Find out login time of SAML users into WSS

Article ID: 176512


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

  • Symantec Web Security Service (WSS) does not have a pre-canned report indicating which users logged in at what time.
  • There are many user-specific searches you can run, but none that will give you this time.
  • The same information can be obtained from the available raw HTTP logs using other approaches.
     

Environment

  • WSS with IPSEC, SEP or explicit Access methods
  • SAML Authentication enabled on WSS

Resolution

Assuming that you can download and expand the raw logs to get the GZ formatted files, you can run the following script against the logs to display the date and time of login, the IP address and the username. This assumes that:

  1. an environment exists in which the scripts can be run: on Windows, this requires a CYGWIN installation; on any macOS or Linux platform, the tools are available by default
  2. the system the scripts run on has access to the downloaded raw GZ files
  3. you have access to the SAML Endpoint URL from the SAML configuration

In the example below, we downloaded the raw logs for customerID 66666 from 7-8am UTC and expanded the logs to get cloud_66666_20191209070000.log.gz. The SAML configuration showed the following endpoint URL (ADFS IDP server), terminating in /adfs/ls/

 

 

 

Equipped with this information, run the following command to get the time the user logged in via SAML, along with the IP address:

[email protected] /cygdrive/d/Downloads/66666/091219
$ zgrep authentication_redirect_from_virtual_host cloud_66666_20191209070000.log.gz | grep '/adfs/ls/' | awk '{print $2 "     " $3 "     " $6 "     " $7}' | more

2019-12-09     07:00:02     11.132.49.18     nc1584
2019-12-09     07:00:11     11.133.42.14     nc0929
2019-12-09     07:00:12     11.133.32.10     nc0113
2019-12-09     07:00:13     11.149.69.51     nc2549
2019-12-09     07:00:18     11.149.41.11     nc5075
2019-12-09     07:00:24     11.133.38.28     nc5290
2019-12-09     07:00:29     11.149.40.19     nc4316
2019-12-09     07:00:28     11.127.51.15     nc0630
2019-12-09     07:00:31     11.133.41.38     nc4029
2019-12-09     07:00:40     11.149.44.52     nc0019
2019-12-09     07:00:42     11.135.81.27     nc5935
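
The output above is not strictly in time order (07:00:29 appears before 07:00:28) and a user can appear more than once in an hour. The following added example, which is not part of the original article, goes one step further than the command above: it accepts several log files, sorts the matches chronologically and keeps only the earliest login per user. The function names and the sample log lines are assumptions; only the field positions ($2, $3, $6, $7) and the two match strings come from the article.

```shell
#!/bin/sh
# Added example (not from the original article).
# Prints the earliest SAML login per user: date, time, client IP, username.
# Field positions ($2, $3, $6, $7) come from the awk command in this article.
# usage: first_saml_logins /adfs/ls/ cloud_66666_20191209070000.log.gz [more.log.gz ...]
first_saml_logins() {
    endpoint=$1            # path the SAML endpoint URL ends in (from the SAML configuration)
    shift
    gzip -dc -- "$@" |
    awk -v ep="$endpoint" '
        # same two filters as the zgrep | grep pair, done as fixed-string matches
        index($0, "authentication_redirect_from_virtual_host") && index($0, ep) {
            print $2, $3, $6, $7
        }' |
    LC_ALL=C sort -k1,1 -k2,2 |   # chronological order: date, then time
    awk '!seen[$4]++'             # first row per username = earliest login
}

# Constructed sample input: only the field positions mirror the article;
# the "-" columns, host names, addresses and usernames are made up.
demo_first_saml_logins() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
      '- 2019-12-09 07:00:29 - - 192.0.2.10 alice authentication_redirect_from_virtual_host https://idp.example.test/adfs/ls/' \
      '- 2019-12-09 07:00:28 - - 192.0.2.11 bob authentication_redirect_from_virtual_host https://idp.example.test/adfs/ls/' \
      '- 2019-12-09 07:00:05 - - 192.0.2.10 alice OBSERVED https://www.example.test/' \
      '- 2019-12-09 07:05:00 - - 192.0.2.10 alice authentication_redirect_from_virtual_host https://idp.example.test/adfs/ls/' |
      gzip -c > "$tmp/cloud_sample.log.gz"
    first_saml_logins /adfs/ls/ "$tmp/cloud_sample.log.gz"
    rm -rf "$tmp"
}
```

Running `demo_first_saml_logins` prints one row per user, with bob (07:00:28) ahead of alice (07:00:29) and alice's later 07:05:00 re-authentication dropped.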
