
Azkabahn

Members
  • Content Count

    147
  • Joined

  • Last visited

  • Days Won

    2

Reputation Activity

  1. Like
    Azkabahn got a reaction from Buckit in ELK and PasswordState   
    Hi,
     
    I would like to start this thread to get some insights into whether any of the other customers are using an external syslog server to ship the logs from PasswordState. I am using the ELK stack. Currently I am trying to create custom filters in Kibana to filter out the logs from PasswordState. I have a question: does PasswordState always include the "Passwordstate" value in the logs that are being sent to the syslog server?
    host:X.X.X.X @timestamp:September 12th 2017, 17:17:29.728 @version:1 message:<110>2017-09-12 16:15:52 X.X.X.X Passwordstate: Failed 'Forms Based' login attempt for UserID 'n.lastname' from the IP Address 'X.X.X.X'. Client IP Address = X.X.X.X _id:AV_aAXYurEipAt82YaPZ _type:logs _index:%{type}-2017.11.20 _score: -  
    Feature Request - it would be great to have support for TCP ports
  2. Like
    Azkabahn got a reaction from Buckit in Feature request: database content protection   
    I will jump ahead and drop this one 
    I have been looking around into this topic for some time already. In our organization, we use the ELK stack to quite a significant extent. I do have a free version of Splunk, but I haven't tried to point the logs there. The problem with using the syslog protocol is that the data is not structured, and therefore it is difficult to write filters for it. The best option, for now, is to use something like this: https://qbox.io/blog/migrating-mysql-data-into-elasticsearch-using-logstash
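    The two posts above (the ELK filter question and the note that syslog data is unstructured) both come down to pulling fields out of a line like the one quoted in the first post. The following is an added example, not code from the posts or from the Passwordstate project: a small Python parser that splits the syslog envelope (priority, timestamp, host, application tag, message), decodes the facility and severity from the priority, keeps only events whose tag is "Passwordstate", and extracts the user and source IP from a failed-login message so they can be counted. The sample lines are constructed in the same shape as the quoted one (IPs and the user name are masked, as in the post); the second sample line from another application is invented to show the tag filter working.

```python
import re
from collections import Counter
from typing import Optional

# Constructed samples: the first mirrors the line quoted in the post,
# the second is a made-up line from a different application.
SAMPLE_LINES = [
    "<110>2017-09-12 16:15:52 X.X.X.X Passwordstate: Failed 'Forms Based' login "
    "attempt for UserID 'n.lastname' from the IP Address 'X.X.X.X'. "
    "Client IP Address = X.X.X.X",
    "<38>2017-09-12 16:16:01 X.X.X.X otherapp: Accepted session for someone",
    "<110>2017-09-12 16:17:10 X.X.X.X Passwordstate: Failed 'Forms Based' login "
    "attempt for UserID 'n.lastname' from the IP Address 'X.X.X.X'. "
    "Client IP Address = X.X.X.X",
    "this line is not syslog at all",
]

# Syslog envelope as it appears in the post: <PRI>YYYY-MM-DD HH:MM:SS host app: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<app>[^:]+): "
    r"(?P<msg>.*)$"
)

# Shape of the failed-login message quoted in the post.
FAILED_LOGIN_RE = re.compile(
    r"Failed '(?P<method>[^']+)' login attempt for UserID '(?P<user>[^']+)' "
    r"from the IP Address '(?P<src_ip>[^']+)'"
)


def parse_syslog(line: str) -> Optional[dict]:
    """Split one syslog line into its fields; return None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    pri = int(event["pri"])
    # RFC 3164 priority = facility * 8 + severity
    event["pri"] = pri
    event["facility"] = pri // 8
    event["severity"] = pri % 8
    return event


def is_passwordstate(event: Optional[dict]) -> bool:
    """Tag filter: keep only events whose application tag is 'Passwordstate'."""
    return event is not None and event["app"].strip().lower() == "passwordstate"


def classify(event: dict) -> dict:
    """Label a Passwordstate event and pull out the fields a filter would index."""
    m = FAILED_LOGIN_RE.search(event["msg"])
    if m:
        return {"event_type": "failed_login", **m.groupdict()}
    return {"event_type": "other"}


def failed_logins_per_user(lines) -> Counter:
    """Count failed login attempts per UserID across a batch of raw lines."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_syslog(line)
        if not is_passwordstate(event):
            continue  # other applications and unparsable lines are skipped
        details = classify(event)
        if details["event_type"] == "failed_login":
            counts[details["user"]] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_syslog(raw)
        print("unparsed:" if ev is None else f"{ev['app']} -> {classify(ev) if is_passwordstate(ev) else 'skipped'}", raw[:60])
    print(failed_logins_per_user(SAMPLE_LINES))
```

    The envelope regex is the part that would be translated into a Logstash grok pattern; the application tag is the field to filter on in Kibana, and the per-user counter is the kind of aggregation that turns the unstructured message into something a dashboard or alert can use.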
  3. Like
    Azkabahn got a reaction from Buckit in More verbose access log   
    What Buckit is saying is very true as well in some cases. This kind of logging would make life a bit easier for security admins doing an investigation. In some cases, the users complain that something is wrong after quite some time, and it's really difficult to trace back and figure out what has been changed. The only option is to restore the backup to a test instance and do the comparison :)
  4. Like
    Azkabahn got a reaction from Buckit in More verbose access log   
    Hi,
     
    we have faced some troubles trying to understand what exact changes were made in the password list properties. Would it be possible to get a bit more verbose output of what has changed in the properties of a password list? As an example:
    If a user updates IP whitelisting, it would be great if this were indicated. If the user has renamed the list, the line could include something like "password list X renamed to Y". If a user enabled/disabled some of the options in the password list properties, that would be good to know as well.
    All of this info can be retrieved from the user, but it takes time to question the user, and sometimes they don't even remember what changes they have made.