In our organisation someone made a mistake and changed some thresholds on root level, which caused a customer outage. Our SecOps Team somehow got informed about this incident and they are now asking me to monitor changes on root level rules. Is there a way to do this out of checkMK? Any ideas? Could I use the Filecheck somehow? Is there a log file where those changes are stored so I can use logwatch?
Based on our experience the git commit is done on behalf of the user who is doing the activate changes. This means if userA alters a rule and userB activates the change you see something like this:
commit 475e408f0d6c1c3d9a7711f595e13a1d1e84bda1
Author: userB <userB@users.com>
Date: Wed Mar 1 08:13:03 2023 +0000
Changed properties of rule "Agent update" in folder "Main directory"
So git is not telling the full truth, but one can say it brings you a bit closer.
In 1.6 it was in ./var/check_mk/wato/log/audit.log but this file isn't updated anymore since the upgrade to 2.0.
Does anyone know where the audit log is stored now?
I have not used git status or other git commands in >2.0, but for the Audit log, at least in the enterprise version, this is not true. All changes are shown as separate lines, including who did the activation. >2.0 also contains a more detailed log (what was changed) that did not exist in 1.6.
That I understand, and the Audit log in the GUI should come from git if you have enabled that. This is 100% true in 1.6, but as I’ve said, I have not tested this in 2.x.
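Added example, not part of the original posts or of Checkmk itself: a small parser that takes `git log` text in the format quoted above and reports rule changes in the root folder, labelling the commit author as the activating user. It assumes the root folder appears as "Main directory" and the message wording matches the sample; the second commit in the sample is constructed.

```python
import re

ROOT_FOLDER = "Main directory"  # root folder name as shown in the quoted commit
COMMIT_RE = re.compile(r"commit ([0-9a-f]{40})")
RULE_RE = re.compile(r'rule "(?P<rule>[^"]+)" in folder "(?P<folder>[^"]+)"')

# Constructed sample: the first commit is the one quoted above, the second is invented.
SAMPLE_LOG = '''\
commit 475e408f0d6c1c3d9a7711f595e13a1d1e84bda1
Author: userB <userB@users.com>
Date:   Wed Mar 1 08:13:03 2023 +0000

    Changed properties of rule "Agent update" in folder "Main directory"

commit 0000000000000000000000000000000000000001
Author: userA <userA@users.com>
Date:   Wed Mar 1 09:00:00 2023 +0000

    Changed properties of rule "CPU load" in folder "customer1"
'''

def parse_commits(log_text):
    """Split `git log` text into dicts with commit, author, date and message lines."""
    commits, cur = [], None
    for raw in log_text.splitlines():
        start = COMMIT_RE.fullmatch(raw.rstrip())
        line = raw.strip()
        if start:  # header lines are unindented, so an indented message cannot match
            cur = {"commit": start.group(1), "author": "", "date": "", "message": []}
            commits.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("Author:") and not cur["author"]:
            cur["author"] = line[len("Author:"):].strip()
        elif line.startswith("Date:") and not cur["date"]:
            cur["date"] = line[len("Date:"):].strip()
        else:
            cur["message"].append(line)
    return commits

def root_rule_changes(log_text, root=ROOT_FOLDER):
    """Return one record per commit message line that names a rule in the root folder."""
    hits = []
    for c in parse_commits(log_text):
        for msg in c["message"]:
            m = RULE_RE.search(msg)
            if m and m.group("folder") == root:
                # Per the post above, the author is whoever activated the change.
                hits.append({"commit": c["commit"], "activated_by": c["author"],
                             "date": c["date"], "rule": m.group("rule")})
    return hits
```

Feed it the text of `git log` from the site's configuration repository; the records can then be forwarded to whatever alerting the SecOps team uses.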