Skip to main content
Stanford
NetDB Help

Log Search

Log Search allows users to search the NetDB record log on any of the logged fields. Note that not all fields are logged so it is rarely possible to reconstruct a deleted record from just the log. Additionally, the logs only go back to June 27th, 2006 (The day of NetDB 4.0.0 rollout). The logs were not carried over from the previous version of NetDB.

Log Search is most often used to find out who modified a record, who changed the name of a node or who took an IP address. Note that Log Search is not as intuitive as it might seem. Often multiple searches are needed. Common examples are found in Search Fields and More Examples.

Search Fields

Date of Action - Date

Date of action is the date when a record has been added, modified or deleted.

Example: 
    search for log entries on June 27th, 2006
    On or After = 6/27/2006        Before = 6/28/2006
Record Name - String

For a node or network, if no domain is entered, all domains are searched. The record name must be the actual name - not an alias, interface name or an address.

Example: 
    search for log entries for records starting with "bob"
    Record Name = bob*
Record ID - String

The record ID stays with a particular record, even if it is renamed, until it is deleted.

Example: 
    search for node "bob" which has been renamed to some unknown name
    Search #1 - Record Name = bob.  Note record ID.
    Search #2 - Record ID = ID from Search #1.
Record Type - Checkbox

Select the relevant record types. This will shorten the search.

IP Address - IP Address

NetDB logs the IP addresses associated with a record after an action has occurred. This means that deleted IP addresses are NOT logged - it takes 2 searches to find a deleted IP address. IPC addresses are NOT logged for Nodes. Dynamic DHCP addresses are NOT logged for Networks.

Example: 
    search for when IP address 9.9.9.9 was deleted
    Search #1 - IP Address = 9.9.9.9.   Note record ID.
    Search #2 - Record ID = ID from Search #1.  Look for the last record with 9.9.9.9 in the
    IP address column.  The next record is when 9.9.9.9 was deleted.
State - String

The state a record had when it was added, modified or deleted.

User - String

User refers to the NetDB user who created/updated/modified the record. Search by either SUNet ID (account name) or full name. For best results, use the unique SUNet ID.

Example: 
    search for records modified by a user with first name "Dave"
    User Name: "Dave*"
Action - Checkbox

NetDB logs what action has happened to a record.

  • Insert - a record has been created
  • Update - a record has been changed
  • Delete - a record has been deleted

More Examples

Find all node records changed on subnet 171.64.20.0 on July 11th, 2006
Use the following parameters:
  • Date (On or After = 7/11/06), Before = 7/12/06
  • Record Type = Node
  • IP Address = 171.64.20.*
  • Action = update
Find why record "bob" cannot be found in searches
Use the following 2 searches.
  • Search #1: Record Name = "bob". Note Record ID in results
  • Search #2: Record ID = ID from Search #1.
Find out what happened to IP address 9.9.9.9
  • Search for IP Address = 9.9.9.9
  • Look at results - if Record ID changes, that means the address has moved from one record to another.
  • To see if the IP address was deleted, look for the most recent Record ID with IP address 9.9.9.9. Perform another search with that Record ID (no IP address). If the most recent log entry shows address 9.9.9.9, that address is still in use. If the most recent log entry does not show 9.9.9.9, that address has been deleted.

Display Options

For custom display, see Display Options.

Interpreting Search Results

Log results are not always intuitive. Here are some common patterns to look for:

Search for name. Record ID changes.

This means that the name moved from one record to another. Look at the last log entry for the first record ID. If the action is "delete", the first record was deleted which freed up the name. The name was then taken by the next record. If the last log entry for the first record ID is not "delete", then the first record was modified. Search on the first record ID to confirm. 

  #  Date of Action       Record Name  Record ID   Action
  1  Dec  8 2000  1:44PM  bob          60442       insert
  2  Dec  8 2000  1:48PM  bob          60442       update
  3  Dec  8 2000  1:55PM  bob          60443       update
  4  Dec  8 2000  1:57PM  bob          60443       update

In the above example, the record 60442 was created with the name "bob". Then it was modified (line 2) with no name change. Sometime between 1:48pm and 1:55 pm, the name of record 60442 was changed. To find the changed name, do a separate search on record id 60442. At 1:55pm, record 60443 changes its name to "bob".

Search for one record. IP address disappears
  #  Date of Action       Record Name  Record ID  IP Address    Action
  1  Jun 18 2001  3:46PM  bob          10060111   175.1.5.2     insert
                                                  175.1.6.2
  2  Jun 18 2001  3:46PM  bob          10060111   175.1.5.2     update
                                                  175.1.6.3

In the above example, note that 175.1.6.2 disappears in log record 2 and is replaced by 175.1.6.3. Searching for 175.1.6.2 yields the below results. 

  #  Date of Action       Record Name  Record ID  IP Address  Action
  1  Jun 18 2001  3:46PM  bob          10060111   175.1.5.2   insert
                                                  175.1.6.2
  2  Jun 18 2001  3:48PM  jim          29071      175.1.6.2   update

These results show that 175.1.6.2 was added to bob when bob was created. We can infer that bob was modified to remove 175.1.6.2 because if bob were deleted, record 2 would be record "bob" with action "deleted". Then record jim picked up 175.1.6.2.