
AuthLog


AuthLog contains users’ authentication attempts in Kron PAM. You can also see the AuthLog in the WebGUI through the Logging > User Auth Log menu. The table below shows the AuthLog variables.

Variable | Description
dbId | Database ID of the authentication log in the Kron PAM Database.
id | The specific ID of the log in the Kron PAM Database.
time | Authentication attempt interval.
event | The event takes on the following values: 0: LOGIN_SUCCESS, 1: LOGIN_FAILURE, 2: LOGOUT, 3: LOGIN_TOKEN_PROVIDED, 4: AUTH_CHALLENGE
eventSource | Event source for the authentication log. It can take on the following values: ui, api, Tacacs, global-user-auth, kcore-rest-api, scproxy-ssh-key, scproxy
clientIp | Source IP that sends the auth request.
params | Whether the authentication is a success or a failure, the related parameters are sometimes noted in this field. Ex: Active Directory Error 52e: Invalid Credentials, Global Username: root
nasIp | The IP address of the target device.
nasHostname | The IP hostname of the target device.
userName | The user name entered in the interface.
externalDirectorySource | This is the LDAP source name in Kron PAM. This field is filled if the user is an LDAP/AD user.
instanceName | Kron PAM instance by which the auth request is started.

Login Success

The first log is the WebGUI login of a Kron PAM User. The event source is specified as ui. The second log is the authentication of a device. The event source is specified as global-user-auth. All LOGIN_SUCCESS events are labeled as event=0.

Syslog Version | Syslog Timestamp | Syslog Hostname | Syslog App Name | Syslog Process ID | Syslog Log Message

1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210326080805, id\='d54f9b7f-89a9-4ada-ba69-da2e9287cb84', time\=2021-03-26 08:08:05.551, event=0, eventSource\='ui', clientIp\='62.242.222.125', params\='null', nasIp\='127.0.0.1', nasHostname\='127.0.0.1', userName\='siemtest', externalDirectorySource\='null', instanceName\='d-scon01'}

1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210326083233, id\='b3c3c14d-8bb7-46a7-ba2a-68926ac29ad4', time\=2021-03-26 08:32:33.717,event=0 , eventSource\='global-user-auth', clientIp\='62.242.222.125', params\='Global Username: pam-test11', nasIp\='83.91.179.22', nasHostname\='Linux-Test', userName\='admin', externalDirectorySource\='null', instanceName\='d-scon01'}

Login Failure

All LOGIN_FAILURE events are labeled as event=1.

Syslog Version | Syslog Timestamp | Syslog Hostname | Syslog App Name | Syslog Process ID | Syslog Log Message

1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210330074342, id\='9c7e3ae1-c0df-4e6f-ba52-14d437628218', time\=2021-03-30 07:43:42.466, event=1, eventSource\='ui', clientIp\='62.242.222.24', params\='null', nasIp\='127.0.0.1', nasHostname\='127.0.0.1', userName\='siemtest', externalDirectorySource\='null', instanceName\='d-scon01'}

Logout

All LOGOUT events are labeled as event=2.

Syslog Version | Syslog Timestamp | Syslog Hostname | Syslog App Name | Syslog Process ID | Syslog Log Message

1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210330074342, id\='9c7e3ae1-c0df-4e6f-ba52-14d437628218', time\=2021-03-30 07:43:42.466, event=2, eventSource\='ui', clientIp\='62.242.222.24', params\='null', nasIp\='127.0.0.1', nasHostname\='127.0.0.1', userName\='siemtest', externalDirectorySource\='null', instanceName\='d-scon01'}

Login Token Provided

This log is generated when a new user is created in Kron PAM. All LOGIN_TOKEN_PROVIDED events are labeled as event=3.

Syslog Version | Syslog Timestamp | Syslog Hostname | Syslog App Name | Syslog Process ID | Syslog Log Message

1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210330074342, id\='9c7e3ae1-c0df-4e6f-ba52-14d437628218', time\=2021-03-30 07:43:42.466, event\=3, eventSource\='user-create', clientIp\='62.242.222.24', params\='null', nasIp\='127.0.0.1', nasHostname\='127.0.0.1', userName\='siemtest', externalDirectorySource\='null', instanceName\='d-scon01'}

Auth Challenge

This log is generated when the user is asked for a 2FA token. All AUTH_CHALLENGE events are labeled as event=4.

Syslog Version | Syslog Timestamp | Syslog Hostname | Syslog App Name | Syslog Process ID | Syslog Log Message

1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210330074342, id\='9c7e3ae1-c0df-4e6f-ba52-14d437628218', time\=2021-03-30 07:43:42.466, event\=4, evenSource\='null', clientIp\='62.242.222.24', params\='null', nasIp\='127.0.0.1', nasHostname\='127.0.0.1', userName\='siemtest', externalDirectorySource\='null', instanceName\='d-scon01'}
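
Parsing these records on the SIEM side, as an added example (not Kron code and not part of the original page): a Python parser for the AuthLogViewImpl{...} payload that accepts both `=` and `\=`, maps the event codes from the table above, and counts LOGIN_FAILURE events per client IP and user. The function names, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Event codes from the AuthLog variable table.
EVENTS = {0: "LOGIN_SUCCESS", 1: "LOGIN_FAILURE", 2: "LOGOUT",
          3: "LOGIN_TOKEN_PROVIDED", 4: "AUTH_CHALLENGE"}
CEF = "CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|"
RECORD = re.compile(r"CEF:0\|(?:[^|]*\|){4}AuthLog\|[^|]*\|AuthLogViewImpl\{(.*)\}")
# key=value pairs: '=' may arrive escaped as '\=', values are 'quoted' or bare.
PAIR = re.compile(r"(\w+)\s*\\?=\s*(?:'([^']*)'|([^,}]*))")

def parse_authlog(line):
    """Return the AuthLog fields of one syslog line as a dict, else None."""
    m = RECORD.search(line)
    if not m:
        return None
    rec = {}
    for key, quoted, bare in PAIR.findall(m.group(1)):
        value = (quoted or bare).strip()
        # First occurrence wins: a key repeated later in the record
        # cannot overwrite a field that was already parsed.
        rec.setdefault(key, None if value == "null" else value)
    if not str(rec.get("event")).isdecimal():
        return None
    rec["eventName"] = EVENTS.get(int(rec["event"]), "UNKNOWN")
    return rec

def failed_login_sources(lines, threshold=3):
    """Count LOGIN_FAILURE per (clientIp, userName); return pairs >= threshold."""
    hits = Counter()
    for line in lines:
        rec = parse_authlog(line)
        if rec and rec["eventName"] == "LOGIN_FAILURE":
            hits[(rec.get("clientIp"), rec.get("userName"))] += 1
    return {pair: n for pair, n in hits.items() if n >= threshold}

def sample_line(event, ip, user):
    """Build a constructed record in the layout of the samples on this page."""
    return ("1 2021-03-30T07:43:42.466Z pam01 SyslogSenderForAuthLog - - - " + CEF
            + "AuthLogViewImpl{dbId\\=1, id\\='constructed-id', time\\=2021-03-30 07:43:42.466, "
            + f"event={event}, eventSource\\='ui', clientIp\\='{ip}', params\\='null', "
            + f"nasIp\\='127.0.0.1', nasHostname\\='127.0.0.1', userName\\='{user}', "
            + "externalDirectorySource\\='null', instanceName\\='pam01'}")

# Constructed sample input (documentation IP ranges), not real log data.
SAMPLE = ([sample_line(1, "192.0.2.10", "siemtest")] * 3
          + [sample_line(0, "192.0.2.10", "siemtest"),
             sample_line(1, "198.51.100.7", "admin")])

if __name__ == "__main__":
    print(failed_login_sources(SAMPLE))
```

userName and params carry text taken from the login attempt, and this parser assumes quoted values contain no single quote; records that break that assumption should be routed to review rather than trusted.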
