topic Re: messages logs on our management server show actions from my account that I am not doing. in General Topics https://community.checkpoint.com/t5/General-Topics/messages-logs-on-our-management-server-show-actions-from-my/m-p/200559#M33463 <P>Running a "watch api status" for a few seconds produces this exact same set of log messages.</P> Wed, 13 Dec 2023 21:56:54 GMT Ian 2023-12-13T21:56:54Z messages logs on our management server show actions from my account that I am not doing. https://community.checkpoint.com/t5/General-Topics/messages-logs-on-our-management-server-show-actions-from-my/m-p/194116#M32488 <P>Hello! Quite a strange one, I happened to be looking into the /var/log/messages of our management server, and I saw continuous log entries from my own user account (lets call it "Bob"), seemingly running two different commands on repeat at different hours of the day. The commands running look to be "ver" and "show web ssl-port".</P><P>There doesn't look to be a pattern in the interval it occurs. It might not happen for a few hours, then it'll spam over several hours. I don't have any scripts running that I am aware of. In the secure logs, there are no suspicious authentication entries from my account. So this session must have been open for a long time.</P><P>Has anybody seen anything like this before? All I can imagine is that an old session is stuck or something like this, and it is randomly cycling through these commands.. so strange. And it goes back as far as I can see in "messages.10" from August.</P><P>Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:6400 t<BR />Oct 3 00:31:34 2023 MgmtServer clish[6400]: User bob running clish -c with ReadWrite permission<BR />Oct 3 00:31:34 2023 MgmtServer clish[6400]: cmd by bob: Start executing : show web ... (cmd md5: fdsf3334234324esfsd)<BR />Oct 3 00:31:34 2023 MgmtServer clish[6400]: cmd by bob: Processing : show web ssl-port (cmd md5: fdsf3334234324esfsd)<BR />Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:6400<BR />Oct 3 00:31:34 2023 MgmtServer clish[6400]: User bob finished running clish -c from CLI shell<BR />Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:6399 t<BR />Oct 3 00:31:34 2023 MgmtServer clish[6399]: User bob running clish -c with ReadWrite permission<BR />Oct 3 00:31:34 2023 MgmtServer clish[6399]: cmd by bob: Start executing : show web ... (cmd md5: fdsf3334234324esfsd)<BR />Oct 3 00:31:34 2023 MgmtServer clish[6399]: cmd by bob: Processing : show web ssl-port (cmd md5: fdsf3334234324esfsd)<BR />Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:6399<BR />Oct 3 00:31:34 2023 MgmtServer clish[6399]: User bob finished running clish -c from CLI shell<BR />Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:6421 t<BR />Oct 3 00:31:34 2023 MgmtServer clish[6421]: User bob running clish -c with ReadWrite permission<BR />Oct 3 00:31:34 2023 MgmtServer clish[6421]: cmd by bob: Start executing : ver (cmd md5: fdsf3334234324esfsd)<BR />Oct 3 00:31:34 2023 MgmtServer clish[6421]: cmd by bob: Processing : ver (cmd md5: fdsf3334234324esfsd)<BR />Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:6421<BR />Oct 3 00:31:34 2023 MgmtServer clish[6421]: User bob finished running clish -c from CLI shell<BR />Oct 3 00:31:35 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:6516 t<BR />Oct 3 00:31:35 2023 MgmtServer clish[6516]: User bob running clish -c with ReadWrite permission<BR />Oct 3 00:31:35 2023 MgmtServer clish[6516]: cmd by bob: Start executing : show web ... (cmd md5: fdsf3334234324esfsd)<BR />Oct 3 00:31:35 2023 MgmtServer clish[6516]: cmd by bob: Processing : show web ssl-port (cmd md5: fdsf3334234324esfsd)<BR />Oct 3 00:31:35 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:6516<BR />Oct 3 00:31:35 2023 MgmtServer clish[6516]: User bob finished running clish -c from CLI shell</P><P><BR />Aug 30 15:13:05 2023 MgmtServer clish[27479]: cmd by bob: Processing : ver (cmd md5: fdsf3334234324esfsd)<BR />Aug 30 15:13:05 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:27479<BR />Aug 30 15:13:05 2023 MgmtServer clish[27479]: User bob finished running clish -c from CLI shell<BR />Aug 30 15:13:06 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:27513 t<BR />Aug 30 15:13:06 2023 MgmtServer clish[27513]: User bob running clish -c with ReadWrite permission<BR />Aug 30 15:13:06 2023 MgmtServer clish[27513]: cmd by bob: Start executing : show web ... (cmd md5: fdsf3334234324esfsd)<BR />Aug 30 15:13:06 2023 MgmtServer clish[27513]: cmd by bob: Processing : show web ssl-port (cmd md5: fdsf3334234324esfsd)<BR />Aug 30 15:13:06 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:27513<BR />Aug 30 15:13:06 2023 MgmtServer clish[27513]: User bob finished running clish -c from CLI shell<BR />Aug 30 15:13:07 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:27540 t<BR />Aug 30 15:13:07 2023 MgmtServer clish[27540]: User bob running clish -c with ReadWrite permission<BR />Aug 30 15:13:07 2023 MgmtServer clish[27540]: cmd by bob: Start executing : show web ... (cmd md5: fdsf3334234324esfsd)<BR />Aug 30 15:13:07 2023 MgmtServer clish[27540]: cmd by bob: Processing : show web ssl-port (cmd md5: fdsf3334234324esfsd)<BR />Aug 30 15:13:07 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:27540<BR />Aug 30 15:13:07 2023 MgmtServer clish[27540]: User bob finished running clish -c from CLI shell<BR />Aug 30 15:13:13 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:27624 t<BR />Aug 30 15:13:13 2023 MgmtServer clish[27624]: User bob running clish -c with ReadWrite permission<BR />Aug 30 15:13:13 2023 MgmtServer clish[27624]: cmd by bob: Start executing : ver (cmd md5: fdsf3334234324esfsd)<BR />Aug 30 15:13:13 2023 MgmtServer clish[27624]: cmd by bob: Processing : ver (cmd md5: fdsf3334234324esfsd)<BR />Aug 30 15:13:13 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:27624</P><P>&nbsp;</P><P>&nbsp;</P><P>I appreciate any thoughts!</P><P>Thanks</P> Tue, 03 Oct 2023 09:40:21 GMT https://community.checkpoint.com/t5/General-Topics/messages-logs-on-our-management-server-show-actions-from-my/m-p/194116#M32488 Parabol 2023-10-03T09:40:21Z Re: messages logs on our management server show actions from my account that I am not doing. https://community.checkpoint.com/t5/General-Topics/messages-logs-on-our-management-server-show-actions-from-my/m-p/194145#M32495 <P>Recommend a TAC case to investigate this: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A>&nbsp;</P> Tue, 03 Oct 2023 14:44:26 GMT https://community.checkpoint.com/t5/General-Topics/messages-logs-on-our-management-server-show-actions-from-my/m-p/194145#M32495 PhoneBoy 2023-10-03T14:44:26Z Re: messages logs on our management server show actions from my account that I am not doing. https://community.checkpoint.com/t5/General-Topics/messages-logs-on-our-management-server-show-actions-from-my/m-p/200559#M33463 <P>Running a "watch api status" for a few seconds produces this exact same set of log messages.</P> Wed, 13 Dec 2023 21:56:54 GMT https://community.checkpoint.com/t5/General-Topics/messages-logs-on-our-management-server-show-actions-from-my/m-p/200559#M33463 Ian 2023-12-13T21:56:54Z