AuthLog
AuthLog contains users' authentication attempts in Kron PAM. You can also see the AuthLog in the WebGUI through the Logging > User Auth Log menu. The table below shows the AuthLog variables.
Variable | Description |
---|---|
dbId | Database ID of the authentication log in the Kron PAM Database. |
id | The specific ID of the log in the Kron PAM Database. |
time | Authentication attempt interval. |
event | The event takes on the following values: 0: LOGIN_SUCCESS 1: LOGIN_FAILURE 2: LOGOUT 3: LOGIN_TOKEN_PROVIDED 4: AUTH_CHALLENGE |
eventSource | Event source for the authentication log. It can take on the following values: ui, api, Tacacs, global-user-auth, kcore-rest-api, scproxy-ssh-key, scproxy |
clientIp | Source IP that sends the auth request. |
params | Whether the authentication succeeds or fails, the related parameters are sometimes noted in this field. Ex: Active Directory Error 52e: Invalid Credentials, Global Username: root |
nasIp | The IP address of the target device. |
nasHostname | The IP hostname of the target device. |
userName | The user name entered in the interface. |
externalDirectorySource | This is the LDAP source name in Kron PAM. This field is filled if the user is an LDAP/AD user. |
instanceName | Kron PAM instance by which the auth request is started. |
Login Success
The first log is the WebGUI login of a Kron PAM User. The event source is specified as ui. The second log is the authentication of a device. The event source is specified as global-user-auth. All LOGIN_SUCCESS events are labeled as event=0.
Syslog Version | Syslog Timestamp | Syslog Hostname | Syslog App Name | Syslog Process ID | Syslog Log Message |
---|
1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210326080805, id\='d54f9b7f-89a9-4ada-ba69-da2e9287cb84', time\=2021-03-26 08:08:05.551, event=0, eventSource\='ui', clientIp\='62.242.222.125', params\='null', nasIp\='127.0.0.1', nasHostname\='127.0.0.1', userName\='siemtest', externalDirectorySource\='null', instanceName\='d-scon01'} |
1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210326083233, id\='b3c3c14d-8bb7-46a7-ba2a-68926ac29ad4', time\=2021-03-26 08:32:33.717,event=0 , eventSource\='global-user-auth', clientIp\='62.242.222.125', params\='Global Username: pam-test11', nasIp\='83.91.179.22', nasHostname\='Linux-Test', userName\='admin', externalDirectorySource\='null', instanceName\='d-scon01'} |
Login Failure
All LOGIN_FAILURE events are labeled as event=1.
Syslog Version | Syslog Timestamp | Syslog Hostname | Syslog App Name | Syslog Process ID | Syslog Log Message |
---|
1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210330074342, id\='9c7e3ae1-c0df-4e6f-ba52-14d437628218', time\=2021-03-30 07:43:42.466, event=1, eventSource\='ui', clientIp\='62.242.222.24', params\='null', nasIp\='127.0.0.1', nasHostname\='127.0.0.1', userName\='siemtest', externalDirectorySource\='null', instanceName\='d-scon01'} |
Logout
All LOGOUT events are labeled as event=2.
Syslog Version | Syslog Timestamp | Syslog Hostname | Syslog App Name | Syslog Process ID | Syslog Log Message |
---|
1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210330074342, id\='9c7e3ae1-c0df-4e6f-ba52-14d437628218', time\=2021-03-30 07:43:42.466, event=2, eventSource\='ui', clientIp\='62.242.222.24', params\='null', nasIp\='127.0.0.1', nasHostname\='127.0.0.1', userName\='siemtest', externalDirectorySource\='null', instanceName\='d-scon01'} |
Login Token Provided
This log file is generated when a new user is created in Kron PAM. All LOGIN_TOKEN_PROVIDED events are labeled as event=3.
Syslog Version | Syslog Timestamp | Syslog Hostname | Syslog App Name | Syslog Process ID | Syslog Log Message |
---|
1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210330074342, id\='9c7e3ae1-c0df-4e6f-ba52-14d437628218', time\=2021-03-30 07:43:42.466, event\=3, eventSource\='user-create', clientIp\='62.242.222.24', params\='null', nasIp\='127.0.0.1', nasHostname\='127.0.0.1', userName\='siemtest', externalDirectorySource\='null', instanceName\='d-scon01'} |
Auth Challenge
This log file is generated when the user is asked for a 2FA token. All AUTH_CHALLENGE events are labeled as event=4.
Syslog Version | Syslog Timestamp | Syslog Hostname | Syslog App Name | Syslog Process ID | Syslog Log Message |
---|
1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{dbId\=210330074342, id\='9c7e3ae1-c0df-4e6f-ba52-14d437628218', time\=2021-03-30 07:43:42.466, event\=4, evenSource\='null', clientIp\='62.242.222.24', params\='null', nasIp\='127.0.0.1', nasHostname\='127.0.0.1', userName\='siemtest', externalDirectorySource\='null', instanceName\='d-scon01'} |
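The samples above write some fields as `key\=value` and others as `key=value`, sometimes with stray spaces, so a SIEM parser has to accept both. The following is an added example, not Kron's own code: a Python parser for the `AuthLogViewImpl{...}` payload plus a count of repeated LOGIN_FAILURE events. The function names, the threshold of 3 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

EVENTS = {0: "LOGIN_SUCCESS", 1: "LOGIN_FAILURE", 2: "LOGOUT",
          3: "LOGIN_TOKEN_PROVIDED", 4: "AUTH_CHALLENGE"}

# key, '=' with or without a leading backslash, then a quoted or bare value
FIELD_RE = re.compile(r"(\w+)\s*\\?=\s*(?:'([^']*)'|([^,}]*))")

def parse_authlog(line):
    """Return the AuthLogViewImpl fields of one syslog line, or None."""
    body = re.search(r"AuthLogViewImpl\{(.*)\}", line)
    if body is None:
        return None
    rec = {}
    for key, quoted, bare in FIELD_RE.findall(body.group(1)):
        value = (quoted or bare).strip()
        rec[key] = None if value == "null" else value
    # Map the numeric event code to the name from the variable table.
    code = rec.get("event")
    rec["eventName"] = EVENTS.get(int(code)) if code and code.isdigit() else None
    return rec

def repeated_failures(lines, threshold=3):
    """Count LOGIN_FAILURE per (userName, clientIp); keep counts >= threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_authlog(line)
        if rec and rec["eventName"] == "LOGIN_FAILURE":
            counts[(rec.get("userName"), rec.get("clientIp"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample lines in the layout shown on this page (not real log data).
HEAD = ("1 2021-03-26T07:08:06.449Z d-scon01 SyslogSenderForAuthLog - - - "
        "CEF:0|KRONTECH|singleconnect|2.20.0|100|AuthLog|10|AuthLogViewImpl{")

def sample(event_field, user, ip, params="null"):
    return (HEAD + f"dbId\\=1, id\\='x', time\\=2021-03-30 07:43:42.466, "
            f"{event_field}, eventSource\\='ui', clientIp\\='{ip}', "
            f"params\\='{params}', userName\\='{user}', instanceName\\='d-scon01'}}")

SAMPLE = [
    sample("event=1", "alice", "192.0.2.10"),
    sample("event\\=1", "alice", "192.0.2.10",
           "Active Directory Error 52e: Invalid Credentials, Global Username: root"),
    sample("event=1 ", "alice", "192.0.2.10"),   # stray space before the comma
    sample("event=0", "bob", "192.0.2.20"),
]
```

Values containing an apostrophe are not handled by this pattern; quoted values may contain commas, as the `params` example in the table does.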