Search Engine: Elastic

Article ID: 116795, created on Aug 16, 2013, last review on May 1, 2016

  • Applies to:
  • Operations Automation 5.4
  • Plesk Automation 11.5

Symptoms

As a Provider, I want to find out who removed a mailbox or another object in the Odin Service Automtion (OSA) Provider or Customer Control Panel.

Resolution

  1. Find the task that removed the object in OSA Task Manager. Use any information you have about the removed object to find the necessary task - object ID, object name, subscription ID, etc.

    For example, the task that removed a mailbox may look like this:

    38095   Remove mailbox 'John.Doe' (id=5633)     Aug-06-2013 03:52:26    Aug-06-2013 03:52:26    DomainService00128380   1012278 Successful
    

    Remember the ID of the task you have found (it is 38095 in the example above).

  2. In the OSA debug log, poa.debug.log find the moment when the task was inserted in the POA database using the task name. For the above-mentioned task, for example, the log entry may be as follows:

    Aug  6 03:52:25 poacore : DBG [1:7796:1418:22 1:7388:1274 Kernel]: STMT [Con: 123, 0A382298 txn:222717] ' INSERT INTO tm_tasks (name, description, location, method, next_start, status, timeout, subscription_id, parent_task_id) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ? )'($0 = 'Remove mailbox 'John.Doe' (id=5633)', $1 = 'Remove mailbox 'John.Doe' (id=5633)', $2 = 'OBJREF:Exchange:0:getMailBox:5633', $3 = 'removeHandler', $4 = '2013-08-06 03:52:25.000000',$5 = 'u', $6 = 3600, $7 = 1012278, $8 = 0)
    
  3. The log entry contains transaction ID - txn:222717 which means the transaction ID is 222717.

  4. Search above in the log for the following pattern:

    Beginning transaction '**TRANSACTION_ID**'
    

    Replace 'TRANSACTION_ID' with the transaction ID found in the previous step.

    The log entry will look like this:

    Aug  6 03:52:25 poacore : DBG [1:7796:1418:22 1:7388:1b50 Kernel]: [Plesk::DB::TransactionManager::getTransaction] ########### Beginning transaction '222717'#######
    
  5. Checking the lines higher up in the log, you will see what initiated the transaction:

    If you see something like this:

    Mar 30 03:10:04 osscore : INF [openapi-firewall:b33ffbb0 1:5400:b33ffbb0 OpenAPI]: [OpenAPI::Firewall::grant] Allowed call to Open API from trusted location (11.12.13.14).
    Mar 30 03:10:04 osscore : INF [openapi:11.12.13.14:81581 1:5400:b3e1dbb0 OpenAPI]: ==>>> Executing OpenAPI method 'pem.unbindServicesFromDomain' with parameters: [{ 'domain_id' => 123123, 'subscription_id' => 11111, } ]
    

    this means that the transaction that removed the object was initiated by an API request (pem.unbindServicesFromDomain in this particular example, but it can be a different API call). In this example, 11.12.13.14 is the IP address from which the API request was initiated. If this IP address belongs to an Odin Business Automation (OBA) server, you should further check the subscription service status history and PEMGATE.log in OBA to understand why the operation was initiatied.

    If you see something like this:

    Aug  6 03:52:25 poacore : DBG [1:7796:1418:22 1:7796:1418 lib]: CORBA_POAUI:3674cb49a92bfcad4e13b3d05294aba6 <1> IDL:Plesk/Exchange/MailBox_private:1.0::remove
    Aug  6 03:52:25 poacore : DBG [1:7796:1418:22 1:7796:1418 Exchange]: [Plesk::Exchange::MailBoxImpl::remove] ===> ENTRY
    

    this means the request was initiated from the UI (control panel). CORBA_POAUI:3674cb49a92bfcad4e13b3d05294aba6 in the log entry above means the transaction was initiated by a request from UI, from a user logged in with session ID 3674cb49a92bfcad4e13b3d05294aba6.

  6. Open the OSA UI server debug log poa-ui.log on the UI server for the required time frame and search for the following pattern:

    Storing new session in cache:SESSION_ID

    Replace SESSION_ID in the pattern above with the OSA UI session ID found in the previous step. Look at the entries in the log below the found line.

    The required entries in the UI server log may look like these:

    2013-08-06 03:46:08,356            ssor3 DEBUG  SecurityManager      Storing new session in cache:3674cb49a92bfcad4e13b3d05294aba6
    2013-08-06 03:46:08,356            ssor3 DEBUG  PLoginHandler        User authenticated:customeradmin
    2013-08-06 03:46:08,356            ssor3 DEBUG  CORBA                #1094452: com.parallels.psa._AccountStub.getAccountMember(undefined) >>> entry
    2013-08-06 03:46:08,356            ssor3 DEBUG  CORBA                #1094452: com.parallels.psa._AccountStub.getAccountMember(undefined) <<< exit [0]
    2013-08-06 03:46:08,356            ssor3 DEBUG  PLoginHandler        User logged in. sid:3674cb49a92bfcad4e13b3d05294aba6
    2013-08-06 03:46:08,356            ssor3 DEBUG  WindowSessionFactory Create session:3674cb49a92bfcad4e13b3d05294aba6
    

    The required entry in the log is the following one - it contains the login of the user (customeradmin) who initiated the action in the Control Panel and a timestamp:

    2013-08-06 03:46:08,356            ssor3 DEBUG  PLoginHandler        User authenticated:**customeradmin**
    

    You may find the IP address the user came from in the OSA Provider Control Panel at System Director > Audit Manager > Login History > Users.

5356b422f65bdad1c3e9edca5d74a1ae caea8340e2d186a540518d08602aa065 ac82ce33439a9c1feec4ff4f2f638899 2554725ed606193dd9bbce21365bed4e e12cea1d47a3125d335d68e6d4e15e07 33a70544d00d562bbc5b17762c4ed2b3 e0aff7830fa22f92062ee4db78133079

Email subscription for changes to this article
Save as PDF