
AuditLog table does not show successful login attempts


Article ID: 189270


Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

You are monitoring activity in the DLP database's AUDITLOG table via third-party data analysis tools.
You notice that, since upgrading to 15.5.x, successful Kerberos logins to the console are no longer captured in the AUDITLOG table.

Cause

Missing entries in the springSecurityContext.xml file.

Environment

Release : 15.5.x, Kerberos login

Resolution

First, if you are on 15.5 GA, apply 15.5 MP2.

Then:

1. Make a backup copy of your \Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\webapps\ProtectManager\WEB-INF\springSecurityContext.xml file

2. Edit springSecurityContext.xml to add the missing items below:

Add the two missing authentication handler properties at the end of this existing line:

<security:form-login authentication-failure-url="/GlobalDialog?type=LOGON_ERROR" default-target-url="/" login-page="/Logon" login-processing-url="/j_security_check" password-parameter="j_password" username-parameter="j_username" authentication-failure-handler-ref="authFailureHandler" authentication-success-handler-ref="authSuccessHandler"/>

Add these lines below the "</security:authentication-manager>" token:

<bean id="authSuccessHandler" class="com.symantec.dlp.login.spring.AuthenticationSuccessResultHandlerImpl"/>
<bean id="authFailureHandler" class="com.symantec.dlp.login.spring.AuthenticationFailureResultHandlerImpl">
<property name="defaultFailureUrl" value="/GlobalDialog?type=LOGON_ERROR"/>
</bean>

Restart the SymantecDLPManager service. Auditing of successful and unsuccessful form-based login attempts should now work correctly.
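A check that can be run on the edited file before the service restart, as an added example (not Broadcom's tooling): it confirms the file is still well-formed XML, that the form-login element carries both handler attributes, and that each attribute points at a bean of the class given in the steps above. The names `check_context`, `local` and `SAMPLE` are hypothetical, and the sample XML is constructed, not the shipped file.

```python
import sys
import xml.etree.ElementTree as ET

# Attribute on <security:form-login> -> bean class, both from the steps above.
EXPECTED = {
    "authentication-success-handler-ref":
        "com.symantec.dlp.login.spring.AuthenticationSuccessResultHandlerImpl",
    "authentication-failure-handler-ref":
        "com.symantec.dlp.login.spring.AuthenticationFailureResultHandlerImpl",
}

# Constructed sample (not the shipped file): form-login without the handlers.
SAMPLE = b"""<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:security="http://www.springframework.org/schema/security">
  <security:http><security:form-login login-page="/Logon"/></security:http>
</beans>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def check_context(xml_data):
    """Return a list of problems; an empty list means both handlers are wired."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    beans = {e.get("id"): e.get("class") for e in root.iter() if local(e.tag) == "bean"}
    forms = [e for e in root.iter() if local(e.tag) == "form-login"]
    if not forms:
        return ["no form-login element found"]
    problems = []
    for attr, cls in EXPECTED.items():
        ref = forms[0].get(attr)
        if ref is None:
            problems.append(f"form-login lacks {attr}")
        elif ref not in beans:
            problems.append(f"{attr}={ref!r} has no matching bean id")
        elif beans[ref] != cls:
            problems.append(f"bean {ref!r} has class {beans[ref]!r}, expected {cls!r}")
    return problems

if __name__ == "__main__":
    # Pass the path to springSecurityContext.xml; with no argument, check SAMPLE.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    issues = check_context(data)
    print("\n".join(issues) or "OK: both handlers are wired")
    sys.exit(1 if issues else 0)
```

A non-zero exit status means the edit is incomplete or the file no longer parses, in which case the backup copy from step 1 is the fallback.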