Alerting on Rule change

Hi all,

In our organisation someone made a mistake and changed some thresholds on root level, which caused a customer outage. Our SecOps team somehow got informed about this incident and they are now asking me to monitor changes on root-level rules. Is there a way to do this out of Checkmk? Any ideas? Could I use the Filecheck somehow? Is there a log file where those changes are stored so I can use Logwatch?

Thanks for your help!

Regards
Sven

You could install git on the monitoring server and activate that in the global settings for the setup.

This way at least every change is logged with who did it.

You could add a git hook script to send out an email whenever a new commit is created.


Based on our experience the git commit is done on behalf of the user who performs the activate changes. This means if userA alters a rule and userB activates the change you see something like this:

commit 475e408f0d6c1c3d9a7711f595e13a1d1e84bda1
Author: userB <userB@users.com>
Date:   Wed Mar 1 08:13:03 2023 +0000

Changed properties of rule "Agent update" in folder "Main directory"

So git is not telling the full truth but one can say it brings you a bit closer :wink:

Would it be an option to use Logwatch on the Checkmk Audit log?

(me, skating on very thin ice. The jersey number indicates how much I know about Checkmk audit logging. Or Logwatch, for that matter)


In 1.6 it was in ./var/check_mk/wato/log/audit.log, but this file isn't updated anymore since the upgrade to 2.0.
Does anyone know where the audit log is stored now?

Thanks a lot for the tips. I'll go the git hooks way. That way I can even learn something new about git.

For the ones that will follow me, there is a nice article that describes how git hooks work:

Git Hooks | Atlassian Git Tutorial.
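As an added example of the git hook approach suggested above (not code from the thread or from Checkmk), a POSIX post-commit hook that mails SecOps only when a commit touches the root folder's rules. It assumes the setup git repository is the site's etc/check_mk and that the Main directory rules are stored in conf.d/wato/rules.mk; both ROOT_RULE_FILES and ALERT_MAIL are placeholders to adjust for your site.

```shell
#!/bin/sh
# post-commit hook: alert on commits that change root-level (Main directory) rules.
# Assumed layout (adjust for your site): repository is <site>/etc/check_mk, the hook is
# installed as .git/hooks/post-commit, root rules live in conf.d/wato/rules.mk while
# sub-folder rules live in conf.d/wato/<folder>/rules.mk and are deliberately ignored.
ROOT_RULE_FILES="${ROOT_RULE_FILES:-conf.d/wato/rules.mk}"
ALERT_MAIL="${ALERT_MAIL:-secops@example.com}"   # placeholder recipient

# Read changed paths from stdin (one per line); return 0 if any is a root-level rule file.
is_root_rule_change() {
    while IFS= read -r path; do
        for f in $ROOT_RULE_FILES; do
            [ "$path" = "$f" ] && return 0
        done
    done
    return 1
}

# Build the alert body: $1 commit hash, $2 author, $3 date, $4 subject, $5 changed files.
# As noted in the thread, the git author is whoever activated the changes, which is not
# necessarily the user who edited the rule, so the body says so explicitly.
format_alert() {
    printf 'Root-level rule change detected in Checkmk setup repository\n'
    printf 'Commit:    %s\nActivated by: %s (author of the commit, not necessarily the editor)\n' "$1" "$2"
    printf 'Date:      %s\nMessage:   %s\nFiles:\n%s\n' "$3" "$4" "$5"
}

# Inspect HEAD (the commit that just happened) and mail an alert when it qualifies.
main() {
    hash=$(git rev-parse HEAD)
    files=$(git diff-tree --no-commit-id --name-only -r "$hash")
    if printf '%s\n' "$files" | is_root_rule_change; then
        author=$(git log -1 --format='%an <%ae>' "$hash")
        date=$(git log -1 --format='%ad' "$hash")
        subject=$(git log -1 --format='%s' "$hash")
        format_alert "$hash" "$author" "$date" "$subject" "$files" \
            | mail -s "Checkmk: root-level rule change by $author" "$ALERT_MAIL"
    fi
}

# Only run when git invokes the script as the post-commit hook.
case "${0##*/}" in post-commit) main ;; esac
```

Copy the file to `.git/hooks/post-commit` inside the setup repository and make it executable; git runs it after every activate-changes commit.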

I have not used git status or other git commands in >2.0, but for the Audit log, at least in the enterprise version, this is not true. All changes are shown as separate lines, including who did the activation. >2.0 also contains a more detailed log (what was changed) that did not exist in 1.6.


We know this from the GUI, but what we are looking for is the file where this information is stored, to build a monitoring on it.

That I understand, and the Audit log in the GUI should come from git if you have enabled that. This is 100% true in 1.6, but as I've said I have not tested this in 2.x.

Can you prove that?

The GUI isn't using git at all. In 1.6 the audit log is in a log file. Since the upgrade to 2.0 this file isn't updated anymore.
