Requirements
Requirement: FAU_GEN.1.1
FAU_GEN.1.1 - Start-up and shut-down of the audit functions
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
Services Host | STARTUP | [STARTUP] Started | [2015-02-13 14:55:40,929] [INFO] [9] ServicesHost.Program - [STARTUP] Started | Start the 'LogRhythm Services Host' via the Windows Services Manager. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log |
Services Host | SHUTDOWN | [SHUTDOWN] Shutdown complete, exiting. | [2015-02-13 15:02:17,217] [INFO] [29] ServicesHost.Program - [SHUTDOWN] Shutdown complete, exiting. | Stop the 'LogRhythm Services Host' via the Windows Services Manager. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log |
node.js | STARTUP | [STARTUP] Started | [2015-02-13 15:16:12.939] [INFO] cake - [STARTUP] Started | Start the 'LogRhythm Services Host' via the Windows Services Manager. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
node.js | SHUTDOWN | [SHUTDOWN] Shutdown complete, exiting. | [2015-02-13 15:18:46.158] [INFO] cake - [SHUTDOWN] Shutdown complete, exiting. | Stop the 'LogRhythm Services Host' via the Windows Services Manager. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
Indexer | STARTUP | [STARTUP] Started | [2015-02-13 15:28:09,887] [INFO] IndexService:[main] - [STARTUP] Started | Start the 'LogRhythm Services Host' via the Windows Services Manager. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\indexer.log |
Indexer | SHUTDOWN | [SHUTDOWN] Shutdown complete, exiting. | [2015-02-13 15:28:20,058] [INFO] IndexService:[Thread-0] - [SHUTDOWN] Shutdown complete, exiting. | Stop the 'LogRhythm Services Host' via the Windows Services Manager. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\indexer.log |
Requirement: FCS_TLS_EXT.1
FCS_TLS_EXT.1 - Establishment of a TLS session.
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
Services Host | CONNECTION | [CONNECTION] ...SqlService opened a pooled database connection | [2015-02-17 01:23:54,819] [INFO] [9] Sql.SqlRepo - [CONNECTION] ...SqlService opened a pooled database connection | Start the 'LogRhythm Services Host' via the Windows Services Manager. Note that non-TOE (web) clients do not establish connections to the database. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log |
Services Host | CONNECTION | [CONNECTION] SqlService closed a pooled database connection | [2015-02-17 01:30:00,541] [INFO] [SqlService Request Dispatcher] Sql.SqlRepo - [CONNECTION] SqlService closed a pooled database connection | Stop the 'LogRhythm Services Host' via the Windows Services Manager. Note that non-TOE (web) clients do not establish connections to the database. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log |
FCS_TLS_EXT.1 - Termination of a TLS session
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
Services Host | CONNECTION | [CONNECTION] SqlService closed a pooled database connection | [2015-02-17 01:30:00,541] [INFO] [SqlService Request Dispatcher] Sql.SqlRepo - [CONNECTION] SqlService closed a pooled database connection | Stop the 'LogRhythm Services Host' via the Windows Services Manager. Note that non-TOE (web) clients do not establish connections to the database. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log |
FCS_TLS_EXT.1 - Failure to establish a TLS Session.
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
Services Host | CONNECTION | [CONNECTION] SqlService failed to open a pooled databse connection: (error: reason/details) | [2015-02-17 01:38:04,354] [ERROR] [7] Sql.SqlRepo - [CONNECTION] SqlService failed to open a pooled databse connection: (error: System.Data.SqlClient.SqlException (0x80131904): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) | Replace all occurrences of the SQL Server hostname with "fakehost" in C:\Program Files\LogRhythm\LogRhythm Web Console\Service\LogRhythm.Web.Services.ServicesHost.exe.config and then start the 'LogRhythm Services Host' via the Windows Services Manager. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log |
Requirement: FTP_TRP.1
FTP_TRP.1 - Termination of the trusted channel. Failures of the trusted channel.
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
ABG 2/16/2014 - This requirement is unclear / does not seem applicable to the Web Console. | N/A | N/A | N/A | N/A | N/A |
Requirement: FCS_HTTPS_EXT.1
FCS_HTTPS_EXT.1 - Termination of an HTTPS session. Required: Non-TOE endpoint of connection (IP address) for both successes and failures.
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
nginx | HTTPS | $remote_addr - [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" | 127.0.0.1 - - [16/Feb/2015:21:30:55 -0700] "GET /logout HTTP/1.1" 302 58 "https://localhost:8443/dashboard" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36" | Click the Logout button. | C:\Program Files\LogRhythm\LogRhythm Web Console\nginx\logs\access.log |
FCS_HTTPS_EXT.1 - Failure to establish an HTTPS Session. Required: Reason for failure.
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
nginx | HTTPS | ABG 2/16/2015 - It's not clear how to force an https error to occur. | ABG 2/16/2015 - It's not clear how to force an https error to occur. | ABG 2/16/2015 - It's not clear how to force an https error to occur. | C:\Program Files\LogRhythm\LogRhythm Web Console\nginx\logs\error.log |
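The access.log row above is the evidence for HTTPS session termination, and the requirement asks for the non-TOE endpoint (the client IP) to be recorded. The following parser is an added example, not part of this page or of LogRhythm's code: it reads lines in the layout the sample shows, pulls out the client address, the request and the status, and normalises the `$time_local` timestamp including its UTC offset. The sample lines are constructed (192.0.2.10 is a documentation address); the `/dashboard` path and the `/logout` request come from the table above. One caveat worth knowing: the sample's leading `127.0.0.1 - -` is the standard nginx "combined" layout, in which the second `-` is `$remote_user` (printed as `-` when no user is set), so the regex expects that field even though the table's format string omits it.

```python
"""Parse nginx access.log lines in the layout the FCS_HTTPS_EXT.1 table shows,
to pull out the non-TOE endpoint (IP) and the request outcome.
Added example, not LogRhythm's code."""
import re
from datetime import datetime

# The sample on this page ("127.0.0.1 - - [...]") is nginx's default "combined"
# layout: $remote_addr - $remote_user [$time_local] "$request" $status
# $body_bytes_sent "$http_referer" "$http_user_agent".
# $remote_user is printed as "-" when unset, which is why two dashes appear.
ACCESS_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)


def parse_access_line(line):
    """Return a record for one access.log line, or None if it does not match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    # "GET /logout HTTP/1.1" -> method, path, protocol. A malformed request
    # line is kept whole in `path` so the evidence is not silently dropped.
    parts = m["request"].split(" ")
    method, path, proto = parts if len(parts) == 3 else (None, m["request"], None)
    return {
        "remote_addr": m["remote_addr"],  # the non-TOE endpoint of the session
        "remote_user": None if m["remote_user"] == "-" else m["remote_user"],
        # $time_local carries the server's UTC offset; keep a tz-aware datetime
        "time": datetime.strptime(m["time_local"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "protocol": proto,
        "status": int(m["status"]),
        "bytes": int(m["body_bytes_sent"]),
        "referer": m["http_referer"],
        "user_agent": m["http_user_agent"],
    }


def parse_access_log(lines):
    return [r for r in map(parse_access_line, lines) if r]


def logout_events(records):
    """The session-termination evidence the table points at: /logout requests,
    each with the client IP that sent them."""
    return [r for r in records if r["path"] == "/logout"]


def client_endpoints(records):
    """Every remote IP seen in the log (the non-TOE endpoints FCS_HTTPS_EXT.1
    asks to be recorded)."""
    return {r["remote_addr"] for r in records}


# Constructed sample lines modelled on the page's example; 192.0.2.10 is a
# documentation address, not a real client.
SAMPLE_ACCESS_LINES = [
    '127.0.0.1 - - [16/Feb/2015:21:30:55 -0700] "GET /logout HTTP/1.1" 302 58 '
    '"https://localhost:8443/dashboard" "Mozilla/5.0 (Windows NT 6.1; WOW64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"',
    '192.0.2.10 - - [16/Feb/2015:21:31:02 -0700] "GET /dashboard HTTP/1.1" 200 4120 '
    '"-" "Mozilla/5.0"',
    "this line is not an access log record and is skipped",
]

if __name__ == "__main__":
    for rec in logout_events(parse_access_log(SAMPLE_ACCESS_LINES)):
        print(rec["time"].isoformat(), rec["remote_addr"], rec["status"])
```

Run as a script it prints the logout request with its tz-aware timestamp and client IP; point `parse_access_log` at the real access.log to list every client endpoint that reached the console.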
Requirements: FIA_UIA_EXT.1 and FIA_UAU_EXT.2
The following table covers the node.js process for these requirements:
- FIA_UIA_EXT.1 - All use of the identification and authentication mechanism
- FIA_UAU_EXT.2 - All use of the authentication mechanism.
Event type: AUTHENTICATION
Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|
[AUTHENTICATION] AUTHENTICATION SUCCEEDED - ...authorization verified for username username from host ip_addr | [2015-02-17 02:07:20.546] [INFO] app - [AUTHENTICATION] AUTHENTICATION SUCCEEDED - ...authorization verified for username firstname.lastname from host 127.0.0.1 | Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] SqlAuthenticationRepo was unable to authenticate username username from host ip_addr via SQL, trying AD/LDAP authentication next | [2015-02-17 02:07:18.812] [INFO] app - [AUTHENTICATION] SqlAuthenticationRepo was unable to authenticate username firstname.lastname from host 127.0.0.1 via SQL, trying AD/LDAP authentication next | Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] username username from host ip_addr successfully authenticated via web service, verifying authorization... | [2015-02-17 02:07:20.538] [INFO] app - [AUTHENTICATION] username firstname.lastname from host 127.0.0.1 successfully authenticated via web service, verifying authorization... | Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] SqlAuthenticationRepo was unable to authenticate username invalid_username from host 127.0.0.1 via SQL, trying AD/LDAP authentication next | [2015-02-17 02:14:22.424] [INFO] app - [AUTHENTICATION] SqlAuthenticationRepo was unable to authenticate username invalid_username from host 127.0.0.1 via SQL, trying AD/LDAP authentication next | Attempt to login to the Web Console with invalid LogRhythm user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] AUTHENTICATION FAILED - Failed to authenticate username invalid_username from host 127.0.0.1 via web service (error: cannot GET /api/v1/credentials (403)) | [2015-02-17 02:14:22.573] [ERROR] app - [AUTHENTICATION] AUTHENTICATION FAILED - Failed to authenticate username invalid_username from host 127.0.0.1 via web service (error: cannot GET /api/v1/credentials (403)) | Attempt to login to the Web Console with invalid LogRhythm user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] attempting to authenticate username invalid_username from host 127.0.0.1 via SQL Server | [2015-02-17 02:14:22.267] [INFO] app - [AUTHENTICATION] attempting to authenticate username invalid_username from host 127.0.0.1 via SQL Server | Attempt to login to the Web Console with invalid LogRhythm user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] username invalid_username from host 127.0.0.1 was NOT authenticated via SQL Server | [2015-02-17 02:14:22.424] [INFO] app - [AUTHENTICATION] username invalid_username from host 127.0.0.1 was NOT authenticated via SQL Server | Attempt to login to the Web Console with invalid LogRhythm user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] username username from host ip_addr: successfully invoked credentials proc | [2015-02-17 02:00:06.627] [INFO] app - [AUTHENTICATION] username logrhythmadmin from host 127.0.0.1: successfully invoked credentials proc | Login to the Web Console with valid LogRhythm 'SQL' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] username username from host ip_addr successfully authenticated via SQL Server, verifying authorization... | [2015-02-17 02:00:06.627] [INFO] app - [AUTHENTICATION] username logrhythmadmin from host 127.0.0.1 successfully authenticated via SQL Server, verifying authorization... | Login to the Web Console with valid LogRhythm 'SQL' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] attempting to authenticate username username from host ip_addr via SQL Server | [2015-02-17 02:00:06.578] [INFO] app - [AUTHENTICATION] attempting to authenticate username logrhythmadmin from host 127.0.0.1 via SQL Server | Login to the Web Console with valid 'SQL' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] username username from host ip_addr WAS authenticated via SQL Server, retrieving user credentials... | [2015-02-17 02:00:06.601] [INFO] app - [AUTHENTICATION] username logrhythmadmin from host 127.0.0.1 WAS authenticated via SQL Server, retrieving user credentials... | Login to the Web Console with valid LogRhythm 'SQL' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] AUTHENTICATION SUCCEEDED - ...authorization verified for username username from host ip_addr | [2015-02-17 02:00:07.123] [INFO] app - [AUTHENTICATION] AUTHENTICATION SUCCEEDED - ...authorization verified for username logrhythmadmin from host 127.0.0.1 | Login to the Web Console with valid LogRhythm 'SQL' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] attempting to authenticate username username from host ip_addr via SQL Server | [2015-02-17 02:07:18.486] [INFO] app - [AUTHENTICATION] attempting to authenticate username firstname.lastname from host 127.0.0.1 via SQL Server | Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[AUTHENTICATION] username username from host ip_addr was NOT authenticated via SQL Server | [2015-02-17 02:07:18.812] [INFO] app - [AUTHENTICATION] username firstname.lastname from host 127.0.0.1 was NOT authenticated via SQL Server | Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
Event type: SESSION
Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|
[SESSION] SESSION STARTED - adding username username from host ip_addr to sessions: details | [2015-02-17 02:40:55.900] [INFO] app - [SESSION] SESSION STARTED - adding username DOMAIN\firstname.lastname from host 127.0.0.1 to sessions: {"qualifiedUsername":"DOMAIN\\firstname.lastname","id":12,"personId":13,"isEnabled":true,"isGlobalAdmin":false,"isGlobalAnalyst":false,"isRestrictedAdmin":false,"isRestrictedAnalyst":true,"isGlobalUser":false,"isRestrictedUser":true,"msgSourceACLs":[],"allowedLogManagers":[{"id":1,"name":"192.168.253.10"}],"defaultLogManagers":[],"loginDate":"2015-02-17T09:40:55.895Z","defaultEntityId":1,"username":"firstname.lastname","person":{"personId":13,"firstName":"Andrew","middleName":null,"lastName":"Again","fullName":"Again, Andrew","abbreviation":null,"dateUpdated":"2014-06-23T21:32:50.807","recordStatus":1,"personType":1,"shortDesc":null,"longDesc":null,"adGroup":null},"clientAddr":"127.0.0.1"} | Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[SESSION] socket.io authorized username username from client addr ip_addr | [2015-02-17 02:40:56.361] [INFO] app - [SESSION] socket.io authorized username firstname.lastname from client addr 127.0.0.1 | Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[SESSION] SESSION STARTED - adding username username from host ip_addr to sessions: details | [2015-02-17 02:27:38.240] [INFO] app - [SESSION] SESSION STARTED - adding username LogRhythmAdmin from host 127.0.0.1 to sessions: {"qualifiedUsername":"LogRhythmAdmin","id":-100,"personId":-100,"isEnabled":true,"isGlobalAdmin":true,"isGlobalAnalyst":false,"isRestrictedAdmin":false,"isRestrictedAnalyst":false,"isGlobalUser":true,"isRestrictedUser":false,"msgSourceACLs":[],"allowedLogManagers":[{"id":1,"name":"192.168.253.10"},{"id":2,"name":"SD_DMZ_FTP1"}],"defaultLogManagers":[],"loginDate":"2015-02-17T09:27:38.237Z","defaultEntityId":1,"username":"LogRhythmAdmin","person":{"personId":-100,"firstName":"LogRhythm","middleName":null,"lastName":"Administrator","fullName":"LogRhythm Administrator","abbreviation":null,"dateUpdated":"2013-12-24T17:28:38.59","recordStatus":1,"personType":2,"shortDesc":null,"longDesc":null,"adGroup":null},"clientAddr":"127.0.0.1"} | Login to the Web Console with valid LogRhythm 'SQL' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
[SESSION] socket.io authorized username username from client addr ip_addr | [2015-02-17 02:27:38.691] [INFO] app - [SESSION] socket.io authorized username LogRhythmAdmin from client addr 127.0.0.1 | Login to the Web Console with valid LogRhythm 'SQL' user credentials. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
Requirement: FPT_STM.1
FPT_STM.1 - Changes to the time including NTP sync.
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
N/A: The Web Console does not change time / NTP sync. | N/A | N/A | N/A | N/A | N/A |
Requirement: FPT_TUD_EXT.1
FPT_TUD_EXT.1 - Initiation of update.
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
Please refer to the "common" InstallShield logs / events generated during an upgrade. | N/A | N/A | N/A | N/A | N/A |
Requirement: FTA_SSL_EXT.1
FTA_SSL_EXT.1 - Any attempts at unlocking of an interactive session.
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
N/A: Web Console sessions can only be terminated (there is no "locked" state to unlock). | N/A | N/A | N/A | N/A | N/A |
Requirement: FTA_SSL.3
FTA_SSL.3 - The termination of a remote session by the session locking mechanism.
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
node.js | SESSION | [SESSION] SESSION TERMINATED socket.io disconnected client addr ip_addr | [2015-02-17 02:26:59.825] [INFO] app - [SESSION] SESSION TERMINATED socket.io disconnected client addr 127.0.0.1 | Click the Logout button. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
node.js | SESSION | [SESSION] SESSION TERMINATED - username username from host ip_addr has logged out | [2015-02-17 02:26:59.809] [INFO] app - [SESSION] SESSION TERMINATED - username LogRhythmAdmin from host 127.0.0.1 has logged out | Click the Logout button. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
Requirement: FTA_SSL.4
FTA_SSL.4 - The termination of an interactive session.
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
node.js | SESSION | [SESSION] SESSION TERMINATED - username username from host ip_addr has logged out | [2015-02-17 02:26:59.809] [INFO] app - [SESSION] SESSION TERMINATED - username LogRhythmAdmin from host 127.0.0.1 has logged out | Click the Logout button. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
node.js | SESSION | [SESSION] SESSION TERMINATED socket.io disconnected client addr ip_addr | [2015-02-17 02:26:59.825] [INFO] app - [SESSION] SESSION TERMINATED socket.io disconnected client addr 127.0.0.1 | Click the Logout button. | C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log |
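The Services Host, node.js and Indexer logs in the tables above all share one line shape, `[timestamp] [LEVEL] source - [EVENT_TYPE] message`, differing only in the source field and in whether the milliseconds are separated by a comma or a dot. The parser below is an added example, not part of this page or of LogRhythm's code. It serves the FAU_GEN.1.1 (STARTUP/SHUTDOWN), FCS_TLS_EXT.1 (CONNECTION), FIA_UIA_EXT.1/FIA_UAU_EXT.2 (AUTHENTICATION) and FTA_SSL.3/FTA_SSL.4 (SESSION TERMINATED) tables at once: it turns each line into a record tagged with the requirement it evidences, pulls the username and host out of the message (including the `from host 127.0.0.1:` form with a trailing colon, and the bare `client addr` form of the socket.io lines), decodes the JSON session details that SESSION STARTED appends, and counts repeated AUTHENTICATION FAILED records per host, which is the first check a reviewer would run over LRWebConsole.log. The sample lines are constructed from the page's examples; the host 10.0.0.5 and the second failing username are invented to exercise the repeated-failure check, and the requirement mapping is the one these tables give.

```python
"""Parse the bracket-tagged audit lines the Services Host, node.js and Indexer
processes write, and map each to the requirement it evidences. Added example,
not LogRhythm code: line shapes follow this page's tables, samples are constructed."""
import json
import re
from collections import Counter
from datetime import datetime

# Common shape of all three logs:  [timestamp] [LEVEL] <source> - [EVENT_TYPE] message
# <source> is "[thread] Logger" (Services Host), "app"/"cake" (node.js) or
# "IndexService:[thread]" (Indexer). The lazy <source> match stops at the first
# " - [TAG] ", so the message itself may contain " - " (AUTHENTICATION lines do).
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[.,]\d{3})\] "
    r"\[(?P<level>[A-Z]+)\] (?P<source>.+?) - \[(?P<tag>[A-Z]+)\] (?P<msg>.*)$"
)
# "username U from host H", "username U from client addr H" or a bare "client addr H".
# H ends at whitespace, at a trailing colon ("from host 127.0.0.1: successfully ...")
# or at end of line. Assumes IPv4 or hostnames; an IPv6 literal would be cut at ':'.
SUBJECT_RE = re.compile(
    r"(?:username (?P<user>\S+) from )?\b(?:host|client addr) (?P<host>\S+?)(?=[\s:]|$)"
)
# Requirement each event type evidences, as the tables on this page map them.
REQUIREMENTS = {
    "STARTUP": "FAU_GEN.1.1", "SHUTDOWN": "FAU_GEN.1.1", "CONNECTION": "FCS_TLS_EXT.1",
    "AUTHENTICATION": "FIA_UIA_EXT.1/FIA_UAU_EXT.2",
    "SESSION": "FIA_UIA_EXT.1/FTA_SSL.3/FTA_SSL.4",
}

def classify(tag, level, msg):
    """Reduce the free-text message to a stable outcome label."""
    if tag in ("STARTUP", "SHUTDOWN"):
        return tag.lower()
    if tag == "CONNECTION":
        if level == "ERROR" or "failed to open" in msg:
            return "connection_failed"
        return "connection_opened" if "opened" in msg else "connection_closed"
    if tag == "AUTHENTICATION":
        if msg.startswith("AUTHENTICATION SUCCEEDED"):
            return "auth_success"
        if msg.startswith("AUTHENTICATION FAILED"):
            return "auth_failure"
        return "auth_progress"  # intermediate SQL / AD-LDAP steps of one login
    if tag == "SESSION":
        if msg.startswith("SESSION STARTED"):
            return "session_started"
        if msg.startswith("SESSION TERMINATED"):
            return "session_terminated"
        return "session_other"  # e.g. "socket.io authorized username ..."
    return "unknown"

def parse_line(line):
    """Return one audit record, or None for lines that carry no event tag."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    tag, level, msg = m["tag"], m["level"], m["msg"]
    rec = {
        # Services Host and Indexer put ',' before the milliseconds, node.js '.'
        "ts": datetime.strptime(m["ts"].replace(",", "."), "%Y-%m-%d %H:%M:%S.%f"),
        "level": level, "source": m["source"], "event_type": tag,
        "outcome": classify(tag, level, msg),
        "requirement": REQUIREMENTS.get(tag, "unmapped"),
        "user": None, "host": None, "session": None,
    }
    s = SUBJECT_RE.search(msg)
    if s:
        rec["user"], rec["host"] = s["user"], s["host"]
    if rec["outcome"] == "session_started" and "to sessions: " in msg:
        try:  # SESSION STARTED appends the session details as a JSON object
            rec["session"] = json.loads(msg.split("to sessions: ", 1)[1])
        except ValueError:
            pass  # truncated/unparsable details: keep the record without them
    return rec

def audit_records(lines):
    return [r for r in map(parse_line, lines) if r]

def failed_logins_by_host(records, threshold=2):
    """Hosts with at least `threshold` AUTHENTICATION FAILED records."""
    counts = Counter(r["host"] for r in records if r["outcome"] == "auth_failure")
    return {host: n for host, n in counts.items() if n >= threshold}

# Constructed samples modelled on the page's examples; 10.0.0.5 and the second
# failing username are invented to exercise the repeated-failure check.
SAMPLE_LINES = [
    "[2015-02-13 15:28:09,887] [INFO] IndexService:[main] - [STARTUP] Started",
    "[2015-02-17 01:38:04,354] [ERROR] [7] Sql.SqlRepo - [CONNECTION] SqlService failed to open a pooled databse connection: (error: connection refused)",
    "[2015-02-17 02:00:06.627] [INFO] app - [AUTHENTICATION] username logrhythmadmin from host 127.0.0.1: successfully invoked credentials proc",
    "[2015-02-17 02:00:07.123] [INFO] app - [AUTHENTICATION] AUTHENTICATION SUCCEEDED - ...authorization verified for username logrhythmadmin from host 127.0.0.1",
    "[2015-02-17 02:14:22.573] [ERROR] app - [AUTHENTICATION] AUTHENTICATION FAILED - Failed to authenticate username invalid_username from host 10.0.0.5 via web service (error: cannot GET /api/v1/credentials (403))",
    "[2015-02-17 02:14:30.101] [ERROR] app - [AUTHENTICATION] AUTHENTICATION FAILED - Failed to authenticate username other_user from host 10.0.0.5 via web service (error: cannot GET /api/v1/credentials (403))",
    '[2015-02-17 02:40:55.900] [INFO] app - [SESSION] SESSION STARTED - adding username DOMAIN\\firstname.lastname from host 127.0.0.1 to sessions: {"isGlobalAdmin":false,"clientAddr":"127.0.0.1"}',
    "[2015-02-17 02:26:59.809] [INFO] app - [SESSION] SESSION TERMINATED - username LogRhythmAdmin from host 127.0.0.1 has logged out",
    "[2015-02-17 02:26:59.825] [INFO] app - [SESSION] SESSION TERMINATED socket.io disconnected client addr 127.0.0.1",
    "a line without an event tag is ignored",
]

if __name__ == "__main__":
    recs = audit_records(SAMPLE_LINES)
    for r in recs:
        print(r["ts"].isoformat(), r["requirement"], r["outcome"], r["user"], r["host"])
    print("repeated failures:", failed_logins_by_host(recs))
```

Feed `audit_records` the concatenation of the three log files and the `requirement` field shows which tables above have evidence in a given capture; `failed_logins_by_host` is deliberately simple (no time window), since the sample lines carry a timestamp that a real check would bucket on.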
Requirement: FTP_ITC.1
FTP_ITC.1 - Termination of the trusted channel. Failure of the trusted channel functions. Initiation of the trusted channel.
Process | Event Type | Log Format | Sample Log | To Reproduce | Default Log Location |
---|---|---|---|---|---|
ABG 2/16/2014 - This requirement is unclear / does not seem applicable to the Web Console. | N/A | N/A | N/A | N/A | N/A |