The security log provides the tools to establish an audit trail. If a security
breach is suspected, the audit trail can be used to investigate whether, and how,
the breach occurred. The security log feature gives you the means to investigate
unauthorized activity after it has occurred so that proper remedial action can be
taken: it generates security logs and reports from which an audit trail can be
established.
Security logging also has a backup option: if the log file reaches its maximum
size, a backup file is created. By default the backup option is disabled; in that
case the security log uses a circular recording mechanism (the oldest record is
overwritten by the newest when the log file is full). The administrator can
retrieve, print, copy and upload the security log (typically to an OS or some
other facility for long-term storage).
Events Recorded by the Security Log
The WebNMS CLI Agent security log records the following information and events:
Invalid user authentication attempts, and the alarms/alerts generated because of them
Connection attempts
Users logged in
Changes made to a user's security profile and attributes
Commands executed by users
Execution of admin commands such as adduser, deleteuser and edituser
Following are the logging levels supported by CLI agent security logging, in the order in which they are defined:
NOSECULOG : No logging is done (logging is disabled).
CONNECT : Logs only connections established to the CLI Agent port, i.e. a socket connection is established and logged by the agent. In this case the User ID is NULL and all other fields carry their usual values.
MAX_INVL_LOGIN : Logs an entry once the maximum number of invalid login attempts has been reached.
INV_LOGIN : Logs each individual invalid login attempt.
ALL_LOGIN : Logs successful and unsuccessful login attempts, and logouts.
ADMIN_CMDS : Logs admin-privilege commands (such as adduser, edituser and deleteuser).
INV_OPRN : Logs commands the user has no privilege for, commands with invalid options, and the like.
ALL_EVENTS : Logs all of the above levels (except NOSECULOG).
Note: For each recorded event, the record in the security log includes at least the following fields, separated by '#':
Date#Time#User#IpAddress#SessionID#SessionType#EventType#Status#Event
Where
Date --> Date of the event, in the format yyyymmdd.
Time --> Time of the event, in the format hh:mm:ss:ms.
User --> User ID (null for CONNECT events, which are recorded before authentication).
IpAddress --> IP address of the client.
SessionID --> ID of the session through which the connection was made.
SessionType --> Type of session: TELNET / TCP / CRAFT / SERIAL.
EventType --> Type of the event, i.e. the logging level it belongs to (CONNECT / INV_LOGIN / ALL_EVENTS etc.).
Status --> Success or failure status of the event: YES for success, NO for failure.
Event --> Details of the event, such as the command executed or the action performed (connected, logged in, etc.).
For example, the recorded events in the security log text file look like the following:
20070807#16:58:33:287#null#192.168.111.57#268435457#TELNET#CONNECT#YES#Connection Established
20070807#16:59:13:583#root#192.168.111.57#268435457#TELNET#ALL_LOGIN#YES#Login Successful
20070807#17:01:35:471#null#192.168.111.57#2#TCP#CONNECT#YES#Connection Established
20070807#17:02:53:924#root#192.168.111.57#268435457#TELNET#ADVENTADMIN_CMDS#YES#User cagent added
20070807#17:02:53:924#root#192.168.111.57#268435457#TELNET#ALL_EVENTS#YES#adduser -g 30 -a 70 -i ADVENTMAINT cagent ******
20070807#17:07:25:142#vijays#192.168.111.66#3#TCP#ALL_LOGIN#YES#Login Successful
20070807#17:08:15:236#vijays#192.168.111.66#3#TCP#INV_OPRN#NO#printseculog
20070807#17:08:26:017#vijays#192.168.111.66#3#TCP#INV_OPRN#NO#dirlist
20070807#17:08:48:611#vijays#192.168.111.66#3#TCP#INV_OPRN#NO#list user
20070807#17:14:10:284#root#192.168.111.57#268435457#TELNET#ALL_EVENTS#YES#logout
Note: The password parameter of the commands adduser, edituser and editpasswd is masked (******) in the security log.
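The record format above is simple enough to audit with a short script. The following is an added example, not code from the WebNMS product: it parses '#'-delimited records into the nine documented fields and runs the checks an auditor would typically want over them (repeated invalid logins per user and client address, a successful login that follows a burst of failures, commands refused for lack of privilege, and admin commands with a check that their trailing password argument is masked). The records in SAMPLE_LOG are constructed to match the documented format; the thresholds and time window are assumptions.

```python
"""Parse WebNMS CLI Agent-style security log records (the '#'-delimited
seculog.txt format described on this page) and run a few audit checks.
Added example, not part of the WebNMS product; the records in SAMPLE_LOG
are constructed to match the documented format."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample with the same field layout as the page's example records.
SAMPLE_LOG = """\
20070807#16:58:33:287#null#192.168.111.57#268435457#TELNET#CONNECT#YES#Connection Established
20070807#17:02:53:924#root#192.168.111.57#268435457#TELNET#ALL_EVENTS#YES#adduser -g 30 -a 70 -i ADVENTMAINT cagent ******
20070807#17:07:25:142#vijays#192.168.111.66#3#TCP#ALL_LOGIN#YES#Login Successful
20070807#17:08:15:236#vijays#192.168.111.66#3#TCP#INV_OPRN#NO#printseculog
20070807#17:08:26:017#vijays#192.168.111.66#3#TCP#INV_OPRN#NO#dirlist
20070807#17:08:48:611#vijays#192.168.111.66#3#TCP#INV_OPRN#NO#list user
20070807#17:34:08:682#root#192.168.111.57#268435457#TELNET#INV_LOGIN#NO#Invalid Login
20070807#17:34:12:104#root#192.168.111.57#268435457#TELNET#INV_LOGIN#NO#Invalid Login
20070807#17:34:16:167#root#192.168.111.57#268435457#TELNET#ALL_LOGIN#YES#Login Successful
"""

ADMIN_VERBS = ("adduser", "edituser", "deleteuser", "editpasswd")


@dataclass
class SecRecord:
    date: str          # yyyymmdd
    time: str          # hh:mm:ss:ms
    user: str          # "null" before authentication (CONNECT events)
    ip: str
    session_id: str
    session_type: str  # TELNET / TCP / CRAFT / SERIAL
    event_type: str    # CONNECT / INV_LOGIN / ALL_LOGIN / ...
    status: str        # YES = success, NO = failure
    event: str         # free text: command line or action

    @property
    def when(self) -> datetime:
        # The millisecond part is ':'-separated; %f accepts 1-6 digits.
        return datetime.strptime(f"{self.date} {self.time}", "%Y%m%d %H:%M:%S:%f")


def parse_record(line: str) -> SecRecord:
    # Only the first 8 '#' are field separators; the Event field is free
    # text (an executed command) and may itself contain '#'.
    parts = line.rstrip("\r\n").split("#", 8)
    if len(parts) != 9:
        raise ValueError(f"malformed security log record: {line!r}")
    return SecRecord(*parts)


def parse_log(text: str) -> list:
    recs = [parse_record(l) for l in text.splitlines() if l.strip()]
    # Backup rotation can hand us files out of order; sort by timestamp.
    return sorted(recs, key=lambda r: r.when)


def repeated_invalid_logins(records, threshold: int = 2) -> dict:
    """(user, ip) pairs with at least `threshold` INV_LOGIN records."""
    c = Counter((r.user, r.ip) for r in records if r.event_type == "INV_LOGIN")
    return {k: n for k, n in c.items() if n >= threshold}


def success_after_failures(records, window: timedelta = timedelta(minutes=1)) -> list:
    """Successful logins preceded (same user+ip, within `window`) by
    invalid attempts: the guess-then-succeed pattern worth reviewing."""
    hits = []
    for i, r in enumerate(records):
        if r.event_type != "ALL_LOGIN" or r.status != "YES":
            continue
        prior = [p for p in records[:i]
                 if p.event_type == "INV_LOGIN" and p.user == r.user
                 and p.ip == r.ip and r.when - p.when <= window]
        if prior:
            hits.append((r.user, r.ip, len(prior)))
    return hits


def privilege_probes(records) -> dict:
    """Commands each user ran without the privilege to do so (INV_OPRN)."""
    out = defaultdict(list)
    for r in records:
        if r.event_type == "INV_OPRN":
            out[r.user].append(r.event)
    return dict(out)


def admin_commands(records) -> list:
    """(user, event, masked) for adduser/edituser/deleteuser/editpasswd
    executions; masked is True when the last argument is all asterisks."""
    out = []
    for r in records:
        verb = r.event.split(" ", 1)[0]
        if verb in ADMIN_VERBS:
            masked = r.event.split()[-1].strip("*") == ""
            out.append((r.user, r.event, masked))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("repeated invalid logins:", repeated_invalid_logins(recs))
    print("success after failures:", success_after_failures(recs))
    print("privilege probes:", privilege_probes(recs))
    print("admin commands:", admin_commands(recs))
```

Capping the split at eight separators matters: a command such as `echo a#b` recorded under ALL_EVENTS would otherwise shift every later field. The `masked` flag only confirms that whatever was logged last is asterisks; it cannot tell whether a command that takes no password (deleteuser) was logged correctly, so treat it as a check on adduser, edituser and editpasswd lines.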
Follow the steps given below to enable the security log:
In the Agent Compiler, choose Settings -> Project Settings from the menu bar, or use the shortcut key Ctrl+Shift+S. A dialog box appears with the Settings tree in its left frame.
Choose the node Protocols -> CLI -> Security in the Settings tree.
Here you will find the option Enable Security Logging. By default it is disabled; enable it.
The Log File Size, Log File Name and Log Level fields are now enabled, and you can modify these security log parameters.
Configuring Security Log Parameters
Log File Size : The number of entries (records) to be stored in the security log file. The default value is 60.
Log File Name : The name of the file, including its path, into which all the information is logged. By default the file name is seculog.txt and it is stored under the agent/conf/cli/ directory of the corresponding project directory.
Log Level : One of the logging levels discussed above. By default the log level is NOSECULOG, i.e. nothing is logged until you choose another level.
If backup is enabled, backup log files for the security log are created when seculog.txt reaches the maximum number of records configured in Log File Size. Once that size is reached, the contents of seculog.txt are moved to a backup file (say seculog1.txt) and logging starts afresh in seculog.txt.
Configuring Backup for Security log file
Following are the steps for enabling and configuring the backup file for the security log.
In the Agent Compiler, choose Settings -> Project Settings from the menu bar, or use the shortcut key Ctrl+Shift+S. A dialog box appears with the Settings tree in its left frame.
Choose the node Protocols -> CLI -> Security in the Settings tree.
Select the Enable Security Logging option.
Choose any logging level except NOSECULOG from the Log Level drop-down box. This enables the Backup for Security Log Files option.
Select the Backup for Security Log Files option.
You can also configure the number of backup log files in the No. of Backup log files field. The default value is 10.
Note: If the Backup for Security Log Files option is not enabled, logging is circular, i.e. once the maximum number of records is reached the oldest entry is deleted and the new entry is added.
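The difference between circular and backup mode decides how much audit trail survives a busy session, so it is worth putting numbers on it. The following added example (not WebNMS code) models the two retention modes described above in memory: a circular seculog.txt that keeps only the last Log File Size records, and backup mode that moves the full file aside and keeps up to No. of Backup log files copies. The page says only that the full file is moved to a backup such as seculog1.txt; the naming of older backups (seculog2.txt and so on, shifted on each rotation) is an assumption of this model.

```python
"""Retention model for seculog.txt in circular and backup mode.
Added example, not WebNMS code; the shift order and naming of older
backups (seculog2.txt, seculog3.txt, ...) are assumptions, the page only
says the full file is moved to a backup such as seculog1.txt."""
from collections import deque


class SecurityLogModel:
    def __init__(self, max_records=60, backup=False, max_backups=10):
        self.max_records = max_records   # Log File Size (default 60)
        self.backup = backup             # Backup for Security Log Files
        self.max_backups = max_backups   # No. of Backup log files (default 10)
        self.live = deque()              # seculog.txt
        self.backups = []                # index 0 = seculog1.txt (newest)

    def append(self, record):
        if self.backup and len(self.live) >= self.max_records:
            self._rotate()
        self.live.append(record)
        if not self.backup and len(self.live) > self.max_records:
            self.live.popleft()          # circular: oldest record overwritten

    def _rotate(self):
        # Assumed order: seculogN.txt -> seculogN+1.txt, anything beyond
        # max_backups is dropped, then the full live file becomes seculog1.txt.
        self.backups.insert(0, list(self.live))
        del self.backups[self.max_backups:]
        self.live.clear()

    def files(self):
        """Mapping of file name to the records it holds."""
        out = {"seculog.txt": list(self.live)}
        for i, b in enumerate(self.backups, 1):
            out[f"seculog{i}.txt"] = b
        return out

    def retained(self):
        """All records an auditor can still recover, oldest first."""
        recs = []
        for b in reversed(self.backups):
            recs.extend(b)
        recs.extend(self.live)
        return recs


def simulate(n_events, **kw):
    """Feed n_events numbered records through a log with the given settings."""
    log = SecurityLogModel(**kw)
    for i in range(1, n_events + 1):
        log.append(i)        # record i stands in for the i-th audit event
    return log


if __name__ == "__main__":
    for settings in ({"backup": False},
                     {"backup": True, "max_backups": 10},
                     {"backup": True, "max_backups": 1}):
        log = simulate(130, max_records=60, **settings)
        kept = log.retained()
        print(settings, "retained", len(kept), "of 130, oldest kept:", kept[0])
```

At the default 60 records, ALL_EVENTS logging of one administrative session (connect, login, a handful of commands, logout) can already push earlier entries out of a circular log, so the evidence of the event that triggered an investigation may be gone before anyone runs printseculog. Enable the backup option and use the upload facility mentioned at the top of the page to move backups off the agent for long-term storage.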
The following command is implemented for the security log feature:
printseculog
This command can be used by an administrator with the appropriate privilege to print the events recorded in the security log; it is used primarily to retrieve records for audit purposes.
Example : printseculog
CLI>>printseculog
+----------+--------------+------+----------------+-----------+-------------+-----------+--------+------------------------+
| Date     | Time         | User | IpAddress      | SessionID | SessionType | EventType | Status | Event                  |
+----------+--------------+------+----------------+-----------+-------------+-----------+--------+------------------------+
| 20070807 | 17:34:01:745 | null | 192.168.111.57 | 268435457 | TELNET      | CONNECT   | YES    | Connection Established |
| 20070807 | 17:34:08:682 | root | 192.168.111.57 | 268435457 | TELNET      | INV_LOGIN | NO     | Invalid Login          |
| 20070807 | 17:34:16:167 | root | 192.168.111.57 | 268435457 | TELNET      | ALL_LOGIN | YES    | Login Successful       |
+----------+--------------+------+----------------+-----------+-------------+-----------+--------+------------------------+
CLI>>
Following are the macros used by the security log feature. They are present in the config.h file under the <project-name>/agent/source/system/include directory when the logging feature is enabled.
CLI_SECULOG : Specifies that the security logging feature is enabled
CLI_SECURITY_LOG_FILE : Holds the directory path and file name in which logging is done
CLI_SECURITY_LOG_LEVEL : Specifies the logging level of the security log
MAX_CLI_SECULOG_SIZE : Holds the number of records to be stored in the security log file
CLI_SECULOG_BACKUP : Specifies that backup for security log files is enabled
MAX_CLI_SECU_BKUPLOGS : Holds the maximum number of backup log files