View Source

h4. How to audit Monarch commit operations

Customers require that changes to the configuration of _Nagios_ be logged. The _Monarch_ tool is used to make changes to the configuration of _Nagios_. When the user of _Monarch_ wishes these changes to be pushed to _Nagios_ a commit operation is performed. As part of the commit operation the timestamp at which the commit is done and the name of the user performing the commit are written into the main _Nagios_ configuration file. This is also true in the case of _Monarch Groups_ when a build instance is completed. This document to allow customers to add auditing of commit operations by logging the timestamp and name of the user performing commits and build instance operations to the _Event Console_. A new application type _AUDIT_ is created in the _Event Console_ and the _GroundWork Reports Event History_ (gw-event-history) report can be used by the customer to list all audit events.
{Note}The AUDIT type won't show up in the Event Console (under System Filters > Filter Events > Applications) until it has a reason to refresh the list of application types from the database. The simplest way to force this is to stop displaying the Event Console (e.g. redirect your browser to the Status viewer instead, and then come back to the Event Console).{Note}

h5. Prerequisites

These instructions will work on an installed _GroundWork Monitor_ _Enterprise_ or _Professional_ 5.2.0 or later.

h5. Installation

As user {{nagios}} on the _GroundWork_ server perform the following steps:
# Place the contents of [#Appendix A] into a file:
{code}/usr/local/groundwork/core/migration/add_audit_application_type.pl{code}
# Execute the following commands:
{code}cd /usr/local/groundwork/core/migration
chmod 744 add_audit_application_type.pl
./add_audit_application_type.pl{code}
# Place the contents of [#Appendix B] into a file:
{code}/usr/local/groundwork/foundation/feeder/audit-nagios.pl{code}
# Execute the following commands:
{code}cd /usr/local/groundwork/foundation/feeder
chmod 744 audit-nagios.pl
/usr/local/groundwork/common/bin/mkservice nagios nagios /usr/local/groundwork/core/services/feeder-nagios-audit{code}
# Replace the contents of the following file with the contents of [#Appendix C]:
{code}/usr/local/groundwork/core/services/feeder-nagios-audit/run{code}
# Append the contents of [#Appendix D] to {{syslog-ng.conf}}:
{code}/usr/local/groundwork/common/etc/syslog-ng.conf{code}

As user {{root}} on the _GroundWork_ server perform the following steps:
# Restart syslog
{code}/usr/local/groundwork/ctlscript.sh restart syslog-ng{code}
# Restart GroundWork services
{code}/usr/local/groundwork/ctlscript.sh restart gwservices{code}

h6. Appendix A

add_audit_application_type.pl

{code}
#!/usr/local/groundwork/perl/bin/perl -w --
#
# Database updater for audit logging within GroundWork Monitor
#
# Original version by Dr. Dave Blunt.
# Now modified for use with PostgreSQL.
#
# Last modified: 2011-11-09
#
# Usage: add_audit_application_type.pl
#
# Description:
#
# This script will access the GWCollageDB database based on the settings
# determined with the CollageQuery methods.  Thus, the script must be run
# on the relevant GroundWork server.
#
# It will add rows to the ApplicationType, ConsolidationCriteria and
# ApplicationEntityProperty tables to support delivery and reporting on
# audit messages supplied by an external script 'audit-nagios.pl' that
# watches for commit operations on the Monarch database.

use strict;
use DBI;
use CollageQuery;

my ( $dbname, $dbhost, $dbuser, $dbpass, $dbtype ) = CollageQuery::readGroundworkDBConfig('collage');
my $dsn = '';
if ( defined($dbtype) && $dbtype eq 'postgresql' ) {
    $dsn = "DBI:Pg:dbname=$dbname;host=$dbhost";
}
else {
    $dsn = "DBI:mysql:database=$dbname;host=$dbhost";
}
my $dbh = DBI->connect( $dsn, $dbuser, $dbpass, { 'AutoCommit' => 1 } )
    or die "Cannot connect to database $dbname. Error: " . $DBI::errstr;
my $query;
my $sth;

# Add the AUDIT application type.
$query = "insert into ApplicationType values(DEFAULT,'AUDIT','Audit logs for GroundWork Monitor','Device')";
$sth   = $dbh->prepare($query);
$sth->execute() or die $@;
$sth->finish();

