SINGLE CONNECT
Explanations of SIEM Log Packets
AuthLog

Login Success

The first log is the WebGUI login of a Single Connect user; the event source is specified as "ui". The second log is an authentication to a device; the event source is specified as "global user auth". All login success events are labeled as "event=0".

    singleconnect syslogsenderforauthlog authlogviewimpl{dbid=200515123916, id='1fb1359d-858b-4e9d-896b-918a3c191aa6', time=2020-05-15 12:39:16.303, event=0, eventsource='ui', clientip='10.10.10.42', params='null', nasip='null', nashostname='null', username='admin', externaldirectorysource='null', instancename='singleconnect'}

    singleconnect syslogsenderforauthlog authlogviewimpl{dbid=200515124451, id='805753ff-24e4-46ca-b367-3aeaa66a8420', time=2020-05-15 12:44:51.207, event=0, eventsource='global user auth', clientip='10.10.10.42', params='global username root', nasip='10.10.10.89', nashostname='10.10.10.89', username='admin', externaldirectorysource='null', instancename='singleconnect'}

Login Failure

All login failure events are labeled as "event=1".

    singleconnect syslogsenderforauthlog authlogviewimpl{dbid=200515124319, id='5f4135ff-0e93-4bcd-be52-34885efb0202', time=2020-05-15 12:43:19.796, event=1, eventsource='ui', clientip='10.0.8.42', params='null', nasip='null', nashostname='null', username='admin', externaldirectorysource='null', instancename='singleconnect'}

Logout

All logout events are labeled as "event=2".

    singleconnect syslogsenderforauthlog authlogviewimpl{dbid=200515124019, id='28d1eb5f-fad5-4028-8c54-4c85f7508b0b', time=2020-05-15 12:40:19.02, event=2, eventsource='ui', clientip='10.0.8.42', params='null', nasip='null', nashostname='null', username='admin', externaldirectorysource='null', instancename='singleconnect'}

Login Token Provided

This log is generated when a new user is created in Single Connect. All login token provided events are labeled as "event=3".

    singleconnect syslogsenderforauthlog authlogviewimpl{dbid=200516100347, id='bf62e97d-0b73-4775-a7a2-0397f1008535', time=2020-05-16 10:03:47.224, event=3, eventsource='user create', clientip='null', params='null', nasip='null', nashostname='null', username='test123', externaldirectorysource='null', instancename='singleconnect'}

Login Auth Challenge

This log indicates that the user has passed the authentication challenge step and is waiting at the token entry step on the token screen. Auth challenge events are labeled as "event=4".

    singleconnect syslogsenderforauthlog authlogviewimpl{dbid=200516100347, id='bf62e97d-0b73-4775-a7a2-0397f1008535', time=2020-05-16 10:03:47.224, event=4, eventsource='radius', clientip='176.237.102.203', params='messageinfo token# 8 5 90 token# 7 3 07 token# 6 3 01 token# 5 9 34 token# 4 5 76 token# 3 9 51 token# 2 9 10 token# 1 5 12 token#0 4 19 token#1 0 26 token#2 3 08 token#3 1 01 token#4 2 09 token#5 2 48 token#6 6 12 token#7 7', nasip='10.0.8.42'}

CommandLog

This log file contains all command logs: CommandLog Command, CommandLog FileTransfer, CommandLog KeyLog and CommandLog OCR.

CommandLog Command

This log file contains all commands run during SSH/Telnet sessions. If a user tried to run a black key (blocked command), the related log is labeled as "allowed=false".

Allowed commands:

    singleconnect syslogsenderforcommandlog command {sessionid='d8249e04b9d234cfab725d34', username='admin', host='10.10.10.89', sessionstarttime=2020-05-15 12:12:32.023, sessionendtime=null, globalusername='root', clientip='10.10.10.42', commandtime=2020-05-15 12:13:42.009, command='ls', allowed=true, instancename='singleconnect'}

Blocked commands:

    singleconnect syslogsenderforcommandlog command {sessionid='d8249e04b9d234cfab725d34', username='admin', host='10.10.10.89', sessionstarttime=2020-05-15 12:12:32.023, sessionendtime=null, globalusername='root', clientip='10.10.10.42', commandtime=2020-05-15 12:12:34.387, command='date', allowed=false, instancename='singleconnect'}

CommandLog FileTransfer

This log file contains the file transfers during an RDP session. You can find the name of the transferred file in the command part.

    singleconnect syslogsenderforcommandlog filetransfer {sessionid='f6807c4a-87c5-4614-bb19-9065a97ac361', username='admin', host='10.10.10.55', sessionstarttime=2020-05-15 14:13:28.699, sessionendtime=null, globalusername='administrator', clientip='10.10.10.42', commandtime=2020-05-15 14:13:54.021, command='test.txt', allowed=true, instancename='singleconnect'}

CommandLog KeyLog

This log file contains all keyboard and mouse operations during an RDP session.

    singleconnect syslogsenderforcommandlog keylog {sessionid='dd52c9b2-e2b1-4c27-8d0c-41e200d5661f', username='admin', host='10.10.10.55', sessionstarttime=2020-05-15 14:17:09.189, sessionendtime=null, globalusername='administrator', clientip='10.10.10.42', commandtime=2020-05-15 14:17:33.893, command='[shift] + t', allowed=true, instancename='singleconnect'}

    singleconnect syslogsenderforcommandlog keylog {sessionid='dd52c9b2-e2b1-4c27-8d0c-41e200d5661f', username='admin', host='10.10.10.55', sessionstarttime=2020-05-15 14:17:09.189, sessionendtime=null, globalusername='administrator', clientip='10.10.10.42', commandtime=2020-05-15 14:17:43.413, command='est ', allowed=true, instancename='singleconnect'}

    singleconnect syslogsenderforcommandlog keylog {sessionid='dd52c9b2-e2b1-4c27-8d0c-41e200d5661f', username='admin', host='10.10.10.55', sessionstarttime=2020-05-15 14:17:09.189, sessionendtime=null, globalusername='administrator', clientip='10.10.10.42', commandtime=2020-05-15 14:17:44.388, command='[backspace]', allowed=true, instancename='singleconnect'}

    singleconnect syslogsenderforcommandlog keylog {sessionid='dd52c9b2-e2b1-4c27-8d0c-41e200d5661f', username='admin', host='10.10.10.55', sessionstarttime=2020-05-15 14:17:09.189, sessionendtime=null, globalusername='administrator', clientip='10.0.8.42', commandtime=2020-05-15 14:17:46.71, command='[enter]', allowed=true, instancename='singleconnect'}

CommandLog OCR

This log file contains the OCR (optical character recognition) data. Single Connect records the characters by OCR during an RDP session; you can find the OCR data in the command part of the log file.

    singleconnect syslogsenderforcommandlog ocr {sessionid='30da490c-038f-48ba-ab04-ee6713a0f74c', username='admin', host='10.10.10.55', sessionstarttime=2020-05-15 12:06:53.21, sessionendtime=2020-05-15 12:08:12.852, globalusername='administrator', clientip='10.10.10.42', commandtime=2020-05-15 12:06:55.729, command='server manager ' dashboard i i manage tools view help i dash board i local server ii all servers', allowed=true, instancename='singleconnect'}

EventLog

This log file contains all activity of Single Connect users on the WebGUI. You can reach the same logs on the Activity Logs page of the WebGUI. The event type is labeled as "type=xxxxxxx".

    singleconnect syslogsenderforeventlog {type='/user/save', username='admin', clientip='10.10.10.6', instancename='singleconnect', sourceid='8b6faf07-9d6b-4afa-bac4-1f8cb333e79c', time=2020-05-18 18:11:31.073, params='{isinternal=true, password=, csurname=userr, name=testt, username=test1234, email=test@user.com, addedgroups=[system users]}'}

    singleconnect syslogsenderforeventlog {type='/policy/blackkey/save', username='admin', clientip='10.10.10.6', instancename='singleconnect', sourceid='1', time=2020-05-18 18:12:29.69, params='{value=key=ls, type=black}'}

    singleconnect syslogsenderforeventlog {type='/policy/realm/search', username='admin', clientip='10.10.10.6', instancename='singleconnect', sourceid='null', time=2020-05-18 18:12:12.145, params='null'}

SessionLog

This log file contains the session logs of Single Connect users. You can find the log time, device IP address, global username and access protocol in the log file.

    singleconnect syslogsenderforsessionlog scsessionimpl{sessionid='28c293d16f0cb31d8cf017a2', username='admin', host='10.10.10.89', hostname='10.10.10.89', starttime=2020-05-15 12:56:38.51, endtime=null, globalusername='root', clientip='10.10.10.42', instancename='singleconnect', accessprotocol='sshv2', idleduration='null'}

    singleconnect syslogsenderforsessionlog scsessionimpl{sessionid='49eea60a-f81a-4a55-82f7-9a5981ec2157', username='admin', host='10.10.10.55', hostname='10.10.10.55', starttime=2020-05-15 12:53:43.329, endtime=null, globalusername='administrator', clientip='10.10.10.42', instancename='singleconnect', accessprotocol='rdp', idleduration='null'}

    singleconnect syslogsenderforsessionlog scsessionimpl{sessionid='3179c465-d5a8-4e30-8972-1f54e2663868', username='admin', host='10.10.10.89', hostname='10.10.10.89', starttime=2020-05-15 13:00:07.896, endtime=null, globalusername='root', clientip='10.10.10.42', instancename='singleconnect', accessprotocol='sftp', idleduration='null'}

TacacsLog

This log file contains the TACACS accounting logs. You can reach the same log records on the TACACS Accounting Logs page on the WebGUI.
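The AuthLog event codes, the CommandLog "allowed=false" marker and the EventLog "type=" field described above are what a SIEM rule keys on. The following is an added example, not Single Connect's own code or any vendor parser: it splits the brace-delimited key=value records into fields and flags failed logins, blocked commands and policy edits. The sample records are constructed for the example and the field-parsing regex is an assumption about the format shown on this page.

```python
import re

# Constructed sample records in the shape this page documents (values are made up for the example).
SAMPLE_LOGS = [
    "singleconnect syslogsenderforauthlog authlogviewimpl{dbid=200515124451, "
    "id='805753ff-24e4-46ca-b367-3aeaa66a8420', time=2020-05-15 12:44:51.207, event=0, "
    "eventsource='global user auth', clientip='10.10.10.42', params='global username root', "
    "nasip='10.10.10.89', username='admin', instancename='singleconnect'}",
    "singleconnect syslogsenderforauthlog authlogviewimpl{dbid=200515124319, "
    "id='5f4135ff-0e93-4bcd-be52-34885efb0202', time=2020-05-15 12:43:19.796, event=1, "
    "eventsource='ui', clientip='10.0.8.42', username='admin', instancename='singleconnect'}",
    "singleconnect syslogsenderforcommandlog command {sessionid='d8249e04b9d234cfab725d34', "
    "username='admin', host='10.10.10.89', globalusername='root', clientip='10.10.10.42', "
    "commandtime=2020-05-15 12:12:34.387, command='date', allowed=false, instancename='singleconnect'}",
    "singleconnect syslogsenderforeventlog {type='/policy/blackkey/save', username='admin', "
    "clientip='10.10.10.6', instancename='singleconnect', sourceid='1', "
    "time=2020-05-18 18:12:29.69, params='{value=key=ls, type=black}'}",
]

# AuthLog event codes as listed on this page.
AUTH_EVENTS = {"0": "login success", "1": "login failure", "2": "logout",
               "3": "login token provided", "4": "login auth challenge"}
# Assumed field syntax: key=value, value either single-quoted (may hold commas and braces,
# e.g. params='{...}') or bare text running up to the next comma or closing brace.
FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,}]*))")
SENDER_RE = re.compile(r"syslogsenderfor(\w+)", re.IGNORECASE)


def parse_record(line):
    """Return the fields inside the braces plus '_log' (authlog, commandlog, eventlog, ...)."""
    body = line[line.index("{") + 1 : line.rindex("}")]
    fields = {key: quoted or bare.strip() for key, quoted, bare in FIELD_RE.findall(body)}
    sender = SENDER_RE.search(line)
    fields["_log"] = sender.group(1).lower() if sender else "unknown"
    if fields["_log"] == "authlog":  # translate the numeric event code for analysts
        fields["_event"] = AUTH_EVENTS.get(fields.get("event", ""), "unknown")
    return fields


def triage(lines):
    """Flag the records this page singles out: failed logins, blocked commands, policy edits."""
    findings = []
    for rec in map(parse_record, lines):
        if rec["_log"] == "authlog" and rec.get("event") == "1":
            findings.append(f"login failure for {rec['username']} from {rec['clientip']} via {rec['eventsource']}")
        elif rec["_log"] == "commandlog" and rec.get("allowed") == "false":
            findings.append(f"blocked command {rec['command']!r} by {rec['username']} as {rec['globalusername']} on {rec['host']}")
        elif rec["_log"] == "eventlog" and rec.get("type", "").startswith("/policy/"):
            findings.append(f"policy change {rec['type']} by {rec['username']} from {rec['clientip']}")
    return findings
```

Feed real syslog lines to triage() instead of SAMPLE_LOGS to get the same three classes of finding; the policy-change check catches black key edits, which are worth auditing because they decide what "allowed=false" means.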