Description
This article describes how the log 'Configuration is changed in the admin session' is triggered.
Solution
1) Sometimes, it is possible to notice that the log message for configuration change is being triggered, but there are no details for the log on what configuration change has been made:
date=2021-03-12 time=14:06:09 logid="0100032102" type="event" subtype="system" level="alert" vd="root" eventtime=1615529168900386234 tz="+0800" logdesc="Configuration changed" user="admin" ui="https(192.168.244.133)" msg="Configuration is changed in the admin session"
2) The above log is generated when the admin logs out, or when the admin session had timed out.
3) The meaning of the log is that while the admin is logged in, the admin had made some changes to the configuration, and in order to locate the changes, it is necessary to locate the date/time that the admin logs in:
date=2021-03-12 time=14:02:59 logid="0100032001" type="event" subtype="system" level="information" vd="root" eventtime=1615528979676440368 tz="+0800" logdesc="Admin login successful" sn="1615528979" user="admin" ui="https(192.168.244.133)" method="https" srcip=192.168.244.133 dstip=10.47.1.59 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(192.168.244.133)"
4) After that, it is possible to locate the changes that is being made by the admin:
date=2021-03-12 time=14:03:37 logid="0100044547" type="event" subtype="system" level="information" vd="root" eventtime=1615528897288320196 tz="+0800" logdesc="Object attribute configured" user="admin" ui="GUI(192.168.244.133)" action="Add" cfgtid=8388615 cfgpath="router.static" cfgobj="49" cfgattr="dst[4.4.4.3 255.255.255.255]device[CRK04-IPSEC]" msg="Add router.static 49"
