000039383 - How to identify the user that triggered calculations from the Application Builder when audit logging is enabled in Archer

Document created by RSA Customer Support Employee on Nov 4, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039383
Applies ToProduct Set: Archer
Product/Service Type: Archer (On-Premise)
Version/Condition: 6.7.0.4
Issue
  1. In some situations, it is possible for an application owner or Administrator to trigger very large numbers of long-running calculation jobs.
  2. Audit Logging is enabled which captures every detail about everything every user does but it may not be clear how to find the information in the audit log data that are related to the event that caused the creation of calculation jobs.
Tasks Audit Logging must be enabled and functioning on the Archer instance BEFORE the jobs are created.
ResolutionThe audit logging will capture the event of a recalculation that is triggered in the Application Builder.

The syslog server needs to be queried for the event data. The process to query the syslog server will vary depending on what capabilities/features/software is being used on the syslog server.

Below is an example of the audit logging message that gets sent to the configured Audit Logging (syslog) server when any user clicks the recalculate button from the application builder:
 

vendor:RSA, product:Archer, version:1.0, ArcherVersion:6.6.00400.1038,
ArcherInstance:archer,LogSourceIdentifier:192.168.4.100:0,eventtime:9/1/2020 8:42:15 PM,
eventid:14, ArcherLog:" UserId:2 UserName:"Administrator, System"
LogDate:9/1/2020 8:42:15 PM
MethodName:ModuleManager.RecalculateLevel
InputParameter:levelId<System.Int32>:<ROOT><V a="37" />
</ROOT> OutputValues:void Success:True "

 

  1. The eventtime highlighted above indicates the date and time the action was triggered by the user.
  2. The "MethodName:ModuleManager.RecalculateLevel" highlighted above is the key event that indicates a level recalculation has been triggered by a user from the Application Builder.  
  3. The UserName:  "Administrator, System" highlighted above indicates the user that triggered the level recalculation.
  4. The 37 highlighted above indicates the level ID that was triggered for recalculation. This levelID is associated with an application/module. The LevelID is also in the payload (XML) of the Archer level recalculation job.

Attachments

    Outcomes