BloxOne security logs record security events generated by the supported application sources. Monitoring these events helps you understand the security posture of your network infrastructure, for example repeated failed logins, rejected API keys, or unexpected data exports.
To view the security logs, do the following:
From the Cloud Services Portal, click Administration > Logs > Security Logs.
On the Security Logs page, click Display Recent to display the most recent 100 security events.
or
Click to activate the filtering feature, and then click to configure your filter. From the Basic Columns menu, choose the filtering criterion you want to add. For example, if you choose Timestamp, use the calendar provided to select the time range within which you want to filter the results. To add more filtering criteria, click again to add another criterion. When you are done, click to apply the filter.
You can also click to remove the filter you just created. If you want to reuse the same criteria later, save the filter by clicking and entering a name for it. You can then click to select the saved filter without setting the filtering criteria again.
The Cloud Services Portal displays the following information for each event:
Timestamp: The UTC timestamp when the security event was logged.
User: The user account that triggered the security event.
App: The BloxOne application source that generated the security event. The following are the supported sources:
identity: The Identity and Access Management service.
nginx: The NGINX or Apache web server that fronts the API.
Security Event Type: The type of security event. See the following table for possible values and their respective descriptions.
Security Event Type | App Source | Description |
---|---|---|
nginx.access | nginx | The equivalent of an HTTP access log from NGINX or Apache. This includes the authenticated user and the claims carried in the request. |
nginx.data_export | nginx | A request for exporting data. |
nginx.legal_reason | nginx | A request from a country prohibited under US trade rules, rejected with HTTP 451 (Unavailable For Legal Reasons). |
nginx.unauthorized | nginx | A request made with an API key that was rejected with HTTP 403 (Forbidden). |
iam.login_succeeded | identity | Successful login. |
iam.login_failed | identity | Failed login. When a user/user account can be identified, the information is added to the event. |
iam.logout_succeeded | identity | Successful logout. |
iam.logout_failed | identity | Failed logout. When a user/user account can be identified, the information is added to the event. |
iam.apikey_disabled | identity | A request using a disabled API key. |
iam.apikey_expired | identity | A request using an expired API key. |
iam.denied_groups_claim | identity | The signed-in user's JSON Web Token (JWT) carries a restricted groups claim. |
iam.empty_groups_claim | identity | The signed-in user's JSON Web Token (JWT) carries an empty groups claim. |
To view more information for a specific event, click View Metadata to expand the panel to view the following:
Domain: The domain name from which the security event was generated.
Message: Describes the nature of the event. For example, a successful login is displayed as successful login for an identity or sso-identify app source. For an nginx app source, detailed information such as the source IP, the API request type, and the HTTP status of the request is displayed.
Exporting Security Logs in CSV Format
To download or export a security log in CSV format, do the following:
On the Security Logs page, click Download. The downloaded file is named security-log-<timestamp in UTC>.csv, for example security-log-10-10-2022, 10-30-59 PM UTC.csv.
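The portal itself shows only the most recent events and a keyword filter, so a practitioner will usually want to run detections over the CSV export instead. The following Python script is an added example, not part of BloxOne or this documentation: it parses an export and applies two detections built from the event types in the table above, a burst of iam.login_failed for one user followed by iam.login_succeeded (a guessed password rather than a forgotten one), and repeated rejected API-key use (nginx.unauthorized, iam.apikey_disabled, iam.apikey_expired). The column layout (Timestamp, User, App, Security Event Type, Domain, Message), the ISO 8601 timestamp format, and every sample row are assumptions constructed for the example; match the header names and timestamp format to a real export before using it.

```python
"""Triage a BloxOne security-log CSV export.

Added example, not part of the BloxOne product or documentation. The column
names below, the ISO 8601 timestamp format and the sample rows are assumptions
constructed for illustration; check them against a real export first.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

UNIDENTIFIED = "<unidentified>"

# Constructed sample export (assumed header layout); not real log data.
SAMPLE_CSV = """\
Timestamp,User,App,Security Event Type,Domain,Message
2022-10-10T22:30:01Z,,identity,iam.login_failed,csp.example.com,login failed
2022-10-10T22:30:04Z,alice@example.com,identity,iam.login_failed,csp.example.com,login failed
2022-10-10T22:30:07Z,alice@example.com,identity,iam.login_failed,csp.example.com,login failed
2022-10-10T22:30:09Z,alice@example.com,identity,iam.login_failed,csp.example.com,login failed
2022-10-10T22:30:12Z,alice@example.com,identity,iam.login_failed,csp.example.com,login failed
2022-10-10T22:30:14Z,alice@example.com,identity,iam.login_failed,csp.example.com,login failed
2022-10-10T22:30:20Z,alice@example.com,identity,iam.login_succeeded,csp.example.com,successful login
2022-10-10T22:31:00Z,svc-export,nginx,nginx.unauthorized,csp.example.com,src=198.51.100.7 GET /api/v1/items 403
2022-10-10T22:31:01Z,svc-export,nginx,nginx.unauthorized,csp.example.com,src=198.51.100.7 GET /api/v1/users 403
2022-10-10T22:31:02Z,svc-export,nginx,nginx.unauthorized,csp.example.com,src=198.51.100.7 GET /api/v1/keys 403
2022-10-10T22:35:00Z,bob@example.com,nginx,nginx.data_export,csp.example.com,src=203.0.113.5 POST /api/v1/export 200
2022-10-10T22:36:00Z,carol@example.com,identity,iam.apikey_expired,csp.example.com,expired API key
2022-10-10T22:40:00Z,bob@example.com,identity,iam.logout_succeeded,csp.example.com,successful logout
"""


def parse_events(csv_text):
    """Parse the export into dicts sorted by time; timestamps are UTC."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["Timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            # iam.login_failed only carries a user when one could be identified
            "user": row["User"] or UNIDENTIFIED,
            "app": row["App"],
            "type": row["Security Event Type"],
            "domain": row["Domain"],
            "message": row["Message"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def bursts(events, event_type, threshold, window):
    """Return (user, window_start, count) for each user with at least
    `threshold` events of `event_type` inside a sliding time window.
    Unidentified users are skipped: anonymous failures have no single target."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == event_type and e["user"] != UNIDENTIFIED:
            per_user[e["user"]].append(e["ts"])
    findings = []
    for user, times in sorted(per_user.items()):
        start, best = 0, None
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (user, times[start], count)
        if best:
            findings.append(best)
    return findings


def failed_logins_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """A burst of iam.login_failed followed by iam.login_succeeded for the same
    user is the signature of a guessed password, not a forgotten one."""
    findings = []
    for user, first_ts, count in bursts(events, "iam.login_failed", threshold, window):
        succeeded = any(
            e["type"] == "iam.login_succeeded" and e["user"] == user
            and first_ts <= e["ts"] <= first_ts + 2 * window
            for e in events
        )
        findings.append({"user": user, "first_failure": first_ts,
                         "failures": count, "then_succeeded": succeeded})
    return findings


def api_key_probing(events, threshold=3, window=timedelta(minutes=5)):
    """Repeated rejected API-key use: nginx.unauthorized (HTTP 403) at the web
    tier, or iam.apikey_disabled / iam.apikey_expired from the identity service."""
    findings = []
    for event_type in ("nginx.unauthorized", "iam.apikey_disabled", "iam.apikey_expired"):
        for user, first_ts, count in bursts(events, event_type, threshold, window):
            findings.append({"user": user, "type": event_type,
                             "first_seen": first_ts, "count": count})
    return findings


def summarize(events):
    """Event counts per (app, type): a quick sanity check of what was exported."""
    return Counter((e["app"], e["type"]) for e in events)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_CSV)
    for (app, kind), n in sorted(summarize(evts).items()):
        print(f"{n:3d}  {app:<9}{kind}")
    for f in failed_logins_then_success(evts):
        print("ALERT login burst:", f)
    for f in api_key_probing(evts):
        print("ALERT api-key probing:", f)
```

Run it against a real export by replacing SAMPLE_CSV with the file contents. The sliding window is keyed on the User column because that is what the log attributes; an iam.login_failed row with no identifiable user is counted in the summary but deliberately excluded from the burst detection, since a pile of anonymous failures cannot be tied to a single targeted account. Tune the thresholds and window to your tenant's normal traffic before alerting on them.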
You can also do the following on the Security Logs page:
Click the Sort by menu to choose the column by which you want to sort the events, and then use the up/down arrows to sort the events in ascending or descending order.
Enter the keyword that you want to search for in the Search text box. The Cloud Services Portal displays the security events that match the keyword.