Who did that?

Now who did that? This is a question occasionally heard in many places, IT workplaces included. When weird configuration changes and unsolicited reboots happen, accountability and a trace of actions help a lot to determine whether the questioner was the one who made the change and then forgot about it. For Zabbix configuration changes, an internal audit log is available. Just like most functionality, it's conveniently accessible from the web frontend. During our configuration quest, we made quite a lot of changes; let's see what footprints we left. Navigate to Reports | Audit and set the filter time to a period that approximately matches the initial installation of this Zabbix instance. We're presented with a list of the things we did, although the first page of the audit records might show only logging in and out:

And what if you set up Zabbix frontend monitoring, like we did in Chapter 12, Monitoring Web Pages? You're likely to see only such records, as our web scenario logs in and out every minute. But notice the filter; we may also filter by user, action, and resource:

Expand the Action and Resource drop-down menus; notice that they're quite fine-grained, especially the Resource drop-down menu.

In the Zabbix 1.8 version of this book, it said:

"In the first Zabbix 1.8 releases some actions aren't registered in the audit log. Such issues are expected to be fixed in the near future."

Oh well. Unfortunately, it didn't get fixed in further 1.8 releases, nor in 2.0, 2.2, 2.4, 3.0, and, to the best of my knowledge, not in 4.0 either. The Zabbix audit log is still missing lots of operations performed, especially when the API is used. While the audit log can be extremely useful, it can easily miss the specific operation you're interested in. Perform a test with the version you're interested in to be sure; the list of operations that aren't logged can easily change in a minor version.
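One way to run such a test is to note every change you make on purpose and compare that list with the rows shown in the audit report. The following Python code is an added example, not from the book or from Zabbix; the record layout, the user, host, and group names, and the timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data. The field names are assumptions made for this
# example; they are not Zabbix's database schema or API output.
PERFORMED = [  # changes made on purpose during the test
    {"time": "2019-03-01 10:00:05", "user": "Admin", "action": "Add",
     "resource": "Action", "name": "Restart Apache", "via": "frontend"},
    {"time": "2019-03-01 10:02:10", "user": "Admin", "action": "Update",
     "resource": "Host", "name": "test-host", "via": "api"},
    {"time": "2019-03-01 10:03:30", "user": "Admin", "action": "Delete",
     "resource": "Host group", "name": "temp-group", "via": "api"},
]
AUDIT = [  # rows copied from Reports | Audit for the same period
    {"time": "2019-03-01 10:00:00", "user": "Admin", "action": "Login",
     "resource": "User", "name": "Admin"},
    {"time": "2019-03-01 10:00:06", "user": "Admin", "action": "Add",
     "resource": "Action", "name": "Restart Apache"},
    {"time": "2019-03-01 10:01:00", "user": "web-check", "action": "Login",
     "resource": "User", "name": "web-check"},
    {"time": "2019-03-01 10:01:01", "user": "web-check", "action": "Logout",
     "resource": "User", "name": "web-check"},
    {"time": "2019-03-01 10:03:31", "user": "Admin", "action": "Delete",
     "resource": "Host group", "name": "temp-group"},
]
KEY = ("user", "action", "resource", "name")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def unlogged(performed, audit, tolerance=timedelta(seconds=30)):
    """Return the performed changes that have no matching audit row."""
    # Login/logout rows (such as a web scenario's) never describe a change.
    rows = [r for r in audit if r["action"] not in ("Login", "Logout")]
    used = set()  # each audit row may account for only one change
    missing = []
    for change in performed:
        for i, row in enumerate(rows):
            same = all(row[k] == change[k] for k in KEY)
            close = abs(_ts(row["time"]) - _ts(change["time"])) <= tolerance
            if i not in used and same and close:
                used.add(i)
                break
        else:
            missing.append(change)
    return missing

if __name__ == "__main__":
    for change in unlogged(PERFORMED, AUDIT):
        print("not in audit log:", change["via"], change["action"], change["name"])
```

Repeat the comparison after every upgrade, including minor versions, and record whether each change was made through the frontend or the API so that gaps can be attributed to the right path.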

Moving forward from the sad fact of the broken audit log, as an exercise, try to find out at what time you added the Restart Apache action.

While looking at this section, let's remind ourselves of another logging area: the action log that we briefly looked at before. Go to Reports | Action log. Here, all actions performed by the Zabbix server are recorded. This includes sending emails, executing remote commands, sending SMS messages, and executing custom scripts. This view provides information on what content was sent to whom, whether it was successful, and error messages, if any. It's useful for verifying whether Zabbix has sent a particular message, as well as figuring out whether the configured actions are working as expected.

Together, the audit log and action log sections provide a good overview of internal Zabbix configuration changes, as well as debugging help to determine what action operations have been performed.
