
Elastic Logging

Secfense Broker uses Elastic Logging (ECS format) to present information about production events. Logs are collated and saved in the /secfense/app/logs folder. When an external log collector (e.g. a SIEM system) is configured during deployment, logs in this format are also forwarded to it.

ECS logging emits the events listed below, grouped by the container they relate to. Each entry shows the event.kind, event.module, event.action and event.type fields that are set for that event.

internalauth

event: \{kind: "event", module: app_name, action: "use_blocked_bypass", type: ["user", "denied"]},
event: \{kind: "event", module: app_name, action: "bypass_failure", type: ["user", "error"]},
event: \{kind: "event", module: app_name, action: "bypass_blocked", type: ["user", "denied"]},
event: \{kind: "event", module: app_name, action: "bypass", type: ["user", "allowed"]},
event: \{kind: "event", module: app_name, action: "authenticate", type: ["user", "allowed"]},
event: \{kind: "event", module: app_name, action: "three_failed_login_attempts", type: ["user", "denied"]},
event: \{kind: "event", module: app_name, action: "authenticate", type: ["user", "allowed"]},
event: \{kind: "event", module: app_name, action: "remove mobile object", type: ["user", "deletion"]},
event: \{kind: "event", module: app_name, action: "authenticate", type: ["user", "allowed"]},
event: \{kind: "event", module: app_name, action: "three_failed_login_attempts", type: ["user", "denied"]},
event: \{kind: "event", module: app_name, action: "authenticate", type: ["user", "allowed"]},
event: \{kind: "event", module: app_name, action: "three_failed_login_attempts", type: ["user", "denied"]},
event: \{kind: "event", module: app_name, action: "authenticate", type: ["user", "allowed"]},
event: \{kind: "event", module: app_name, action: "create_fprint", type: ["user", "creation"]},
event: \{kind: "event", module: app_name, action: "remove_fprint", type: ["user", "deletion"]},
event: \{kind: "event", module: app_name, action: "microauthorization", type: ["user", "allowed"]},
event: \{kind: "event", module: app_name, action: "register", type: ["user", "creation"]},

