Sometimes it is necessary to have logs who tried to logon to TufinOS or TOS. Also, not successful tries need to be recognized and logged. This often is a requirement, esp. if compliance regulations need to be fulfilled. Logging can be done by extracting information from Tufin in a tool like e.g. Splunk. The information is stored in some files described below.

 

TufinOS

Logon to the CLI of TufinOS is recorded automatically since it's based on CentOS. The file in which this information can be found is
     /var/log/secure

Please find an example for an unsuccessful (user123) and successful login (root).

Mar 16 19:38:57 localhost sshd[24880]: Invalid user user123 from 10.0.0.23
Mar 16 19:38:57 localhost sshd[24881]: input_userauth_request: invalid user user123
Mar 16 19:39:01 localhost sshd[24880]: pam_unix(sshd:auth): check pass; user unknown
Mar 16 19:39:01 localhost sshd[24880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.23
Mar 16 19:39:01 localhost sshd[24880]: pam_succeed_if(sshd:auth): error retrieving information about user user123
Mar 16 19:39:03 localhost sshd[24880]: Failed password for invalid user user123 from 10.0.0.23 port 50025 ssh2
Mar 16 19:39:11 localhost sshd[24881]: Connection closed by 10.0.0.23

Mar 16 19:39:38 localhost sshd[24888]: Accepted password for root from 10.0.0.23 port 50026 ssh2
Mar 16 19:39:38 localhost sshd[24888]: pam_unix(sshd:session): session opened for user root by (uid=0)

 

Tufin SecureTrack

A successful login to the WebUI of SecureTrack is recorded in the database. This information can be checked in the WebUI also. To do so, go to Menu > Settings > Administration > Audit Trail. As shown below, a successful login and logout can be monitored here.

 

 Sometimes this information isn't sufficient since also not successful login attempts need to be documented. This can be done by checking the file
      /var/log/keycloak/server.log

When using local authentication, a non-successful login of a user (user2) looks like this in the file

WARN 2021-03-16 20:41:28,511 [default task-2::o.k.events.onEvent] [user:] type=LOGIN_ERROR, realmId=f93f5360-fa5c-4777-aa14-c91c4730e49a, clientId=st_httpd_10.0.0.20, userId=null, ipAddress=10.0.0.23, error=identity_provider_error, auth_method=openid-connect, auth_type=code, redirect_uri=https://10.0.0.20/protected/redirect_uri, code_id=dcca1e78-7a0f-43f3-a017-772ac8c291fe, username=user2#ovzwk43sge======, authSessionParentId=dcca1e78-7a0f-43f3-a017-772ac8c291fe, authSessionTabId=BXN4R0pwtHU

When LDAP is used for authentication at SecureTrack, some more basic information is delivered (user1).

ERROR 2021-03-16 21:14:53,338 [default task-1::c.t.c.k.a.c.h.d.LoginHandlersDispatcher.handleLogin] [user:] LDAP authentication failed for user:{user1}: java.lang.RuntimeException: LDAP authentication failed for user:{user1}
...
WARN 2021-03-16 21:14:53,340 [default task-1::o.k.events.onEvent] [user:] type=LOGIN_ERROR, realmId=f93f5360-fa5c-4777-aa14-c91c4730e49a, clientId=st_httpd_10.0.0.20, userId=d733890d-f5be-449d-8e8e-efab9972fef1, ipAddress=10.0.0.24, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://10.0.0.20/protected/redirect_uri, code_id=1d8576e7-69d5-4549-85a6-e014f2a7c14d, username=user1#ovzwk4rr, authSessionParentId=1d8576e7-69d5-4549-85a6-e014f2a7c14d, authSessionTabId=bFfur4XdKlI

As shown above, a successful authentication can be monitored in "Audit Trail". If necessary, information can also be gathered directly by asking the database.

 

Tufin SecureChange

When trying to log authentication at SecureChange, only a log file at the CLI can be evaluated:
     /var/log/tomcat/securechange.log

A successful login is recorded here, e.g. for a local user (hcarr)

INFO 2021-03-16 21:21:22,066 [catalina-exec-19::c.t.s.s.AdminAuthenticatorHelper.performAuthentication] [user:system] authenticating hcarr
INFO 2021-03-16 21:21:22,072 [catalina-exec-19::c.t.s.s.UsernamePasswordAuthenticator.authenticate] [user:system] User ID: 4, User name: Henry Carr logged in.
...

A successful login is recorded here, e.g. for a user authenticated using an LDAP server (user1)

INFO 2021-03-16 21:24:36,345 [catalina-exec-15::c.t.s.s.AdminAuthenticatorHelper.performAuthentication] [user:system] authenticating user1
INFO 2021-03-16 21:24:36,351 [catalina-exec-15::c.t.s.s.LdapUserResolver.authenticateUserByLdap] [user:system] Start authentication of user [user1].
INFO 2021-03-16 21:24:36,362 [catalina-exec-15::c.t.s.s.LdapUserResolver.authenticateUserByLdap] [user:system] Successful authentication of user [user1]. The authenticated userName is [user1].
INFO 2021-03-16 21:24:36,369 [catalina-exec-15::c.t.s.s.LdapUserResolver.getLoggedInUserFromDb] [user:system] User user1 found in DB by LDAP ID kBxZxiVaE0uwfM5vdPy5pw==. DB id is 43
INFO 2021-03-16 21:24:36,372 [catalina-exec-15::c.t.s.s.UsernamePasswordAuthenticator.authenticate] [user:system] User ID: 43, User name: user1 logged in.
...

Trying wrong credentials (mleu) delivers

INFO 2021-03-16 21:23:52,088 [catalina-exec-18::c.t.s.s.AdminAuthenticatorHelper.performAuthentication] [user:system] authenticating mleu
INFO 2021-03-16 21:23:52,093 [catalina-exec-18::c.t.s.s.LdapUserResolver.authenticateUserByLdap] [user:system] Start authentication of user [mleu].
WARN 2021-03-16 21:23:52,099 [catalina-exec-18::c.t.s.s.LdapUserResolver.authenticateUserByLdap] [user:system] The authentication of the user [mleu] is failed. User [mleu] does not exist when using filter [(&(sAMAccountType=805306368)(|(sAMAccountName=mleu)(userPrincipalName=mleu)))] and baseDN [cn=users,dc=aerasec,dc=labor].
INFO 2021-03-16 21:23:52,105 [catalina-exec-18::c.t.s.c.l.SCLdapServiceImpl.getLdapUser] [user:system] Searching for LDAP user mleu
INFO 2021-03-16 21:23:52,106 [catalina-exec-18::c.t.s.c.l.SCLdapServiceImpl.getLdapUser] [user:system] Searching for LDAP user mleu in LdapConfiguration Lab_AD
INFO 2021-03-16 21:23:52,114 [catalina-exec-18::c.t.s.c.l.SCLdapServiceImpl.findUserInLdap] [user:system] User not found in LDAP by name [mleu].

In any case, these data need to be forwarded to a central reporting tool.
Forwarding the content of these files can be done e.g., by syslog, using a Splunk Forwarder, or any other method.