How to find the administrator account used to upgrade Prisma Access cloud_services plugin in Panorama

Created On 08/03/22 09:32 AM - Last Modified 05/23/24 21:01 PM


Objective


To identify the user who installed a specific Prisma Access cloud_services plugin on Panorama.

Environment


  • Panorama managed Prisma Access
  • Cloud Services Plugin


Procedure


  • Start with the system logs under Monitor > System and apply the filter ( description contains 'cloud_services-' ) to find the date and time when the plugin was installed.
  • The log gives the date and time but does not identify the administrator account that performed the operation.
  • Next, SSH to the Panorama device and review the req_stats.log or req_stats.log.old log file using the CLI command less mp-log req_stats.log
Example below:
  • The log messages below show that the user test-admin logged in to Panorama at 10:54:36 from IP address 10.47.136.17, and that cookie 7553808638723286 was generated for that account.
2022-08-03 10:54:36.159 | 1970-01-01 01:00:00.000 | 2022-08-03 10:54:36.159 | 2022-08-03 10:54:36.267 | 0 | 0.00 msecs |  | <auth-request username="test-admin" ip-address="10.47.136.17" protocol="https"/>
2022-08-03 10:54:36.311 | 2022-08-03 10:54:36.314 | 2022-08-03 10:54:36.560 | 2022-08-03 10:54:36.560 | 1 | 536.87 msecs | 7553808638723286 | <request cmd="op" cookie="7553808638723286"><operations xml="yes"><show><system><info/></system></show></operations></request>
  • Then at 10:57:34, 'Check Now' was performed under Panorama > Plugins tab to fetch the latest list of available plugins. This action is tied to cookie 7553808638723286.
2022-08-03 10:57:34.578 | 2022-08-03 10:57:34.581 | 2022-08-03 10:57:34.578 | 2022-08-03 10:57:35.592 | 0 | 1073.74 msecs | 7553808638723286 | <request cmd="op" cookie="7553808638723286"><operations xml="yes"><request><plugins><check/></plugins></request></operations></request>
  • At 10:58:27 a request to download cloud_services-3.0.0-h29 was made and one can see the same cookie 7553808638723286.
2022-08-03 10:58:27.819 | 2022-08-03 10:58:27.822 | 2022-08-03 10:58:27.819 | 2022-08-03 10:58:28.506 | 0 | 1073.74 msecs | 7553808638723286 | <request cmd="op" cookie="7553808638723286"><operations xml="yes"><request><plugins><download><file>cloud_services-3.0.0-h29</file></download></plugins></request></operations></request>
  • Finally, at 10:59:42 a request to install cloud_services-3.0.0-h29 plugin was made which is tied to cookie 7553808638723286.
2022-08-03 10:59:42.308 | 2022-08-03 10:59:42.311 | 2022-08-03 10:59:42.308 | 2022-08-03 10:59:42.312 | 0 | 0.00 msecs | 7553808638723286 | <request cmd="op" cookie="7553808638723286"><operations xml="yes"><request><plugins><install>cloud_services-3.0.0-h29</install></plugins></request></operations></request>
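
The cookie correlation walked through above can be automated on an exported copy of req_stats.log. The following Python script is an added example, not part of the original article or any Palo Alto Networks tooling; it assumes the pipe-separated layout seen in the quoted entries and that the first new cookie after an auth-request belongs to that login, and its function and variable names are hypothetical.

```python
import re

# Constructed sample: the req_stats.log entries quoted in this article. The last
# entry is left wrapped across two lines, as a terminal copy can produce.
SAMPLE_LOG = '''\
2022-08-03 10:54:36.159 | 1970-01-01 01:00:00.000 | 2022-08-03 10:54:36.159 | 2022-08-03 10:54:36.267 | 0 | 0.00 msecs |  | <auth-request username="test-admin" ip-address="10.47.136.17" protocol="https"/>
2022-08-03 10:54:36.311 | 2022-08-03 10:54:36.314 | 2022-08-03 10:54:36.560 | 2022-08-03 10:54:36.560 | 1 | 536.87 msecs | 7553808638723286 | <request cmd="op" cookie="7553808638723286"><operations xml="yes"><show><system><info/></system></show></operations></request>
2022-08-03 10:57:34.578 | 2022-08-03 10:57:34.581 | 2022-08-03 10:57:34.578 | 2022-08-03 10:57:35.592 | 0 | 1073.74 msecs | 7553808638723286 | <request cmd="op" cookie="7553808638723286"><operations xml="yes"><request><plugins><check/></plugins></request></operations></request>
2022-08-03 10:58:27.819 | 2022-08-03 10:58:27.822 | 2022-08-03 10:58:27.819 | 2022-08-03 10:58:28.506 | 0 | 1073.74 msecs | 7553808638723286 | <request cmd="op" cookie="7553808638723286"><operations xml="yes"><request><plugins><download><file>cloud_services-3.0.0-h29</file></download></plugins></request></operations></request>
2022-08-03 10:59:42.308 | 2022-08-03 10:59:42.311 | 2022-08-03 10:59:42.308 | 2022-08-03 10:59:42.312 | 0 | 0.00 msecs | 7553808638723286 | <request cmd="op" cookie="7553808638723286"><operations xml="yes"><request><plugins>
<install>cloud_services-3.0.0-h29</install></plugins></request></operations></request>
'''

AUTH_RE = re.compile(r'<auth-request username="([^"]*)" ip-address="([^"]*)"')
PLUGIN_RE = re.compile(r'<plugins><(check|download|install)\b[^>]*>(?:<file>)?([^<]*)')

def attribute_plugin_actions(log_text, plugin_prefix="cloud_services-"):
    """Return (timestamp, action, plugin, username, source_ip) for each
    plugin download/install request, resolved through the session cookie."""
    # Rejoin wrapped entries: a real entry always starts with a date.
    log_text = re.sub(r'\n(?!\d{4}-\d{2}-\d{2} )', '', log_text)
    sessions = {}   # cookie -> (username, source_ip)
    pending = None  # most recent login not yet bound to a cookie
    results = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("|", 7)]
        if len(fields) < 8:
            continue  # not a req_stats entry
        timestamp, cookie, body = fields[0], fields[6], fields[7]
        auth = AUTH_RE.search(body)
        if auth:
            pending = auth.groups()
            continue
        # Assumption: the first unseen cookie after a login is that login's session.
        if cookie and cookie not in sessions and pending:
            sessions[cookie] = pending
            pending = None
        match = PLUGIN_RE.search(body)
        if match and match.group(1) != "check" and match.group(2).startswith(plugin_prefix):
            # "unknown" means the login is outside this file (e.g. in req_stats.log.old).
            user, ip = sessions.get(cookie, ("unknown", "unknown"))
            results.append((timestamp, match.group(1), match.group(2), user, ip))
    return results

if __name__ == "__main__":
    for row in attribute_plugin_actions(SAMPLE_LOG):
        print(" | ".join(row))
```

If the login happened before the log rotated, concatenate req_stats.log.old ahead of req_stats.log before parsing. On a busy Panorama with interleaved logins, confirm the cookie binding by hand as in the steps above.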

 


Additional Information


Additionally, the configd.log file (less mp-log configd.log) can be analyzed; it shows when a plugin is upgraded or downgraded.
2022-08-03 10:58:48.523 +0200 Successfully downloaded cloud_services-3.0.0-h29
..
2022-08-03 10:59:42.314 +0200 Plugin: start installing plugin cloud_services-3.0.0-h29
..
2022-08-03 11:00:17.738 +0200 Plugin cloud_services-3.0.0-h29 installed.

