[ZBX-2815] Missing audit records for different actions in zabbix GUI and API Created: 2010 Aug 04  Updated: 2024 Apr 10  Resolved: 2022 May 16

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A), Frontend (F)
Affects Version/s: 4.4.7
Fix Version/s: None

Type: Incident report Priority: Critical
Reporter: Alexey Fukalov Assignee: Vladimirs Maksimovs
Resolution: Duplicate Votes: 80
Labels: audit
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Selection_468.png     File hosts.php     PNG File image-2021-01-07-09-45-15-618.png    
Issue Links:
Causes
Duplicate
duplicates ZBXNEXT-6470 Make audit log complete and reliable In Progress
is duplicated by ZBXNEXT-2802 "Added" action should exist to item a... Closed
is duplicated by ZBXNEXT-3385 Add logging dependencies change in a ... Closed
is duplicated by ZBXNEXT-3475 action deleted audit logs are not rec... Closed
is duplicated by ZBXNEXT-3573 Import operation is not recorded in A... Closed
is duplicated by ZBX-10000 Zabbix 2.4.4 Audit log not working Closed
is duplicated by ZBX-1204 screen deletion not registered on the... Closed
is duplicated by ZBX-1484 host editing not registered in auditlog Closed
is duplicated by ZBX-2212 lack of data in audit Closed
is duplicated by ZBX-3455 Action deleting not registered in aud... Closed
is duplicated by ZBX-4842 changes performed via API missing in ... Closed
is duplicated by ZBX-4937 API login auditing - inconsistency Closed
is duplicated by ZBX-8628 Missing audit records when eddting items Closed
is duplicated by ZBX-17734 Audit log consistency Closed
is duplicated by ZBX-4616 Problems in the "Administration->Audi... Closed
is duplicated by ZBX-6000 Updating host name or visible name vi... Closed
is duplicated by ZBX-11261 Audit on create/update item is broken Closed
is duplicated by ZBX-1277 host auto-registration not registered... Closed
is duplicated by ZBX-12478 Auditlog for usermacros on host/templ... Closed
is duplicated by ZBX-13182 useless translatable string - "Zabbix... Closed
is duplicated by ZBX-18707 No audit for associations like Host a... Closed
Sub-task
depends on ZBX-17468 Duplicate audit log - hosts.status Closed
part of ZBX-3783 Proper API validation Reopened
Team: Team C

 Description   

following actions are not in audit log:

login
create host group
update host group
activate host group
disable host group
update host
delete screen
delete map
general - create macro
general - delete macro

if action is for trigger or item, hostname should be added to description.

changes performed via API missing in auditlog.



 Comments   
Comment by richlv [ 2010 Aug 06 ]

1.8 branch, rev 13814

1. regression. create hostgroup : Undefined index: groupid[/srv/www/htdocs/ZBX-2815/hostgroups.php:82]
2. activate a hostgroup : hosts.status: 0 => 0
such non-changes should not be recorded in the auditlog
3. proxy name in auditlog entries has excess space added : [x ]
4. (could be added as a separate issue) modify a trigger, but don't change the expression. expression is rewritten & a new functionid is generated. should not happen.
5. (could be added as a separate issue) auditlog filter - resource dropdown not sorted (but contains lots of entries -> hard to use)
6. things still missing :
6.1. update hostgroup (modify hosts belonging to it)
6.2. edit host properties, modify group membership (both groups & new group)
6.3. add template
6.4. modify template (group membership, user macros)
6.5. modify host (user macros, profile + extended profile - status & details)
6.6. when deleting a template, it is registered as a host deletion
6.7. admin -> general -> images - change image type
6.8. admin -> general -> gui - "Event acknowledges" is recorded as the opposite in the auditlog details
6.9. modify global macro
6.11. delete action
6.12. delete slideshow from the list
6.13. delete graph
6.14. delete media type
6.15. delete global macro
6.16. update map

Comment by richlv [ 2010 Aug 06 ]

mm, 5. already reported as ZBX-1172

Comment by richlv [ 2010 Aug 06 ]

other issues regarding auditlog :

ZBX-1204
ZBX-1277 (server)
ZBX-1484
ZBX-2212
ZBX-4616
ZBX-4756
ZBX-4937

Comment by richlv [ 2010 Aug 19 ]

confirming the fix for item 1.
other problems not fixed - either should be split out in other issue[s], or this one left open

Comment by Igor Danoshaites (Inactive) [ 2010 Aug 26 ]

14. When disabling Actions, the name of the action will not appear in the "Description" column of the Audit log. Not so critical, but it would be nice to fix, as at this moment it is hard to understand what action has been disabled/enabled.

26 Aug 2010 17:32:24 Admin 192.168.3.37 Action Updated 0 [....] Actions [7] enabled
26 Aug 2010 17:31:43 Admin 192.168.3.37 Action Updated 0 [....] Actions [7] disabled

Comment by Igor Danoshaites (Inactive) [ 2012 Feb 23 ]

> following actions are not in audit log:

login - in v1.9.10 (rev # 25318) it is working fine, in the "auditlog" there are records for the "User Login" operation, but no records about "User Logout", more info is available in issue ZBX-4616;

create host group - in v1.9.10 (rev # 25318) in the "auditlog" it is working fine, there are records for the "Add Host group" operation;

update host group - in v1.9.10 (rev # 25318) in the "auditlog" it is working fine, there are records for the "Update Host group" operation;

activate host group - enable/disable actions is a big problem for any resource at this moment (for more info please see issue ZBX-4616), but in v1.9.10 (rev # 25318) info about enabling /disabling host group is available in the "auditlog" for the "Update" action: hosts.status: 0 => 1;

disable host group - enable/disable actions is a big problem for any resource at this moment (for more info please see issue ZBX-4616), but in v1.9.10 (rev # 25318) info about enabling /disabling host group is available in the "auditlog" for the "Update" action: hosts.status: 1 => 0

update host - in v1.9.10 (rev # 25318) info about host update is available in the "auditlog" for the "Update" action: hosts.name: H1 => H1 updated (but this does not work for all fields; info about changes in the host groups, interfaces, etc. is not reflected);

delete screen - in v1.9.10 (rev # 25318) info about deleting screen is available in the "auditlog" for the "Delete" action;

delete map - in v1.9.10 (rev # 25318) info about deleting screen is available in the "auditlog" for the "Delete" action;

general - create macro - this is working fine in v1.9.10 (rev # 25318), info about macro creation is available in the "auditlog" for the "Add" action;
general - delete macro - this is working fine in v1.9.10 (rev # 25318), info about macro creation is available in the "auditlog" for the "Delete" action;

Comment by Igor Danoshaites (Inactive) [ 2012 Feb 23 ]

1. regression. create hostgroup : Undefined index: groupid[/srv/www/htdocs/ZBX-2815/hostgroups.php:82] -not reproducible in v1.9.10 (rev # 25318);

2. activate a hostgroup - not reproducible in v1.9.10 (rev # 25318);

activate a hostgroup : hosts.status: 0 => 0 - can not reproduce the same case in v1.9.10 (rev # 25318);

3. proxy name in auditlog entries has excess space added : [x ] - this case is also reproducible in v1.9.10 (rev # 25318);

4. modify a trigger, but don't change the expression. expression is rewritten & a new functionid is generated. should not happen. - can not reproduce the same case in v1.9.10 (rev # 25318);

5. auditlog filter - resource dropdown not sorted (but contains lots of entries -> hard to use) - this is already fixed in v1.9.10 (rev # 25318);

6. things still missing :

6.1. update hostgroup (modify hosts belonging to it) - this is still reproducible in trunk, v1.9.10 (rev # 25318);

6.2. edit host properties, modify group membership (both groups & new group) - this is still reproducible in trunk, v1.9.10 (rev # 25318);

6.3. add template - this is working fine in v1.9.10 (rev # 25318). When adding a new template, a new record "Template Added" will appear in the Auditlog;

6.4. modify template (group membership, user macros)

6.5. modify host (user macros, profile + extended profile - status & details)

6.6. when deleting a template, it is registered as a host deletion - the same problem is still reproducible in v1.9.10 (rev # 25318): when deleting a template, an incorrect value is recorded in the "resourcetype" column of the "auditlog" table in the DB: the value should be "30" (AUDIT_RESOURCE_TEMPLATE), but the value "4" (AUDIT_RESOURCE_HOST) is recorded;

6.7. admin -> general -> images - change image type - in v1.9.10 (rev # 25318), the Auditlog shows that something has been changed (the record "Image Updated" appears), but gives no details about what exactly has been changed: name, type or smth else;

6.8. admin -> general -> gui - "Event acknowledges" is recorded as the opposite in the auditlog details - In v1.9.10 (rev # 25318), when disabling event acknowledges, "Event acknowledges []" is recorded in the "auditlog" table (so an empty value instead of 0). But when enabling event acknowledges, "Event acknowledges [1]" is recorded in the "auditlog" table;

6.9. modify global macro - this is working fine in v1.9.10 (rev # 25318);

6.11. delete action - In v1.9.10 (rev # 25318), when deleting action, in the "auditlog" table there will be no records for the "Delete Action" operation, and hence no records in the "Audit Log" report for such operation;

6.12. delete slideshow from the list - In v1.9.10 (rev # 25318) there is no record in the "Administration->Audit" report for the slide show delete operation, and there is also no record in the DB for this operation (no record for "delete" operation and no record for "update" operation);

6.13. delete graph - In v1.9.10 (rev # 25318) there are no records in the DB in the "auditlog" table and in the "Audit" report for the "Delete graph" operation;

6.14. delete Media type - In v1.9.10 (rev # 25318) there is the same problem: no appropriate record in the "Administration->Audit" report about Media type deletion, there is also no record in the DB in the "auditlog" table for this operation;

6.15. delete global macro - in v1.9.10 (rev # 25318) the Audit report displays "Macro Deleted" when deleting a global macro, but there is an incorrect description in the "auditlog.resourcename" field when deleting a global macro: "Array ⇒ abcd" is written (and hence the text "Array ⇒ abcd" is visible in the "description" column of the "Audit" report), which is not correct. The following text should be written: "{$A} ⇒ abcd";

6.16. update map - in some cases (for example, when adding/deleting map elements) when updating a map, the record about the map update will not appear in the Audit log;

Comment by Oleksii Zagorskyi [ 2012 Nov 14 ]

(17) Let's continue numbering from (17)

Regression: in 1.8 adding an item is audited, in 2.0 it isn't

<richlv> also reported as ZBXNEXT-2802

Comment by Oleksii Zagorskyi [ 2013 Jan 08 ]

(18) Changing a host IP address is not audited. (v 2.0.4)

Comment by Denis Losakovs [ 2013 Jan 09 ]

Hello, any news about this bug?
Thanks

Comment by richlv [ 2013 May 29 ]

(19) nothing about iconmaps

Comment by richlv [ 2013 May 29 ]

(20) we have resource for trigger prototype, but nothing for item/graph prototypes and lld rules;
also, apparently only updates and deletions of trigger protos are registered, additions are not

zalex_ua as of 2014-07-14 on v2.2.4 I can see that only trigger proto deletion is registered; any other action is not.

Comment by Oleksii Zagorskyi [ 2013 Jun 05 ]

ZBX-4842 asks for missing auditing in API, linked just in case

Comment by Oleksii Zagorskyi [ 2013 Jun 05 ]

(21) bad usability, probably it's logical to post in this issue:

I needed to do some log auditing. Very specific auditing - disabling of hosts.
One would think that for that criteria, under Administration --> Audit you would set "User" to the appropriate user ID, set Action to "Disable" and set Resource to "Host".

I get NOTHING in return even though I've just disabled many servers.
Apparently if you want to see hosts that you have disabled, you should not use "disable" under the action, you have to use an "update" action.

Comment by Sergey Okun [ 2014 Feb 03 ]

> (18) Changing a host IP address is not audited

Today I had some problems just because of this. Pleeease, implement feature.

Comment by v99glu [ 2014 Oct 28 ]

(22) Adding host to hostgroup or removing host from hostgroup is not audited.
(Zabbix 2.4.0 on CentOS 6.5).

Comment by richlv [ 2014 Oct 29 ]

(23) failed login attempts should be added to the audit log, too

oleg.ivanivskyi moved to a separate issue (ZBX-9224).

sasha CLOSED

Comment by Oleg Ivanivskyi [ 2015 Feb 26 ]

For successful login actions of a user, the 'Details' column shows no information. Please make audit more consistent and show the message like 'Login successful "Admin"', similar to failed attempt where we see message in 'Details' column as 'Login failed "Admin"'.

Comment by Igor Ivanov [ 2015 Jul 10 ]

Added logging of adding/deleting host from hostgroup from host configuration page.

Comment by Aleksandrs Saveljevs [ 2016 Aug 22 ]

ZBXNEXT-3385 mentions trigger and trigger prototype dependencies.

Comment by Dimitri Bellini [ 2016 Sep 22 ]

I would also suggest recording the "global script" execution, maybe with the output of the run (like what we saw in the popup windows) and the relative user. For enterprise customers the logging feature is very important, and Zabbix is somewhat lacking in the actual implementation.
Thanks so much

Comment by Andrey Denisov [ 2016 Sep 23 ]

ZBX-11261: Audit on create/update item is broken in 3.2.0

Comment by orogor [ 2016 Sep 27 ]

couldn't find disabled host in the audit log either

I searched by disabled and host for the whole period; it shows only 5 entries from a year ago
but I disabled hosts just yesterday

Comment by Alexander Vladishev [ 2017 May 08 ]

Under ZBX-3783 audit logging has been added for these API methods:

  • application: create(), update() and delete()
  • hostgroup: create(), update() and delete()
  • script: create(), update(), delete() and execute()
  • user: create(), update(), delete(), login(), logout() and checkauthenticate()
  • usergroup: create(), update() and delete()
  • usermacro: createglobal(), updateglobal() and deleteglobal()
  • valuemap: create(), update() and delete()
  • iconmap: create(), update() and delete()
  • httptest: create(), update() and delete()

Comment by Alexander Kuznetsov [ 2017 May 16 ]

Thank you for the new audit feature.
I would like to add logging of "add\unlink" template operations on a host.

Comment by Carlos Alberto Bernardi Filho [ 2017 Oct 20 ]

And about logging ADD/UPDATE/DELETE hosts?
My Version 3.2

Comment by Gabriele Armao [ 2017 Nov 10 ]

I would also like to see trigger.create, trigger.delete and trigger.update if possible

thanks

Comment by alex dekker [ 2017 Dec 27 ]

Disabling/enabling a discovery rule against a host doesn't generate anything in the audit log.

Comment by Raimonds Treimanis [ 2018 Jun 18 ]

None of usergroup permission changes are shown in audit log.

I can revoke all permissions for given group using either frontend or API and nobody will be able to find out who did it.

Comment by Oleg Ivanivskyi [ 2018 Sep 04 ]

Adding/changing/disabling/enabling an "Event correlation" doesn't generate anything in the audit also. Meanwhile, there is a record about deleted rules.

Comment by Floris Termorshuizen [ 2019 Mar 08 ]

Continuing numbering from above:

(24): Enabling/Disabling mediatype via the status button (Under Administration -> Media types) gives no Audit log entry. Editing the media type (F/E: Under Administration -> Media types -> Email) and clicking update does generate an Audit log entry (Zabbix 4.0.5)

Comment by Z3nto [ 2019 Aug 01 ]

@Zabbix Development Team is there any update on this?

Comment by Constantin Oshmyan [ 2019 Oct 01 ]

I'd like to add some more comments (we have Zabbix Server 4.0.9 now).

1. When somebody modifies the maintenance period, the audit log looks like the following:

2019-09-27 10:32:38 UserN 192.168.105.21 Maintenance Updated 141 NODE2SQL
maintenances.active_since: 1561040400 => 1569570000
maintenances.active_till: 1561112400 => 1569829200

It's good; however, it would be more comfortable to have timestamps in a human-readable format (instead of, or, better, in addition to the unixtime integer).

2. When somebody adds the maintenance period, the audit log looks like the following:

2019-09-26 13:21:47 UserX 192.168.105.21 Maintenance Added 147 NODE1SQL

It is not enough, because we don't see any details about added maintenance period besides its name and ID.
For example, we just had the case when the wrong host group has been added to maintenance period (by mistake); so we spent a lot of time to discover the reason: why notifications have not been sent in time.
More detailed audit log would certainly help in this investigation.
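
Added example (not part of the original comment or of Zabbix itself): a small Python parser for the `table.field: old => new` detail lines quoted in this thread. It renders the epoch values of the maintenance fields in UTC next to the raw integer and flags no-op records such as `hosts.status: 0 => 0`; the function names and the set of timestamp fields are assumptions.

```python
import re
from datetime import datetime, timezone

# Detail lines quoted in this thread have the shape "table.field: old => new".
DETAIL_RE = re.compile(
    r"^(?P<table>\w+)\.(?P<field>\w+):\s*(?P<old>.*?)\s*=>\s*(?P<new>.*?)\s*$"
)

# Assumption: only the two maintenance fields quoted above hold Unix timestamps.
EPOCH_FIELDS = {"maintenances.active_since", "maintenances.active_till"}

# Constructed sample built from detail lines quoted in the comments.
SAMPLE = """\
maintenances.active_since: 1561040400 => 1569570000
maintenances.active_till: 1561112400 => 1569829200
hosts.status: 0 => 0
hosts.name: H1 => H1 updated
"""


def annotate(field, value):
    """Append an ISO 8601 UTC rendering to epoch values; leave other values alone."""
    if field in EPOCH_FIELDS and value.isdigit():
        stamp = datetime.fromtimestamp(int(value), tz=timezone.utc)
        return f"{value} ({stamp.strftime('%Y-%m-%dT%H:%M:%SZ')})"
    return value


def parse_details(text):
    """Return one dict per recognised detail line; unrecognised lines are skipped."""
    changes = []
    for line in text.splitlines():
        match = DETAIL_RE.match(line.strip())
        if match is None:
            continue
        field = f"{match['table']}.{match['field']}"
        old, new = match["old"], match["new"]
        changes.append({
            "field": field,
            "old": annotate(field, old),
            "new": annotate(field, new),
            "noop": old == new,  # e.g. "hosts.status: 0 => 0" records no change
        })
    return changes


if __name__ == "__main__":
    for change in parse_details(SAMPLE):
        flag = "  [no-op]" if change["noop"] else ""
        print(f"{change['field']}: {change['old']} => {change['new']}{flag}")
```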

Comment by Aigars Kadikis [ 2020 Apr 11 ]

In version 4.4.7: no additional record appears in auditlog if:

  • new item is created in a host or template
  • item gets modified

Here is a query to follow up on 4.4

SELECT FROM_UNIXTIME(auditlog.clock) as clock,
       users.alias,
       CASE
           WHEN action=0 THEN 'ADD'
           WHEN action=1 THEN 'UPDATE'
           WHEN action=2 THEN 'DELETE'
           WHEN action=3 THEN 'LOGIN'
           WHEN action=4 THEN 'LOGOUT'
           WHEN action=5 THEN 'ENABLE'
           WHEN action=6 THEN 'DISABLE'
       END AS action,
       CASE
           WHEN resourcetype=0 THEN 'USER'
           WHEN resourcetype=2 THEN 'ZABBIX_CONFIG'
           WHEN resourcetype=3 THEN 'MEDIA_TYPE'
           WHEN resourcetype=4 THEN 'HOST'
           WHEN resourcetype=5 THEN 'ACTION'
           WHEN resourcetype=6 THEN 'GRAPH'
           WHEN resourcetype=7 THEN 'GRAPH_ELEMENT'
           WHEN resourcetype=11 THEN 'USER_GROUP'
           WHEN resourcetype=12 THEN 'APPLICATION'
           WHEN resourcetype=13 THEN 'TRIGGER'
           WHEN resourcetype=14 THEN 'HOST_GROUP'
           WHEN resourcetype=15 THEN 'ITEM'
           WHEN resourcetype=16 THEN 'IMAGE'
           WHEN resourcetype=17 THEN 'VALUE_MAP'
           WHEN resourcetype=18 THEN 'IT_SERVICE'
           WHEN resourcetype=19 THEN 'MAP'
           WHEN resourcetype=20 THEN 'SCREEN'
           WHEN resourcetype=22 THEN 'SCENARIO'
           WHEN resourcetype=23 THEN 'DISCOVERY_RULE'
           WHEN resourcetype=24 THEN 'SLIDESHOW'
           WHEN resourcetype=25 THEN 'SCRIPT'
           WHEN resourcetype=26 THEN 'PROXY'
           WHEN resourcetype=27 THEN 'MAINTENANCE'
           WHEN resourcetype=28 THEN 'REGEXP'
           WHEN resourcetype=29 THEN 'MACRO'
           WHEN resourcetype=30 THEN 'TEMPLATE'
           WHEN resourcetype=31 THEN 'TRIGGER_PROTOTYPE'
           WHEN resourcetype=32 THEN 'ICON_MAP'
           WHEN resourcetype=33 THEN 'DASHBOARD'
           WHEN resourcetype=34 THEN 'CORRELATION'
           WHEN resourcetype=35 THEN 'GRAPH_PROTOTYPE'
           WHEN resourcetype=36 THEN 'ITEM_PROTOTYPE'
           WHEN resourcetype=37 THEN 'HOST_PROTOTYPE'
           WHEN resourcetype=38 THEN 'AUTOREGISTRATION'
       END AS resourcetype,
       resourceid
FROM auditlog
JOIN users ON (users.userid=auditlog.userid)
WHERE action NOT IN (3,4)
  AND clock > UNIX_TIMESTAMP(NOW() - INTERVAL 1 DAY)
ORDER BY clock
;
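
Added example (not from the original comment or from Zabbix): a Python/sqlite3 check over the same `auditlog` columns and action codes as the query above. It lists resource types whose objects were updated or deleted in a window without any ADD record, the pattern reported in this thread for items and trigger prototypes. The rows are constructed, and a flagged type is a lead to confirm, since its objects may simply predate the window.

```python
import sqlite3

# Action codes and resource-type codes as listed in the query above (subset).
ADD, UPDATE, DELETE = 0, 1, 2
RESOURCE_NAMES = {4: "HOST", 13: "TRIGGER", 15: "ITEM", 31: "TRIGGER_PROTOTYPE"}

# Constructed sample rows: (clock, userid, action, resourcetype, resourceid).
SAMPLE_ROWS = [
    (1586500000, 1, ADD, 4, 10101),      # host added ...
    (1586500100, 1, UPDATE, 4, 10101),   # ... then updated: both steps recorded
    (1586500200, 1, UPDATE, 15, 28001),  # item updated, no ADD row for any item
    (1586500300, 2, DELETE, 15, 28002),  # item deleted, no ADD row for any item
    (1586500400, 2, DELETE, 31, 17001),  # trigger prototype: deletion only
    (1586500500, 1, ADD, 13, 16001),     # trigger added
    (1586500600, 1, UPDATE, 13, 16002),  # another trigger, created before the window
]

# Per resource type: distinct objects with an ADD row versus objects seen being
# updated or deleted. Only types with changes but no ADD at all are returned.
GAP_QUERY = """
SELECT resourcetype, changed FROM (
    SELECT resourcetype,
           COUNT(DISTINCT CASE WHEN action = 0 THEN resourceid END) AS added,
           COUNT(DISTINCT CASE WHEN action IN (1, 2) THEN resourceid END) AS changed
    FROM auditlog
    WHERE clock >= ?
    GROUP BY resourcetype
) AS per_type
WHERE added = 0 AND changed > 0
ORDER BY resourcetype
"""


def load_sample():
    """Build an in-memory auditlog table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auditlog (clock INTEGER, userid INTEGER, action INTEGER,"
        " resourcetype INTEGER, resourceid INTEGER)"
    )
    conn.executemany("INSERT INTO auditlog VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def creation_gaps(conn, since=0):
    """Return [(resource name, objects changed)] for types with no ADD record."""
    rows = conn.execute(GAP_QUERY, (since,)).fetchall()
    return [(RESOURCE_NAMES.get(rtype, str(rtype)), changed) for rtype, changed in rows]


if __name__ == "__main__":
    for name, changed in creation_gaps(load_sample()):
        print(f"{name}: {changed} object(s) updated/deleted, none added in this window")
```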

Comment by GOID [ 2020 Nov 03 ]

Same problem on 5.0.3.

Not all user activity is logged in the auditlog.

In my instance I planned to create a PostgreSQL trigger on the auditlog table, run a script (with the personal data of the user) and export the changed resource to Git, to implement some kind of version-control-of-zabbix-resources.

After the 5.2 release this becomes easier with the built-in export to YAML.

But my plan crashed when I found this problem in 5.0.3

Comment by GOID [ 2020 Dec 23 ]

Hi!

I read the topic again and can't understand - is the problem spread across several main versions of Zabbix?

Comment by Oleksii Zagorskyi [ 2021 Dec 03 ]

There were changes for 6.0 in ZBXNEXT-6470, ZBXNEXT-6920, ZBXNEXT-6951, ZBXNEXT-6868 and many others, which possibly made this report not actual anymore.
https://www.zabbix.com/documentation/6.0/en/manual/introduction/whatsnew600#audit-log

Generated at Thu Apr 18 22:45:27 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.