Symptoms

As a Provider, I want to find out who removed a mailbox or another object in the Odin Automtion (OA) Provider or Customer Control Panel.

Resolution

  1. Find the task that removed the object in Task Manager. Use any information you have about the removed object to find the necessary task - object ID, object name, subscription ID, etc.

    For example, the task that removed a mailbox may look like this:

    38095   Remove mailbox 'John.Doe' (id=5633)     Aug-06-2013 03:52:26    Aug-06-2013 03:52:26    DomainService00128380   1012278 Successful
    

    Remember the ID of the task you have found (it is 38095 in the example above).

  2. In the OA /var/log/pa/core.log on the Management Node find the moment when the task was inserted in the OA database using the task name. For the above-mentioned task, for example, the log entry may be as follows:

    Aug  6 03:52:25 poacore : DBG [1:7796:1418:22 1:7388:1274 Kernel]: STMT [Con: 123, 0A382298 txn:222717] ' INSERT INTO tm_tasks (name, description, location, method, next_start, status, timeout, subscription_id, parent_task_id) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ? )'($0 = 'Remove mailbox 'John.Doe' (id=5633)', $1 = 'Remove mailbox 'John.Doe' (id=5633)', $2 = 'OBJREF:Exchange:0:getMailBox:5633', $3 = 'removeHandler', $4 = '2013-08-06 03:52:25.000000',$5 = 'u', $6 = 3600, $7 = 1012278, $8 = 0)
    
  3. The log entry contains transaction ID - txn:222717 which means the transaction ID is 222717.

  4. Search above in the log for the following pattern:

    Beginning transaction '**TRANSACTION_ID**'
    

    Replace 'TRANSACTION_ID' with the transaction ID found in the previous step.

    The log entry will look like this:

    Aug  6 03:52:25 poacore : DBG [1:7796:1418:22 1:7388:1b50 Kernel]: [Plesk::DB::TransactionManager::getTransaction] ########### Beginning transaction '222717'#######
    
  5. Checking the lines higher up in the log, you will see what initiated the transaction:

    If you see something like this:

    Mar 30 03:10:04 osscore : INF [openapi-firewall:b33ffbb0 1:5400:b33ffbb0 OpenAPI]: [OpenAPI::Firewall::grant] Allowed call to Open API from trusted location (11.12.13.14).
    Mar 30 03:10:04 osscore : INF [openapi:11.12.13.14:81581 1:5400:b3e1dbb0 OpenAPI]: ==>>> Executing OpenAPI method 'pem.unbindServicesFromDomain' with parameters: [{ 'domain_id' => 123123, 'subscription_id' => 11111, } ]
    

    this means that the transaction that removed the object was initiated by an API request (pem.unbindServicesFromDomain in this particular example, but it can be a different API call). In this example, 11.12.13.14 is the IP address from which the API request was initiated. If this IP address belongs to an Odin Business Automation (BA) server, you should further check the subscription service status history and PEMGATE.log in BA to understand why the operation was initiatied.

    If you see something like this:

    Aug  6 03:52:25 poacore : DBG [1:7796:1418:22 1:7796:1418 lib]: CORBA_POAUI:3674cb49a92bfcad4e13b3d05294aba6 <1> IDL:Plesk/Exchange/MailBox_private:1.0::remove
    Aug  6 03:52:25 poacore : DBG [1:7796:1418:22 1:7796:1418 Exchange]: [Plesk::Exchange::MailBoxImpl::remove] ===> ENTRY
    

    this means the request was initiated from the UI (control panel). CORBA_POAUI:3674cb49a92bfcad4e13b3d05294aba6 in the log entry above means the transaction was initiated by a request from UI, from a user logged in with session ID 3674cb49a92bfcad4e13b3d05294aba6.

  6. Open the OA UI server debug log poa-ui.log on the UI server for the required time frame and search for the following pattern:

    Storing new session in cache:SESSION_ID

    Replace SESSION_ID in the pattern above with the OA UI session ID found in the previous step. Look at the entries in the log below the found line.

    The required entries in the UI server log may look like these:

    2013-08-06 03:46:08,356            ssor3 DEBUG  SecurityManager      Storing new session in cache:3674cb49a92bfcad4e13b3d05294aba6
    2013-08-06 03:46:08,356            ssor3 DEBUG  PLoginHandler        User authenticated:customeradmin
    2013-08-06 03:46:08,356            ssor3 DEBUG  CORBA                #1094452: com.parallels.psa._AccountStub.getAccountMember(undefined) >>> entry
    2013-08-06 03:46:08,356            ssor3 DEBUG  CORBA                #1094452: com.parallels.psa._AccountStub.getAccountMember(undefined) <<< exit [0]
    2013-08-06 03:46:08,356            ssor3 DEBUG  PLoginHandler        User logged in. sid:3674cb49a92bfcad4e13b3d05294aba6
    2013-08-06 03:46:08,356            ssor3 DEBUG  WindowSessionFactory Create session:3674cb49a92bfcad4e13b3d05294aba6
    

    The required entry in the log is the following one - it contains the login of the user (customeradmin) who initiated the action in the Control Panel and a timestamp:

    2013-08-06 03:46:08,356            ssor3 DEBUG  PLoginHandler        User authenticated:**customeradmin**
    

    You may find the IP address the user came from in the OA Provider Control Panel at System Director > Audit Manager > Login History > Users.

Internal content

Link on internal Article