Axis Audit Log Strange Entry

[c hris527]

Hi All,
Long story short,I just Inherited another satellite building that has a AxisS1048 Mk2 NVR. The system was put in by contractors who basically were asked NOT to come back. I finally was able to get remote access to it and learn the system because I know very little about the Axis VMS. I was doing some poking around in the logs and have seen a strange re-occurring entry in the Audit log. This is showing up a few times a week and at the same time with the same message. To me it looks like it logging a playback entry. Always the same date and time and always the same playback date and time. Almost looks like a script. Any Idea where this is coming from? It is happening from the local machine and not from a remote access as far as I can tell. The logs are pretty clear when somebody remotes in.

 

[c hris527]

Bump

 

[tangent]

Seems like it might be some sort of automated task. idk.

 

[fenderman]

perhaps @john-ipvm can shed some light. There are very few axis users here.

 

[c hris527]

Seems like it might be some sort of automated task. idk.

Yea I agree with you on it being a repeating task but hells bells if I can find it. I have to make sure to the best of my ability that NVR is locked down because of the nature of where it is and whats it guarding. One of my issues is working with the local IT people at this site and will not or don't know answers. I have opened a account with AXIS and hopefully they can help me with this, they are pretty stingy with detailed workings of their VMS (on line) I did see that they have their own message forms and will consider asking for help in that form. I did try last week to the "CHAT" help desk but did not have a hour to wait.
I did find out that when this system was installed it was already at EOL status. When I start to see logs like that I have to wonder If I might be missing some back door or hidden account or some bot on the outside is probing it laying in wait for a attack. It is disconnected form the Internet and Wan this weekend for testing purposes to see if it goes away.

 

[fenderman]

Yea I agree with you on it being a repeating task but hells bells if I can find it. I have to make sure to the best of my ability that NVR is locked down because of the nature of where it is and whats it guarding. One of my issues is working with the local IT people at this site and will not or don't know answers. I have opened a account with AXIS and hopefully they can help me with this, they are pretty stingy with detailed workings of their VMS (on line) I did see that they have their own message forms and will consider asking for help in that form. I did try last week to the "CHAT" help desk but did not have a hour to wait.
I did find out that when this system was installed it was already at EOL status. When I start to see logs like that I have to wonder If I might be missing some back door or hidden account or some bot on the outside is probing it laying in wait for a attack. It is disconnected form the Internet and Wan this weekend for testing purposes to see if it goes away.

Looks like its a running a 2014 processor so should not be terribly old but it has been discontinued. It runs w10 iot enterprise so you should simply be able to upgrade the camera station software to the latest. Do you know what version its running? Seems like upgrades are free to v5 even from V3 and V4.
There is a download link here.
License information | Axis Communications

 

[c hris527]

Looks like its a running a 2014 processor so should not be terribly old but it has been discontinued. It runs w10 iot enterprise so you should simply be able to upgrade the camera station software to the latest. Do you know what version its running? Seems like upgrades are free to v5 even from V3 and V4.
There is a download link here.
License information | Axis Communications

I will get back there this week to take a look, I have been spread thin the last few weeks, I know nadda about this system but will get a handle on it one way or another. I really appreciate your input on this.

 

[tangent]

I did find out that when this system was installed it was already at EOL status.

Gotta love lowest bid contracts.

My hunch is that it's something like daily database maintenance or some other housekeeping procedure.

 

[VorlonFrog]

Here's a dumb, simple idea. Maybe just that one camera is set to reboot at the same day/time?

 

[c hris527]

Here's a dumb, simple idea. Maybe just that one camera is set to reboot at the same day/time?

It could be but to me it looks like some kind of command to play back video on 10-15-18. I did not encounter this until I had remote access, so when I get back to the station I will do a bit more testing. Right now I have NO access because I disconnected it for security and testing reasons. If I play back video locally or remotely, it will create a entry in the audit file of the time, date and user who played back video so It looks just like this entry but on different dates. That what has be a little concerned, Is there a another on line remote user running a Https: Trigger ? I will have that issue solved this week for sure.

 

[VorlonFrog]

Good luck with it. You're definitely wise to have disconnected it. Nothing beats physical intervention.

 

[tangent]

@Thorvald welcome to the forum, any chance you've seen this log entry before?

 

[c hris527]

So I did get to look closer at the logs and someplace in the embeded vms is doing that daily, disconnecting it from the network made no difference so for now I will just let it roll as is, I have NO idea where that is set to do that but I looked everyplace and saw nothing. When I get more time I will &uck with it.