06-08-2016 10:09 AM
Hello All,
Is there a way to create a notification that would inform us as to when an Administrator "Commits" an action he/she has made on the IronPort appliances?
06-08-2016 05:10 PM
Hello TBHernandez,
While there is no immediate option on the ESA to send a notification on this, you can run some grep commands in the logs (gui_logs / cli_logs) to locate when this occurs for auditing.
However, note that these logs are not really in a human-readable format and are very general in terms of showing which user was looking at what pages. They will not outline the specific changes, but you can check when a commit was posted to the ESA.
On the CLI, use this command:
grep -i "req.*post.*/commit" gui_logs
You will see outputs like:
Thu Jun 9 08:56:18 2016 Info: req:10.137.76.103 user:admin id:2Sc5L20JYgyaXgS3EM05 303 POST /commit HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Where you will see the IP of the CPU used to log in, the account used and when a commit was posted.
You can audit command line logs as well to see commits done at the command line with:
grep "PID.*User.*entered 'commit'" cli_logs
You will see outputs like:
Wed Jun 8 10:26:23 2016 Info: PID 57555: User admin entered 'commit'; prompt was '\nC680.ironport.lab>
Where a commit was used.
Regards,
Matthew
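
An added example, not part of the original reply: a Python parser that turns the two log formats shown above into structured commit events for an audit trail. It assumes the gui_logs and cli_logs files have been copied off the appliance; the two sample lines marked "constructed" are made up here to show what is ignored.

```python
import re
from datetime import datetime

# Shared prefix: "Thu Jun 9 08:56:18 2016 Info: "
TS = r"(?P<ts>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+Info:\s+"
# GUI commit: a POST to exactly /commit (stricter than the grep, which
# matches any request line containing "post" and "/commit").
GUI_RE = re.compile(TS + r"req:(?P<source>\S+)\s+user:(?P<user>\S+)\s+id:\S+"
                         r"\s+\d{3}\s+POST\s+/commit\s")
# CLI commit: a user typed the literal command 'commit'.
CLI_RE = re.compile(TS + r"PID\s+\d+:\s+User\s+(?P<user>\S+)\s+entered\s+'commit'")

def parse_commits(lines):
    """Return commit events (oldest first) found in gui_logs / cli_logs lines."""
    events = []
    for line in lines:
        for channel, rx in (("gui", GUI_RE), ("cli", CLI_RE)):
            m = rx.search(line)
            if not m:
                continue
            # Collapse padded day-of-month spacing before parsing the timestamp.
            when = datetime.strptime(" ".join(m["ts"].split()),
                                     "%a %b %d %H:%M:%S %Y")
            events.append({"when": when, "channel": channel, "user": m["user"],
                           # cli_logs lines carry no client IP, so this is None.
                           "source": m.groupdict().get("source")})
            break
    return sorted(events, key=lambda e: e["when"])

SAMPLE = [
    # From the post above (gui_logs):
    "Thu Jun 9 08:56:18 2016 Info: req:10.137.76.103 user:admin "
    "id:2Sc5L20JYgyaXgS3EM05 303 POST /commit HTTP/1.1 Mozilla/5.0",
    # Constructed: viewing the commit page without posting it.
    "Thu Jun 9 08:55:40 2016 Info: req:10.137.76.103 user:admin "
    "id:2Sc5L20JYgyaXgS3EM05 200 GET /commit HTTP/1.1 Mozilla/5.0",
    # From the post above (cli_logs):
    r"Wed Jun 8 10:26:23 2016 Info: PID 57555: User admin entered 'commit'; "
    r"prompt was '\nC680.ironport.lab>",
    # Constructed: a CLI command that is not a commit.
    r"Wed Jun 8 10:25:01 2016 Info: PID 57555: User admin entered 'status'; "
    r"prompt was '\nC680.ironport.lab>",
]

if __name__ == "__main__":
    for e in parse_commits(SAMPLE):
        print(e["when"].isoformat(), e["channel"], e["user"], e["source"] or "-")
```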