05-04-2016 09:12 PM
My team logs into our NBU 7.6 (RHEL) master server through Kerberos, authenticating back to AD. Based on entries in /usr/openv/java/auth.conf, they have the ability to perform all usual administrative functions, as expected.
My experience has been that if your credentials allow you to perform admin functions, those functions end up being run under the covers as root. As such, any logging for admin functions would be recorded as being run by root.
Here's what I'd like, however: A log entry that records when <team member> performs an administrative function, using the Java GUI. For example, a log entry when one of my junior engineers accidentally cancels all jobs from within Activity Monitor.
I haven't found this facility yet ... does it exist?
thanks!
ty
05-04-2016 11:40 PM
I guess, additionally you need to configure NBAC on Master Server. NBAC = NetBackup Access Control.
https://www.veritas.com/support/en_US/article.HOWTO89754
05-04-2016 11:52 PM
https://www.veritas.com/support/en_US/article.000044103
Not sure you would get the user who carried out the action though; for this you would need NBAC.
05-05-2016 08:11 AM
Please look into these logs and you should be able to find the relevant information. Please create these directories if you don't already have them set up.
bpjava-msvc - Java application server authentication service
bpjava-usvc - process that services Java requests
Here you may need to have the process ID when the user is logged on to the Unix server. I have used these logs to figure out the user who killed the jobs and you should be able to. Just grep for NetBackup commands and user ID & relevant combination.
05-05-2016 10:03 AM
Thanks all for your suggestions. From what I understand, NBAC is still not a viable option for us due to concerns about its reliability.
Tape_Archvied, thank you for your suggestion to create those log directories. I've done so, along with bpjava-susvc, then restarted my Java Admin GUI after also validating that /usr/openv/java/Debug.properties contains
printcmds=true
printCmdLines=true
debugMask=0x0004000
... but in making changes to configurations in the Admin GUI when logged in as myself, I do not find those changes represented in any logs found inside the three directories above. I'll keep searching.