
Configuration Console AUDIT log format to capture configuration changes

In VIP Enterprise Gateway, most components are configured in the Configuration Console, and VIP Enterprise Gateway writes a log message for every such configuration change.

NOTE

The vipegconsole.log also collects all the activities that an administrator performs.

See Configuration Console logging for administrator events.

The format of the Configuration Console log (vipegconsole) has been enhanced so that the AUDIT log captures specific configuration changes. The Session ID, a unique identifier created for every user sign-in, ties each change to the sign-in session that made it. This identifier must not be confused with the web application session ID that is used for the HTTP(S) sessions.

The following format captures a configuration change in the TEXT part of an AUDIT log entry:

text=TYPE<blank>ATTRIBUTES<blank>OPERATION_VALUES

The production rules of the log format, in Extended Backus-Naur Form (EBNF) notation, are:

Blank = U+0020+
text = TYPE Blank ATTRIBUTES Blank OPERATION_VALUES
TYPE = CONF
OPERATION_VALUES = ADD_VALUES | EDIT_VALUES | DEL_VALUES
ADD_VALUES = ADD Blank VALUE
EDIT_VALUES = EDIT Blank VALUE Blank VALUE
DEL_VALUES = DELETE Blank VALUE
VALUE = <alphanumeric>+
ATTRIBUTES = CLASSES [.] PROPERTIES
CLASSES = CLASS | CLASS(INSTANCE) | CLASSES.CLASS(INSTANCE)
CLASS = <alphanumeric>+

PROPERTIES and INSTANCE are not defined further here; in the examples below PROPERTIES takes the form property(<name>) and INSTANCE is a numeric index such as 0. Note also that the examples show values containing characters such as =, %, parentheses and escaped commas (\,), so the <alphanumeric>+ production for VALUE is a simplification. What the grammar does guarantee is that a VALUE contains no blank, and only for that reason can the EDIT form VALUE Blank VALUE be split unambiguously into its new and old values.

These production rules support the following three types of configuration changes:

• ADD - On adding a configuration, each added line is logged as an ADD operation in the following format:

TYPE<BLANK>ATTRIBUTES<BLANK>ADD<BLANK>NEWVALUE

For example, configuring the user search filter as cn=%s while configuring the first user store:

CONF userstoreIndex(0).connectionIndex(0).property(ldap.userFilterFormat) ADD cn=%s

• EDIT - On editing a configuration, each modified line is logged as an EDIT operation in the following format, with the new value first and the old value second:

TYPE<BLANK>ATTRIBUTES<BLANK>EDIT<BLANK>NEWVALUE<BLANK>OLDVALUE

For example, modifying the user search filter from cn=%s to samAccountName=%s:

CONF userstoreIndex(0).connectionIndex(0).property(ldap.userFilterFormat) EDIT samAccountName=%s cn=%s

• DELETE - On deleting a configuration, each deleted line is logged as a DELETE operation in the following format:

TYPE<BLANK>ATTRIBUTES<BLANK>DELETE<BLANK>OLDVALUE

For example, deleting the user search filter samAccountName=%s:

CONF userstoreIndex(0).connectionIndex(0).property(ldap.userFilterFormat) DELETE samAccountName=%s

The following scenario explains how the configuration changes are logged in the TEXT part of the AUDIT logs:

An administrator has been assigned to install and configure VIP Enterprise Gateway for Colossal Corporation.

After installing VIP Enterprise Gateway, the administrator signs in as admin, completes the initial configuration, and then configures the user store US_1. When a new user store is added, every configured property is logged as an ADD operation. The following tables list the AUDIT log entries created for configuring the user store US_1:

NOTE

In each entry, the two numeric fields that follow the component name vipegconsole are the Session ID and the Transaction ID; in the first entry below they are 1809195669 and 4367046308347605. All entries written for one console save (here, op=setuserstore) share the same Transaction ID.

Table 23: Add User Store - AUDIT logs for ADD operation (legacy format)

AUDIT "2019-10-10 15:47:26.904 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4367046308347605 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(dnsName) ADD COLOSSAL.COM,op=setuserstore"

AUDIT "2019-10-10 15:47:26.905 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4367046308347605 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.baseDN) ADD cn=users\,dc=colossal\,dc=com,op=setuserstore"

AUDIT "2019-10-10 15:47:26.905 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4367046308347605 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.cloudAttribute) ADD sAMAccountName,op=setuserstore"

...

AUDIT "2019-10-10 15:47:26.907 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4367046308347605 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(netbiosName) ADD COLOSSAL,op=setuserstore"

Table 24: Add User Store - AUDIT logs for ADD operation (Common Event Format)

CEF:0|Symantec|VIP Enterprise Gateway|9.9|AUDIT|"2019-10-10 15:47:26.904 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4367046308347605 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(dnsName) ADD COLOSSAL.COM,op=setuserstore"

CEF:0|Symantec|VIP Enterprise Gateway|9.9|AUDIT|"2019-10-10 15:47:26.905 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4367046308347605 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.baseDN) ADD cn=users\,dc=colossal\,dc=com,op=setuserstore"

CEF:0|Symantec|VIP Enterprise Gateway|9.9|AUDIT|"2019-10-10 15:47:26.905 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4367046308347605 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.cloudAttribute) ADD sAMAccountName,op=setuserstore"

...

CEF:0|Symantec|VIP Enterprise Gateway|9.9|AUDIT|"2019-10-10 15:47:26.907 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4367046308347605 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(netbiosName) ADD COLOSSAL,op=setuserstore"

After a month, Colossal Corporation decided to change the user search filter of US_1. The administrator modified the User Filter (the ldap.userFilterFormat property), and the change is logged as an EDIT operation whose text carries the new filter followed by the old one. The entries created for this modification are shown below:

Table 25: Edit User Store configuration - AUDIT logs for EDIT operation (legacy format)

AUDIT "2019-10-10 16:03:35.101 GMT+0530" 10.7.131.104 vipegconsole 1809195669 6116735916746959 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.userFilterFormat) EDIT (&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s)(cn=%s)) (&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s)),op=setuserstore"

Table 26: Edit User Store configuration - AUDIT logs for EDIT operation (Common Event Format)

CEF:0|Symantec|VIP Enterprise Gateway|9.9|AUDIT|"2019-10-10 16:03:35.101 GMT+0530" 10.7.131.104 vipegconsole 1809195669 6116735916746959 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.userFilterFormat) EDIT (&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s)(cn=%s)) (&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s)),op=setuserstore"

After a year, Colossal Corporation decided to decommission the user store US_1. Every property of the removed store is logged as a DELETE operation; the entries created are shown below:

Table 27: Delete User Store - AUDIT logs for DELETE operation (legacy format)

AUDIT "2019-10-10 16:07:35.511 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4408564771685191 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(dnsName) DELETE COLOSSAL.COM"

AUDIT "2019-10-10 16:07:35.511 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4408564771685191 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.baseDN) DELETE cn=users\,dc=colossal\,dc=com"

...

AUDIT "2019-10-10 16:07:35.513 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4408564771685191 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(netbiosName) DELETE COLOSSAL"

Table 28: Delete User Store - AUDIT logs for DELETE operation (Common Event Format)

CEF:0|Symantec|VIP Enterprise Gateway|9.9|AUDIT|"2019-10-10 16:07:35.511 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4408564771685191 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(dnsName) DELETE COLOSSAL.COM"

CEF:0|Symantec|VIP Enterprise Gateway|9.9|AUDIT|"2019-10-10 16:07:35.511 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4408564771685191 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.baseDN) DELETE cn=users\,dc=colossal\,dc=com"

...

CEF:0|Symantec|VIP Enterprise Gateway|9.9|AUDIT|"2019-10-10 16:07:35.513 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4408564771685191 0 "actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(netbiosName) DELETE COLOSSAL"
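The production rules given earlier and the sample entries in Tables 23 to 28 are enough to build a small change monitor. The following Python is an added example, not code from VIP Enterprise Gateway or its documentation. It parses both the legacy and the CEF form of an AUDIT entry, splits the quoted payload on unescaped commas (so the escaped commas inside a baseDN survive), applies the text= production rules to recover the attributes, operation and values, then groups entries by Transaction ID and flags changes to a chosen set of properties. It assumes, from the field order visible in the tables, that the two numbers after vipegconsole are the Session ID and the Transaction ID; the WATCHED set is a choice made for this example; the sample lines are copied from the tables above with line wrapping removed. Because VALUE carries no blanks under the grammar, an EDIT whose value part does not split into exactly two blank-separated values is rejected as ambiguous rather than guessed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not product code. Assumption from the field order in the tables:
# the two numbers after the `vipegconsole` component are the Session ID and Transaction ID.
CEF_HEADER = re.compile(r'^CEF:0\|[^|]*\|[^|]*\|[^|]*\|AUDIT\|')  # CEF wraps the legacy body
# AUDIT "<timestamp>" <host> <component> <session> <transaction> <n> "<payload>"
ENTRY = re.compile(
    r'^(?:AUDIT\s+)?"(?P<ts>[^"]+)"\s+(?P<host>\S+)\s+(?P<component>\S+)\s+'
    r'(?P<session>\d+)\s+(?P<txn>\d+)\s+\d+\s+"(?P<payload>.*)"\s*$')
# text = TYPE <blank> ATTRIBUTES <blank> OPERATION <blank> VALUE [<blank> VALUE]
TEXT = re.compile(r'^CONF\s+(?P<attrs>\S+)\s+(?P<op>ADD|EDIT|DELETE)\s+(?P<values>.*)$')
UNESCAPED_COMMA = re.compile(r'(?<!\\),')   # payload field separator; "\," is a literal comma
PROPERTY = re.compile(r'property\((?P<name>[^)]+)\)')
WATCHED = {'ldap.baseDN', 'ldap.userFilterFormat', 'dnsName'}  # alert set chosen for this example

@dataclass
class ConfChange:
    timestamp: str
    session_id: str
    transaction_id: str
    actor: str
    attributes: str            # e.g. userstoreIndex(0).connectionIndex(0).property(ldap.baseDN)
    operation: str             # ADD | EDIT | DELETE
    new_value: Optional[str]   # None for DELETE
    old_value: Optional[str]   # None for ADD
    op: Optional[str]          # trailing op= field; absent on the DELETE entries above

def property_name(change: ConfChange) -> Optional[str]:
    m = PROPERTY.search(change.attributes)
    return m['name'] if m else None

def parse_payload(payload: str) -> Dict[str, str]:
    """Split 'actor=admin,text=...,op=...' on unescaped commas and unescape the values."""
    fields = {}
    for item in UNESCAPED_COMMA.split(payload):
        key, _, value = item.partition('=')
        fields[key] = value.replace('\\,', ',')
    return fields

def parse_text(text: str) -> Tuple[str, str, Optional[str], Optional[str]]:
    """Apply the text= production rules; returns (attributes, operation, new, old)."""
    m = TEXT.match(text)
    if not m:
        raise ValueError(f'text field does not match the CONF grammar: {text!r}')
    attrs, op, values = m['attrs'], m['op'], m['values']
    if op == 'ADD':
        return attrs, op, values, None
    if op == 'DELETE':
        return attrs, op, None, values
    parts = values.split(' ')
    if len(parts) != 2:  # VALUE carries no blanks, so anything else is ambiguous
        raise ValueError(f'EDIT expects NEWVALUE<blank>OLDVALUE, got {values!r}')
    return attrs, op, parts[0], parts[1]

def parse_audit_line(line: str) -> ConfChange:
    m = ENTRY.match(CEF_HEADER.sub('', line.strip(), count=1))
    if not m:
        raise ValueError(f'not a Configuration Console AUDIT entry: {line!r}')
    fields = parse_payload(m['payload'])
    attrs, op, new, old = parse_text(fields['text'])
    return ConfChange(m['ts'], m['session'], m['txn'], fields.get('actor', ''),
                      attrs, op, new, old, fields.get('op'))

def group_by_transaction(lines: List[str]) -> Dict[str, List[ConfChange]]:
    """One console save writes one entry per property under a shared Transaction ID
    (Table 23); grouping on it reconstructs the whole change."""
    groups: Dict[str, List[ConfChange]] = defaultdict(list)
    for change in map(parse_audit_line, lines):
        groups[change.transaction_id].append(change)
    return dict(groups)

def watched_changes(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(session, transaction, property, operation) for each change to a WATCHED property."""
    return [(c.session_id, c.transaction_id, property_name(c), c.operation)
            for c in map(parse_audit_line, lines) if property_name(c) in WATCHED]

# Sample entries copied from Tables 23 to 28 above, with line wrapping removed.
SAMPLE_LINES = [
    r'AUDIT "2019-10-10 15:47:26.904 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4367046308347605 0 '
    r'"actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(dnsName) ADD COLOSSAL.COM,op=setuserstore"',
    r'AUDIT "2019-10-10 15:47:26.905 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4367046308347605 0 '
    r'"actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.baseDN) ADD cn=users\,dc=colossal\,dc=com,op=setuserstore"',
    r'CEF:0|Symantec|VIP Enterprise Gateway|9.9|AUDIT|"2019-10-10 15:47:26.905 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4367046308347605 0 '
    r'"actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.cloudAttribute) ADD sAMAccountName,op=setuserstore"',
    r'AUDIT "2019-10-10 16:03:35.101 GMT+0530" 10.7.131.104 vipegconsole 1809195669 6116735916746959 0 '
    r'"actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.userFilterFormat) EDIT '
    r'(&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s)(cn=%s)) (&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s)),op=setuserstore"',
    r'CEF:0|Symantec|VIP Enterprise Gateway|9.9|AUDIT|"2019-10-10 16:07:35.511 GMT+0530" 10.7.131.104 vipegconsole 1809195669 4408564771685191 0 '
    r'"actor=admin,text=CONF userstoreIndex(0).connectionIndex(0).property(ldap.baseDN) DELETE cn=users\,dc=colossal\,dc=com"',
]

if __name__ == '__main__':
    for txn, changes in group_by_transaction(SAMPLE_LINES).items():
        print(txn, [(c.operation, property_name(c), c.old_value, c.new_value) for c in changes])
    print(watched_changes(SAMPLE_LINES))
```

Running the script prints the three transactions from the tables (the three-entry ADD save, the EDIT and the DELETE) and the four changes that touch a watched property. When feeding real vipegconsole output, parse the whole line rather than grepping for the property name: the actor, Session ID and Transaction ID sit outside the text= field, and the old value of an EDIT is only recoverable by honoring the NEWVALUE<blank>OLDVALUE order.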
