Discussion:
Tracing websphere console login
i***@alessandrobarel.net
2008-04-29 10:07:50 UTC
Hi all,

I am new to the WebSphere world and I have a question.

In my WebSphere (version 6) console there are 3 users:

1-Administrator
2-Operator
3-Guest

I need to know which user is logged in at any time but I'm not able to find anything in the log trace.

How can I find this info?

Is this possible with a jacl script?

Thanks
Ben_
2008-04-29 12:28:30 UTC
AFAIK, only login failures are logged.

Changes are also logged, so you can see if someone recently modified
something.

There is a page in the console showing the users currently logged in (the
page where you grant access to individual users), but it's only useful when
you grant permissions user per user and this is far less convenient than
granting permissions to a group.
i***@alessandrobarel.net
2008-04-29 14:44:05 UTC
I've just noticed that failures and modified items are logged... anything else?

Maybe with jacl?

I have to know who is logged into the console without using the console.
Ben_
2008-04-29 15:06:56 UTC
Not that I know of. Maybe other people in this forum. You could also place a
call to IBM Support if you are entitled to support.
Infyniti
2008-04-29 15:41:06 UTC
With jacl, only the modified items are logged.

If the user does not have proper OS privileges, he cannot invoke wsadmin.

You can prevent users from logging on to wsadmin by changing the group and file ownership.

Hope this helps.

Thanks

Anant
i***@alessandrobarel.net
2008-04-30 09:14:55 UTC
Thanks for all the info.

The problem is that I don't want to prevent users from logging in, I only have to know who is in.

Can you possibly explain how I can test a login via jacl script?

I think that simultaneous logins are not possible, so if I try to log in via script I think I will get a particular output if anybody else is using that account in the console.

Thank you very much.
Ben_
2008-04-30 09:21:31 UTC
Why do you care to know who is logged in?

Maybe there is another solution to your problem.
i***@alessandrobarel.net
2008-04-30 09:34:45 UTC
Lots of people have the possibility to access using the administrative account (even if for their job activity they can use the monitor user) and my boss wants to know who they are.

I have to know who is logged in because it's impossible to change the user's pwd.
Ben_
2008-04-30 10:02:24 UTC
Post by i***@alessandrobarel.net
Lots of people have the possibility to access using the administrative
account (even if for their job activity they can use the monitor user) and
my boss wants to know who they are.
I have to know who is logged in because it's impossible to change the user's pwd.
That's fairly different from what you depicted so far.

The administrative account is one account.

So, when you wanted to know who logged in, all you'd get is that the
administrative account is logged in. You still don't know the name of the
person.

The easiest way is to change the password and manage complaints.

Never used it, but there is a way to activate a log similar to the
access.log of IHS/Apache (Application Server > Web container transport
chains > Web container > Custom Properties > HTTP error and NCSA access
logging). The NCSA log format has a field with the user name and the IP
address. This should help you point to the bad guys.
i***@alessandrobarel.net
2008-04-30 12:07:13 UTC
To locate the person who is logged in I've just written a script that analyzes the port of the administrative console. The problem is that if that person simply leaves the connection open (without doing anything) the port is not in ESTABLISHED status but in LISTEN status and so I can't know who is in.

With the method you've just suggested the problem is solved; in fact I'll analyze the port (tracing the IP) only if in the log trace there is the expected field.

Why is this method not to be used?

Thank you very much.
i***@alessandrobarel.net
2008-04-30 12:37:48 UTC
Transport Chain ) but I've only seen WCInboundAdmin, WCInboundAdminSecure, WCInboundDefault and WCInboundDefaultSecure;

I'm doing something wrong....
i***@alessandrobarel.net
2008-04-30 14:15:24 UTC
I'm going to study the functionality you have described and I found it at the path Application servers > server-name > HTTP error and NCSA access logging.

Actual configuration:

no check for Enable service at server startup

NCSA Access log:
x Enable access logging
NCSA access log format = common

Error log:
x Enable error logging
Error log level = warning

The log files http_access.log and http_error.log are empty.

Do I have to check the *Enable service at server startup*?

Are the other parameters OK?

Thanks
Ben_
2008-04-30 14:18:07 UTC
Post by i***@alessandrobarel.net
Do I have to check the *Enable service at server startup*?
Yes, better check it if you want it to start... :-)
Post by i***@alessandrobarel.net
Are the other parameters OK?
Yes, I'd go with the defaults to start with.
i***@alessandrobarel.net
2008-04-30 14:31:01 UTC
Do I have to enable that functionality on all the 82 Application servers of the cell?
i***@alessandrobarel.net
2008-04-30 15:15:10 UTC
It doesn't seem to work properly, http_error.log and http_access.log are empty...

I also tried to change the log severity but without any kind of result.

Ideas?
Ben_
2008-04-30 16:44:02 UTC
Yes, you're getting empty files, until you know you need to check the option
in two places...

See instructions in
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg1PK24036 and in the
InfoCenter
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.express.doc/info/exp/ae/utrb_httperrlogs.html.

Now, this was the "easy" part... :-)

It's getting tricky because you need to activate it on the Dmgr Application
Server.

However, IBM purposely made it not visible in the Administrative Console, so
you don't mess with it.

But you still can via scripting... :-)

Here is a wsadmin script to do it.

There is a dirty hack because I couldn't figure out better.
# Locate the deployment manager server and its HTTP access logging service
set dmgrid [$AdminConfig getid /Server:dmgr/]
set dmgr [$AdminConfig list Server $dmgrid]
set http [$AdminConfig list HTTPAccessLoggingService $dmgr]
# Switch the service on and echo the resulting configuration
$AdminConfig modify $http {{enable true}}
puts [$AdminConfig show $http]
# Dirty because it assumes the first HTTP_2 in the list is the dmgr's
set http_2 [lindex [$AdminConfig getid /TransportChannel:HTTP_2/] 0]
$AdminConfig show $http_2
# Enable logging on the HTTP channel of the admin transport chain
$AdminConfig modify $http_2 {{enableLogging true}}
puts ""
puts [$AdminConfig show $http_2]
# Persist the change to the master repository (a dmgr restart is still needed)
$AdminConfig save

It will output the configuration so you can verify it's enabled ("enable
true" and "enableLogging true"):

C:\WebSphere\AppServer\profiles\Dmgr01\bin>wsadmin -f "C:\temp\HTTP-NCSA log.jacl"
WASX7209I: Connected to process "dmgr" on node CellManager01 using SOAP connector; The type of process is: DeploymentManager
{accessLog (cells/Cell01/nodes/CellManager01/servers/dmgr|server.xml#LogFile_2)}
{accessLogFormat COMMON}
{context dmgr(cells/Cell01/nodes/CellManager01/servers/dmgr|server.xml#Server_1)}
{enable true}
{enableAccessLogging true}
{enableErrorLogging true}
{errorLog (cells/Cell01/nodes/CellManager01/servers/dmgr|server.xml#LogFile_1)}
{errorLogLevel WARNING}
{properties {}}

{discriminationWeight 10}
{enableLogging true}
{keepAlive true}
{maximumPersistentRequests 100}
{name HTTP_2}
{persistentTimeout 30}
{properties {}}
{readTimeout 60}
{writeTimeout 60}

Now after all this effort (and a restart of dmgr), you get an
http_access.log with what people have accessed as pages in the
Administrative Console.

The pity is that the user id is not logged. This is because form-based
authentication is used and the user field in the NCSA log is for the HTTP
basic authentication user info.

Still better than nothing:
127.0.0.1 - - [30/Apr/2008:18:24:02 +0200] "GET /ibm/console HTTP/1.1" 302 5
127.0.0.1 - - [30/Apr/2008:18:24:06 +0200] "GET /ibm/console/ HTTP/1.1" 302 1002
127.0.0.1 - - [30/Apr/2008:18:24:17 +0200] "GET /ibm/console/login.do?action=secure HTTP/1.1" 200 1199
127.0.0.1 - - [30/Apr/2008:18:24:17 +0200] "GET /ibm/console/css/ISCTheme/ie/en/Styles.css HTTP/1.1" 304 0
127.0.0.1 - - [30/Apr/2008:18:24:17 +0200] "GET /ibm/console/secure/isclite/tiles/bannerframe.jsp HTTP/1.1" 200 2254
127.0.0.1 - - [30/Apr/2008:18:24:18 +0200] "GET /ibm/console/images/iscbannerLeft-.gif HTTP/1.1" 304 0
127.0.0.1 - - [30/Apr/2008:18:24:18 +0200] "GET /ibm/console/images/toolbar_separator.gif HTTP/1.1" 304 0
127.0.0.1 - - [30/Apr/2008:18:24:18 +0200] "GET /ibm/console/images/iscbanner-mosaic.gif HTTP/1.1" 304 0
127.0.0.1 - - [30/Apr/2008:18:24:18 +0200] "GET /ibm/console/nsc.do HTTP/1.1" 200 46124
127.0.0.1 - - [30/Apr/2008:18:24:18 +0200] "GET /ibm/console/images/isclite/dot.gif HTTP/1.1" 304 0
127.0.0.1 - - [30/Apr/2008:18:24:18 +0200] "GET /ibm/console/images/title_maximize.gif HTTP/1.1" 304 0
127.0.0.1 - - [30/Apr/2008:18:24:18 +0200] "GET /ibm/console/images/isclite/grpfilter_background.gif HTTP/1.1" 304 0
127.0.0.1 - - [30/Apr/2008:18:24:18 +0200] "GET /ibm/console/navigation.do?wpageid=com.ibm.isclite.welcomeportlet.layoutElement.A&moduleRef=com.ibm.isclite.ISCAdminPortlet HTTP/1.1" 200 11018

Now you know the IP address of the people accessing the Administrative
Console.

HTH.
i***@alessandrobarel.net
2008-05-05 08:32:14 UTC
Do you mean that in the log trace I can find all the "used" pages but I can't see the user who is "using" them?
Ben_
2008-05-05 09:28:25 UTC
Post by i***@alessandrobarel.net
Do you mean that in the log trace I can find all the "used" pages but I
can't see the user who is "using" them?
You can see the IP address of the user but not the username he specified to
login:
127.0.0.1 - - [30/Apr/2008:18:24:02 +0200] "GET /ibm/console HTTP/1.1" 302 5

One of the two dashes between IP address and date is reserved for the
username, but it's not filled in when form-based authentication is used.

If you're in an environment where you can reliably associate IP address of a
workstation with a person, then you can identify the person.
i***@alessandrobarel.net
2008-05-05 12:14:57 UTC
Unfortunately this is not useful to me because I have to notify only when the console has been accessed by the administrator account.

Do you know how I could see that information?

Is it possible to see that info?
i***@alessandrobarel.net
2008-05-05 14:37:18 UTC
Change Log Detail Levels) changing it from info to all I can see who is logged in.

I can't configure all to the max log level, I specifically have to know the class to configure.

Could you help me?
Ben_
2008-05-05 14:57:10 UTC
Post by i***@alessandrobarel.net
Change Log Detail Levels) changing it from info to all I can see who is logged in.
Good, I was going to propose you tested this... :-)
Post by i***@alessandrobarel.net
I can't configure all to the max log level, I have specifically to know
the class to configure.
Could you help me?
Well, not directly.

If I had to do it, I'd go no better than trial & error, and search the
InfoCenter.

Can't you guess something from the log entries to correlate with a Component
or Group name in the console ?
i***@alessandrobarel.net
2008-05-06 08:41:03 UTC
I've just found that I have to modify the log detail level enabling com.ibm.ISecurityUtilityImpl.StateofCurrObj=finest.

I tested other methods but they don't work.

Now the problem is to correctly parse the log; in fact there is no "login" word but only a generic description like the following:

5/6/08 10:22:02:508 CEST 00000070 StateofCurrOb 3 setWSReceivedCreds() null subject
5/6/08 10:22:02:508 CEST 00000070 StateofCurrOb 3 setWSOwnCred() null subject
5/6/08 10:22:02:508 CEST 00000070 StateofCurrOb 3 setWSInvocationCred() null subject
5/6/08 10:22:02:580 CEST 00000070 StateofCurrOb 3 secConfig has been initialized.
5/6/08 10:22:02:580 CEST 00000070 StateofCurrOb 3 setInvocationSubject() principal "cowb9bdbc1-tam.hbl.local:389/operator"
5/6/08 10:22:02:580 CEST 00000070 StateofCurrOb 3 setCallerSubject() principal "cowb9bdbc1-tam.hbl.local:389/operator"

Any other ideas?

Thank you!
Ben_
2008-05-06 19:30:12 UTC
Isn't "operator" in "cowb9bdbc1-tam.hbl.local:389/operator" the name of user
account used to log in ??
i***@alessandrobarel.net
2008-05-08 07:37:55 UTC
Yes it is.

I've just finished a script to parse the log.

Thank you very much for your help.
S***@gmail.com
2008-05-16 14:43:46 UTC
Post by i***@alessandrobarel.net
Yes it is.
I've just finished a script to parse the log.
Thank you very much for your help.
Dear Alessandro,
I am facing the same problem. I need to know who logged in and who
failed to login (username + date).
Can you tell me how you made WebSphere write such events to the log?
I didn't understand clearly, did you use wsadmin.sh to configure the
output or did you just enable logging through the admin console?

Please, help me.
S***@gmail.com
2008-05-16 15:05:32 UTC
Post by i***@alessandrobarel.net
I've just found that I have to modify the log detail level enabling com.ibm.ISecurityUtilityImpl.StateofCurrObj=finest.
Thank you very much for your help.
How did you avoid multiple actions of the same user?
For example, a user entered the admin console and started to surf there.
You get hundreds of messages about his movements.
How do you detect that the same user left the admin console and then
came back after a few hours?
I have to parse it dynamically. I have to log login event of the user
immediately to the special security monitoring table of application
database.

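As an added example (not code from this thread), a small Python parser for the StateofCurrObj trace lines quoted above that turns the per-request principal lines into login events, which covers both the parsing question and the later one about a user leaving and coming back: a principal is reported once, and again only after an idle gap. The sample lines, the 30-minute idle window and the function names are assumptions constructed here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the trace format quoted in the thread (not real log data).
SAMPLE = """\
5/6/08 10:22:02:508 CEST 00000070 StateofCurrOb 3 setWSReceivedCreds() null subject
5/6/08 10:22:02:580 CEST 00000070 StateofCurrOb 3 setInvocationSubject() principal "cowb9bdbc1-tam.hbl.local:389/operator"
5/6/08 10:22:02:580 CEST 00000070 StateofCurrOb 3 setCallerSubject() principal "cowb9bdbc1-tam.hbl.local:389/operator"
5/6/08 10:22:05:011 CEST 00000071 StateofCurrOb 3 setCallerSubject() principal "cowb9bdbc1-tam.hbl.local:389/operator"
5/6/08 10:23:10:200 CEST 00000072 StateofCurrOb 3 setCallerSubject() principal "cowb9bdbc1-tam.hbl.local:389/administrator"
5/6/08 12:40:00:000 CEST 00000070 StateofCurrOb 3 setCallerSubject() principal "cowb9bdbc1-tam.hbl.local:389/operator"
"""

# Only setCallerSubject() is used as the marker; the other StateofCurrOb lines are noise.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}):(?P<ms>\d{3}) '
    r'\S+ (?P<thread>[0-9a-fA-F]{8}) StateofCurrOb \d+ '
    r'setCallerSubject\(\) principal "(?P<principal>[^"]+)"$')

def parse_line(line):
    """Return (timestamp, registry, user) for a setCallerSubject line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
    ts += timedelta(milliseconds=int(m["ms"]))
    # The principal is "<registry host:port>/<user>", e.g. "host:389/operator".
    registry, _, user = m["principal"].rpartition("/")
    return ts, registry, user

def login_events(text, idle=timedelta(minutes=30)):
    """Collapse one-line-per-request principal traces into login events.

    A user seen for the first time, or again after more than `idle` of silence,
    counts as a new login (30 minutes is an assumption; match the console timeout).
    """
    last_seen, events = {}, []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, registry, user = parsed
        prev = last_seen.get(user)
        if prev is None or ts - prev > idle:
            events.append({"time": ts, "user": user, "registry": registry})
        last_seen[user] = ts
    return events

def logins_for(text, account, idle=timedelta(minutes=30)):
    """Login events for a single account, e.g. only the administrator."""
    return [e for e in login_events(text, idle) if e["user"] == account]
```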
Infyniti
2008-04-30 14:59:15 UTC
As Ben mentioned, it's impossible to track the actual user who logged in.

If you want to track the users who are logging in using wsadmin.sh, I would suggest:

1) Change the admin password.
2) Incorporate some kind of logging when wsadmin.sh is invoked. This can be done either by a wrapper script or by modifying the actual wsadmin.sh.

Guest wrote:

Lots of people have the possibility to access using the administrative
account (even if for their job activity they can use the monitor user) and
my boss wants to know who they are.

I have to know who is logged in because it's impossible to change the
user's pwd. HTTP error and NCSA access
logging). The NCSA log format has a field with the user name and the IP
address. This should help you point to the bad guys.
i***@alessandrobarel.net
2008-04-30 15:18:03 UTC
I can't change the admin password....unfortunately.

What about modifying the actual wsadmin.sh? Any advice?



Thank you very much!
Ken Hygh
2008-04-30 16:53:12 UTC
Post by i***@alessandrobarel.net
I can't change the admin password....unfortunately.
What about modifying the actual wsadmin.sh? Any advice?
Thank you very much!
Don't.

Do not.

Besides, in your wide-open environment, anyone could just change it back.

Ken