Cisco Bug: CSCvs80140 - MSO GUI and API audit logs incomplete

Last Modified

Feb 20, 2020

Products (1)

  • Cisco Application Policy Infrastructure Controller (APIC)

Known Affected Releases

2.2(3i)

Description (partial)

Symptom:
MSO GUI Log - shows testport_1 was created but no port/protocol/... information
Jan 14, 2020 1:30:13 PM   Created Filter Filter testfilter_1 on Template
Jan 14, 2020 1:30:13 PM   Display Name on Filter testfilter_1 was set to testfilter_1
Jan 14, 2020 1:30:13 PM   FilterEntry testport_1 was added on Filter testfilter_1
API Output - filter and port listed but no detail included about the port numbers/protocol/...
    "user": {
      "userId": "XXXXXX",
      "username": "XXXXXX",
      "domainId": "XXXXXX",
      "domainName": "XXXXXX"
    },
    "timestamp": "2020-01-14T02:30:13"
  },
  {
    "id": "XXXXXX",
    "type": "filter",
    "key": "/schemas/XXXXXX/templates/XXXXXX/filters/testfilter_1",
    "name": "testfilter_1",
    "event": "created",
    "container": {
      "type": "template",
      "key": "/schemas/XXXXXX/templates/XXXXXX",
      "name": "XXXXXX"
    },
    "user": {
      "userId": "XXXXXX",
      "username": "XXXXXX",
      "domainId": "XXXXXX",
      "domainName": "XXXXXX"
    },
    "timestamp": "2020-01-14T02:30:13"
  },
  {
    "id": "XXXXXX",
    "type": "attribute",
    "key": "/schemas/XXXXXX/templates/XXXXXX/filters/testfilter_1/displayName",
    "event": "created",
    "container": {
      "type": "filter",
      "key": "/schemas/XXXXXX/templates/XXXXXX/filters/testfilter_1",
      "name": "testfilter_1"
    },
    "newValue": "testfilter_1",
    "user": {
      "userId": "XXXXXX",
      "username": "XXXXXX",
      "domainId": "XXXXXX",
      "domainName": "XXXXXX"
    },
    "timestamp": "2020-01-14T02:30:13"
  },
  {
    "id": "XXXXXX",
    "type": "attribute",
    "key": "/schemas/XXXXXX/templates/XXXXXX/filters/testfilter_1/filterEntry",
    "event": "added",
    "container": {
      "type": "filter",
      "key": "/schemas/XXXXXX/templates/XXXXXX/filters/testfilter_1",
      "name": "testfilter_1"
    },
    "newValue": "testport_1",
    "user": {
      "userId": "XXXXXX",
      "username": "XXXXXX",
      "domainId": "XXXXXX",
      "domainName": "XXXXXX"
    },
    "timestamp": "2020-01-14T02:30:13"
  }
File system application log - interestingly, the testport_1 detail is contained in a separate log entry.
Note it is not associated with a username or the filter it was created under (other than the separate
filter log entry)?
2020-01-14T02:30:13+00:00 containerlog {"time":"2020-01-14T02:30:13.204218676Z", "event":"2020-01-14 02:30:13,201 [\u001B[37minfo\u001B[0m] audit.service.AuditService - AUDIT_LOG:{\"id\":\"XXXXXX\", \"type\":\"attribute\", \"key\":\"/schemas/XXXXXX/templates/XXXXXX/filters/testfilter_1/filterEntry\", \"name\":\"\", \"event\":\"added\", \"container_type\":\"filter\", \"container_key\":\"/schemas/XXXXXX/templates/XXXXXX/filters/testfilter_1\", \"container_name\":\"testfilter_1\", \"container_context_type\":\"\", \"container_context_key\":\"\", \"container_context_name\":\"\", \"oldValue\":\"\", \"newValue\":\"testport_1\", \"userId\":\"XXXXXX\", \"username\":\"XXXXXX\", \"firstName\":\"\", \"lastName\":\"\", \"domainId\":\"XXXXXX\", \"domainName\":\"XXXXXX\", \"timestamp\":\"2020-01-14T02:30:13\"}\n", "hostname":"XXXXXX"}
2020-01-14T02:30:15+00:00 containerlog {"time":"2020-01-14T02:30:15.298011788Z", "event":" <vzEntry name=\"testport_1\" descr=\"\" prot=\"tcp\" etherT=\"ipv4\" arpOpc=\"unspecified\" stateful=\"no\" applyToFrag=\"no\" sFromPort=\"unspecified\" sToPort=\"unspecified\" dFromPort=\"11111\" dToPort=\"11111\" tcpRules=\"unspecified\" annotation=\"orchestrator:msc\"> </vzEntry>\n", "hostname":"XXXXXX"}
2020-01-14T02:30:15+00:00 containerlog {"time":"2020-01-14T02:30:15.32688114Z", "event":" <vzEntry name=\"testport_1\" descr=\"\" prot=\"tcp\" etherT=\"ipv4\" arpOpc=\"unspecified\" stateful=\"no\" applyToFrag=\"no\" sFromPort=\"unspecified\" sToPort=\"unspecified\" dFromPort=\"11111\" dToPort=\"11111\" tcpRules=\"unspecified\" annotation=\"orchestrator:msc\"> </vzEntry>\n", "hostname":"XXXXXX"}
Splunk - shows the same thing, of course - that is, a separate log entry for the port and its detail but without
the associated user or parent object. We can reconcile these objects, but should we really have to hunt for this
information or should it be provided to us?
{
  event: <vzEntry name="testport_1" descr="" prot="tcp" etherT="ipv4" arpOpc="unspecified" stateful="no" applyToFrag="no" sFromPort="unspecified" sToPort="unspecified" dFromPort="11111" dToPort="11111" tcpRules="unspecified" annotation="orchestrator:msc"> </vzEntry>
  hostname: XXXXXX
  time: 2020-01-14T02:30:15.32688114Z
}
host = msc-logging-service   source = containerlog   sourcetype = json

{
  event: <vzEntry name="testport_1" descr="" prot="tcp" etherT="ipv4" arpOpc="unspecified" stateful="no" applyToFrag="no" sFromPort="unspecified" sToPort="unspecified" dFromPort="11111" dToPort="11111" tcpRules="unspecified" annotation="orchestrator:msc"> </vzEntry>
  hostname: XXXXXX
  time: 2020-01-14T02:30:15.298011788Z
}
host = msc-logging-service   source = containerlog   sourcetype = json

{
  event: 2020-01-14 02:30:13,201 [•[37minfo•[0m] audit.service.AuditService - AUDIT_LOG:{"id":"XXXXXX", "type":"attribute", "key":"/schemas/XXXXXX/templates/XXXXXX/filters/testfilter_1/filterEntry", "name":"", "event":"added", "container_type":"filter", "container_key":"/schemas/XXXXXX/templates/XXXXXX/filters/testfilter_1", "container_name":"testfilter_1", "container_context_type":"", "container_context_key":"", "container_context_name":"", "oldValue":"", "newValue":"testport_1", "userId":"XXXXXX", "username":"XXXXXX", "firstName":"", "lastName":"", "domainId":"XXXXXX", "domainName":"XXXXXX", "timestamp":"2020-01-14T02:30:13"}
  hostname: XXXXXX
  time: 2020-01-14T02:30:13.204218676Z
}
host = msc-logging-service   source = containerlog   sourcetype = json

Conditions:
For example: when you create a filter, the protocol/port/... information is not included in either the GUI log or the API audit log.
However, this information "is" contained in the operating system application log file (/opt/cisco/msc/fluentd/log/...), and it is forwarded to the Splunk server.
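
The reconciliation described above can be scripted on the log consumer side. The following is an added example, not Cisco code: it joins each filterEntry AUDIT_LOG record (user and parent filter) to the separate vzEntry record (protocol and ports) by entry name and time proximity. The sample lines, the usernames alice and bob, the S1/T1 identifiers and the 10-second window are constructed assumptions.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

def _line(ts, event):
    # Build one constructed line in the "<ts> containerlog {json}" shape shown above.
    return f"{ts[:19]}+00:00 containerlog " + json.dumps(
        {"time": ts, "event": event, "hostname": "XXXXXX"})

def _audit(entry, user):
    # Constructed AUDIT_LOG payload using field names from the log excerpt above.
    key = "/schemas/S1/templates/T1/filters/testfilter_1"
    return "2020-01-14 02:30:13,201 [info] audit.service.AuditService - AUDIT_LOG:" + json.dumps(
        {"type": "attribute", "key": key + "/filterEntry", "event": "added",
         "container_type": "filter", "container_key": key, "container_name": "testfilter_1",
         "newValue": entry, "username": user, "timestamp": "2020-01-14T02:30:13"}) + "\n"

VZ = (' <vzEntry name="testport_1" prot="tcp" etherT="ipv4" dFromPort="11111" '
      'dToPort="11111" annotation="orchestrator:msc"> </vzEntry>\n')
SAMPLE = [  # constructed sample, not real log data
    _line("2020-01-14T02:30:13.204218676Z", _audit("testport_1", "alice")),
    _line("2020-01-14T02:30:15.298011788Z", VZ),
    _line("2020-01-14T02:30:15.32688114Z", VZ),  # duplicate detail record, as in the excerpt
    _line("2020-01-14T02:30:13.204218676Z", _audit("testport_2", "bob")),  # no detail logged
]

def _ts(s):
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S")  # second precision is enough here

def reconcile(lines, window=timedelta(seconds=10)):
    """Join filterEntry audit events to vzEntry detail by entry name and time proximity."""
    audits, details = [], []
    for rec in (json.loads(l[l.index("{"):]) for l in lines):
        ev = rec["event"]
        if "AUDIT_LOG:" in ev:
            a = json.loads(ev.split("AUDIT_LOG:", 1)[1])
            if a.get("key", "").endswith("/filterEntry"):
                audits.append((_ts(rec["time"]), a))
        elif "<vzEntry" in ev:
            details.append((_ts(rec["time"]), ET.fromstring(ev.strip()).attrib))
    out = []
    for t, a in audits:
        # vzEntry records carry no user or parent filter, so match on name and time only.
        d = next((x for dt, x in details if x.get("name") == a["newValue"]
                  and timedelta(0) <= dt - t <= window), {})
        out.append({"user": a["username"], "filter": a["container_name"],
                    "entry": a["newValue"], "prot": d.get("prot"),
                    "dFromPort": d.get("dFromPort"), "dToPort": d.get("dToPort"),
                    "detail_found": bool(d)})
    return out
```

Matching on entry name plus a time window is a heuristic: two filters that receive an identically named entry within the window cannot be told apart from these logs alone, and rows with `detail_found` set to False are audit events whose port/protocol detail never arrived.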