How to log when a user or machine is trying to connect using a disabled/locked account
Article ID: 269550

Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

Event logs on the BCAAA server are filling up with disabled/locked account alerts, and you want to be able to report on these attempts from the proxy itself. This document describes how to create a custom event log entry that captures this data.

Resolution

In order to generate a custom event log message, create a Combined Action Object in the Web Authentication Layer that contains both an Authenticate object and a Permit Authentication Error object.

 

Step 1

Open the Visual Policy Manager by going to Configuration -> Policy -> Visual Policy Manager.

In the VPM, create a Web Authentication Layer by going to Policy -> Add Web Authentication Layer.

Then create a Combined Action Object by right-clicking the field under the Action heading and selecting Set -> New -> Combined Action Object.

In the screen that opens, select New -> Authenticate, select your Authentication Realm (e.g. IWA), click OK and add that object to the right-hand field. Then select New -> Permit Authentication Error and expand the sections until you can select the error you're interested in (in this case it is account_disabled).

Click OK and then add that to the selected action objects.

This should look like the below:

 

Step 2

Create a new web access layer by going to Policy -> Add Web Access Layer and create the entries as below:

 

The User Authentication Error object should look like the screenshot (right-click in the field under the Source heading, select Set -> New -> User Authentication Error and drill down as shown here).

 

Right-click in the field under the Action heading, select Set -> New -> Return Exception, select one of the built-in exceptions to block user access and click OK. This looks like:

 

Right-click under the Track heading, select Set -> New -> Event Log and create a new event log entry using the following format (the text can be edited to show whatever you want, but in this instance we want to see the IP address of the client machine trying to access with a disabled account):

Client $(c-ip) is trying to access web with a disabled/locked account.  User agent is $(cs(User-Agent)).

and looks like:

 

Once the policy is installed, the event log entry will look like this:

2013-02-19 15:43:14-00:00UTC  "Client 10.x.x.x is trying to access web with a disabled/locked account.  User agent is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"  175159 3B0002:8C   pe_policy_action_log_message.cpp:44
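As an added example (not part of the original article and not Blue Coat/Broadcom code), the following Python script parses event log lines in the format shown above, extracts the client IP and User-Agent carried by the custom message, and summarises hits per client so the entries can be turned into a report. The embedded log lines are constructed for the example; the addresses, user agents and sequence numbers are invented. Repeated hits from one address usually point to a cached credential, a scheduled task or a service still running under the disabled account, which is the case worth following up.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real log data) in the shape of the SGOS
# event log entry shown above; addresses and user agents are made up.
SAMPLE_EVENT_LOG = """\
2013-02-19 15:43:14-00:00UTC  "Client 10.0.0.25 is trying to access web with a disabled/locked account.  User agent is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"  175159 3B0002:8C   pe_policy_action_log_message.cpp:44
2013-02-19 15:43:19-00:00UTC  "Client 10.0.0.25 is trying to access web with a disabled/locked account.  User agent is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"  175160 3B0002:8C   pe_policy_action_log_message.cpp:44
2013-02-19 15:44:02-00:00UTC  "Client 10.0.0.77 is trying to access web with a disabled/locked account.  User agent is SomeUpdater/1.2"  175161 3B0002:8C   pe_policy_action_log_message.cpp:44
2013-02-19 15:44:10-00:00UTC  "Access Log: FTP upload complete"  175162 2B0001:00   some_other_file.cpp:10
2013-02-19 15:45:31-00:00UTC  "Client 10.0.0.25 is trying to access web with a disabled/locked account.  User agent is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"  175163 3B0002:8C   pe_policy_action_log_message.cpp:44
"""

# One event log line: timestamp with UTC offset, quoted message, sequence
# number, hex code and the source file that emitted the entry.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'
    r'(?P<sign>[+-])(?P<oh>\d{2}):(?P<om>\d{2})UTC\s+'
    r'"(?P<msg>.*)"\s+(?P<seq>\d+)\s+(?P<code>[0-9A-Fa-f]+:[0-9A-Fa-f]+)\s+'
    r'(?P<src>\S+)$'
)

# The custom message body configured in the Event Log tracking object,
# with $(c-ip) and $(cs(User-Agent)) already substituted by the proxy.
MSG_RE = re.compile(
    r'^Client (?P<ip>\S+) is trying to access web with a disabled/locked '
    r'account\.\s+User agent is (?P<ua>.*)$'
)


def parse_event(line):
    """Return a dict for a disabled/locked-account entry, or None when the
    line is some other event log message."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    body = MSG_RE.match(m.group("msg"))
    if not body:
        return None
    offset = timedelta(hours=int(m.group("oh")), minutes=int(m.group("om")))
    if m.group("sign") == "-":
        offset = -offset
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone(offset))
    return {
        "time": ts,
        "client_ip": body.group("ip"),
        "user_agent": body.group("ua"),
        "seq": int(m.group("seq")),
    }


def parse_events(text):
    """Parse a whole event log dump, keeping only our custom entries."""
    return [e for e in (parse_event(ln) for ln in text.splitlines()) if e]


def count_by_client(events):
    """Number of disabled/locked-account hits per client IP."""
    return Counter(e["client_ip"] for e in events)


def repeat_offenders(events, threshold):
    """Client IPs with at least `threshold` hits, sorted for stable output."""
    return sorted(ip for ip, n in count_by_client(events).items()
                  if n >= threshold)


def report(events):
    """Per-client summary: hit count, first/last seen, distinct user agents."""
    out = {}
    for e in events:
        r = out.setdefault(e["client_ip"], {
            "count": 0, "first": e["time"], "last": e["time"],
            "user_agents": set()})
        r["count"] += 1
        r["first"] = min(r["first"], e["time"])
        r["last"] = max(r["last"], e["time"])
        r["user_agents"].add(e["user_agent"])
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENT_LOG)
    for ip, r in sorted(report(evs).items()):
        print(f"{ip}: {r['count']} hits between {r['first']:%H:%M:%S} and "
              f"{r['last']:%H:%M:%S}, agents={sorted(r['user_agents'])}")
```

Feed it the output of a copied event log (one entry per line) and the per-client summary gives the same view the BCAAA event log was filling up with, but keyed on the client address the proxy saw rather than on the authentication server. The threshold in `repeat_offenders` is deliberately a parameter: a single hit is usually a user who has just been locked out, while dozens of hits with a non-browser user agent are the pattern of an automated process that still holds the old credentials.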

The Track object can also send an SNMP trap instead of writing an event log entry; to do this, change the tracking type when creating the Track object.