Requirements

Requirement: FAU_GEN.1.1

FAU_GEN.1.1 - Start-up and shut-down of the audit functions

Process: Services Host
Event Type: STARTUP
Log Format: [STARTUP] Started
Sample Log: [2015-02-13 14:55:40,929] [INFO] [9] ServicesHost.Program - [STARTUP] Started
To Reproduce: Start the 'LogRhythm Services Host' via the Windows Services Manager.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log

Process: Services Host
Event Type: SHUTDOWN
Log Format: [SHUTDOWN] Shutdown complete, exiting.
Sample Log: [2015-02-13 15:02:17,217] [INFO] [29] ServicesHost.Program - [SHUTDOWN] Shutdown complete, exiting.
To Reproduce: Stop the 'LogRhythm Services Host' via the Windows Services Manager.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log

Process: node.js
Event Type: STARTUP
Log Format: [STARTUP] Started
Sample Log: [2015-02-13 15:16:12.939] [INFO] cake - [STARTUP] Started
To Reproduce: Start the 'LogRhythm Services Host' via the Windows Services Manager.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Process: node.js
Event Type: SHUTDOWN
Log Format: [SHUTDOWN] Shutdown complete, exiting.
Sample Log: [2015-02-13 15:18:46.158] [INFO] cake - [SHUTDOWN] Shutdown complete, exiting.
To Reproduce: Stop the 'LogRhythm Services Host' via the Windows Services Manager.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Process: Indexer
Event Type: STARTUP
Log Format: [STARTUP] Started
Sample Log: [2015-02-13 15:28:09,887] [INFO] IndexService:[main] - [STARTUP] Started
To Reproduce: Start the 'LogRhythm Services Host' via the Windows Services Manager.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\indexer.log

Process: Indexer
Event Type: SHUTDOWN
Log Format: [SHUTDOWN] Shutdown complete, exiting.
Sample Log: [2015-02-13 15:28:20,058] [INFO] IndexService:[Thread-0] - [SHUTDOWN] Shutdown complete, exiting.
To Reproduce: Stop the 'LogRhythm Services Host' via the Windows Services Manager.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\indexer.log

Requirement: FCS_TLS_EXT.1

FCS_TLS_EXT.1 - Establishment of a TLS session.

Process: Services Host
Event Type: CONNECTION
Log Format: [CONNECTION] ...SqlService opened a pooled database connection
Sample Log: [2015-02-17 01:23:54,819] [INFO] [9] Sql.SqlRepo - [CONNECTION] ...SqlService opened a pooled database connection
To Reproduce: Start the 'LogRhythm Services Host' via the Windows Services Manager. Note that non-TOE (web) clients do not establish connections to the database.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log

Process: Services Host
Event Type: CONNECTION
Log Format: [CONNECTION] SqlService closed a pooled database connection
Sample Log: [2015-02-17 01:30:00,541] [INFO] [SqlService Request Dispatcher] Sql.SqlRepo - [CONNECTION] SqlService closed a pooled database connection
To Reproduce: Stop the 'LogRhythm Services Host' via the Windows Services Manager. Note that non-TOE (web) clients do not establish connections to the database.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log

FCS_TLS_EXT.1 - Termination of a TLS session

Process: Services Host
Event Type: CONNECTION
Log Format: [CONNECTION] SqlService closed a pooled database connection
Sample Log: [2015-02-17 01:30:00,541] [INFO] [SqlService Request Dispatcher] Sql.SqlRepo - [CONNECTION] SqlService closed a pooled database connection
To Reproduce: Stop the 'LogRhythm Services Host' via the Windows Services Manager. Note that non-TOE (web) clients do not establish connections to the database.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log

FCS_TLS_EXT.1 - Failure to establish a TLS Session.

Process: Services Host
Event Type: CONNECTION
Log Format: [CONNECTION] SqlService failed to open a pooled databse connection: (error: reason/details)
Sample Log: [2015-02-17 01:38:04,354] [ERROR] [7] Sql.SqlRepo - [CONNECTION] SqlService failed to open a pooled databse connection: (error: System.Data.SqlClient.SqlException (0x80131904): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
To Reproduce: Replace all occurrences of the SQL Server hostname with "fakehost" in C:\Program Files\LogRhythm\LogRhythm Web Console\Service\LogRhythm.Web.Services.ServicesHost.exe.config and then start the 'LogRhythm Services Host' via the Windows Services Manager.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LogRhythm.Web.Services.ServicesHost.log

Requirement: FTP_TRP.1

FTP_TRP.1 - Termination of the trusted channel. Failures of the trusted channel.

Process: ABG 2/16/2014 - This requirement is unclear / does not seem applicable to the Web Console.
Event Type: N/A
Log Format: N/A
Sample Log: N/A
To Reproduce: N/A
Default Log Location: N/A

Requirement: FCS_HTTPS_EXT.1

FCS_HTTPS_EXT.1 - Termination of a HTTPS session. Required: Non-TOE endpoint of connection (IP address) for both successes and failures.

Process: nginx
Event Type: HTTPS
Log Format: $remote_addr - [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
Sample Log: 127.0.0.1 - - [16/Feb/2015:21:30:55 -0700] "GET /logout HTTP/1.1" 302 58 "https://localhost:8443/dashboard" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"
To Reproduce: Click the Logout button.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\nginx\logs\access.log
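As an added example (not part of this document and not LogRhythm's code), the following Python parses lines written in the nginx log_format above and pulls out the non-TOE endpoint ($remote_addr) that FCS_HTTPS_EXT.1 requires, collecting the /logout requests that mark a session termination and flagging lines the declared format cannot explain. The sample lines are constructed from the page's logout record plus a made-up second endpoint (192.0.2.7).

```python
import re
from collections import Counter

# Pattern for the nginx log_format quoted above. The page's sample line carries the standard
# "- -" ($remote_user) field between $remote_addr and [$time_local], so that field is optional.
ACCESS_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?:(?P<remote_user>\S+) )?\[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)

def parse_access_line(line):
    """Return the named fields of one access.log line, or None if it does not match the format."""
    m = ACCESS_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["body_bytes_sent"] = int(rec["body_bytes_sent"])
    parts = rec["request"].split(" ")  # "$request" is "METHOD PATH PROTOCOL"
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else (None, None)
    return rec

def https_session_terminations(lines):
    """Collect (remote_addr, time_local, status) for /logout requests, the termination records
    FCS_HTTPS_EXT.1 asks for, and count requests per non-TOE endpoint address."""
    terminations, per_endpoint, unparsed = [], Counter(), []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            unparsed.append(line)  # surface lines the declared format does not explain
            continue
        per_endpoint[rec["remote_addr"]] += 1
        if rec["path"] == "/logout":
            terminations.append((rec["remote_addr"], rec["time_local"], rec["status"]))
    return {"terminations": terminations, "per_endpoint": dict(per_endpoint), "unparsed": unparsed}

# Constructed sample: the page's logout line, a second (made-up) endpoint, and one malformed line.
SAMPLE_ACCESS_LOG = [
    '127.0.0.1 - - [16/Feb/2015:21:30:55 -0700] "GET /logout HTTP/1.1" 302 58 '
    '"https://localhost:8443/dashboard" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"',
    '192.0.2.7 - - [16/Feb/2015:21:31:02 -0700] "GET /dashboard HTTP/1.1" 200 5120 "-" "curl/7.40.0"',
    'not an access log line',
]
```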


FCS_HTTPS_EXT.1 - Failure to establish a HTTPS Session. Required: Reason for failure.

Process: nginx
Event Type: HTTPS
Log Format / Sample Log / To Reproduce: ABG 2/16/2015 - It's not clear how to force an https error to occur.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\nginx\logs\error.log

Requirements: FIA_UIA_EXT.1 and FIA_UAU_EXT.2

The following table covers the node.js process for these requirements:

  • FIA_UIA_EXT.1 - All use of the identification and authentication mechanism

  • FIA_UAU_EXT.2 - All use of the authentication mechanism.

Event type: AUTHENTICATION

Log Format: [AUTHENTICATION] AUTHENTICATION SUCCEEDED - ...authorization verified for username username from host ip_addr
Sample Log: [2015-02-17 02:07:20.546] [INFO] app - [AUTHENTICATION] AUTHENTICATION SUCCEEDED - ...authorization verified for username firstname.lastname from host 127.0.0.1
To Reproduce: Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] SqlAuthenticationRepo was unable to authenticate username username from host ip_addr via SQL, trying AD/LDAP authentication next
Sample Log: [2015-02-17 02:07:18.812] [INFO] app - [AUTHENTICATION] SqlAuthenticationRepo was unable to authenticate username firstname.lastname from host 127.0.0.1 via SQL, trying AD/LDAP authentication next
To Reproduce: Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] username username from host ip_addr successfully authenticated via web service, verifying authorization...
Sample Log: [2015-02-17 02:07:20.538] [INFO] app - [AUTHENTICATION] username firstname.lastname from host 127.0.0.1 successfully authenticated via web service, verifying authorization...
To Reproduce: Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] SqlAuthenticationRepo was unable to authenticate username invalid_username from host 127.0.0.1 via SQL, trying AD/LDAP authentication next
Sample Log: [2015-02-17 02:14:22.424] [INFO] app - [AUTHENTICATION] SqlAuthenticationRepo was unable to authenticate username invalid_username from host 127.0.0.1 via SQL, trying AD/LDAP authentication next
To Reproduce: Attempt to login to the Web Console with invalid LogRhythm user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] AUTHENTICATION FAILED - Failed to authenticate username invalid_username from host 127.0.0.1 via web service (error: cannot GET /api/v1/credentials (403))
Sample Log: [2015-02-17 02:14:22.573] [ERROR] app - [AUTHENTICATION] AUTHENTICATION FAILED - Failed to authenticate username invalid_username from host 127.0.0.1 via web service (error: cannot GET /api/v1/credentials (403))
To Reproduce: Attempt to login to the Web Console with invalid LogRhythm user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] attempting to authenticate username invalid_username from host 127.0.0.1 via SQL Server
Sample Log: [2015-02-17 02:14:22.267] [INFO] app - [AUTHENTICATION] attempting to authenticate username invalid_username from host 127.0.0.1 via SQL Server
To Reproduce: Attempt to login to the Web Console with invalid LogRhythm user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] username invalid_username from host 127.0.0.1 was NOT authenticated via SQL Server
Sample Log: [2015-02-17 02:14:22.424] [INFO] app - [AUTHENTICATION] username invalid_username from host 127.0.0.1 was NOT authenticated via SQL Server
To Reproduce: Attempt to login to the Web Console with invalid LogRhythm user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] username username from host ip_addr: successfully invoked credentials proc
Sample Log: [2015-02-17 02:00:06.627] [INFO] app - [AUTHENTICATION] username logrhythmadmin from host 127.0.0.1: successfully invoked credentials proc
To Reproduce: Login to the Web Console with valid LogRhythm 'SQL' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] username username from host ip_addr successfully authenticated via SQL Server, verifying authorization...
Sample Log: [2015-02-17 02:00:06.627] [INFO] app - [AUTHENTICATION] username logrhythmadmin from host 127.0.0.1 successfully authenticated via SQL Server, verifying authorization...
To Reproduce: Login to the Web Console with valid LogRhythm 'SQL' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] attempting to authenticate username username from host ip_addr via SQL Server
Sample Log: [2015-02-17 02:00:06.578] [INFO] app - [AUTHENTICATION] attempting to authenticate username logrhythmadmin from host 127.0.0.1 via SQL Server
To Reproduce: Login to the Web Console with valid 'SQL' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] username username from host ip_addr WAS authenticated via SQL Server, retrieving user credentials...
Sample Log: [2015-02-17 02:00:06.601] [INFO] app - [AUTHENTICATION] username logrhythmadmin from host 127.0.0.1 WAS authenticated via SQL Server, retrieving user credentials...
To Reproduce: Login to the Web Console with valid LogRhythm 'SQL' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] AUTHENTICATION SUCCEEDED - ...authorization verified for username username from host ip_addr
Sample Log: [2015-02-17 02:00:07.123] [INFO] app - [AUTHENTICATION] AUTHENTICATION SUCCEEDED - ...authorization verified for username logrhythmadmin from host 127.0.0.1
To Reproduce: Login to the Web Console with valid LogRhythm 'SQL' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] attempting to authenticate username username from host ip_addr via SQL Server
Sample Log: [2015-02-17 02:07:18.486] [INFO] app - [AUTHENTICATION] attempting to authenticate username firstname.lastname from host 127.0.0.1 via SQL Server
To Reproduce: Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [AUTHENTICATION] username username from host ip_addr was NOT authenticated via SQL Server
Sample Log: [2015-02-17 02:07:18.812] [INFO] app - [AUTHENTICATION] username firstname.lastname from host 127.0.0.1 was NOT authenticated via SQL Server
To Reproduce: Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Event type: SESSION

Log Format: [SESSION] SESSION STARTED - adding username username from host ip_addr to sessions: details
Sample Log: [2015-02-17 02:40:55.900] [INFO] app - [SESSION] SESSION STARTED - adding username DOMAIN\firstname.lastname from host 127.0.0.1 to sessions: {"qualifiedUsername":"DOMAIN\\firstname.lastname","id":12,"personId":13,"isEnabled":true,"isGlobalAdmin":false,"isGlobalAnalyst":false,"isRestrictedAdmin":false,"isRestrictedAnalyst":true,"isGlobalUser":false,"isRestrictedUser":true,"msgSourceACLs":[],"allowedLogManagers":[{"id":1,"name":"192.168.253.10"}],"defaultLogManagers":[],"loginDate":"2015-02-17T09:40:55.895Z","defaultEntityId":1,"username":"firstname.lastname","person":{"personId":13,"firstName":"Andrew","middleName":null,"lastName":"Again","fullName":"Again, Andrew","abbreviation":null,"dateUpdated":"2014-06-23T21:32:50.807","recordStatus":1,"personType":1,"shortDesc":null,"longDesc":null,"adGroup":null},"clientAddr":"127.0.0.1"}
To Reproduce: Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [SESSION] socket.io authorized username username from client addr ip_addr
Sample Log: [2015-02-17 02:40:56.361] [INFO] app - [SESSION] socket.io authorized username firstname.lastname from client addr 127.0.0.1
To Reproduce: Login to the Web Console with valid LogRhythm 'Windows Domain' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [SESSION] SESSION STARTED - adding username username from host ip_addr to sessions: details
Sample Log: [2015-02-17 02:27:38.240] [INFO] app - [SESSION] SESSION STARTED - adding username LogRhythmAdmin from host 127.0.0.1 to sessions: {"qualifiedUsername":"LogRhythmAdmin","id":-100,"personId":-100,"isEnabled":true,"isGlobalAdmin":true,"isGlobalAnalyst":false,"isRestrictedAdmin":false,"isRestrictedAnalyst":false,"isGlobalUser":true,"isRestrictedUser":false,"msgSourceACLs":[],"allowedLogManagers":[{"id":1,"name":"192.168.253.10"},{"id":2,"name":"SD_DMZ_FTP1"}],"defaultLogManagers":[],"loginDate":"2015-02-17T09:27:38.237Z","defaultEntityId":1,"username":"LogRhythmAdmin","person":{"personId":-100,"firstName":"LogRhythm","middleName":null,"lastName":"Administrator","fullName":"LogRhythm Administrator","abbreviation":null,"dateUpdated":"2013-12-24T17:28:38.59","recordStatus":1,"personType":2,"shortDesc":null,"longDesc":null,"adGroup":null},"clientAddr":"127.0.0.1"}
To Reproduce: Login to the Web Console with valid LogRhythm 'SQL' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Log Format: [SESSION] socket.io authorized username username from client addr ip_addr
Sample Log: [2015-02-17 02:27:38.691] [INFO] app - [SESSION] socket.io authorized username LogRhythmAdmin from client addr 127.0.0.1
To Reproduce: Login to the Web Console with valid LogRhythm 'SQL' user credentials.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log
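As an added example (not part of this document and not LogRhythm's code) serving the FAU_GEN.1.1, AUTHENTICATION and SESSION tables above, this Python parser splits the "[timestamp] [LEVEL] source - [TAG] message" lines of ServicesHost.log, LRWebConsole.log and indexer.log into fields, extracts the username/host pair the FIA and FTA requirements call for, and reads the session JSON to list sessions started with isGlobalAdmin. The sample lines are constructed from the page's samples, with the session JSON cut down to the fields the code uses.

```python
import json
import re
from collections import Counter

# One pattern covers the page's three line shapes: "[timestamp] [LEVEL] <source> - [TAG] <message>".
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z]+)\] (?P<source>.+?) - \[(?P<tag>[A-Z]+)\] (?P<msg>.*)$')
# The identity fields the FIA/FTA tables carry: "username X from host Y" or "... from client addr Y".
ACTOR_RE = re.compile(r'username (?P<user>\S+) from (?:host|client addr) (?P<host>[\w.\-]+)')
ADDR_RE = re.compile(r'client addr (?P<host>[\w.\-]+)')  # socket.io disconnect lines carry no username

def parse_audit_line(line):
    """Split one log line into its audit fields; returns None for lines without a [TAG]."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    actor = ACTOR_RE.search(ev["msg"]) or ADDR_RE.search(ev["msg"])
    ev["user"] = actor.group("user") if actor and "user" in actor.groupdict() else None
    ev["host"] = actor.group("host") if actor else None
    msg = ev["msg"]  # outcome keywords are the leading words of the page's formats
    ev["outcome"] = ("success" if msg.startswith("AUTHENTICATION SUCCEEDED") else
                     "failure" if msg.startswith("AUTHENTICATION FAILED") else
                     "started" if msg.startswith("SESSION STARTED") else
                     "terminated" if msg.startswith("SESSION TERMINATED") else "info")
    ev["details"] = None
    if ev["outcome"] == "started" and "to sessions: " in msg:
        try:  # the session record is the JSON object that follows "to sessions: "
            ev["details"] = json.loads(msg.split("to sessions: ", 1)[1])
        except ValueError:
            pass  # truncated or non-JSON details: keep the event, drop the record
    return ev

def summarize(lines):
    """Count AUTHENTICATION FAILED events per host and list sessions started with isGlobalAdmin."""
    failures, admin_sessions, parsed = Counter(), [], 0
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev["tag"] not in ("AUTHENTICATION", "SESSION"):
            continue
        parsed += 1
        if ev["outcome"] == "failure":
            failures[ev["host"]] += 1
        if ev["outcome"] == "started" and ev["details"] and ev["details"].get("isGlobalAdmin"):
            admin_sessions.append((ev["user"], ev["host"], ev["ts"]))
    return {"parsed": parsed, "failures_by_host": dict(failures), "admin_sessions": admin_sessions}

# Constructed sample lines modelled on the page's samples; the session JSON is cut to the fields used.
SAMPLE_LOG = [
    "[2015-02-17 02:14:22.573] [ERROR] app - [AUTHENTICATION] AUTHENTICATION FAILED - Failed to authenticate username invalid_username from host 127.0.0.1 via web service (error: cannot GET /api/v1/credentials (403))",
    "[2015-02-17 02:00:07.123] [INFO] app - [AUTHENTICATION] AUTHENTICATION SUCCEEDED - ...authorization verified for username logrhythmadmin from host 127.0.0.1",
    '[2015-02-17 02:27:38.240] [INFO] app - [SESSION] SESSION STARTED - adding username LogRhythmAdmin from host 127.0.0.1 to sessions: {"qualifiedUsername":"LogRhythmAdmin","id":-100,"isGlobalAdmin":true,"clientAddr":"127.0.0.1"}',
    "[2015-02-17 02:26:59.809] [INFO] app - [SESSION] SESSION TERMINATED - username LogRhythmAdmin from host 127.0.0.1 has logged out",
    "[2015-02-13 14:55:40,929] [INFO] [9] ServicesHost.Program - [STARTUP] Started",
]
```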

Requirement: FPT_STM.1

FPT_STM.1 - Changes to the time including NTP sync.

Process: N/A: The Web Console does not change time / NTP sync.
Event Type: N/A
Log Format: N/A
Sample Log: N/A
To Reproduce: N/A
Default Log Location: N/A

Requirement: FPT_TUD_EXT.1

FPT_TUD_EXT.1 - Initiation of update.

Process: Please refer to the "common" InstallShield logs / events generated during an upgrade.
Event Type: N/A
Log Format: N/A
Sample Log: N/A
To Reproduce: N/A
Default Log Location: N/A

Requirement: FTA_SSL_EXT.1

FTA_SSL_EXT.1 - Any attempts at unlocking of an interactive session.

Process: N/A: Web Console sessions can only be terminated (there is no "locked" state to unlock).
Event Type: N/A
Log Format: N/A
Sample Log: N/A
To Reproduce: N/A
Default Log Location: N/A

Requirement: FTA_SSL.3

FTA_SSL.3 - The termination of a remote session by the session locking mechanism.

Process: node.js
Event Type: SESSION
Log Format: [SESSION] SESSION TERMINATED socket.io disconnected client addr ip_addr
Sample Log: [2015-02-17 02:26:59.825] [INFO] app - [SESSION] SESSION TERMINATED socket.io disconnected client addr 127.0.0.1
To Reproduce: Click the Logout button.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Process: node.js
Event Type: SESSION
Log Format: [SESSION] SESSION TERMINATED - username username from host ip_addr has logged out
Sample Log: [2015-02-17 02:26:59.809] [INFO] app - [SESSION] SESSION TERMINATED - username LogRhythmAdmin from host 127.0.0.1 has logged out
To Reproduce: Click the Logout button.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Requirement: FTA_SSL.4

FTA_SSL.4 - The termination of an interactive session.

Process: node.js
Event Type: SESSION
Log Format: [SESSION] SESSION TERMINATED - username username from host ip_addr has logged out
Sample Log: [2015-02-17 02:26:59.809] [INFO] app - [SESSION] SESSION TERMINATED - username LogRhythmAdmin from host 127.0.0.1 has logged out
To Reproduce: Click the Logout button.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Process: node.js
Event Type: SESSION
Log Format: [SESSION] SESSION TERMINATED socket.io disconnected client addr ip_addr
Sample Log: [2015-02-17 02:26:59.825] [INFO] app - [SESSION] SESSION TERMINATED socket.io disconnected client addr 127.0.0.1
To Reproduce: Click the Logout button.
Default Log Location: C:\Program Files\LogRhythm\LogRhythm Web Console\logs\LRWebConsole.log

Requirement: FTP_ITC.1

FTP_ITC.1 - Termination of the trusted channel. Failure of the trusted channel functions. Initiation of the trusted channel.

Process: ABG 2/16/2014 - This requirement is unclear / does not seem applicable to the Web Console.
Event Type: N/A
Log Format: N/A
Sample Log: N/A
To Reproduce: N/A
Default Log Location: N/A
