Solved: It's coming...

sksujeet · ‎07-07-2010

We have a group of people who administrator our netbackup 6.5. Is there any way to check in the logs if someone creates any job, run the job manually or delete any job or policy.

Har-D · ‎07-07-2010

Hi,

Yes it's true there's no exact way to track the things, however, if you (and rest in the groups) are using Java console, you can enable debugging of the Java console in such a way that it will print the commands in the JBP log file of the console opened.

Check out this for more info: http://support.veritas.com/docs/295324

The above TechNote mentions the default location of log files (<NBU>/logs/user_ops/nbjlogs/jbp.user.yyyymmddhhmmss**.log )

Enable just printCmdLines=true in Debug.Properties leaving other parameters commented. This parameters will enable logging of all the commands that are triggerred in backend by Java for any kind of operation done by any user.

In this way also there's one issue of logs getting created on local workstations if you use Java admin console from your workstations.

Using X-Windows softwares and exporting the Java DISPLAY will create the logs on server only.

View solution in original post

David_McMullin · ‎07-07-2010

NO - LOL

There are starting to be some of these, I think NOM can track policy changes, but you MUST define unique signons - if everyone logs in as admin or root, you are SOL.

There is currently no way to my knowledge to determine which person cancelled a job from the java admin console, for example.

If you desire tight controls, you will need to severely limit java console access, and have users sign on using unique accounts to the system and run command lines - then you can track at the OS level.

IMHO - this is one of the major issues with NetBackup at this time - granularity of control and tracking of changes.

Ed_Wilts · ‎07-07-2010

David summed it well but NetBackup 7.0.1 is starting to add the audit controls. From the 7.0.1 First Availability Program announcement:

Audit Trails Phase 1 (will be limited to using the CLI and only tracking policies and restore jobs)

There are a LOT of audit controls that different people have asked for but it will be a matter of time before they're all there and then you'll have to decide how much disk space you want to dedicate to your audit logs.

Har-D · ‎07-07-2010

Hi,

Yes it's true there's no exact way to track the things, however, if you (and rest in the groups) are using Java console, you can enable debugging of the Java console in such a way that it will print the commands in the JBP log file of the console opened.

Check out this for more info: http://support.veritas.com/docs/295324

The above TechNote mentions the default location of log files (<NBU>/logs/user_ops/nbjlogs/jbp.user.yyyymmddhhmmss**.log )

Enable just printCmdLines=true in Debug.Properties leaving other parameters commented. This parameters will enable logging of all the commands that are triggerred in backend by Java for any kind of operation done by any user.

In this way also there's one issue of logs getting created on local workstations if you use Java admin console from your workstations.

Using X-Windows softwares and exporting the Java DISPLAY will create the logs on server only.

Ed_Wilts · ‎07-07-2010

The other thing to consider is what the purpose of the audit logs are. Remember that the people running your environment can change the logs - after all, they're administrators.

The first rule of trying to figure out who made the changes is to ask them. Ask them to keep a log of configuration changes. Sometimes the low-tech approach is enough for informal auditing.

sksujeet · ‎07-07-2010

I would like to clarify that everyone doesn't login to the server with same username and password. There are different accounts and those are part of some administrator group. So all the administrator who login to the javaconsole usies there own userid and password. So there are no logs getting generated on the backround stating this user has changed or modified a particular policy or job.

Har-D · ‎07-08-2010

Hello,

As I said, currently there are no logs available that will help you to track the exact changes however you can get clues from the Java logs only (as far as I know and do).

Are you (everyone) exporting DISPLAY or installed Java console on your workstations?

Try making some changes and check if the JBP logs helps you :

> If exporting the DISPLAY then can check the logs files under <NBU>/logs/user_ops/nbjlogs/ . The format of log files are: jbp.<user_name>.yyyymmddhhmmss**.log

> If installed on workstations, will need to check the log files under the same location over the workstations.

Deepak_G · ‎07-09-2010

But it can be done to a certain extent in the OS level which would allow us to gain some control.

We have added this following script in crontab and it will send us a list of all policies modified within 24 hrs

find /usr/openv/netbackup/db/class/ -type f -mtime -1 -ls |tr '/' ' ' |egrep -v "info" | awk '{print$16}' | uniq > modified_policies

modifiled_policies file will contain the list of policies that has been modifed for the pas 24 hrs from the time this script executes.

Will_Restore · ‎07-09-2010

after you hire a guy that looks like Colonel Klink from Hogan's Heroes

"Ve haf vays of vinding zees sings !!"

VOX

Logs to find out who changed the things in netbackup