Cacti / cacti

Enhanced AUTH logs #5779

Open shifteynz opened 3 days ago

shifteynz commented 3 days ago

Cacti contains AUTH logs of users logging in to Cacti. Unfortunately 1 login event is spread across multiple logs.

Examples (user and IP info changed to generic for the example):

Event 1: 2024/06/26 12:08:37 - AUTH LOGIN: User 'user@example.com' authenticated
Event 2: 2024/06/26 12:08:37 - AUTH DEBUG: Using remote client IP Address found in header (REMOTE_ADDR): 192.168.1.2 (192.168.1.2)

We are sending the Cacti AUTH logs to our SIEM; however, it is difficult to capture the username and user's IP address as this is spread across multiple events.

In the CACTI GUI at Console > Utilities > System Utilities > View User Log, the user login info is displayed clearly as a single line, i.e. User / Full Name / Authentication Realm / Date / Result / IP Address

Feature Request: Can the AUTH logs be updated so that 1 AUTH log contains the same information as displayed in "View User Log"?

Additionally, I did investigate the Audit plugin, however this only applies to user behaviour within the portal, and not the login/auth attempts to Cacti.

Thanks.

bmfmancini commented 3 days ago

Check out the audit plugin; most of this is addressed by that plugin, with a specific export function for SIEM apps.

shifteynz commented 3 days ago

> Check out the audit plugin; most of this is addressed by that plugin, with a specific export function for SIEM apps.

Thanks for that. The audit plugin doesn't change the user login/auth behaviour, but only the activities done once the user is already logged in. Cacti has a great view of logins at the "View User Log" page; it would be great if this was replicated into the AUTH logs.

bmfmancini commented 3 days ago

It should show a login event with details. If not, that would be a good feature. Please open a feature request; I'll take a look.

shifteynz commented 3 days ago

I was told this is where to log feature requests. If not, where should a FR be logged?

xmacan commented 3 days ago

We did it for 1.2.x and for 1.3. We add the IP address to the successful auth log message:

2024/06/26 12:08:37 - AUTH LOGIN: User 'user@example.com' authenticated from IP address A.B.C.D

https://github.com/Cacti/cacti/pull/5772
https://github.com/Cacti/cacti/pull/5775

shifteynz commented 2 days ago

Hi there, we are running version 1.2.27 and that doesn't seem to be the case. The username and IP are spread across events. Please refer to the attached screenshots.

[Screenshots: Auth-logs, loggedinas]

xmacan commented 2 days ago

Download the auth_login.php and include/auth.php files from branch 1.2.x and replace them in version 1.2.27.
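
For a SIEM pipeline that has to ingest both line shapes discussed in this thread, the sketch below joins the split AUTH LOGIN / AUTH DEBUG pair on timestamp and also parses the merged "authenticated from IP address" format. It is an added example, not Cacti code and not posted by any participant; the function name, the record field names and the sample lines beyond the two quoted in the issue are assumptions.

```python
import re

# Line shapes are the ones quoted in the thread; other log lines are skipped.
LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - AUTH (LOGIN|DEBUG): (.*)$")
LOGIN = re.compile(r"^User '([^']*)' authenticated(?: from IP address (\S+))?$")
DEBUG_IP = re.compile(r"^Using remote client IP Address found in header \(([^)]+)\): (\S+)")

# Constructed sample: the two split events from the issue, one merged-format
# line (documentation IP instead of A.B.C.D), and a login with no IP line.
SAMPLE = """\
2024/06/26 12:08:37 - AUTH LOGIN: User 'user@example.com' authenticated
2024/06/26 12:08:37 - AUTH DEBUG: Using remote client IP Address found in header (REMOTE_ADDR): 192.168.1.2 (192.168.1.2)
2024/06/26 12:09:10 - AUTH LOGIN: User 'admin@example.com' authenticated from IP address 192.0.2.7
2024/06/26 12:11:02 - AUTH LOGIN: User 'guest@example.com' authenticated
""".splitlines()


def correlate(lines):
    """One record per AUTH LOGIN line, client IP attached where found.

    Assumption: a split login and its AUTH DEBUG line share a timestamp, so
    two logins in the same second can be mispaired; ip_source records origin.
    """
    events = []
    spare_ips = {}   # timestamp -> [(ip, header)] seen before their login line
    need_ip = {}     # timestamp -> [event] still waiting for an IP line
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, kind, msg = m.groups()
        if kind == "LOGIN" and (lm := LOGIN.match(msg)):
            user, ip = lm.groups()   # ip is None for the split format
            ev = {"timestamp": ts, "user": user, "ip": ip,
                  "ip_source": "login_line" if ip else None}
            events.append(ev)
            if ip is None and spare_ips.get(ts):
                ev["ip"], ev["ip_source"] = spare_ips[ts].pop(0)
            elif ip is None:
                need_ip.setdefault(ts, []).append(ev)
        elif kind == "DEBUG" and (dm := DEBUG_IP.match(msg)):
            hdr, ip = dm.groups()
            if need_ip.get(ts):
                ev = need_ip[ts].pop(0)
                ev["ip"], ev["ip_source"] = ip, hdr
            else:
                spare_ips.setdefault(ts, []).append((ip, hdr))
    return events
```

A login record whose `ip` stays `None` means no matching IP line was seen for that timestamp, which is worth surfacing in the SIEM rather than dropping.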