admin

event: \{kind: "event", module: nil, action: "access_tokens_create", type: ["admin", "creation"]},
event: \{kind: "event", module: nil, action: "access_tokens_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "access_tokens_regenerate", type: ["admin", "change"]},
event: \{kind: "event", module: nil, action: "create role", type: ["admin", "creation"]},
event: \{kind: "event", module: nil, action: "delete role", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "update role", type: ["admin", "change"]},
event: \{kind: "event", module: nil, action: "force_change_password", type: ["admin", "change"]},
event: \{kind: "event", module: nil, action: "create admin user", type: ["admin", "creation"]},
event: \{kind: "event", module: nil, action: "delete role", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_model[:name], action: "applied_pattern_delete", type: ["admin", "change"]},
event: \{kind: "event", module: app_name, action: "pattern_apply", type: ["admin", "change"]},
event: \{kind: "event", module: app_name, action: "bypass_create", type: ["admin", "creation"]},
event: \{kind: "event", module: app_name, action: "bypass_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "update_password", type: ["admin", "change"]},
event: \{kind: "event", module: app_model[:name], action: "client_app_email_whitelist_add", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "create_app", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "delete_app", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_model[:name], action: "client_app_email_whitelist_del", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_model[:name], action: "generate_cert", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "upload_cert", type: ["admin", "change"]},
event: \{kind: "event", module: app_model[:name], action: "client_app_update", type: ["admin", "change"]},
event: \{kind: "event", module: app_model[:name], action: "upload_keytab", type: ["admin", "creation"]},
event: \{kind: "event", module: nil, action: "config_azure_create", type: ["admin", "creation"]},
event: \{kind: "event", module: nil, action: "delete azure config", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "config_azure_update", type: ["admin", "change"]},
event: \{kind: "event", module: app_name, action: "delete_email", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "register_email", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "found_patterns_delete_all", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_model[:name], action: "found_pattern_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_model[:name], action: "found_pattern_edit", type: ["admin", "change"]},
event: \{kind: "event", module: app_name, action: "delete_fprint", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "delete_custom_image", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "generating_mobileex_token", type: ["admin", "creation"]},
event: \{kind: "event", module: nil, action: "update_idp_key", type: ["admin", "change"]},
event: \{kind: "event", module: nil, action: "delete_mobileex_theme", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "set_mobileex_theme", type: ["admin", "change"]},
event: \{kind: "event", module: nil, action: "upload_admin_panel_cert", type: ["admin", "creation"]},
event: \{kind: "event", module: nil, action: "global_config_update", type: ["admin", "change"]},
event: \{kind: "event", module: nil, action: "upload_oidc_cert", type: ["admin", "creation"]},
event: \{kind: "event", module: nil, action: "upload_custom_image", type: ["admin", "creation"]},
event: \{kind: "event", module: nil, action: "delete_custom_js_inject", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "upload_custom_jsinject", type: ["admin", "creation"]},
event: \{kind: "event", module: app_name, action: "delete_key", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "login_failure", type: ["admin", "error"]},
event: \{kind: "event", module: nil, action: "successful_login", type: ["admin", "access"]},
event: \{kind: "event", module: nil, action: "successful_logout", type: ["admin", "info"]},
event: \{kind: "event", module: app_name, action: "logout_patterns_create", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "logout_pattern_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "logout_pattern_update", type: ["admin", "change"]},
event: \{kind: "event", module: app_name, action: "microauths_create", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "microauth_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "microauth_update", type: ["admin", "change"]},
event: \{kind: "event", module: app_name, action: "delete_mobile", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "nginx_custom_option", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "delete_nginx_custom_option", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "delete_oidc", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "optin_users_create", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "optin_user_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "found_patterns_create", type: ["admin", "creation"]},
event: \{kind: "event", module: app_name, action: "patterns_exceptions_create", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "patterns_exception_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "patterns_exception_update", type: ["admin", "change"]},
event: \{kind: "event", module: app_name, action: "delete_radiusid", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "delete_user_email", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "delete_user", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "delete_user_keys", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "delete_user_mobile", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "delete_user_oidc", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "delete_user_radiusids", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "delete_user_seeds", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "delete_user_sms", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "delete_seed", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "delete_sms", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "register_sms", type: ["admin", "creation"]},
event: \{kind: "event", module: app_name, action: "subdomain_create", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "subdomain_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "supervisors_create", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "supervisor_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "support_pack_init", type: ["admin", "creation"]},
event: \{kind: "event", module: app_name, action: "assign_trust_group", type: ["admin", "change"]},
event: \{kind: "event", module: nil, action: "trust_group_create", type: ["admin", "creation"]},
event: \{kind: "event", module: nil, action: "trust_group_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "unassign_trust_group", type: ["admin", "change"]},
event: \{kind: "event", module: nil, action: "trust_group_update", type: ["admin", "change"]},
event: \{kind: "event", module: nil, action: "allow_release", type: ["admin", "change"]},
event: \{kind: "event", module: nil, action: "upload_update", type: ["admin", "change"]},
event: \{kind: "event", module: app_name, action: "user_auths_create", type: ["admin", "creation"]},
event: \{kind: "event", module: app_model[:name], action: "user_auth_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_model[:name], action: "user_delete", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "successful_login", type: ["admin", "access"]},
event: \{kind: "event", module: nil, action: "delete_webauthn", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "register_webauthn", type: ["admin", "creation"]},

trust

event: \{kind: "event", module: app_name, action: "creating_new_found_pattern", type: ["admin", "creation"]},
event: \{kind: "event", module: app_name, action: "trusting_fingerprint", type: ["admin", "allowed"]},
event: \{kind: "event", module: app_name, action: "trusting_#{type}", type: ["admin", "allowed"]},

