Document toolboxDocument toolbox

(12.04.120) Remote Security Logging in IGEL

This article describes the remote security logging feature for the IGEL Universal Management Suite (UMS), the IGEL Cloud Gateway (ICG) and the IGEL Management Interface (IMI). The remote security logging feature logs security relevant events in a separate log files that can be picked up by a configured log collector/SIEM.

Remote security logging is independent from the normal logging and is disabled by default.


Enable Remote Security Logging

You can enable the feature in the UMS Console, through UMS Administration > Global Configuration > Logging > Activate security logging. This will enable logging for all components, including UMS Server, UMS Console, UMS Web App, IMI, and ICG.

Where Are the Log Files Stored?

You can find the UMS Server log file created by remote security logging:

  • On Windows:
    C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\ums-server\ums-server-security.log

  • On Linux:
    /opt/IGEL/RemoteManager/rmguiserver/logs/ums-server/ums-server-security.log

You can find the UMS Administrator log file created by remote security logging:

  • On Windows:
    C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\ums-admin\ums-admin-security.log

  • On Linux:
    /opt/IGEL/RemoteManager/rmguiserver/logs/ums-admin/ums-admin-security.log

You can find the ICG log file created by remote security logging:

  • On Linux:
    /opt/IGEL/icg/usg/logs/icg-security.log

You can find the UMS Web App log file created by remote security logging:

  • On Windows:
    C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\wums-app-security.log

  • On Linux:
    /opt/IGEL/RemoteManager/rmguiserver/logs/wums-app-security.log

Logged Events

In the log file, some logged events are marked with source tags:

  • UMS Server events contain the source tag: UMS-Server.

  • ICG events contain the source tag: ICG.

  • IMI events contain the source tag: IMI.

  • UMS Web App events contain the source tag: UMS-Webapp.

Logged UMS Events

  • UMS user login and logoff

  • UMS user successful and failed logons

  • UMS user password change

  • All direct and indirect assignment changes to devices ("privileged policy changes")

  • All config changes to devices

  • Shut down of UMS or ICG services/processes

  • UMS Administrator user account creation/deletion

  • UMS Administrator user password change

Logged UMS Web App Events

  • Authentication events

  • Deletion of a search

  • Update or deletion of a profile or priority profile

  • Assignment or detachment of the following objects to a folder or a device:

    • profiles

    • priority profiles

    • variables

    • firmware customizations

  • Device commands:

    • reset to factory default 

    • update device settings

Logged ICG Events

  • User creation and deletion

  • Successful and failed authentication

  • File uploads

Logged IMI Events

  • Authentication events

  • Add operations

  • Update operations

  • Delete operations