This article describes the remote security logging feature for the IGEL Universal Management Suite (UMS), the IGEL Cloud Gateway (ICG) and the IGEL Management Interface (IMI). The remote security logging feature writes security-relevant events to separate log files that can be picked up by a configured log collector or SIEM.
Enable Remote Security Logging
You can enable the feature in the UMS Console, through UMS Administration > Global Configuration > Logging > Activate security logging. This will enable logging for all components, including UMS Server, UMS Console, UMS Web App, IMI, and ICG.
For the UMS Administrator, security logging is enabled in the file rmadmin/logback.xml; for the command line tool of the UMS Administrator it is enabled in rmadmin/logback-cli.xml. Both files contain the lines:

<!-- Logging of security related actions of users -->
<!-- Set to 'INFO' to log the individual calls -->
<!-- Set to 'OFF' to ignore the individual calls -->
<property name="security.level" value="OFF" />

The default value is OFF. To enable security logging, set the value to INFO.
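As an added example (not IGEL's own tooling), the following Python script reports the security.level value configured in both logback files and can set it to INFO. It assumes the two files named above live under rmadmin/ of the UMS installation directory passed on the command line; the embedded XML fragment is a constructed minimal sample used only so the functions can be exercised offline.

```python
"""Audit (and optionally fix) the security.level property in the UMS
Administrator logback files.  Added example, not IGEL's own tooling."""
import re
import sys
from pathlib import Path

# Assumption: both files sit under rmadmin/ of the UMS installation directory.
LOGBACK_FILES = ("rmadmin/logback.xml", "rmadmin/logback-cli.xml")

# Matches the property line quoted in the documentation; group 2 is the value.
PROPERTY_RE = re.compile(
    r'(<property\s+name="security\.level"\s+value=")([^"]*)(")'
)

# Constructed sample: the documented lines wrapped in a <configuration> root.
SAMPLE = """<configuration>
  <!-- Logging of security related actions of users -->
  <!-- Set to 'INFO' to log the individual calls -->
  <!-- Set to 'OFF' to ignore the individual calls -->
  <property name="security.level" value="OFF" />
</configuration>
"""


def security_level(xml_text: str):
    """Return the configured security.level value, or None if the property is absent."""
    m = PROPERTY_RE.search(xml_text)
    return m.group(2) if m else None


def set_security_level(xml_text: str, level: str = "INFO") -> str:
    """Return xml_text with security.level set to `level`; comments and layout are preserved."""
    if PROPERTY_RE.search(xml_text) is None:
        raise ValueError("security.level property not found")
    return PROPERTY_RE.sub(lambda m: f"{m.group(1)}{level}{m.group(3)}", xml_text, count=1)


def audit_levels(texts: dict) -> dict:
    """Map each file name to its current security.level value (pure, no I/O)."""
    return {name: security_level(text) for name, text in texts.items()}


def audit(install_dir: Path, fix: bool = False) -> dict:
    """Read both logback files; with fix=True rewrite any that is not set to INFO."""
    texts = {rel: (install_dir / rel).read_text(encoding="utf-8") for rel in LOGBACK_FILES}
    levels = audit_levels(texts)
    if fix:
        for rel, level in levels.items():
            if level != "INFO":
                (install_dir / rel).write_text(set_security_level(texts[rel]), encoding="utf-8")
                levels[rel] = "INFO"
    return levels


if __name__ == "__main__":
    # Usage: python audit_security_level.py <UMS install dir> [--fix]
    install = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for name, level in audit(install, fix="--fix" in sys.argv).items():
        print(f"{name}: security.level={level}")
```

Run it without --fix first to see the current state of both files; only the property value is touched, so the surrounding comments and the rest of the logback configuration remain unchanged.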
Where Are the Log Files Stored?
You can find the UMS Server log file created by remote security logging:
- On Windows:
C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\ums-server\ums-server-security.log
- On Linux:
/opt/IGEL/RemoteManager/rmguiserver/logs/ums-server/ums-server-security.log
You can find the UMS Administrator log file created by remote security logging:
- On Windows:
C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\ums-admin\ums-admin-security.log
- On Linux:
/opt/IGEL/RemoteManager/rmguiserver/logs/ums-admin/ums-admin-security.log
You can find the ICG log file created by remote security logging:
- On Linux:
/opt/IGEL/icg/usg/logs/icg-security.log
You can find the UMS Web App log file created by remote security logging:
- On Windows:
C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\wums-app-security.log
- On Linux:
/opt/IGEL/RemoteManager/rmguiserver/logs/wums-app-security.log
Logged Events
In the log file, some logged events are marked with source tags:
- UMS Server events contain the source tag UMS-Server.
- ICG events contain the source tag ICG.
- IMI events contain the source tag IMI.
- UMS Web App events contain the source tag UMS-Webapp.
Logged UMS Events
- UMS user login and logoff
- UMS user successful and failed logons
- UMS user password change
- All direct and indirect assignment changes to devices ("privileged policy changes")
- All config changes to devices
- Shut down of UMS or ICG services/processes
- UMS Administrator user account creation/deletion
- UMS Administrator user password change
Logged UMS Web App Events
- Authentication events
- Deletion of a search
- Update or deletion of a profile or priority profile
- Assignment or detachment of the following objects to a folder or a device:
  - profiles
  - priority profiles
  - variables
  - firmware customizations
- Device commands:
  - reset to factory default
  - update device settings
Logged ICG Events
- User creation and deletion
- Successful and failed authentication
- File uploads
Logged IMI Events
- Authentication events
- Add operations
- Update operations
- Delete operations
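The following Python script is an added example, not IGEL's or the page's own code, of the kind of detection logic a log collector or SIEM could run over the security log files described above. It uses the source tags named on this page (UMS-Server, ICG, IMI, UMS-Webapp) and the event categories listed, but the line layout it parses (timestamp, level, bracketed source tag, message) and the sample lines are constructed assumptions, not IGEL's documented format; adjust LINE_RE to the real lines before use.

```python
"""Parse IGEL UMS security log lines and raise simple alerts.
Added example; the line format is an assumption, and the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: "<date> <time> <LEVEL> [<source tag>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+) \[(?P<source>[^\]]+)\] (?P<msg>.*)$"
)
USER_RE = re.compile(r"user '([^']+)'")

# Source tags named in the documentation.
SOURCES = {"UMS-Server", "ICG", "IMI", "UMS-Webapp"}

# Detection parameters for repeated failed logons (sliding window).
FAILED_LOGON_THRESHOLD = 3
FAILED_LOGON_WINDOW = timedelta(minutes=5)

# Constructed sample lines covering several of the documented event types.
SAMPLE_LINES = [
    "2024-05-06 10:00:05 INFO [UMS-Server] user 'admin' logon successful from 10.0.0.5",
    "2024-05-06 10:01:10 INFO [UMS-Server] user 'jdoe' logon failed from 10.0.0.77",
    "2024-05-06 10:01:40 INFO [UMS-Server] user 'jdoe' logon failed from 10.0.0.77",
    "2024-05-06 10:02:15 INFO [UMS-Server] user 'jdoe' logon failed from 10.0.0.77",
    "2024-05-06 10:05:00 INFO [ICG] user 'svc-icg' account created by 'admin'",
    "2024-05-06 10:07:30 INFO [UMS-Webapp] user 'admin' logon successful from 10.0.0.5",
    "2024-05-06 10:09:00 INFO [UMS-Server] UMS server shut down requested by user 'admin'",
    "this line does not follow the expected layout and is skipped",
]


def parse_line(line: str):
    """Return a dict (ts, level, source, msg) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    if rec["source"] not in SOURCES:
        rec["source"] = "unknown"  # keep the record, but mark the unexpected tag
    return rec


def analyze(lines) -> list:
    """Return alert strings for repeated failed logons, account changes and shutdowns."""
    alerts = []
    failed = defaultdict(list)  # user -> timestamps of recent failed logons
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"].lower()
        um = USER_RE.search(rec["msg"])
        user = um.group(1) if um else "?"
        if "logon failed" in msg:
            # Prune timestamps outside the window, then alert once the threshold is reached.
            failed[user] = [t for t in failed[user] if rec["ts"] - t <= FAILED_LOGON_WINDOW]
            failed[user].append(rec["ts"])
            if len(failed[user]) == FAILED_LOGON_THRESHOLD:
                alerts.append(f"{rec['source']}: {FAILED_LOGON_THRESHOLD} failed logons "
                              f"for '{user}' within {FAILED_LOGON_WINDOW}")
        elif "shut down" in msg or "shutdown" in msg:
            alerts.append(f"{rec['source']}: service shutdown: {rec['msg']}")
        elif "account created" in msg or "account deleted" in msg:
            alerts.append(f"{rec['source']}: account change: {rec['msg']}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

Every line that does not match the assumed layout is skipped rather than aborting the run, and a record with an unlisted source tag is kept and marked "unknown" so that new or renamed components show up instead of silently disappearing. The three alerts produced by the sample data (repeated failed logons for one user, an ICG account creation, and a UMS server shutdown) correspond to event types the documentation lists for the respective components.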