Discuss , our SFTP/FTP/FTPS/SCP server for Windows. Secure, fast and customizable!

IP Filtering

IP Filtering

by Bsr » Sat Jun 02, 2012 12:57 am

Re: IP Filtering

by EDT Support » Mon Jun 04, 2012 10:33 am

by Bsr » Tue Jun 05, 2012 1:54 am

by EDT Support » Tue Jun 05, 2012 9:37 am

by Bsr » Wed Jun 06, 2012 1:42 am

I am trying to read the logs to gain a complete picture of what is going on. It is not obvious to me what each log is for, so I have to look at ServiceErrors, ServiceRecent, and Audit, as well as look at Monitoring/Auto-Bans. To try to make it easier on myself I import the logs into Splunk. The problem there is that Splunk can import them easily enough; however, there are no recognizable key fields to search on. Splunk provides a little help on this: http://dev.splunk.com/view/SP-CAAADP6. Basically make keys like IP_Addr=129.138.111.222 or IN_Addr=129.138.111.222, USERNAME=localuser, and put messages in quotes.
Possibly something like:
2012-06-04 11:31:42,444 INFO AutoBanner [771] IP_address=129.238.111.222 was banned for 2000000s after 9 attempts over a period of 10800000s
2012-06-05 04:59:17,919 INFO SocketListener "Denied connection" on port=22 from IP_ADDR=129.138.111.222 due to rule="Deny 129.138.111.222"
The above should possibly be WARN rather than INFO
2012-06-04 15:32:46,603 WARN HTTPConnection "Authentication failed" for user=fred from IP_ADDR=129.238.111.222 Error="Logon failure: unknown user name or bad password"
2012-06-04 14:54:12,713 INFO WindowsImpersonation "Windows logon succeeded" for user=fred from IP_ADDR=129.238.111.222 - Interactive

If all the important security relevant information was in Audit or a separate security log, that would be helpful.

Also there seems to be a math or unit error in the logs.
IP address 111.222.333.444 was banned for 2000000s after 9 attempts over a period of 10800000s <-- should be 10800.

In the above case what I really want is 8 failures without a success over any time period to result in a permanent ban. Harsh I know, but, the internet is an icky place.

Just some of my thoughts. I hope it helps.

Brian

by EDT Support » Fri Jun 08, 2012 6:36 am

Yes, thank you, that was very helpful.

Regarding the log files, we've changed the names of the logs to errors.log and diagnostics.log. The console and service versions will both use the same files. Also the errors.log file will contain only errors, so that should make it much clearer.

We've fixed the error which showed the wrong times in auto-ban messages.

With respect to banning anyone who fails 9 times, you can just use a really long period - e.g. one year.

I'm not sure about tagging fields, such as the IP address. Do you mean that these tags should appear on every line so that you can, for example, select all the log-lines with a particular IP address?

- Hans (EnterpriseDT)

by Bsr » Fri Jun 08, 2012 7:24 am

Yes, I want to be able to search. I should be able to pull out all the messages from one session, even if multiple users are logging in at the same time. Each session should have a unique ID so I know what messages go together. That may be the source IP. Give every important piece of information a name and be consistent. Important information are things like Source IP, Destination IP, username, protocol or port. Some suggestions are Src_IP=33.44.55.66, Dest_IP=11.22.33.44, Username=xxxxxx, Port=22, rule="a rule", message="an error message". If you use the tag with the equal sign, and wrap messages in quotes, logging programs like Splunk can catalog them easily and allow searching and graphing. Also add the source IP to messages like "authentication failed" so I know whether or not the user is coming from the IP I have recorded as valid.
I ultimately want to know who is knocking on my door, how often, how loud, and whether they come back. I want to know if a user is having problems or not. You do not need to provide those items in your software if the logs are good enough for me to extract the information.

BTW I am enjoying the server. It is working well. Users are getting what they need done. Also I have implemented the whitelist on the firewall, so I am no longer getting multiple auto-bans per day.

Brian
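As an added example (not code from this thread, and not CompleteFTP's real log format), here is a small Python parser for the key=value / quoted-message log style Brian proposes in both of his posts above, together with the two defender-side checks those posts ask for: counting authentication failures per source IP since that IP's last successful logon (the "N failures without a success over any time period" ban rule) and pulling out every line belonging to one source IP as a "session". The log lines, the field names (Src_IP, Username, Port, rule, message, Error) and the sources (HTTPConnection, WindowsImpersonation, SocketListener) are constructed for this example along the lines of the samples in the thread.

```python
"""Parse key=value style server log lines and run two checks over them:
  1. per source IP, count 'Authentication failed' lines since that IP's last
     'logon succeeded' (the "N failures without a success" ban idea), and
  2. collect every line for one source IP so a single session can be pulled out.

All log lines below are constructed for this example; the field names follow
the Src_IP=/Username=/message="..." convention proposed in the thread, not any
real server's output.
"""
import re
from collections import defaultdict

# Constructed sample log (not real server output).
SAMPLE_LOG = """\
2012-06-04 15:32:46,603 WARN HTTPConnection message="Authentication failed" Username=fred Src_IP=129.238.111.222 Port=22 Error="Logon failure: unknown user name or bad password"
2012-06-04 15:32:51,104 WARN HTTPConnection message="Authentication failed" Username=fred Src_IP=129.238.111.222 Port=22 Error="Logon failure: unknown user name or bad password"
2012-06-04 15:33:02,713 INFO WindowsImpersonation message="Windows logon succeeded" Username=fred Src_IP=129.238.111.222 Port=22
2012-06-04 15:40:10,001 WARN HTTPConnection message="Authentication failed" Username=admin Src_IP=33.44.55.66 Port=22 Error="Logon failure: unknown user name or bad password"
2012-06-04 15:40:12,002 WARN HTTPConnection message="Authentication failed" Username=root Src_IP=33.44.55.66 Port=22 Error="Logon failure: unknown user name or bad password"
2012-06-04 15:40:14,003 WARN HTTPConnection message="Authentication failed" Username=test Src_IP=33.44.55.66 Port=22 Error="Logon failure: unknown user name or bad password"
2012-06-05 04:59:17,919 INFO SocketListener message="Denied connection" Src_IP=129.138.111.222 Port=22 rule="Deny 129.138.111.222"
"""

# Fixed prefix: timestamp, level, logging source; everything after is key=value fields.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) '
    r'(?P<level>[A-Z]+) (?P<source>\S+) (?P<rest>.*)$'
)
# key=value where value is a double-quoted string (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return a dict with ts, level, source and every key=value field, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    record = {"ts": m.group("ts"), "level": m.group("level"), "source": m.group("source")}
    for key, value in FIELD_RE.findall(m.group("rest")):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # strip the quotes around a multi-word message
        record[key] = value
    return record


def parse_log(text):
    """Parse every non-empty line; unparseable lines are skipped so one bad line does not stop the run."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec is not None:
                records.append(rec)
    return records


def failures_since_last_success(records):
    """Per source IP, number of 'Authentication failed' lines since that IP's last successful logon."""
    counts = defaultdict(int)
    for rec in records:
        ip = rec.get("Src_IP")
        if ip is None:
            continue
        msg = rec.get("message", "")
        if msg == "Authentication failed":
            counts[ip] += 1
        elif "logon succeeded" in msg:
            counts[ip] = 0  # a success resets the streak, whatever the elapsed time
    return dict(counts)


def ips_to_ban(records, threshold):
    """Source IPs whose failure streak (no intervening success) has reached the threshold."""
    return sorted(ip for ip, n in failures_since_last_success(records).items() if n >= threshold)


def session_lines(records, ip):
    """All records for one source IP, in log order (the 'pull out one session' use case)."""
    return [rec for rec in records if rec.get("Src_IP") == ip]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(failures_since_last_success(recs))
    print("ban candidates at threshold 3:", ips_to_ban(recs, 3))
    for rec in session_lines(recs, "33.44.55.66"):
        print(rec["ts"], rec["Username"], rec["message"])
```

Because the fields are named and quoted, the same regex that Splunk's field extraction would use works offline too, and the ban check is deliberately independent of any time window, which is what the post asks for; the threshold is a parameter so a less strict policy is one argument change.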
