Authentication logging request
shifteynz opened this issue
We're looking to send our Cacti logs to our SIEM. I'm currently assessing the authentication-based logs.
We have DEBUG mode enabled.
I've noticed that:
- For successful logins, there is no IP address associated with the user authenticating. Example:
  "AUTH LOGIN: User 'username' Authenticated via Authentication Cookie"
  or
  "AUTH LOGIN: User 'Username' authenticated"
- For failed logins, the username and IP address are contained within the same event:
  "AUTH LOGIN FAILED: Local Login Failed for user 'username' from IP Address '1.2.3.4'"
Feature Request:
- Can successful login events contain the same information as a failed login event? (Username and IP Address of user)
- Can the logging format for failed and successful logins be consistent, with the field and values in the same order for both event types?
Hey! All of those requirements are available in the audit plugin.
Install the audit plugin and in settings there is an option to log to file, which can be ingested via Splunk or others.
…On Wed, May 29, 2024, 23:19 shifteynz ***@***.***> wrote:
Thank you! I'll close the issue/feature request.
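Added example, not part of the thread and not Cacti or audit plugin code: a small normalizer that maps the three message shapes quoted in the issue onto one record with a fixed field order, so a SIEM sees the same keys for successes and failures. The output field names (`event`, `outcome`, `user`, `src_ip`, `method`) are hypothetical, the sample lines are constructed from the quoted messages, and it assumes each log line ends with the message.

```python
import json
import re

# Message shapes as quoted in the issue. Any prefix before the message is
# ignored; the message is assumed to end the line. The user group is greedy
# and the tail is anchored, so a name containing an apostrophe still parses.
PATTERNS = [
    ("failure", "local", re.compile(
        r"AUTH LOGIN FAILED: Local Login Failed for user '(?P<user>.*)' "
        r"from IP Address '(?P<src_ip>[^']*)'\s*$")),
    ("success", "cookie", re.compile(
        r"AUTH LOGIN: User '(?P<user>.*)' "
        r"Authenticated via Authentication Cookie\s*$")),
    ("success", None, re.compile(
        r"AUTH LOGIN: User '(?P<user>.*)' authenticated\s*$")),
]


def normalize(line):
    """Return one auth record with a fixed key order, or None for other lines."""
    for outcome, method, rx in PATTERNS:
        m = rx.search(line)
        if m:
            fields = m.groupdict()
            return {
                "event": "auth_login",
                "outcome": outcome,
                "user": fields["user"],
                # Success messages carry no address: emit an explicit null
                # rather than dropping the key, so both outcomes share a schema.
                "src_ip": fields.get("src_ip"),
                "method": method,
            }
    return None


def normalize_all(lines):
    return [rec for rec in map(normalize, lines) if rec is not None]


# Constructed sample input built from the messages quoted in the issue.
SAMPLE = [
    "AUTH LOGIN: User 'alice' Authenticated via Authentication Cookie",
    "AUTH LOGIN: User 'alice' authenticated",
    "AUTH LOGIN FAILED: Local Login Failed for user 'o'brien' from IP Address '1.2.3.4'",
    "constructed line that is not an authentication event",
]

if __name__ == "__main__":
    for record in normalize_all(SAMPLE):
        print(json.dumps(record))
```

The null `src_ip` on success records makes the gap described in the issue visible downstream instead of hiding it.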