Re: [asterisk-users] Security log format / content
Why does the failed authentication place the number dialed, instead of the username used, in the account field? Any way to distinguish a failed dial attempt from a failed register attempt using just the security log? (I couldn't see how looking at the log) From: asterisk-users-boun...@lists.digium.com asterisk-users-boun...@lists.digium.com on behalf of Michael L. Young myo...@acsacc.com Sent: Thursday, March 27, 2014 2:42 PM To: Asterisk Users List Subject: Re: [asterisk-users] Security log format / content - Original Message - From: Michelle Dupuis mdup...@ocg.ca To: Asterisk Users List asterisk-users@lists.digium.com Sent: Thursday, March 27, 2014 12:55:21 AM Subject: [asterisk-users] Security log format / content I've noticed that the Asterisk (v11) security log captures attempts do dial without first authenticating, and places the number dialed into the accountid field. I'm trying to distinguish between failed attempts to register and attempts to dial without registering, but the security log treats them identically (using the accountid field for either the username or number dialed). I have noticed that the eventversion field is set to 2 for failed dial attempts, and 1 otherwise. Is this coincidence? Or can I rely on the eventversion=2 in the future to distinguish these two event types? (I've looked here: https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format but it doesn't really help) The eventversion field is just a way to distinguish different versions of the same event. Between Asterisk 10 and 11, that particular event's logging output changed requiring a bump up in the version. It should not be used to distinguish different events. What do you mean by eventversion field is set to 2 for failed dial attempts, and 1 otherwise? What is the event? I have a feeling those are two different events. You are correct about the events looking identical whether it is a failed registration or a failed dial attempt. From the standpoint of Asterisk, an attempt was made to either register or place a call but the credentials failed. Therefore, an InvalidPassword event is logged. When an authorized device successfully places a call, you will only have a ChallengeSent entry in your log. If an attempt to place a call is made and it does not respond back with the right credentials to the challenge sent to Asterisk, then you will have a ChallengeSent entry with a subsequent InvalidPassword. You should be able to connect the two events based on the fields in those events. If a successful attempt to register is made, you will have a ChallengeSent with a subsequent SuccessfulAuth. If it is not successful, then you will have a ChallengeSent with a subsequent InvalidPassword. Again, there should be enough information present with the other fields to help connect the events together. The security events in Asterisk are designed to present the events. It does not determine anything else for you. You have to create a consumer of those events that can attempt to connect the dots for you. Hopefully we are providing enough information for the consumer to do whatever you would like the consumer to do with the information. I hope that helps. Michael -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Security log format / content
- Original Message - From: Michelle Dupuis mdup...@ocg.ca To: Asterisk Users List asterisk-users@lists.digium.com Sent: Thursday, March 27, 2014 12:55:21 AM Subject: [asterisk-users] Security log format / content I've noticed that the Asterisk (v11) security log captures attempts do dial without first authenticating, and places the number dialed into the accountid field. I'm trying to distinguish between failed attempts to register and attempts to dial without registering, but the security log treats them identically (using the accountid field for either the username or number dialed). I have noticed that the eventversion field is set to 2 for failed dial attempts, and 1 otherwise. Is this coincidence? Or can I rely on the eventversion=2 in the future to distinguish these two event types? (I've looked here: https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format but it doesn't really help) The eventversion field is just a way to distinguish different versions of the same event. Between Asterisk 10 and 11, that particular event's logging output changed requiring a bump up in the version. It should not be used to distinguish different events. What do you mean by eventversion field is set to 2 for failed dial attempts, and 1 otherwise? What is the event? I have a feeling those are two different events. You are correct about the events looking identical whether it is a failed registration or a failed dial attempt. From the standpoint of Asterisk, an attempt was made to either register or place a call but the credentials failed. Therefore, an InvalidPassword event is logged. When an authorized device successfully places a call, you will only have a ChallengeSent entry in your log. If an attempt to place a call is made and it does not respond back with the right credentials to the challenge sent to Asterisk, then you will have a ChallengeSent entry with a subsequent InvalidPassword. You should be able to connect the two events based on the fields in those events. If a successful attempt to register is made, you will have a ChallengeSent with a subsequent SuccessfulAuth. If it is not successful, then you will have a ChallengeSent with a subsequent InvalidPassword. Again, there should be enough information present with the other fields to help connect the events together. The security events in Asterisk are designed to present the events. It does not determine anything else for you. You have to create a consumer of those events that can attempt to connect the dots for you. Hopefully we are providing enough information for the consumer to do whatever you would like the consumer to do with the information. I hope that helps. Michael -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] Security log format / content
I've noticed that the Asterisk (v11) security log captures attempts do dial without first authenticating, and places the number dialed into the accountid field. I'm trying to distinguish between failed attempts to register and attempts to dial without registering, but the security log treats them identically (using the accountid field for either the username or number dialed). I have noticed that the eventversion field is set to 2 for failed dial attempts, and 1 otherwise. Is this coincidence? Or can I rely on the eventversion=2 in the future to distinguish these two event types? (I've looked here: https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format? but it doesn't really help) -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users