Cacti / cacti

Cacti ™
http://www.cacti.net
GNU General Public License v2.0

Authentication logging request #5761

Closed shifteynz closed 1 month ago

shifteynz commented 1 month ago

We're looking to send our Cacti logs to our SIEM. I'm currently assessing the authentication based logs. We have DEBUG mode enabled.

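I've noticed that:

- For successful logins, there is no IP address associated with the user authenticating. Example: "AUTH LOGIN: User 'username' Authenticated via Authentication Cookie" or "AUTH LOGIN: User 'Username' authenticated"
- For failed logins, the username and IP address are contained within the same event: "AUTH LOGIN FAILED: Local Login Failed for user 'username' from IP Address '1.2.3.4'"

Feature Request:

  1. Can successful login events contain the same information as a failed login event? (Username and IP Address of user)
  2. Can the logging format for failed and successful logins be consistent, with the field and values in the same order for both event types?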

bmfmancini commented 1 month ago

Hey! All of those requirements are available in the audit plugin.

Install the audit plugin and in settings there is an option to log to file, which can be ingested via Splunk or others.

On Wed, May 29, 2024, 23:19 shifteynz @.***> wrote:

We're looking to send our Cacti logs to our SIEM. I'm currently assessing the authentication based logs. We have DEBUG mode enabled.

I've noticed that:

- For successful logins, there is no IP address associated with the user authenticating. Example: "AUTH LOGIN: User 'username' Authenticated via Authentication Cookie" or "AUTH LOGIN: User 'Username' authenticated"
- For failed logins, the username and IP address are contained within the same event: "AUTH LOGIN FAILED: Local Login Failed for user 'username' from IP Address '1.2.3.4'"

Feature Request:

  1. Can successful login events contain the same information as a failed login event? (Username and IP Address of user)
  2. Can the logging format for failed and successful logins be consistent, with the field and values in the same order for both event types?


shifteynz commented 1 month ago

Thank you! I'll close the issue/feature request.
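An added example, not part of the thread and not Cacti or audit plugin code: a Python normalizer that a SIEM ingestion step could run over the three AUTH LOGIN messages quoted in this thread, so that successes and failures come out with the same fields in the same order. The field names, the `normalize` and `to_json` helpers, and the timestamp prefix on the sample lines are assumptions; `src_ip` stays null for successful logins because those messages carry no address.

```python
import ipaddress
import json
import re

# The message shapes quoted in the thread. Text before "AUTH LOGIN" is ignored.
_FAILED = re.compile(
    r"AUTH LOGIN FAILED: (?P<method>.+?) Login Failed for user '(?P<user>.*)' "
    r"from IP Address '(?P<ip>[^']*)'\s*$")
_SUCCESS = re.compile(
    r"AUTH LOGIN: User '(?P<user>.*)' [Aa]uthenticated(?: via (?P<method>.+?))?\s*$")

FIELDS = ("event", "outcome", "user", "src_ip", "method")  # assumed field names


def normalize(line):
    """Map one log line to a dict with FIELDS in fixed order, or None if no match."""
    m, outcome = _FAILED.search(line), "failure"
    if m is None:
        m, outcome = _SUCCESS.search(line), "success"
    if m is None:
        return None
    ip = m.groupdict().get("ip")  # only the failure message carries an address
    if ip is not None:
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            ip = None  # not a literal address, so do not forward it as src_ip
    return dict(zip(FIELDS, ("auth_login", outcome, m.group("user"), ip, m.group("method"))))


def to_json(line):
    """Serialize a matched line for the SIEM; key order follows FIELDS."""
    event = normalize(line)
    return None if event is None else json.dumps(event)


# Constructed sample lines: message bodies from the thread, timestamp prefix assumed.
SAMPLE = [
    "2024-05-29 23:10:01 - AUTH LOGIN: User 'username' Authenticated via Authentication Cookie",
    "2024-05-29 23:11:02 - AUTH LOGIN: User 'Username' authenticated",
    "2024-05-29 23:12:03 - AUTH LOGIN FAILED: Local Login Failed for user 'username' from IP Address '1.2.3.4'",
    "2024-05-29 23:13:04 - AUTH LOGIN FAILED: Local Login Failed for user 'o'brien' from IP Address 'n/a'",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(to_json(entry))
```

The failure pattern is anchored on the trailing `from IP Address '...'` so a username containing a quote does not shift the field boundaries.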