User and roles syslog messages
Whenever a user or role is created, modified, or deleted within ASMS, a corresponding log entry is automatically written to /var/log/messages.
Tip: AFA can also send syslog messages to a remote server. Configure the remote server in the AFA Administration area.
Users and roles syslog message contents
Syslog entries for user and role events include the following details:
- Date and time
- ASMS build version
- Event name, consisting of both the Event ID and the Event name
- Severity level: 0
- The domain ID. This should always appear as NONE.
- Event description, consisting of:
  - The username.
  - The IP address of the browsing computer. Internal events do not include the IP address, because it would always be the localhost.
  - Other relevant attributes
User and roles syslog event reference
The following table lists basic user and roles events that generate Syslog messages. Your system may generate additional messages depending on your configuration.
Event | Description
---|---
Create User | Create a new user.
Modify User | Update a user. Three cases are logged: no change to permissions, change to permissions, and password update.
Delete User | Delete a user.
Create Role | Create a new role.
Modify Role | Update a role.
Delete Role | Delete a role.
Sample user and role Syslog messages
Create User Event
Jan 31 10:53:09 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Create User|Create User|0|NONE|user=admin ip=192.168.12.42 Created user 'userfortextcheck' (This user has the following attributes: permissions: 'Enable Analysis from file, Enable Trusted Traffic -> global', roles: 'abc, qqq', authorized views and actions: 'report_all, action_views, action_analyze, action_query, action_trusted, view_edit_reporting_tool', authorized devices: 'ALL_FIREWALLS')
Modify User Event (with no changes to permissions)
Jan 31 10:54:03 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify User|Modify User|0|NONE|user=admin ip=192.168.12.42 Updated User 'userfortextcheck' (No change to permissions. Current attributes are: roles: 'abc, newyael', authorized views and actions: 'report_changes, report_optimize, action_views, action_analyze, action_query, action_trusted, view_edit_reporting_tool', authorized devices: 'ALL_FIREWALLS')
Modify User Event (with changes to permissions)
Feb 1 05:05:29 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify User|Modify User|0|NONE|user=admin ip=192.168.12.28 Updated User 'yaelnewuser' (Added permissions: 'Enable Trusted Traffic -> global'Removed permissions: 'Enable Analysis from file'. Current attributes are: roles: 'kkk, newyael, newyael2', authorized views and actions: 'report_risks, report_changes, report_optimize, action_views, action_all, view_edit_reporting_tool', authorized devices: 'no firewalls assigned')
Modify User Event (update user password)
Feb 1 05:21:08 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify User|Modify User|0|NONE|user=admin ip=192.168.12.28 Updated the password of user 'yaelmag'
Delete User Event
Jan 31 10:55:33 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Delete User|Delete User|0|NONE|user=admin ip=192.168.12.42 Deleted user: 'userfortextcheck'
Create Role Event
Jan 31 10:56:13 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Create Role|Create Role|0|NONE|user=admin ip=192.168.12.42 Created role 'roleforcheck' (The role has the following attributes: general permissions: 'Enable Analysis from file, Enable Trusted Traffic -> global', authorized views and actions: 'report_risks, report_changes, report_optimize, report_vpn, action_views, action_all, view_edit_reporting_tool', authorized devices: 'ALL_FIREWALLS')
Modify Role Event
Jan 31 10:57:26 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify Role|Modify Role|0|NONE|user=admin ip=192.168.12.42 Updated role 'roleforcheck' (Current attributes are: permissions:'Enable Analysis from file', authorized views and actions: 'report_risks, report_changes, report_optimize, report_vpn, action_views, action_query, action_trusted, action_topology, action_compare, view_edit_reporting_tool', authorized devices: 'ALL_FIREWALLS')
Delete Role Event
Jan 31 10:57:58 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Delete Role|Delete Role|0|NONE|user=admin ip=192.168.12.42 Deleted role: 'roleforcheck'
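The following is an added example, not AlgoSec's own code: a small Python parser for the message layout described above (CEF header fields, then the user=/ip= extension and free-text description), with a review step that flags the events an analyst forwarding these lines to a SIEM would most want surfaced. The sample lines are copied from this page (attribute lists shortened); the flag names and the extra internal-origin sample in the usage are my own constructions.

```python
import re
from typing import Optional

# Sample lines copied from the page's own examples (attribute lists shortened).
SAMPLES = [
    "Jan 31 10:53:09 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Create User|Create User|0|NONE|"
    "user=admin ip=192.168.12.42 Created user 'userfortextcheck' (This user has the following attributes: roles: 'abc, qqq')",
    "Feb 1 05:05:29 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify User|Modify User|0|NONE|"
    "user=admin ip=192.168.12.28 Updated User 'yaelnewuser' (Added permissions: 'Enable Trusted Traffic -> global'Removed permissions: 'Enable Analysis from file')",
    "Feb 1 05:21:08 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify User|Modify User|0|NONE|"
    "user=admin ip=192.168.12.28 Updated the password of user 'yaelmag'",
    "Jan 31 10:55:33 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Delete User|Delete User|0|NONE|"
    "user=admin ip=192.168.12.42 Deleted user: 'userfortextcheck'",
]

# Header layout described above: CEF:0|Vendor|Product|Build|EventID|EventName|Severity|Domain|extension
CEF_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) CEF:\d+\|[^|]*\|[^|]*\|(?P<build>[^|]*)\|"
    r"(?P<event_id>[^|]*)\|(?P<event>[^|]*)\|(?P<severity>[^|]*)\|(?P<domain>[^|]*)\|(?P<ext>.*)$"
)
# Extension: "user=<actor> ip=<addr> <description>"; ip is absent (None) for internal/localhost events.
EXT_RE = re.compile(r"^user=(?P<actor>\S+)(?: ip=(?P<ip>\S+))? (?P<desc>.*)$")
TARGET_RE = re.compile(r"'([^']+)'")  # first quoted token is the user or role acted on


def parse_event(line: str) -> Optional[dict]:
    """Split one ASMS user/role syslog line into its fields; None if it is not such a line."""
    m = CEF_RE.match(line)
    ext = EXT_RE.match(m["ext"]) if m else None
    if ext is None:
        return None
    target = TARGET_RE.search(ext["desc"])
    return {
        "timestamp": m["ts"], "host": m["host"], "build": m["build"], "event": m["event"],
        "severity": m["severity"], "domain": m["domain"], "actor": ext["actor"],
        "ip": ext["ip"], "target": target.group(1) if target else None, "desc": ext["desc"],
    }


def flag_event(ev: dict) -> list:
    """Review flags (names are my own) an analyst would want raised for a parsed event."""
    flags = []
    if ev["event"].startswith("Delete"):
        flags.append("deletion")
    if "Added permissions" in ev["desc"]:
        flags.append("permissions-added")
    if ev["event"] == "Modify User" and "password" in ev["desc"]:
        flags.append("password-reset")
    if ev["ip"] is None:
        flags.append("internal-origin")
    return flags
```

Run `flag_event(parse_event(line))` over each line read from /var/log/messages (or the remote syslog collector) to get the per-event flags.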