user-dashboard

event: \{kind: "event", module: app_name, action: "accept_key", type: ["admin", "creation"]},
event: \{kind: "event", module: app_name, action: "delete_key", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "reject_key", type: ["admin", "denied"]},
event: \{kind: "event", module: app_name, action: "report_key", type: ["admin", "denied"]},

bg-proc

event: \{kind: "event", module: app_name, action: action, type: ["admin", "error"]},
event: \{kind: "event", module: app_name, action: "send_email", type: ["admin", "connection"]},
event: \{kind: "event", module: app_name, action: "send_email", type: ["admin", "connection"]},
event: \{kind: "event", module: app_name, action: "ldap_sync_optin_user_add", type: ["admin", "creation"]},
event: \{kind: "event", module: app_name, action: "ldap_sync_optin_user_del", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "ldap_sync_supervisor_add", type: ["admin", "creation"]},
event: \{kind: "event", module: app_name, action: "ldap_sync_supervisor_del", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "ldap_sync_user_auth_#{method}_add", type: ["admin", "creation"]},
event: \{kind: "event", module: app_name, action: "ldap_sync_user_auth_#{method}_del", type: ["admin", "deletion"]},
event: \{kind: "event", module: nil, action: "ldap_sync_admin_add", type: ["admin", "creation"]},
event: \{kind: "event", module: nil, action: "ldap_sync_admin_del", type: ["admin", "deletion"]},
event: \{kind: "event", module: app_name, action: "send_sms", type: ["admin", "connection"]},

proxy

["event.kind"] = "event",
["event.module"] = ngx.ctx.config.app_name,
["event.action"] = "registration",
["event.type.0"] = "admin",
["event.type.1"] = "creation",
["event.kind"] = "event",
["event.module"] = ngx.ctx.config.app_name,
["event.action"] = "authentication",
["event.type.0"] = "admin",
["event.type.1"] = "allow",
["event.kind"] = "event",
["event.module"] = ngx.ctx.config.app_name,
["event.action"] = "trusting_sec_object_success",
["event.type.0"] = "admin",
["event.type.1"] = "allowed",
["event.kind"] = "event",
["event.module"] = nil,
["event.action"] = "authentication_fail",
["event.type.0"] = "admin",
["event.type.1"] = "error",
["event.kind"] = "event",
["event.module"] = nil,
["event.action"] = "microauth_fail",
["event.type.0"] = "admin",
["event.type.1"] = "error",
["event.kind"] = "event",
["event.module"] = ngx.ctx.config.app_name,
["event.action"] = "2FApass",
["event.type.0"] = "admin",
["event.type.1"] = "allowed",
["event.kind"] = "event",
["event.module"] = ngx.ctx.config.app_name,
["event.action"] = "microauthorization",
["event.type.0"] = "admin",
["event.type.1"] = "allowed",
["event.kind"] = "event",
["event.module"] = ngx.ctx.config.app_name,
["event.action"] = "microauthorization",
["event.type.0"] = "admin",
["event.type.1"] = "allowed",
["event.kind"] = "event",
["event.module"] = ngx.ctx.config.app_name,
["event.action"] = "learning_mode_pattern_found",
["event.type.0"] = "admin",
["event.type.1"] = "info",
["event.kind"] = "event",
["event.module"] = ngx.ctx.config.app_name,
["event.action"] = "learning_mode_pattern_found",
["event.type.0"] = "admin",
["event.type.1"] = "info",
["event.kind"] = "event",
["event.module"] = ngx.ctx.config.app_name,
["event.action"] = "learning_mode_pattern_found",
["event.type.0"] = "admin",
["event.type.1"] = "info",
["event.kind"] = "event",
["event.module"] = ngx.ctx.config.app_name,
["event.action"] = "learning_mode_pattern_found",
["event.type.0"] = "admin",
["event.type.1"] = "info",
["event.kind"] = "event",
["event.module"] = ngx.ctx.config.app_name,
["event.action"] = "logout",
["event.type.0"] = "admin",
["event.type.1"] = "info",