AuditLog table does not show succesful login attempts
Article ID: 189270
Updated On:
Products
Data Loss Prevention Endpoint Prevent
Issue/Introduction
You are monitoring activity in the DLP database's AUDITLOG table via third party data analysis tools.
You notice that, since upgrading to 15.5.x, you are no longer capturing successful kerberos logins to the console in the AUDITLOG table
You notice that, since upgrading to 15.5.x, you are no longer capturing successful kerberos logins to the console in the AUDITLOG table
Environment
Release : 15.5.x, Kerberos login
Cause
Missing entries in the SpringSecurityContext.xml file
Resolution
Firstly if you are on 15.5 GA, apply 15.5 MP2
Then:
1. Make a backup copy of
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\webapps\ProtectManager\WEB-INF\springSecurityContext.xml
2. Edit springSecurityContext.xml to add these missing items:
Add the two missing authentication handler properties at the end of this
existing line:
<security:form-login authentication-failure-url="/GlobalDialog?type=LOGON_ERROR" default-target-url="/" login-page="/Logon" login-processing-url="/j_security_check" password-parameter="j_password" username-parameter="j_username" authentication-failure-handler-ref="authFailureHandler" authentication-success-handler-ref="authSuccessHandler"/>
Add these lines below the "</security:authentication-manager>" token:
<bean id="authSuccessHandler" class="com.symantec.dlp.login.spring.AuthenticationSuccessResultHandlerImpl"/>
<bean id="authFailureHandler" class="com.symantec.dlp.login.spring.AuthenticationFailureResultHandlerImpl">
<property name="defaultFailureUrl" value="/GlobalDialog?type=LOGON_ERROR"/>
</bean>
Restart the SymantecDLPManager service and correct auditing of successful and unsuccessful form-based login attempts should now be working.
Feedback
Yes
No
Powered by