# Get back the AUDIT ApplicationTypeID for later reference.
$query = "select ApplicationTypeID as \"ApplicationTypeID\" from ApplicationType where Name='AUDIT'";
$sth   = $dbh->prepare($query);
$sth->execute() or die $@;
my $appID;
while ( my $row = $sth->fetchrow_hashref() ) {
    $appID = $$row{ApplicationTypeID};
}
$sth->finish();

# Add the Consolidation criteria for AUDIT messages.
$query = "insert into ConsolidationCriteria values(DEFAULT,'AUDIT','OperationStatus;Device;MonitorStatus;ipaddress;ErrorType;SubComponent')";
$sth   = $dbh->prepare($query);
$sth->execute() or die $@;
$sth->finish();

# Add the ApplicationEntityProperty settings that control what is displayed in the NOC Console.

$query = "select EntityTypeID as \"EntityTypeID\" from EntityType where Name='LOG_MESSAGE'";
$sth   = $dbh->prepare($query);
$sth->execute() or die $@;
my $enttypeID;
while ( my $row = $sth->fetchrow_hashref() ) {
    $enttypeID = $$row{EntityTypeID};
}
$sth->finish();

$query = "select PropertyTypeID as \"PropertyTypeID\", Name as \"Name\" from PropertyType";
$sth   = $dbh->prepare($query);
$sth->execute() or die $@;
my %proptypeID;
while ( my $row = $sth->fetchrow_hashref() ) {
    $proptypeID{ $$row{Name} } = $$row{PropertyTypeID};
}
$sth->finish();

$query = "insert into ApplicationEntityProperty values(DEFAULT,'$appID','$enttypeID','$proptypeID{SubComponent}','2')";
$sth   = $dbh->prepare($query);
$sth->execute() or die $@;
$sth->finish();

$query = "insert into ApplicationEntityProperty values(DEFAULT,'$appID','$enttypeID','$proptypeID{ErrorType}','3')";
$sth   = $dbh->prepare($query);
$sth->execute() or die $@;
$sth->finish();

$query = "insert into ApplicationEntityProperty values(DEFAULT,'$appID','$enttypeID','$proptypeID{ipaddress}','1')";
$sth   = $dbh->prepare($query);
$sth->execute() or die $@;
$sth->finish();

$dbh->disconnect();
print "Database update completed.\n";
exit 0;{code}

h6. Appendix B

audit-nagios.pl

{code}#!/usr/local/groundwork/perl/bin/perl

my $check_interval=60;
my $last_check_time=time;
while(1) {
# build a list of nagios.cfg files to stat
my @files=();
my @files=`find /usr/local/groundwork/nagios/etc -name nagios.cfg`;
foreach $file (@files) {
my $message='';
chomp $file;
my $result=`/usr/bin/stat -c %Y $file`;
chomp $result;
if ($result gt $last_check_time ) { # if file has changed
my $line = `/bin/grep "nagios.cfg generated" $file`;
chomp $line;
my ($date,$user) = $line=~/generated\s(\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d)\sby\s(\S+)\sfrom/;
$message="File $file updated by user $user at $date.";
log_audit_message($file,$message);
}
}
$last_check_time=time;
sleep $check_interval;
}
exit 0;
sub log_audit_message {
my $file = shift;
my $message = shift;
my $result = `/usr/bin/logger -p local4.info $message`;
}{code}

h6. Appendix C

run

{code}#!/bin/sh
# Script for Supervise : Audit Nagios Feeder
exec 2>&1
sleep 30
exec /usr/local/groundwork/common/bin/setuidgid nagios /usr/local/groundwork/foundation/feeder/audit-nagios.pl{code}

h6. Appendix D

syslog-ng.conf settings
{code}filter f_audit-nagios { message('nagios\.cfg updated by user'); };
template t_gw_audit-nagios_feeder
{
template("<GENERICLOG MonitorServerName='localhost' Device='$HOST' ApplicationType='AUDIT' MonitorStatus='WARNING' ReportDate='$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC' Severity='WARNING' ipaddress='$HOST' SubComponent='$PROGRAM' TextMessage='$MSGONLY' />\n");
};
destination d_gw_audit-nagios_feeder { tcp("localhost" port(4913) template(t_gw_audit-nagios_feeder)); };
log { source(s_local); filter(f_audit-nagios); destination(d_gw_audit-nagios_feeder); };{code}