Security Log



What Is Security Log?
 

The security log provides the tools to establish an audit trail. If a security breach is suspected, the audit trail can be used to investigate whether and how the breach occurred. The security log feature provides the capabilities needed to investigate unauthorized activities after they occur so that proper remedial action can be taken. It lets you generate security logs and reports that help establish audit trails.

Security logging also has a backup option: if the log file reaches its maximum size, a backup file is created. By default, the backup option is disabled. In that case the security log uses a circular recording mechanism (the oldest record is overwritten by the newest when the log file is full), and the administrator can retrieve, print, copy, and upload the security log (typically to an OS or some other facility for long-term storage).

 

Events Recorded by the Security Log

 

The WebNMS CLI Agent records the following information or events in the security log.

Various Logging Levels

 

The following are the logging levels supported in CLI agent security logging, in the order of logging:


Note:

  • Based on the logging level chosen, the previous log levels are also included in the logging. For example, if you choose the log level INV_LOGIN, then the CONNECT and MAX_INVL_LOGIN levels are also included in the security logging.

  • For configuring the maximum invalid login limit, refer to the CLI Callback APIs and Macros help topic.

 

 

Record Format of Security Log

 

For each recorded event, the record in the security log includes at least the following:

Date#Time#User#IpAddress#SessionType#SessionID#EventType#Status#Event


Where

For example, the recorded events in the security log text file look like the following:

    20070807#16:58:33:287#null#192.168.111.57#268435457#TELNET#CONNECT#YES#Connection Established
    20070807#16:59:13:583#root#192.168.111.57#268435457#TELNET#ALL_LOGIN#YES#Login Successful
    20070807#17:01:35:471#null#192.168.111.57#2#TCP#CONNECT#YES#Connection Established
    20070807#17:02:53:924#root#192.168.111.57#268435457#TELNET#ADVENTADMIN_CMDS#YES#User cagent added
    20070807#17:02:53:924#root#192.168.111.57#268435457#TELNET#ALL_EVENTS#YES#adduser -g 30 -a 70 -i ADVENTMAINT cagent ******
    20070807#17:07:25:142#vijays#192.168.111.66#3#TCP#ALL_LOGIN#YES#Login Successful
    20070807#17:08:15:236#vijays#192.168.111.66#3#TCP#INV_OPRN#NO#printseculog
    20070807#17:08:26:017#vijays#192.168.111.66#3#TCP#INV_OPRN#NO#dirlist
    20070807#17:08:48:611#vijays#192.168.111.66#3#TCP#INV_OPRN#NO#list user
    20070807#17:14:10:284#root#192.168.111.57#268435457#TELNET#ALL_EVENTS#YES#logout


Note: The password parameter for the commands adduser, edituser and editpasswd is masked (******) in the security logs.
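As an added example (not part of the WebNMS documentation), the following Python script parses records in the seculog.txt format shown above and pulls out the counts an auditor checks first: invalid logins per user and address, rejected operations per user, and commands whose password argument was masked. It takes the field order from the sample records, where SessionID precedes SessionType, embeds constructed sample records, and its function names are the example's own.

```python
from collections import Counter, defaultdict

# Field order as in the sample records above (SessionID before SessionType).
FIELDS = ("date", "time", "user", "ip", "session_id", "session_type",
          "event_type", "status", "event")

# Constructed sample records in the seculog.txt format (not a real capture).
SAMPLE_LOG = """\
20070807#16:58:33:287#null#192.168.111.57#268435457#TELNET#CONNECT#YES#Connection Established
20070807#16:59:13:583#root#192.168.111.57#268435457#TELNET#ALL_LOGIN#YES#Login Successful
20070807#17:02:53:924#root#192.168.111.57#268435457#TELNET#ALL_EVENTS#YES#adduser -g 30 -a 70 -i ADVENTMAINT cagent ******
20070807#17:07:25:142#vijays#192.168.111.66#3#TCP#ALL_LOGIN#YES#Login Successful
20070807#17:08:15:236#vijays#192.168.111.66#3#TCP#INV_OPRN#NO#printseculog
20070807#17:08:26:017#vijays#192.168.111.66#3#TCP#INV_OPRN#NO#dirlist
20070807#17:34:08:682#root#192.168.111.57#268435457#TELNET#INV_LOGIN#NO#Invalid Login
"""

def parse_record(line):
    """Split one '#'-delimited record into a dict keyed by FIELDS. maxsplit=8
    keeps a '#' inside the free-text Event field from shifting the columns."""
    parts = line.rstrip("\r\n").split("#", 8)
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed record: {line!r}")
    return dict(zip(FIELDS, parts))

def parse_log(text):
    """Parse every non-empty line of a seculog.txt file."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def summarize(records):
    """Invalid logins per (user, IP), rejected operations per user, and how
    many commands had their password argument masked."""
    invalid_logins = Counter()
    invalid_ops = defaultdict(list)
    masked = 0
    for r in records:
        if r["event_type"] == "INV_LOGIN" and r["status"] == "NO":
            invalid_logins[(r["user"], r["ip"])] += 1
        elif r["event_type"] == "INV_OPRN":
            invalid_ops[r["user"]].append(r["event"])
        if r["event"].endswith("******"):
            masked += 1
    return {"invalid_logins": dict(invalid_logins),
            "invalid_operations": dict(invalid_ops),
            "masked_commands": masked}

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```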

  
 

Enabling Security Log file

 

Follow the steps given below to enable the security log:

  1. In the Agent Compiler, choose Settings -> Project Settings from the menu bar or use the shortcut key Ctrl+Shift+S. A dialog box appears with the Settings tree in the left frame.

  2. Choose the node Protocols -> CLI -> Security in the Settings tree. 

  3. Here you will find the option Enable Security Logging. By default, it is disabled. Enable the option.

Now the Log File Size, Log File Name and Log Level fields are enabled. You can modify these security log parameters.

 

Configuring Security Log Parameters

    1. Log File Size: This parameter specifies the number of records to be stored in the security log file. The default value is 60.

    2. Log File Name: This parameter specifies the name and path of the file in which all the information is logged. By default, the file name is seculog.txt and it is stored under the agent/conf/cli/ directory of the corresponding project directory.

    3. Log Level: As discussed in the Various Logging Levels topic, this parameter takes one of the logging levels. By default, the log level is set to NOSECULOG.

Backup for Security Log files

 

Backup log files for the security log are created when the seculog.txt file reaches the maximum number of records configured in Log File Size. Once that size is reached, the contents of seculog.txt are moved to a backup file (say seculog1.txt) and logging starts afresh in seculog.txt.

 

Configuring Backup for Security log file

 

The following are the steps for enabling and configuring the backup file for the security log.

    1. In the Agent Compiler, choose Settings -> Project Settings from the menu bar or use the shortcut key Ctrl+Shift+S. A dialog box appears with the Settings tree in the left frame.

    2. Choose the node Protocols -> CLI -> Security in the Settings tree. 

    3. Select the Enable Security Logging option.

    4. Choose any logging level except NOSECULOG from the Log Level drop-down box. This enables the Backup for Security Log Files option.

    5. Select the Backup for Security Log Files option.

    6. You can also configure the number of backup log files in the No. of Backup log files field. The default value is 10.

All the backup log files will be stored in the same directory where the security log file is stored. Default directory is <project-name>/agent/conf/cli.

 


Note: If the Backup for Security Log Files option is not enabled, logging is circular: once the maximum record size is reached, the oldest entry is deleted and the new entry is added.

 
 

Commands for Security Log

 

The following command is implemented for the security log feature:

 

printseculog

 

This command can be used by an administrator with the appropriate privileges to print the events recorded in the security log.

 

Example : printseculog

 

This command can be used by the administrator to retrieve the various records from the security log (primarily for audit purposes):

 

CLI>>printseculog
+-------------------------------------------------------------------------------------------------------------------------+
| Date     | Time         | User | IpAddress      | SessionID | SessionType | EventType | Status | Event                  |
+-------------------------------------------------------------------------------------------------------------------------+
| 20070807 | 17:34:01:745 | null | 192.168.111.57 | 268435457 | TELNET      | CONNECT   | YES    | Connection Established |
| 20070807 | 17:34:08:682 | root | 192.168.111.57 | 268435457 | TELNET      | INV_LOGIN | NO     | Invalid Login          |
| 20070807 | 17:34:16:167 | root | 192.168.111.57 | 268435457 | TELNET      | ALL_LOGIN | YES    | Login Successful       |
+-------------------------------------------------------------------------------------------------------------------------+
CLI>>

 

 

 

Macros used in Security Log

 

The following are the macros used in the Security Log feature. These macros are present in the config.h file under the <project-name>/agent/source/system/include directory if the logging feature is enabled.

 

Copyright © 2012, ZOHO Corp. All Rights Reserved.