HI, last night I have strage behavior. Some users was removed - by script I think
only in configuration backup is logged
<revision>
<username>(root)</username>
<description>The users "user1,...,user6(changed real name)" where successfully removed.</description>
<time>1775862000.71</time>
</revision>
This 6 users was LDAP users not local on firewall. But there are another 32 users without any problems.
I try to find some differencies but unsucessfully.
Which script is stared at 01:00 ? My cron is empty (thru web UI). User root is disabled for web logon.
Have you checked /var/log/system.log or the audit logs around 01:00? Even if the GUI cron is empty, system-level cron or package tasks might still trigger something
/var/log/system/latest.log is clear only systemctl log is here with some activity, and acme logs
<13>1 2026-04-11T00:15:04+02:00 firewall configctl 63706 - [meta sequenceId="26"] event @ 1775859304.15 msg: Apr 11 00:15:04 firewall config[56811]: config-event: new_config /conf/backup/config-1775859304.1084.xml
<13>1 2026-04-11T00:15:04+02:00 firewall configctl 63706 - [meta sequenceId="28"] event @ 1775859304.15 exec: system event config_changed response: OK
/var/log/audit/latest - is clear also
crontab -e
yes there is some scheduled scripts - byt nothing suspisious
firewall has installed all patches/updates