
SMGR Log - How to send login/logout events


vtt2019 (Technical User, BR, Jul 6, 2019)
Hi Specialists:
I am trying to set up SMGR r7.1 to send login/logout events to an external SYSLOG SERVER following this URL as a guide: Looking at the SMGR LOG VIEWER, I see that no event comes from "com.avaya.security.iam.audit" as that URL says (for some reason that PRODUCT TYPE is wrong); instead most of them come from "com.avaya.mgmt", including the LOGIN/LOGOUT events (see an extract in the picture attached). However, if I choose "com.avaya.mgmt", I don't find any PRODUCT TYPE to catch those LOGIN/LOGOUT events because they are using PROCESS NAME = jsvc(3073@smgr.mydomain.com) (what is jsvc?) and EVENTID = <blank> (why is it blank?). These parameters are missing in the long list (+300) of LOGGERS to choose from in SMGR LOG SETTINGS, or I simply don't understand how to use them.
Please help me find how to do this setting right.
 
I grepped vtt2019 in my /var/log/Avaya after logging in and out as you. See below.
I get 2 instances of the lines at the bottom of the snippet and a single instance of the line at the top when you login.
Then in quantumAudit.log you get one of these on logout: Action: Delete, Result: SUCCESS, ObjectType: User Session, ObjectName: Username - vtt2019

Then I looked in Events/Logs/Log Settings and looked for any logger that led to FilePath
/var/log/Avaya/mgmt/infra/infraOperationalLog.log or
/var/log/Avaya/mgmt/quantum/quantumAudit.log or
/var/log/Avaya/jboss/log/server.log

I noticed that the com.avaya.mgmt.infra.operational logger points to /var/log/Avaya/mgmt/infra/infraOperationalLog.log
I noticed that the com.avaya.mgmt.ucm.audit logger points to /var/log/Avaya/mgmt/quantum/quantumAudit.log

I clicked the edit button on com.avaya.mgmt.infra.operational, then I clicked Attach, then I selected SYSLOG from the drop down, then I clicked Commit, then I clicked the radio button next to SYSLOG and I clicked edit and I changed localhost to 1.1.1.1 and I clicked commit twice more. I repeated for the com.avaya.mgmt.ucm.audit logger.

Then I logged in and out as you and I got this in my pcap:
Code:
root >tshark -i eth0 host 1.1.1.1
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
  1 0.000000000 192.168.1.60 -> 1.1.1.1      Syslog 253 LOCAL7.INFO: 1 2020-01-22T10:34:51.099-05:00 - java 3528 com.avaya.mgmt.ucm.audit - \357\273\277LoginId: admin,  ClientHost: 100.125.78.90, Action: Delete, Result: SUCCESS, ObjectType: User Session, ObjectName: Username - admin.
  2 9.941619057 192.168.1.60 -> 1.1.1.1      Syslog 166 LOCAL7.ERR: 1 2020-01-22T10:35:01.052-05:00 - java 3528 com.avaya.mgmt.infra.operational - \357\273\277Entering :  enableCommandLineAccess()
  3 9.942481677 192.168.1.60 -> 1.1.1.1      Syslog 147 LOCAL7.ERR: 1 2020-01-22T10:35:01.053-05:00 - java 3528 com.avaya.mgmt.infra.operational - \357\273\277username : vtt2019
  4 14.228897980 192.168.1.60 -> 1.1.1.1      Syslog 257 LOCAL7.INFO: 1 2020-01-22T10:35:05.339-05:00 - java 3528 com.avaya.mgmt.ucm.audit - \357\273\277LoginId: vtt2019,  ClientHost: 100.125.78.90, Action: Delete, Result: SUCCESS, ObjectType: User Session, ObjectName: Username - vtt2019.

Code:
root >grep -r "vtt2019" /var/log/Avaya/
/var/log/Avaya/mgmt/infra/infraOperationalLog.log:<35>Jan 22 10:03:15 mysmgrpri.thelab.com INFRA[1234]: -05:00 2020 944 1 com.avaya.mgmt | 0 com.nortel.quantum.ssh.UserSshManager username : vtt2019
/var/log/Avaya/mgmt/infra/infraOperationalLog.log:<35>Jan 22 10:13:13 mysmgrpri.thelab.com INFRA[1234]: -05:00 2020 373 1 com.avaya.mgmt | 0 com.nortel.quantum.ssh.UserSshManager username : vtt2019
/var/log/Avaya/mgmt/quantum/quantumAudit.log:<110>Jan 22 09:59:53 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 529 1 com.avaya.mgmt | 1 com.avaya.mgmt.ucm RBAC_AUD_0013 LoginId: admin, ClientHost: mysmgrpri.thelab.com, Action: Create, Result: SUCCESS, ObjectType: RoleUserAssociation, ObjectName: Avaya Services Administrator(id=Avaya.20Services.20Administrator), User: vtt2019
/var/log/Avaya/mgmt/quantum/quantumAudit.log:<110>Jan 22 10:01:18 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 122 1 com.avaya.mgmt | 1 com.avaya.mgmt.ucm RBAC_AUD_0016 LoginId: admin, ClientHost: mysmgrpri.thelab.com, Action: Delete, Result: SUCCESS, ObjectType: RoleUserAssociation, ObjectName: Avaya Services Administrator(id=Avaya.20Services.20Administrator), User: vtt2019
/var/log/Avaya/mgmt/quantum/quantumAudit.log:<110>Jan 22 10:01:18 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 136 1 com.avaya.mgmt | 1 com.avaya.mgmt.ucm RBAC_AUD_0013 LoginId: admin, ClientHost: mysmgrpri.thelab.com, Action: Create, Result: SUCCESS, ObjectType: RoleUserAssociation, ObjectName: Avaya Services Administrator(id=Avaya.20Services.20Administrator), User: vtt2019
/var/log/Avaya/mgmt/quantum/quantumAudit.log:<110>Jan 22 10:01:18 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 145 1 com.avaya.mgmt | 1 com.avaya.mgmt.ucm RBAC_AUD_0013 LoginId: admin, ClientHost: mysmgrpri.thelab.com, Action: Create, Result: SUCCESS, ObjectType: RoleUserAssociation, ObjectName: System Administrator(id=System.20Administrator), User: vtt2019
/var/log/Avaya/mgmt/quantum/quantumAudit.log:<110>Jan 22 10:12:59 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 477 1 com.avaya.mgmt | 1 com.avaya.mgmt.ucm UCMLO_AUD_0001 LoginId: vtt2019,  ClientHost: 192.168.1.90, Action: Delete, Result: SUCCESS, ObjectType: User Session, ObjectName: Username - vtt2019.
/var/log/Avaya/mgmt/quantum/quantumAudit.log:<110>Jan 22 10:14:00 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 721 1 com.avaya.mgmt | 1 com.avaya.mgmt.ucm UCMLO_AUD_0001 LoginId: vtt2019,  ClientHost: 192.168.1.90, Action: Delete, Result: SUCCESS, ObjectType: User Session, ObjectName: Username - vtt2019.
/var/log/Avaya/mgmt/quantum/quantumSecurity.log:<38>Jan 22 10:02:59 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 189 1 com.avaya.mgmt | 1 com.avaya.mgmt.ucm UCMPD0001F SECURITY: : ipAddress:192.168.1.90 INFO : User vtt2019 password reset successfully.
/var/log/Avaya/mgmt/spiritlogs/spiritSecurityAppender.log:<38>Jan 22 10:02:59 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 189 1 com.avaya.mgmt | 2 com.avaya.mgmt.ucm UCMPD0001F "SECURITY: : ipAddress:192.168.1.90 INFO " "vtt2019"
/var/log/Avaya/mgmt/spiritlogs/spiritOperationalAppender.log:<35>Jan 22 10:03:15 mysmgrpri.thelab.com INFRA[1234]: -05:00 2020 944 1 com.avaya.mgmt | 0 com.nortel.quantum.ssh.UserSshManager username : vtt2019
/var/log/Avaya/mgmt/spiritlogs/spiritOperationalAppender.log:<35>Jan 22 10:13:13 mysmgrpri.thelab.com INFRA[1234]: -05:00 2020 372 1 com.avaya.mgmt | 0 com.nortel.quantum.ssh.UserSshManager username : vtt2019
/var/log/Avaya/mgmt/spiritlogs/spiritAuditAppender.log:<110>Jan 22 09:59:53 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 529 1 com.avaya.mgmt | 2 com.avaya.mgmt.ucm RBAC_AUD_0013 "admin" "mysmgrpri.thelab.com" "Avaya Services Administrator(id=Avaya.20Services.20Administrator)" "vtt2019"
/var/log/Avaya/mgmt/spiritlogs/spiritAuditAppender.log:<110>Jan 22 10:01:18 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 122 1 com.avaya.mgmt | 2 com.avaya.mgmt.ucm RBAC_AUD_0016 "admin" "mysmgrpri.thelab.com" "Avaya Services Administrator(id=Avaya.20Services.20Administrator)" "vtt2019"
/var/log/Avaya/mgmt/spiritlogs/spiritAuditAppender.log:<110>Jan 22 10:01:18 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 135 1 com.avaya.mgmt | 2 com.avaya.mgmt.ucm RBAC_AUD_0013 "admin" "mysmgrpri.thelab.com" "Avaya Services Administrator(id=Avaya.20Services.20Administrator)" "vtt2019"
/var/log/Avaya/mgmt/spiritlogs/spiritAuditAppender.log:<110>Jan 22 10:01:18 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 144 1 com.avaya.mgmt | 2 com.avaya.mgmt.ucm RBAC_AUD_0013 "admin" "mysmgrpri.thelab.com" "System Administrator(id=System.20Administrator)" "vtt2019"
/var/log/Avaya/mgmt/spiritlogs/spiritAuditAppender.log:<110>Jan 22 10:12:59 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 476 1 com.avaya.mgmt | 2 com.avaya.mgmt.ucm UCMLO_AUD_0001 "vtt2019" "192.168.1.90"
/var/log/Avaya/mgmt/spiritlogs/spiritAuditAppender.log:<110>Jan 22 10:14:00 mysmgrpri.thelab.com OpenJDK[3528@mysmgrpri.thelab.com]: -05:00 2020 721 1 com.avaya.mgmt | 2 com.avaya.mgmt.ucm UCMLO_AUD_0001 "vtt2019" "192.168.1.90"
/var/log/Avaya/jboss/log/quantum.log:2020-01-22 10:00:48,843 INFO  [com.nortel.ems.mgmt.quantum.securityAdminWeb.RoleInfoController] (default task-92) role name Avaya.20Services.20Administrator is assigned to vtt2019
/var/log/Avaya/jboss/log/quantum.log:2020-01-22 10:01:03,839 INFO  [com.nortel.ems.mgmt.quantum.securityAdminWeb.RoleInfoController] (default task-201) role name Avaya.20Services.20Administrator is assigned to vtt2019
/var/log/Avaya/jboss/log/quantum.log:2020-01-22 10:01:05,922 INFO  [com.nortel.ems.mgmt.quantum.securityAdminWeb.RoleInfoController] (default task-259) role name Avaya.20Services.20Administrator is assigned to vtt2019
/var/log/Avaya/jboss/log/quantum.log:2020-01-22 10:01:18,268 INFO  [com.nortel.ems.mgmt.quantum.securityAdminWeb.RoleInfoController] (default task-276) role name System.20Administrator is assigned to vtt2019
/var/log/Avaya/jboss/log/quantum.log:2020-01-22 10:01:18,268 INFO  [com.nortel.ems.mgmt.quantum.securityAdminWeb.RoleInfoController] (default task-276) role name Avaya.20Services.20Administrator is assigned to vtt2019
/var/log/Avaya/jboss/log/server.log:2020-01-22 10:03:15,855 INFO  [stdout] (default task-48) userid is vtt2019
/var/log/Avaya/jboss/log/server.log:2020-01-22 10:03:15,895 INFO  [stdout] (default task-126) userid is vtt2019
/var/log/Avaya/jboss/log/server.log:2020-01-22 10:13:13,373 INFO  [stdout] (default task-154) userid is vtt2019
/var/log/Avaya/jboss/log/server.log:2020-01-22 10:13:13,416 INFO  [stdout] (default task-190) userid is vtt2019
 
Thanks Kyle555!! Excellent method!! I can't believe how Avaya makes something so useful so hard to use.
For capturing LOGOUT events, "Logger = com.avaya.mgmt.ucm.audit" is perfect (one entry for each logout event in the Syslog Server). Unfortunately, for capturing LOGIN events (the most important for me), if I use "Logger = com.avaya.mgmt.infra.operational" I receive tens of confusing messages for LOGIN (not explicitly written) and other events for other processes. I used your command "grep -r "user1@domain.com" /var/log/Avaya/" but since I don't have root access for now I can't check all the files found (I am the default System Administrator by web).

Please, could you help me identify which would be the correct Logger based on the picture attached (a Login Success event), maybe typing grep -r "user1@domain.com, Login Success" or something like that?
 
 https://files.engineering.com/getfile.aspx?folder=22ea02fd-b1ad-4994-9510-5991c691f494&file=SMGR_LoginSuccessEvent.png
well, we have
Code:
/var/log/Avaya/mgmt/infra/infraOperationalLog.log:<35>Jan 22 10:13:13 mysmgrpri.thelab.com INFRA[1234]: -05:00 2020 373 1 com.avaya.mgmt | 0 com.nortel.quantum.ssh.UserSshManager username : vtt2019
and
Code:
/var/log/Avaya/mgmt/spiritlogs/spiritOperationalAppender.log:<35>Jan 22 10:13:13 mysmgrpri.thelab.com INFRA[1234]: -05:00 2020 372 1 com.avaya.mgmt | 0 com.nortel.quantum.ssh.UserSshManager username : vtt2019
and
Code:
/var/log/Avaya/jboss/log/server.log:2020-01-22 10:13:13,373 INFO  [stdout] (default task-154) userid is vtt2019
/var/log/Avaya/jboss/log/server.log:2020-01-22 10:13:13,416 INFO  [stdout] (default task-190) userid is vtt2019


All the logging facilities do is define the logging parameters for the various java apps that make up SMGR. You're not going to "just" send login information.

What do you have to receive it? Like, punt it to a Splunk and make an easy enough pattern match and just call that your login report? I'm no developer, so I do quick'n'dirty sed regexes to get csv that my buddy databases for me.
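The receiver-side pattern match suggested above, written out as an added example (not code from the thread or from Avaya): it parses the RFC 5424 payloads seen in the tshark capture earlier in this thread, routes on the logger name SMGR places in the MSGID slot, treats a "User Session" deletion from com.avaya.mgmt.ucm.audit as a logout, and flags the UserSshManager "username : X" line from com.avaya.mgmt.infra.operational as a login candidate only. That login heuristic is an assumption drawn from Kyle555's observation, not something the thread confirms, so the example marks such rows "login?" rather than "login".

```python
import csv
import io
import re

# Message payloads copied from the tshark capture in this thread (the part after the
# "Syslog <len> LOCAL7.<sev>:" column). SMGR prefixes the body with a UTF-8 BOM,
# which tshark prints as \357\273\277; here it is the real U+FEFF character.
SAMPLE_SYSLOG = [
    "1 2020-01-22T10:34:51.099-05:00 - java 3528 com.avaya.mgmt.ucm.audit - "
    "\ufeffLoginId: admin,  ClientHost: 100.125.78.90, Action: Delete, Result: SUCCESS, "
    "ObjectType: User Session, ObjectName: Username - admin.",
    "1 2020-01-22T10:35:01.052-05:00 - java 3528 com.avaya.mgmt.infra.operational - "
    "\ufeffEntering :  enableCommandLineAccess()",
    "1 2020-01-22T10:35:01.053-05:00 - java 3528 com.avaya.mgmt.infra.operational - "
    "\ufeffusername : vtt2019",
    "1 2020-01-22T10:35:05.339-05:00 - java 3528 com.avaya.mgmt.ucm.audit - "
    "\ufeffLoginId: vtt2019,  ClientHost: 100.125.78.90, Action: Delete, Result: SUCCESS, "
    "ObjectType: User Session, ObjectName: Username - vtt2019.",
]

# RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG.
# SMGR puts the logger name in the MSGID slot, which is what lets us route on it.
HEADER = re.compile(
    r"^(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<logger>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)
AUDIT_FIELDS = re.compile(r"LoginId: (?P<user>[^,]+),\s+ClientHost: (?P<host>[^,]+),")
SSH_USER = re.compile(r"^username : (?P<user>\S+)$")

def classify(line):
    """Return an event dict for a login/logout line, or None for anything else."""
    m = HEADER.match(line)
    if not m:
        return None
    msg = m.group("msg").lstrip("\ufeff")  # drop the BOM before matching
    logger = m.group("logger")
    if logger == "com.avaya.mgmt.ucm.audit":
        # Session deletion in the UCM audit logger is the logout record (UCMLO_AUD_0001 in
        # quantumAudit.log); other audit records from this logger (role changes) are skipped.
        if "Action: Delete" in msg and "ObjectType: User Session" in msg:
            a = AUDIT_FIELDS.search(msg)
            if a:
                return {"time": m.group("ts"), "event": "logout",
                        "user": a.group("user"), "client": a.group("host")}
    elif logger == "com.avaya.mgmt.infra.operational":
        # ASSUMPTION: the UserSshManager "username : X" line is only a login-correlated
        # marker observed in the thread, so it is reported as a candidate, not as proof.
        s = SSH_USER.match(msg)
        if s:
            return {"time": m.group("ts"), "event": "login?", "user": s.group("user"), "client": ""}
    return None

def events_to_csv(lines):
    """Filter syslog payloads down to login/logout rows and render them as CSV text."""
    rows = [e for e in map(classify, lines) if e]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["time", "event", "user", "client"])
    w.writeheader()
    w.writerows(rows)
    return rows, buf.getvalue()
```

Feed it the message payloads your syslog server stores (one per line) and the CSV it returns is the "login report" the post above describes; noise such as the enableCommandLineAccess() line is dropped rather than counted as a session event.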

 