LoadMaster Extended Log Files

Scope:

 

This article provides an overview of the Extended Log Files that you can find and review on your LoadMaster.

  

Extended Logs

A. Connection Logs

B. Security Logs

C. User Logs

 

A. Connection Logs

The Connection Logs are used to determine when a connection was established to a specific Edge Security Pack (ESP) service and from which origin (client and port) the connection came.

[Screenshot: Ext.logs.connection.PNG]

B. Security Logs

The Security Logs record some attacks, as well as the use of a host name or directory that is not allowed.

In the example below, the Allowed Virtual Hosts have been set to mail.foxworld.loc (so anything other than the set host name is blocked) but the client used the Virtual Service IP address instead of a host name and got blocked as expected. This resulted in an access denied response.

 

[Screenshot: Ext.logs.security.PNG]

In the example below, the Allowed Virtual Directories have either not been set at all or have been set to a different directory, so the client received an access denied error.

[Screenshot: Ext.logs.security2.PNG]

On firmware versions below 7.2.42.0, logs like the ones below were recorded when special characters were set in the SSO Greeting Message for the ESP Image Set.

Sep 8 10:45:46 KEMP01 l7log: Attempted XSS attack on 192.168.16.23:443 from 87.152.177.67:49321 (dtcode 7) 
Sep 8 10:47:02 KEMP01 l7log: Attempted XSS attack on 192.168.16.23:443 from 63.240.164.10:48413 (dtcode 7) 
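
A triage helper for the l7log entries above, added here as an example and not taken from the vendor's documentation or tooling. The regular expression is inferred from the two sample lines only; the function names and the firmware argument are assumptions of this example.

```python
import re
from collections import Counter

# Pattern derived from the two sample lines on this page; other l7log
# message types are not covered (assumption: same layout as shown).
L7_XSS = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+l7log:\s+"
    r"Attempted XSS attack on (?P<vs>\S+?):(?P<vs_port>\d+) "
    r"from (?P<src>\S+?):(?P<src_port>\d+) \(dtcode (?P<dtcode>\d+)\)\s*$"
)

# Per the article, below this firmware version the entry was also logged
# when the SSO Greeting Message contained special characters.
FIXED_IN = (7, 2, 42, 0)


def parse_version(text):
    """Turn '7.2.41.0' into a comparable tuple, padded to four parts."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(lines, firmware):
    """Return (events, per-source counts, needs_config_check)."""
    events = []
    for line in lines:
        m = L7_XSS.match(line)
        if m:
            events.append(m.groupdict())
    per_source = Counter(e["src"] for e in events)
    # On affected firmware, check the greeting message before treating
    # the entries as client-driven.
    needs_config_check = bool(events) and parse_version(firmware) < FIXED_IN
    return events, per_source, needs_config_check


# The two log lines shown above, plus one constructed unrelated line.
SAMPLE = [
    "Sep 8 10:45:46 KEMP01 l7log: Attempted XSS attack on 192.168.16.23:443 from 87.152.177.67:49321 (dtcode 7) ",
    "Sep 8 10:47:02 KEMP01 l7log: Attempted XSS attack on 192.168.16.23:443 from 63.240.164.10:48413 (dtcode 7) ",
    "Sep 8 10:48:00 KEMP01 sshd: constructed line that must be ignored",
]

if __name__ == "__main__":
    events, per_source, check = triage(SAMPLE, "7.2.41.0")
    for src, n in per_source.most_common():
        print(f"{src}: {n} event(s)")
    if check:
        print("Firmware below 7.2.42.0: review the SSO Greeting Message first")
```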

 

C. User Logs

The User Logs reveal the source IP address, the username, and where this user went after logon.

You can only see a username here if the LoadMaster has been actively involved in the authentication, either with Forms Based or Basic Authentication.

The example below shows that the user administrator@foxworld.loc has successfully authenticated to their Exchange mailbox. The last highlighted line is the log for a successful logout.

[Screenshot: Ext.logs.user.PNG]

This sample shows the log message for the user mmaxwell, who was denied access. There may be multiple reasons for this. The credentials (username and password) could have been incorrect. Or, if permitted groups are set, this user might not be part of the permitted groups.

Note: If you use a LoadMaster firmware version below 7.2.37, this log message also appears for expired passwords.

[Screenshot: Ext.logs.wrong.cred.or.group.PNG]

 

The example below shows that the user mmaxwell has an expired password and must reset it.

The two lines below reveal that the user requested the password reset and would then be able to log on properly again.

[Screenshot: Ext.logs.pwreset.PNG]

 

 

 
