Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
696
Views
0
Helpful
1
Replies

Notification for every time an action is committed by an Administrator

TBHernandez
Level 1
Level 1

‎06-08-2016 10:09 AM

Hello All,

Is there a way to create a notification, that would inform us as to when an Administrator "Commits" an action he/she has made on the IronPort appliances? 

Labels:
Preview file
11 KB
0 Helpful
1 Reply 1

Mathew Huynh
Cisco Employee
Cisco Employee

‎06-08-2016 05:10 PM

Hello TBHernandez,

While there is no immediate option on the ESA to send a notification on this, you can run some grep commands in the logs (gui_logs / cli_logs) to locate when this occurs for auditing.

However note, these logs are not really human readable formatting, and are very general in terms of showing which user was looking at what pages, but will not outline the specific changes, but you can check when a commit was posted to the ESA.

on the CLI, use this command: grep -i "req.*post.*/commit" gui_logs

You will see outputs like:

Thu Jun 9 08:56:18 2016 Info: req:10.137.76.103 user:admin id:2Sc5L20JYgyaXgS3EM05 303 POST /commit HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Where you will see the IP of the CPU used to login, the account used and when a commit was posted.

You can audit command line logs as well to see commits done at the command line with:

grep "PID.*User.*entered 'commit'" cli_logs

You will see outputs like:

Wed Jun  8 10:26:23 2016 Info: PID 57555: User admin entered 'commit'; prompt was '\nC680.ironport.lab>

Where a commit was used.

Regards,

Matthew

0 Helpful
Customers Also Viewed These Support Documents