Active IQ Unified Manager Discussions

QUESTION - If i disable an alarm, is it logged in one of the log files?

emanuel
3,119 Views

Hello

I have a number of alarms that were disbaled by parties unknown; I want to search the log files to see which alarm was disabled so i can enable them.

Which log file contains this information?

Thanks

4 REPLIES 4

agireesh
3,119 Views

Hi Emanuel,

You can look into dfmcmd.log log file to check the information of the alarm enabled or disabled by admin user.

Content of dfmcmd.log file

[root@lnx186-77 log]# tail -f dfmcmd.log

Sep 03 15:34:16 [dfm: INFO]: [29932:0x2b98285af030]: Created alarm 1 with 1 email recipient.

Sep 03 15:36:02 [dfm: INFO]: [30106:0x2b7566051030]: Changed disabled for alarm 1 to Yes.

Sep 03 15:36:38 [dfm: INFO]: [30158:0x2abb2a0cb030]: Changed disabled for alarm 1 to No.

You can also use the operation manager GUI to see which alarms are disabled and then you can enable the disabled alarms. Please use below steps to enable the disabled alarm in operation manager GUI.

1.  Login to operation manger.

2.  Use “Setup->Alarms” link to launch the “Alarms” page.

3.  Alarms page will list the all alarm created by admin user with all details.

4.  Check the disable field in “Alarms” page, if “Disable” field value is “Yes” that mean your alarm is disable.

5.  Now, use the edit link for disabled alarm, From Disable drop-down box Change select “NO” and click on update.

Please let me know for any further assignment.

Regards,

Gireesh

pradeepl
3,119 Views

Hi Emanuel,

Use dfm alarm list -d command to get the list of disabled alarms.

For enabling alarms you can use dfm alarm enable <alarm-id>

Thanks

Pradeep L

emanuel
3,119 Views

Hello ... good answers guys but now i have a follow up question.

I found the log file and the events when the alarms were disabled but now I need to know *who* did this ... here is the sample: ( i changed the name of the account logging in ) but this is the actual log file and in sequence.  As you can see our secret user did log in and the next events were the alarms being disabled.  My question is ... is this same user who just logged in the same user who disabled the alarms?

Aug 27 08:49:05 [dfm: INFO]: [5136:0x1d90]: Logged in as <B>DOMAIN\secretuser</B>.

Aug 27 08:50:19 [dfm: INFO]: [3548:0xbf4]: Changed disabled for alarm 33 to Yes.

Aug 27 08:50:34 [dfm: INFO]: [4588:0xb30]: Changed disabled for alarm 35 to Yes.

Aug 27 08:50:41 [dfm: INFO]: [7912:0x18bc]: Changed disabled for alarm 36 to Yes.

Aug 27 08:50:52 [dfm: INFO]: [7144:0x1bd8]: Changed disabled for alarm 38 to Yes.

Aug 27 08:51:02 [dfm: INFO]: [7676:0xedc]: Changed disabled for alarm 39 to Yes.

Aug 27 08:51:16 [dfm: INFO]: [6612:0xc4c]: Changed disabled for alarm 51 to Yes.

dhruvd
3,119 Views

Hi emanuel,

The audit.log is the log you need to look for.

Not only will tell you the user, but also the command or API that was executed at an instant.

Example:

Sep 09 04:34:22 [dfm:NOTIC]: root:CMD:in:[127.0.0.1]:dfm about

Here, the 'dfm about' command was executed as the 'root' user.

Regards,

Dhruv

Public