, in 2.0 - doesn't

          <richlv> also reported as ZBXNEXT-2802

          Show
          Oleksiy Zagorskyi added a comment - - edited (17) Let's continue numbering from (17) Regression: in 1.8 adding an item is audited, in 2.0 - doesn't < richlv > also reported as ZBXNEXT-2802
          Hide
          Oleksiy Zagorskyi added a comment -

          (18) Changing a host IP address is not auditing. (v 2.0.4)

          Show
          Oleksiy Zagorskyi added a comment - (18) Changing a host IP address is not auditing. (v 2.0.4)
          Hide
          Denis Losakovs added a comment -

          Hello, any news about this bug?
          Thanks

          Show
          Denis Losakovs added a comment - Hello, any news about this bug? Thanks
          Hide
          richlv added a comment -

          (19) nothing about iconmaps

          Show
          richlv added a comment - (19) nothing about iconmaps
          Hide
          richlv added a comment - - edited

          (20) we have resource for trigger prototype, but nothing for item/graph prototypes and lld rules;
          also, apparently only updates and deletions of trigger protos are registered, additions are not

          Oleksiy Zagorskyi as for 2014-07-14 on v2.2.4 I can see that only trigger proto deletion is registered, any other action - do not.

          Show
          richlv added a comment - - edited (20) we have resource for trigger prototype, but nothing for item/graph prototypes and lld rules; also, apparently only updates and deletions of trigger protos are registered, additions are not Oleksiy Zagorskyi as for 2014-07-14 on v2.2.4 I can see that only trigger proto deletion is registered, any other action - do not.
          Hide
          Oleksiy Zagorskyi added a comment -

          ZBX-4842 asks for missing auditing in API, linked just in case

          Show
          Oleksiy Zagorskyi added a comment - ZBX-4842 asks for missing auditing in API, linked just in case
          Hide
          Oleksiy Zagorskyi added a comment - - edited

          (21) bad usability, probably it's logical to post in this issue:

          I needed to do some log auditing. Very specific auditing - disabling of hosts.
          One would think that for that criteria, under Administration --> Audit you would set "User" to the appropriate user ID, set Action to "Disable" and set Resource to "Host".

          I get NOTHING in return even though I've just disabled many servers.
          Apparently if you want to see hosts that you have disabled, you should not use "disable" under the action, you have to use an "update" action.

          Show
          Oleksiy Zagorskyi added a comment - - edited (21) bad usability, probably it's logical to post in this issue: I needed to do some log auditing. Very specific auditing - disabling of hosts. One would think that for that criteria, under Administration --> Audit you would set "User" to the appropriate user ID, set Action to "Disable" and set Resource to "Host". I get NOTHING in return even though I've just disabled many servers. Apparently if you want to see hosts that you have disabled, you should not use "disable" under the action, you have to use an "update" action.
          Hide
          Sergey Okun added a comment -

          > (18) Changing a host IP address is not auditing

          Today I had some problems just because of this. Pleeease, implement feature.

          Show
          Sergey Okun added a comment - > (18) Changing a host IP address is not auditing Today I had some problems just because of this. Pleeease, implement feature.
          Hide
          v99glu added a comment - - edited

          (22) Adding host to hostgroup or removing host from hostgroup is not audited.
          (Zabbix 2.4.0 on CentOS 6.5).

          Show
          v99glu added a comment - - edited (22) Adding host to hostgroup or removing host from hostgroup is not audited. (Zabbix 2.4.0 on CentOS 6.5).
          Hide
          richlv added a comment - - edited

          (23) failed login attempts should be added to the audit log, too

          Oleg Ivanivskyi moved to a separate issue (ZBX-9224).

          Alexander Vladishev CLOSED

          Show
          richlv added a comment - - edited (23) failed login attempts should be added to the audit log, too Oleg Ivanivskyi moved to a separate issue ( ZBX-9224 ). Alexander Vladishev CLOSED
          Hide
          Oleg Ivanivskyi added a comment -

          For successful login actions of a user, the 'Details' column shows no information. Please make audit more consistent and show the message like 'Login successful "Admin"', similar to failed attempt where we see message in 'Details' column as 'Login failed "Admin"'.

          Show
          Oleg Ivanivskyi added a comment - For successful login actions of a user, the 'Details' column shows no information. Please make audit more consistent and show the message like 'Login successful "Admin"', similar to failed attempt where we see message in 'Details' column as 'Login failed "Admin"'.
          Hide
          Igor Ivanov added a comment -

          Added logging of adding/deleting host from hostgroup from host configuration page.

          Show
          Igor Ivanov added a comment - Added logging of adding/deleting host from hostgroup from host configuration page.
          Hide
          Aleksandrs Saveljevs added a comment -

          ZBXNEXT-3385 mentions trigger and trigger prototype dependencies.

          Show
          Aleksandrs Saveljevs added a comment - ZBXNEXT-3385 mentions trigger and trigger prototype dependencies.
          Hide
          Dimitri Bellini added a comment -

          I would also suggest to record the "global script" execution, maybe with the output of the run (like what we saw on popup windows) and the relative user. On enterprise customers is very important the logging feature and zabbix have some lack on the actual implementation.
          Thanks so much

          Show
          Dimitri Bellini added a comment - I would also suggest to record the "global script" execution, maybe with the output of the run (like what we saw on popup windows) and the relative user. On enterprise customers is very important the logging feature and zabbix have some lack on the actual implementation. Thanks so much
          Hide
          Andrey Denisov added a comment - - edited

          ZBX-11261: Audit on create/update item is broken in 3.2.0

          Show
          Andrey Denisov added a comment - - edited ZBX-11261 : Audit on create/update item is broken in 3.2.0
          Hide
          orogor added a comment -

          couldnt find disabled host in the audit log either

          I searched by disabled and host for all periode, shows only 5 entries from a year ago
          but i disabled hosts just yesterday

          Show
          orogor added a comment - couldnt find disabled host in the audit log either I searched by disabled and host for all periode, shows only 5 entries from a year ago but i disabled hosts just yesterday
          Hide
          Alexander Vladishev added a comment -

          Under ZBX-3783 audit logging has been added for these API methods:

          • application: create(), update() and delete()
          • hostgroup: create(), update() and delete()
          • script: create(), update(), delete() and execute(}
          • user: create(), update(), delete(), login(), logout() and checkauthenticate()
          • usergroup: create(), update() and delete()
          • usermacro: createglobal(), updateglobal() and deleteglobal()
          • valuemap: create(), update() and delete()
          • iconmap: create(), update() and delete()
          • httptest: create(), update() and delete()
          Show
          Alexander Vladishev added a comment - Under ZBX-3783 audit logging has been added for these API methods: application : create() , update() and delete() hostgroup : create() , update() and delete() script : create() , update() , delete() and execute( } user : create() , update() , delete() , login() , logout() and checkauthenticate() usergroup : create() , update() and delete() usermacro : createglobal() , updateglobal() and deleteglobal() valuemap : create() , update() and delete() iconmap : create() , update() and delete() httptest : create() , update() and delete()
          Hide
          Alexander Kuznetsov added a comment -

          Thanks you for new audit feature.
          I would like to add logging facility "add\unlink" operations template to host.

          Show
          Alexander Kuznetsov added a comment - Thanks you for new audit feature. I would like to add logging facility "add\unlink" operations template to host.

            People

            • Assignee:
              Alexander Vladishev
              Reporter:
              Alexey Fukalov
            • Votes:
              24 Vote for this issue
              Watchers:
              26 Start watching this issue

              Dates

              • Created:
                Updated:

                Agile