Explanations of Siem Log Packets

AuthLog

LOGIN_SUCCESS

The first log is the WebGUI login of a Single Connect user; its event source is “ui”. The second log is an authentication to a device; its event source is “global-user-auth”. All LOGIN_SUCCESS events are labeled “event=0”.

singleconnect SyslogSenderForAuthLog - - - AuthLogViewImpl{dbId=200515123916, id='1fb1359d-858b-4e9d-896b-918a3c191aa6', time=2020-05-15 12:39:16.303, event=0, eventSource='ui', clientIp='10.10.10.42', params='null', nasIp='null', nasHostname='null', userName='admin', externalDirectorySource='null', instanceName='singleconnect'}
singleconnect SyslogSenderForAuthLog - - - AuthLogViewImpl{dbId=200515124451, id='805753ff-24e4-46ca-b367-3aeaa66a8420', time=2020-05-15 12:44:51.207, event=0, eventSource='global-user-auth', clientIp='10.10.10.42', params='Global Username: root', nasIp='10.10.10.89', nasHostname='10.10.10.89', userName='admin', externalDirectorySource='null', instanceName='singleconnect'}

LOGIN_FAILURE

All LOGIN_FAILURE events are labeled “event=1”.

singleconnect SyslogSenderForAuthLog - - - AuthLogViewImpl{dbId=200515124319, id='5f4135ff-0e93-4bcd-be52-34885efb0202', time=2020-05-15 12:43:19.796, event=1, eventSource='ui', clientIp='10.0.8.42', params='null', nasIp='null', nasHostname='null', userName='admin', externalDirectorySource='null', instanceName='singleconnect'}

LOGOUT

All LOGOUT events are labeled “event=2”.

singleconnect SyslogSenderForAuthLog - - - AuthLogViewImpl{dbId=200515124019, id='28d1eb5f-fad5-4028-8c54-4c85f7508b0b', time=2020-05-15 12:40:19.02, event=2, eventSource='ui', clientIp='10.0.8.42', params='null', nasIp='null', nasHostname='null', userName='admin', externalDirectorySource='null', instanceName='singleconnect'}

LOGIN_TOKEN_PROVIDED

This log is generated when a new user is created in Single Connect. All LOGIN_TOKEN_PROVIDED events are labeled “event=3”.

singleconnect SyslogSenderForAuthLog - - - AuthLogViewImpl{dbId=200516100347, id='bf62e97d-0b73-4775-a7a2-0397f1008535', time=2020-05-16 10:03:47.224, event=3, eventSource='user-create', clientIp='null', params='null', nasIp='null', nasHostname='null', userName='test123', externalDirectorySource='null', instanceName='singleconnect'}

LOGIN_AUTH_CHALLANGE

This log indicates that the user has passed the authentication challenge step and is waiting at the token entry step on the Token screen. AUTH_CHALLENGE events are labeled “event=4”.

singleconnect SyslogSenderForAuthLog - - - AuthLogViewImpl{dbId=200516100347, id='bf62e97d-0b73-4775-a7a2-0397f1008535', time=2020-05-16 10:03:47.224, event=4, eventSource='radius', clientIp='176.237.102.203', params='MessageInfo: Token#-8:5**90 Token#-7:3*07 Token#-6:3*01 Token#-5:9*34 Token#-4:5*76 Token#-3:9*51 Token#-2:9*10 Token#-1:5*12 Token#0:4*19 Token#1:0*26 Token#2:3*08 Token#3:1*01 Token#4:2*09 Token#5:2*48 Token#6:6**12 Token#7:7', nasIp='10.0.8.42'}

CommandLog_ALL

This log file contains all command logs, i.e. the CommandLog_Command, CommandLog_FileTransfer, CommandLog_KeyLog and CommandLog_OCR logs.

CommandLog_Command

This log file contains all commands run during SSH/TELNET sessions. If a user tries to run a black key (blocked command), the related log is labeled “allowed=false”.

ALLOWED COMMANDS

singleconnect SyslogSenderForCommandLog_Command - - - {sessionId='d8249e04b9d234cfab725d34', userName='admin', host='10.10.10.89', sessionStartTime=2020-05-15 12:12:32.023, sessionEndTime=null, globalUserName='root', clientIp='10.10.10.42', commandTime=2020-05-15 12:13:42.009, command='ls', allowed=true, instanceName='singleconnect'}

BLOCKED COMMANDS

singleconnect SyslogSenderForCommandLog_Command - - - {sessionId='d8249e04b9d234cfab725d34', userName='admin', host='10.10.10.89', sessionStartTime=2020-05-15 12:12:32.023, sessionEndTime=null, globalUserName='root', clientIp='10.10.10.42', commandTime=2020-05-15 12:12:34.387, command='date', allowed=false, instanceName='singleconnect'}
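The record format shown in the AuthLog and CommandLog_Command sections (a syslog header of the form `<instance> SyslogSenderFor<Kind> - - -`, followed by a Java-style `{key=value, key='value', ...}` body) is simple enough to parse with two regular expressions. The Python below is an added example, not Single Connect's own code: it parses the sample lines into dictionaries, maps the AuthLog event codes 0..4 to the event names given on this page, and runs two defender-side checks, repeated LOGIN_FAILURE events from the same user/IP pair and commands the black key policy rejected (allowed=false). The sample lines are copied from this page, plus two constructed LOGIN_FAILURE lines with placeholder ids so that the failure threshold is reached; one CommandLog_OCR line and one EventLog line are included only to show that a stray quote or embedded commas inside a value do not break the field split. The regexes, the threshold value and the function names are assumptions of this example.

```python
"""Parse Single Connect SIEM syslog records (AuthLog and CommandLog_Command
lines in the form shown on this page) and run two defender-side checks.
Added example, not the vendor's parser: the regexes are derived from the
sample lines on the page and are an assumption."""
import re
from collections import Counter

# Header: "<instance> SyslogSenderFor<Kind> - - - [ClassName]{<body>}"
# The closing brace is optional so a record truncated before it still parses.
HEADER_RE = re.compile(
    r"^(?P<instance>\S+)\s+SyslogSenderFor(?P<kind>\w+)\s+-\s+-\s+-\s+"
    r"\w*\{(?P<body>.*?)\}?\s*$"
)
# One "key=value" field.  A quoted value ends only at a quote that is followed
# by the next ", key=" or by the end of the record, so embedded commas
# (EventLog params) or a stray quote (OCR text) do not split the value.
FIELD_RE = re.compile(
    r"(?P<key>\w+)=(?:'(?P<quoted>.*?)'|(?P<bare>[^,]*))(?=,\s*\w+=|\s*\}?\s*$)"
)

# AuthLog event codes as documented on this page
# (the page's "CHALLANGE" heading is normalised to CHALLENGE here).
AUTH_EVENTS = {0: "LOGIN_SUCCESS", 1: "LOGIN_FAILURE", 2: "LOGOUT",
               3: "LOGIN_TOKEN_PROVIDED", 4: "LOGIN_AUTH_CHALLENGE"}


def _coerce(raw, quoted):
    """Map textual values to None / bool / int; quoted text stays a string."""
    if raw == "null":                 # both null and 'null' occur in the samples
        return None
    if not quoted:
        if raw in ("true", "false"):
            return raw == "true"
        if raw.isdigit():
            return int(raw)
    return raw


def parse_line(line):
    """Return a dict with 'instance', 'kind' and every key=value field of the
    record, or None if the line is not a SyslogSenderFor* record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"instance": m.group("instance"), "kind": m.group("kind")}
    for f in FIELD_RE.finditer(m.group("body")):
        quoted = f.group("quoted") is not None
        raw = f.group("quoted") if quoted else f.group("bare")
        rec[f.group("key")] = _coerce(raw, quoted)
    if rec["kind"] == "AuthLog" and isinstance(rec.get("event"), int):
        rec["eventName"] = AUTH_EVENTS.get(rec["event"], "UNKNOWN")
    return rec


def failed_login_bursts(records, threshold=3):
    """(userName, clientIp) -> number of LOGIN_FAILURE events, for pairs that
    reach the threshold; a simple brute-force / password-guessing indicator."""
    counts = Counter(
        (r.get("userName"), r.get("clientIp"))
        for r in records
        if r and r["kind"] == "AuthLog" and r.get("eventName") == "LOGIN_FAILURE"
    )
    return {pair: n for pair, n in counts.items() if n >= threshold}


def blocked_commands(records):
    """(userName, globalUserName, host, command) for every command the black
    key policy blocked, i.e. CommandLog_Command records with allowed=false."""
    return [
        (r["userName"], r["globalUserName"], r["host"], r["command"])
        for r in records
        if r and r["kind"] == "CommandLog_Command" and r.get("allowed") is False
    ]


# Constructed sample: lines copied from this page, plus two LOGIN_FAILURE
# lines (placeholder ids 0000...0001/0002) added to reach the threshold.
SAMPLE = """\
singleconnect SyslogSenderForAuthLog - - - AuthLogViewImpl{dbId=200515123916, id='1fb1359d-858b-4e9d-896b-918a3c191aa6', time=2020-05-15 12:39:16.303, event=0, eventSource='ui', clientIp='10.10.10.42', params='null', nasIp='null', nasHostname='null', userName='admin', externalDirectorySource='null', instanceName='singleconnect'}
singleconnect SyslogSenderForAuthLog - - - AuthLogViewImpl{dbId=200515124451, id='805753ff-24e4-46ca-b367-3aeaa66a8420', time=2020-05-15 12:44:51.207, event=0, eventSource='global-user-auth', clientIp='10.10.10.42', params='Global Username: root', nasIp='10.10.10.89', nasHostname='10.10.10.89', userName='admin', externalDirectorySource='null', instanceName='singleconnect'}
singleconnect SyslogSenderForAuthLog - - - AuthLogViewImpl{dbId=200515124319, id='5f4135ff-0e93-4bcd-be52-34885efb0202', time=2020-05-15 12:43:19.796, event=1, eventSource='ui', clientIp='10.0.8.42', params='null', nasIp='null', nasHostname='null', userName='admin', externalDirectorySource='null', instanceName='singleconnect'}
singleconnect SyslogSenderForAuthLog - - - AuthLogViewImpl{dbId=200515124325, id='00000000-0000-4000-8000-000000000001', time=2020-05-15 12:43:25.101, event=1, eventSource='ui', clientIp='10.0.8.42', params='null', nasIp='null', nasHostname='null', userName='admin', externalDirectorySource='null', instanceName='singleconnect'}
singleconnect SyslogSenderForAuthLog - - - AuthLogViewImpl{dbId=200515124331, id='00000000-0000-4000-8000-000000000002', time=2020-05-15 12:43:31.550, event=1, eventSource='ui', clientIp='10.0.8.42', params='null', nasIp='null', nasHostname='null', userName='admin', externalDirectorySource='null', instanceName='singleconnect'}
singleconnect SyslogSenderForCommandLog_Command - - - {sessionId='d8249e04b9d234cfab725d34', userName='admin', host='10.10.10.89', sessionStartTime=2020-05-15 12:12:32.023, sessionEndTime=null, globalUserName='root', clientIp='10.10.10.42', commandTime=2020-05-15 12:13:42.009, command='ls', allowed=true, instanceName='singleconnect'
singleconnect SyslogSenderForCommandLog_Command - - - {sessionId='d8249e04b9d234cfab725d34', userName='admin', host='10.10.10.89', sessionStartTime=2020-05-15 12:12:32.023, sessionEndTime=null, globalUserName='root', clientIp='10.10.10.42', commandTime=2020-05-15 12:12:34.387, command='date', allowed=false, instanceName='singleconnect'}
singleconnect SyslogSenderForCommandLog_Ocr - - - {sessionId='30da490c-038f-48ba-ab04-ee6713a0f74c', userName='admin', host='10.10.10.55', sessionStartTime=2020-05-15 12:06:53.21, sessionEndTime=2020-05-15 12:08:12.852, globalUserName='Administrator', clientIp='10.10.10.42', commandTime=2020-05-15 12:06:55.729, command='Server Manager ' Dashboard I I Manage Tools View Help I Dash board I Local Server ii All Servers', allowed=true, instanceName='singleconnect'}
singleconnect SyslogSenderForEventLog - - - {type='/user/save', userName='admin',clientIp='10.10.10.6', instanceName='singleconnect', sourceId='8b6faf07-9d6b-4afa-bac4-1f8cb333e79c', time=2020-05-18 18:11:31.073, params='{isInternal=true, password=,csurname=userr, name=testt, userName=test1234, email=test@user.com, addedGroups=[System.users]}'}
""".splitlines()

RECORDS = [parse_line(line) for line in SAMPLE]

if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(RECORDS))
    print("blocked commands:  ", blocked_commands(RECORDS))
```

`parse_line` returns None for lines that are not SyslogSenderFor* records, so it can be applied to a mixed syslog stream, and a record whose closing brace was cut off still parses. The same two regexes cover the SessionLog, EventLog and the other CommandLog senders, since they share the header and body layout; only the AuthLog event-name mapping is sender-specific.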

CommandLog_FileTransfer

This log file contains the file transfers made during an RDP session. The name of the transferred file is in the command part.

singleconnect SyslogSenderForCommandLog_FileTransfer - - - {sessionId='f6807c4a-87c5-4614-bb19-9065a97ac361', userName='admin', host='10.10.10.55', sessionStartTime=2020-05-15 14:13:28.699, sessionEndTime=null, globalUserName='Administrator',clientIp='10.10.10.42', commandTime=2020-05-15 14:13:54.021, command='test.txt', allowed=true, instanceName='singleconnect'}

CommandLog_KeyLog

This log file contains all keyboard and mouse operations during an RDP session.

singleconnect SyslogSenderForCommandLog_KeyLog - - - {sessionId='dd52c9b2-e2b1-4c27-8d0c-41e200d5661f', userName='admin', host='10.10.10.55', sessionStartTime=2020-05-15 14:17:09.189, sessionEndTime=null, globalUserName='Administrator', clientIp='10.10.10.42', commandTime=2020-05-15 14:17:33.893, command='[Shift] + T', allowed=true, instanceName='singleconnect'}
singleconnect SyslogSenderForCommandLog_KeyLog - - - {sessionId='dd52c9b2-e2b1-4c27-8d0c-41e200d5661f', userName='admin', host='10.10.10.55', sessionStartTime=2020-05-15 14:17:09.189, sessionEndTime=null, globalUserName='Administrator', clientIp='10.10.10.42', commandTime=2020-05-15 14:17:43.413, command='est ', allowed=true, instanceName='singleconnect'}
singleconnect SyslogSenderForCommandLog_KeyLog - - - {sessionId='dd52c9b2-e2b1-4c27-8d0c-41e200d5661f', userName='admin', host='10.10.10.55', sessionStartTime=2020-05-15 14:17:09.189, sessionEndTime=null, globalUserName='Administrator', clientIp='10.10.10.42', commandTime=2020-05-15 14:17:44.388, command='[BackSpace]', allowed=true, instanceName='singleconnect'}
singleconnect SyslogSenderForCommandLog_KeyLog - - - {sessionId='dd52c9b2-e2b1-4c27-8d0c-41e200d5661f', userName='admin', host='10.10.10.55', sessionStartTime=2020-05-15 14:17:09.189, sessionEndTime=null, globalUserName='Administrator', clientIp='10.0.8.42', commandTime=2020-05-15 14:17:46.71, command='[Enter]', allowed=true, instanceName='singleconnect'}


CommandLog_OCR

This log file contains the OCR (Optical Character Recognition) data. Single Connect records the characters shown on screen by OCR during an RDP session. The OCR data is in the command part of the log file.

singleconnect SyslogSenderForCommandLog_Ocr - - - {sessionId='30da490c-038f-48ba-ab04-ee6713a0f74c', userName='admin', host='10.10.10.55', sessionStartTime=2020-05-15 12:06:53.21, sessionEndTime=2020-05-15 12:08:12.852, globalUserName='Administrator', clientIp='10.10.10.42', commandTime=2020-05-15 12:06:55.729, command='Server Manager ' Dashboard I I Manage Tools View Help I Dash board I Local Server ii All Servers', allowed=true, instanceName='singleconnect'}

EventLog

This log file contains all activity of Single Connect users on the WebGUI. The same logs are available on the Activity Logs page of the WebGUI. The event type is labeled “type=xxxxxxx”.

singleconnect SyslogSenderForEventLog - - - {type='/user/save', userName='admin',clientIp='10.10.10.6', instanceName='singleconnect', sourceId='8b6faf07-9d6b-4afa-bac4-1f8cb333e79c', time=2020-05-18 18:11:31.073, params='{isInternal=true, password=,csurname=userr, name=testt, userName=test1234, email=test@user.com, addedGroups=[System.users]}'}
singleconnect SyslogSenderForEventLog - - - {type='/policy/blackKey/save', userName='admin', clientIp='10.10.10.6', instanceName='singleconnect', sourceId='1', time=2020-05-18 18:12:29.69, params='{value=key=ls, type=BLACK}'}
singleconnect SyslogSenderForEventLog - - - {type='/policy/realm/search', userName='admin', clientIp='10.10.10.6', instanceName='singleconnect', sourceId='null', time=2020-05-18 18:12:12.145, params='null'}


SessionLog

This log file contains the session logs of Single Connect users. The log time, device IP address, globalUserName and access protocol are in the log file.

singleconnect SyslogSenderForSessionLog - - - ScSessionImpl{sessionId='28c293d16f0cb31d8cf017a2', userName='admin', host='10.10.10.89', hostName='10.10.10.89', startTime=2020-05-15 12:56:38.51, endTime=null, globalUserName='root', clientIp='10.10.10.42', instanceName='singleconnect', accessProtocol='SSHv2', idleDuration='null'}
singleconnect SyslogSenderForSessionLog - - - ScSessionImpl{sessionId='49eea60a-f81a-4a55-82f7-9a5981ec2157', userName='admin', host='10.10.10.55', hostName='10.10.10.55', startTime=2020-05-15 12:53:43.329, endTime=null, globalUserName='Administrator', clientIp='10.10.10.42', instanceName='singleconnect', accessProtocol='RDP', idleDuration='null'}
singleconnect SyslogSenderForSessionLog - - - ScSessionImpl{sessionId='3179c465-d5a8-4e30-8972-1f54e2663868', userName='admin', host='10.10.10.89', hostName='10.10.10.89', startTime=2020-05-15 13:00:07.896, endTime=null, globalUserName='root', clientIp='10.10.10.42', instanceName='singleconnect', accessProtocol='SFTP', idleDuration='null'}

TacacsLog

This log file contains the TACACS accounting logs. The same records are available on the Tacacs Accounting Logs page of the WebGUI.