1 Reply Latest reply on Oct 14, 2020 11:16 AM by Steve Gibbs

    How to parse Master Server Audit Log (Hidden Patches, Hidden Bulletins)

    Steve Gibbs

      I was working with a customer that wanted to be alerted whenever an admin "hid" either a patch or a bulletin. I created an Operational Rule that does just that and felt it would be good to share. You can take this same concept and apply it to any item in the master server audit log.


      Step 1

      You need to identify the item in the audit log you are interested in capturing. In this use case I am using the word "Hide" to locate every row in the audit log where Hide is used. I tested it out to see whether the results returned just my item or more than what I need. Here is a screen shot:


      Step 2

      I will be using the Op Rule step "File Analysis via Regular Expression". In order to TEST my regular expression I use https://regex101.com. I copied all the contents of the Audit Log and pasted it into the test window of the regex101 tester. See screen shot:

      I found that using (.*Hide.*) captured the rows of data I was interested in collecting.
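      The check described in Steps 1 and 2 (does the expression return only the rows you want?) can be rehearsed offline. The script below is an added example, not code from the post or from the BMC product: it runs the post's (.*Hide.*) expression row by row over a handful of constructed audit-log rows, groups the hits by what was hidden, and compares them against a whole-word variant of the pattern. The row layout, the admin names and the KB-EXAMPLE/MS-EXAMPLE identifiers are invented for the example; the real mtxagent_audit.log format is not shown on this page.

```python
import re

# Constructed sample rows (not from the post) in a hypothetical layout; the real
# mtxagent_audit.log format is not shown on the page, so the columns are an assumption.
SAMPLE_AUDIT_LOG = """\
2020-10-13 09:12:44 admin1 Login
2020-10-13 09:13:10 admin1 Hide Patch KB-EXAMPLE-1
2020-10-13 09:14:02 admin1 Hide Bulletin MS-EXAMPLE-1
2020-10-13 09:15:30 admin2 Unhide Patch KB-EXAMPLE-1
2020-10-13 09:16:05 admin2 Rename Device Hideout-LT01
2020-10-13 09:17:40 admin2 Assign OpRule "Hidden Patches"
"""

# The expression the post settled on after testing it on regex101.
POST_PATTERN = re.compile(r"(.*Hide.*)")

# A tighter variant added for this example: "Hide" must be a whole word, so a row
# whose only occurrence sits inside another token (Hideout-LT01 above) is skipped.
STRICT_PATTERN = re.compile(r"^(.*\bHide\b.*)$")


def find_rows(log_text, pattern=POST_PATTERN):
    """Apply the pattern row by row, the way the op-rule step scans the file,
    and return capture group 1 for every row that matches."""
    rows = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            rows.append(match.group(1))
    return rows


def false_positives(log_text):
    """Rows the loose pattern reports that the whole-word pattern does not;
    an empty list means the loose pattern is safe for this log."""
    strict = set(find_rows(log_text, STRICT_PATTERN))
    return [row for row in find_rows(log_text, POST_PATTERN) if row not in strict]


def classify(rows):
    """Group matched rows by what was hidden (patch, bulletin, ...), taken from
    the token after 'Hide'; rows with no such token land under 'other'."""
    groups = {}
    for row in rows:
        match = re.search(r"\bHide (\w+)", row)
        kind = match.group(1).lower() if match else "other"
        groups.setdefault(kind, []).append(row)
    return groups


if __name__ == "__main__":
    hits = find_rows(SAMPLE_AUDIT_LOG, STRICT_PATTERN)
    for kind, rows in classify(hits).items():
        print(f"{kind}: {len(rows)} row(s)")
    for row in false_positives(SAMPLE_AUDIT_LOG):
        print("loose pattern would also report:", row)
```

      Because the match is case-sensitive, rows such as "Unhide" or the op-rule name "Hidden Patches" are not reported by either pattern; the only difference between the two is the device-rename row, which shows the kind of extra hit worth looking for when you test the expression against a full copy of your own audit log.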


      Step 3

      Create an Operational Rule with two steps, assign that rule to the MASTER server, test it once to validate the results, and then set it to run on a schedule based on customer preference.


      The first step is located under the "Custom Inventory" folder: "File Analysis via Regular Expression". Configure it like the screen shot below. The default file location of this step already points to the relative path of the log folder; just change the filename to "mtxagent_audit.log".

      The configuration items above can be modified to local preference. This works for my customer.

      The second step of the op rule needs to be the default settings of "update custom inventory". See screen shot below:

      Step 4

      Review the results. Go to the Master Server under device topology and expand menu to Inventory > Custom Inventory > Hidden Patches.


      If you have entries in the audit log where an admin hid either a patch or a bulletin, then you should have entries to view. See screen shot:

      I am not sure why instance 1 is missing, but it was captured in the "Alerts and Events" module (bottom of the left menu). This does show the first instance, so I am going to assume that after the alert was created it was removed. See screen shot:

      Detailed view:


      I also got an email alerting me to this finding: