audit searches fail
Hi there,
I have inherited two Piler systems, and I am having issues in one of them. On one system, I am able to do auditor searches with no issue. However, on my second system, any audit search I do returns the following error:
Empty search result. Try adding the wildcard character() after a word snippet, eg. duplic to find "duplicate", "duplicated", etc.
I have not been able to find much information about what might be happening here, and I don't have much Linux experience.
Comments (13)
-
repo owner -
reporter There was not even a line for that setting. I added it to the site that was not working, but the problem still exists.
-
repo owner When you do some actions, then an sql entry should be created in the table audit. I'd like you to check this table:
select * from audit limit 10;
-
reporter
mysql> select * from audit limit 10;
+----+------------+-----------------------------------+-----------------------+--------+-------------+---------+------------------------------------+-------+
| id | ts         | email                             | domain                | action | ipaddr      | meta_id | description                        | vcode |
+----+------------+-----------------------------------+-----------------------+--------+-------------+---------+------------------------------------+-------+
|  1 | 1378929120 | admin@local                       | local                 |      3 | 10.3.40.100 |       0 | failed auth against user table     | NULL  |
|  2 | 1378929128 | admin@local                       | local                 |      2 | 10.3.40.100 |       0 | successful auth against user table | NULL  |
|  3 | 1378931245 | admin@local                       | local                 |      4 | 10.3.40.100 |       0 |                                    | NULL  |
|  4 | 1378931251 | mbrzozowski@selectquotesenior.com | selectquotesenior.com |      2 | 10.3.40.100 |       0 | successful auth against user table | NULL  |
|  5 | 1378931417 | mbrzozowski@selectquotesenior.com | selectquotesenior.com |      4 | 10.3.40.100 |       0 |                                    | NULL  |
|  6 | 1378931423 | admin@local                       | local                 |      2 | 10.3.40.100 |       0 | successful auth against user table | NULL  |
|  7 | 1378931463 | admin@local                       | local                 |      4 | 10.3.40.100 |       0 |                                    | NULL  |
|  8 | 1378931469 | auditor@local                     | local                 |      2 | 10.3.40.100 |       0 | successful auth against user table | NULL  |
|  9 | 1378931473 | auditor@local                     | local                 |     10 | 10.3.40.100 |       0 | any= test&sort=1&order=date        | NULL  |
| 10 | 1378931474 | auditor@local                     | local                 |      5 | 10.3.40.100 |       1 |                                    | NULL  |
+----+------------+-----------------------------------+-----------------------+--------+-------------+---------+------------------------------------+-------+
10 rows in set (0.00 sec)
-
repo owner OK, then try the following: log in as an auditor or administrator user, then select the audit search, and just hit the search button, and see the results, and the logged sql query.
-
reporter
------------+-------+
|  1 | 1378929120 | admin@local                       | local                 |      3 | 10.3.40.100 |       0 | failed auth against user table     | NULL  |
|  2 | 1378929128 | admin@local                       | local                 |      2 | 10.3.40.100 |       0 | successful auth against user table | NULL  |
|  3 | 1378931245 | admin@local                       | local                 |      4 | 10.3.40.100 |       0 |                                    | NULL  |
|  4 | 1378931251 | mbrzozowski@selectquotesenior.com | selectquotesenior.com |      2 | 10.3.40.100 |       0 | successful auth against user table | NULL  |
|  5 | 1378931417 | mbrzozowski@selectquotesenior.com | selectquotesenior.com |      4 | 10.3.40.100 |       0 |                                    | NULL  |
|  6 | 1378931423 | admin@local                       | local                 |      2 | 10.3.40.100 |       0 | successful auth against user table | NULL  |
|  7 | 1378931463 | admin@local                       | local                 |      4 | 10.3.40.100 |       0 |                                    | NULL  |
|  8 | 1378931469 | auditor@local                     | local                 |      2 | 10.3.40.100 |       0 | successful auth against user table | NULL  |
|  9 | 1378931473 | auditor@local                     | local                 |     10 | 10.3.40.100 |       0 | any= test&sort=1&order=date        | NULL  |
| 10 | 1378931474 | auditor@local                     | local                 |      5 | 10.3.40.100 |       1 |                                    | NULL  |
+----+------------+-----------------------------------+-----------------------+--------+-------------+---------+------------------------------------+-------+
10 rows in set (0.00 sec)
-
repo owner OK, I saw the contents of the audit table the first time; however, after that I was interested in the logged sql query (see mail log), and whether you can see anything after you just hit the search button.
-
reporter My apologies, I am not that familiar with how to accomplish that. According to some googling, it suggests doing "cat ~/.mysql_history"
which returns (passwords changed)
root@mailarchive:/var/log# cat ~/.mysql_history
FLUSH PRIVILEGES;
SET PASSWORD FOR root@'localhost' = PASSWORD('xxxxx');
FLUSH PRIVILEGES;
USE mysql
UPDATE user SET Password = PASSWORD('xxxxx') WHERE Host = 'localhost' AND User = 'root';
UPDATE user SET Password = PASSWORD('xxxxx') WHERE Host = 'localhost' AND User = 'root';
FLUSH PRIVILEGES;
list databasets;
list databases;
list databases ;
use piles
UPDATE user SET Password=PASSWORD('yyyyyyy') WHERE User='root';
FLUSH PRIVILEGES;
exit;
show databases;
use piler;
update user set password='$1$PItc7d$zsUgON3JRrbdGS11t9JQW1' where uid=0;
use piler;
select * from users limit 1;
select * from user limit 1;
update user set password = '$5$TXL7EX$s17XtxwbCs1MDAzuulF/STauTkH0h/KJGHudlNQt3R4' where uid=0;
use piler
show databases
show databases;
use piler
SELECT * FROM main1,dailydelta1,delta1 LIMIT 10;
SELECT * FROM dailydelta1,delta1 LIMIT 10;
show tables;
show databases;
show tables;
use piler
show tables;
-
repo owner Well, not quite. I'd suggest you catch me on Skype (janos.suto), and let's see it via TeamViewer. It would be a much faster resolution.
-
reporter I have sent you a contact request. Thanks!
-
repo owner I can't see any contact request. I'll check it tomorrow again.
-
reporter I sent along another contact request to janos.suto.
-
repo owner - changed status to resolved
Managed to fix it. It turned out that it wasn't an audit issue at all.
Check config-site.php on both sites, and see if $config['ENABLE_AUDIT'] = 1; is set.