User and roles syslog messages

Whenever a user or role is created, modified, or deleted in ASMS, a corresponding log entry is automatically written to /var/log/messages.

Tip: AFA can also send syslog messages to a remote server. Configure the remote server in the AFA Administration area. For more details, see Configure ASMS to generate and send Syslog messages.

Users and roles syslog message contents

Syslog entries for user and roles events include the following details:

  • Date and time

  • ASMS build version

  • Event name, consisting of both the Event ID and Event name

  • Severity level: 0

  • The domain ID. This should always appear as NONE.

  • Event description: consisting of:

    • The username.
    • The IP address of the browsing computer. Internal events do not include the IP address, because it will always be the localhost.
    • Other relevant attributes

User and roles syslog event reference

The following table lists basic user and roles events that generate Syslog messages. Your system may generate additional messages depending on your configuration.

Event            Description
Create User      Create a new user.
Modify User      Any of these three cases:
                   • Update user with no changes to permissions.
                   • Update user with changes to permissions.
                   • Update user password.
Delete User      Delete a user.
Create Role      Create a new role.
Modify Role      Update a role.
Delete Role      Delete a role.

Sample user and role Syslog messages

Create User Event

Jan 31 10:53:09 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Create User|Create User|0|NONE|user=admin ip=192.168.12.42 Created user 'userfortextcheck' (This user has the following attributes: permissions: 'Enable Analysis from file, Enable Trusted Traffic -> global', roles: 'abc, qqq', authorized views and actions: 'report_all, action_views, action_analyze, action_query, action_trusted, view_edit_reporting_tool', authorized devices: 'ALL_FIREWALLS')

Modify User Event (with no changes to permissions)

Jan 31 10:54:03 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify User|Modify User|0|NONE|user=admin ip=192.168.12.42 Updated User 'userfortextcheck' (No change to permissions. Current attributes are: roles: 'abc, newyael', authorized views and actions: 'report_changes, report_optimize, action_views, action_analyze, action_query, action_trusted, view_edit_reporting_tool', authorized devices: 'ALL_FIREWALLS')

Modify User Event (with changes to permissions)

Feb  1 05:05:29 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify User|Modify User|0|NONE|user=admin ip=192.168.12.28 Updated User 'yaelnewuser' (Added permissions: 'Enable Trusted Traffic -> global'Removed permissions: 'Enable Analysis from file'. Current attributes are: roles: 'kkk, newyael, newyael2', authorized views and actions: 'report_risks, report_changes, report_optimize, action_views, action_all, view_edit_reporting_tool', authorized devices: 'no firewalls assigned')

Modify User Event (update user password)

Feb  1 05:21:08 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify User|Modify User|0|NONE|user=admin ip=192.168.12.28 Updated the password of user 'yaelmag'

Delete User Event

Jan 31 10:55:33 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Delete User|Delete User|0|NONE|user=admin ip=192.168.12.42 Deleted user: 'userfortextcheck'

Create Role Event

Jan 31 10:56:13 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Create Role|Create Role|0|NONE|user=admin ip=192.168.12.42 Created role 'roleforcheck' (The role has the following attributes: general permissions: 'Enable Analysis from file, Enable Trusted Traffic -> global', authorized views and actions: 'report_risks, report_changes, report_optimize, report_vpn, action_views, action_all, view_edit_reporting_tool', authorized devices: 'ALL_FIREWALLS')

Modify Role Event

Jan 31 10:57:26 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify Role|Modify Role|0|NONE|user=admin ip=192.168.12.42 Updated role 'roleforcheck' (Current attributes are: permissions:'Enable Analysis from file', authorized views and actions: 'report_risks, report_changes, report_optimize, report_vpn, action_views, action_query, action_trusted, action_topology, action_compare, view_edit_reporting_tool', authorized devices: 'ALL_FIREWALLS')

Delete Role Event

Jan 31 10:57:58 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Delete Role|Delete Role|0|NONE|user=admin ip=192.168.12.42 Deleted role: 'roleforcheck'
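The message layout described under "Users and roles syslog message contents" and the sample lines above are enough to parse these records mechanically, which is what a SIEM rule or audit script would do with them. The following Python script is an added example, not AlgoSec code: it splits the syslog prefix and the pipe-delimited CEF header (vendor, product, build, Event ID, Event name, severity, domain), reads the actor and optional browser IP from the extension, pulls the target user or role and any "Added permissions" / "Removed permissions" lists out of the description, and flags permission grants, deletions, and header values that differ from the expected severity 0 and domain NONE. Four of the sample lines are copied from this page; the fifth (an internal event with no ip= field) is constructed to exercise the documented case where the address is omitted.

```python
"""Parse ASMS user/role CEF syslog lines and flag what an auditor would review.
Added example; the field order below follows the samples on this page."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Jan 31 10:53:09 algosec CEF:0|..." -> timestamp, host, CEF record
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<cef>CEF:0\|.*)$"
)
# Extension: "user=<actor>", then "ip=<addr>" only for browser-originated events,
# then the free-text description.
_EXT_RE = re.compile(r"^user=(?P<actor>\S+)(?: ip=(?P<ip>\S+))? (?P<desc>.*)$")
# The object acted on: "user 'x'", "User 'x'", "user: 'x'", "role 'x'", "role: 'x'"
_TARGET_RE = re.compile(r"\b(?:user|role):? '([^']+)'", re.IGNORECASE)
_ADDED_RE = re.compile(r"Added permissions: '([^']*)'")
_REMOVED_RE = re.compile(r"Removed permissions: '([^']*)'")


@dataclass
class UserRoleEvent:
    timestamp: str
    host: str
    build: str
    event_id: str
    event_name: str
    severity: int
    domain: str
    actor: str
    ip: Optional[str]        # None for internal events, which omit the address
    target: Optional[str]
    description: str
    added: List[str]
    removed: List[str]


def _split_perms(text: str) -> List[str]:
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_event(line: str) -> UserRoleEvent:
    m = _SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a syslog line carrying a CEF:0 record")
    # Header order on this page: CEF:0|Vendor|Product|Build|EventID|EventName|Severity|Domain|extension
    parts = m.group("cef").split("|", 8)
    if len(parts) != 9:
        raise ValueError("CEF record does not have the expected header fields")
    ext = _EXT_RE.match(parts[8])
    if not ext:
        raise ValueError("extension does not start with user=<actor>")
    desc = ext.group("desc")
    tgt, added, removed = _TARGET_RE.search(desc), _ADDED_RE.search(desc), _REMOVED_RE.search(desc)
    return UserRoleEvent(
        timestamp=m.group("ts"), host=m.group("host"), build=parts[3],
        event_id=parts[4], event_name=parts[5], severity=int(parts[6]),
        domain=parts[7], actor=ext.group("actor"), ip=ext.group("ip"),
        target=tgt.group(1) if tgt else None, description=desc,
        added=_split_perms(added.group(1)) if added else [],
        removed=_split_perms(removed.group(1)) if removed else [],
    )


def review(lines: List[str]) -> List[Dict[str, object]]:
    """One summary per line with reviewer flags: permission grants, deletions,
    and header values other than the documented severity 0 / domain NONE."""
    out = []
    for line in lines:
        ev = parse_event(line)
        flags = []
        if ev.added:
            flags.append("permissions-granted")
        if ev.event_name in ("Delete User", "Delete Role"):
            flags.append("deletion")
        if ev.severity != 0 or ev.domain != "NONE":
            flags.append("unexpected-header")
        out.append({"event": ev.event_name, "actor": ev.actor, "ip": ev.ip,
                    "target": ev.target, "added": ev.added, "removed": ev.removed,
                    "flags": flags})
    return out


# First four lines are samples from this page; the last is constructed to show an
# internal event, which the page says carries no ip= field.
SAMPLE_LINES = [
    "Jan 31 10:53:09 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Create User|Create User|0|NONE|user=admin ip=192.168.12.42 Created user 'userfortextcheck' (This user has the following attributes: permissions: 'Enable Analysis from file, Enable Trusted Traffic -> global', roles: 'abc, qqq', authorized views and actions: 'report_all, action_views', authorized devices: 'ALL_FIREWALLS')",
    "Feb  1 05:05:29 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify User|Modify User|0|NONE|user=admin ip=192.168.12.28 Updated User 'yaelnewuser' (Added permissions: 'Enable Trusted Traffic -> global'Removed permissions: 'Enable Analysis from file'. Current attributes are: roles: 'kkk, newyael, newyael2', authorized devices: 'no firewalls assigned')",
    "Jan 31 10:55:33 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Delete User|Delete User|0|NONE|user=admin ip=192.168.12.42 Deleted user: 'userfortextcheck'",
    "Jan 31 10:57:58 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Delete Role|Delete Role|0|NONE|user=admin ip=192.168.12.42 Deleted role: 'roleforcheck'",
    "Feb  1 05:30:00 algosec CEF:0|AlgoSec|Suite|v3300.0.0-b399|Modify User|Modify User|0|NONE|user=admin Updated the password of user 'svc_internal'",
]

if __name__ == "__main__":
    for row in review(SAMPLE_LINES):
        print(row)
```

Because the description is free text, the target and permission regexes are tied to the exact phrasing shown in the samples ("Created user '...'", "Added permissions: '...'"); if a build changes that wording, the parser returns an empty target or permission list rather than failing, so a pipeline should count unparsed targets as a health signal.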