BloxOne security logs track security events generated by supported applications. Use these logs to monitor security events and gain deeper insight into the security and safety of your network.
To view the security logs, do the following:
In the Cloud Services Portal, click Administration > Logs > Security Logs.
On the Security Logs page, click Display Recent to display the most recent 100 security events. Alternatively, click
to activate the filtering feature, and then click
to configure your filter.
From the Basic Columns menu, choose the filtering criterion you want to add. For example, if you choose Timestamp, use the calendar feature to select an applicable timeline within which you want to filter the results.
To add more filtering criteria, click
again.
When you are done, click
to filter the events.
To remove the filter you have just created, clickTo use the same criteria for other filters, click
to save this filter, and enter a name for it.
To find the saved filter in the future without setting the filtering criteria again, click
.
The Cloud Services Portal displays the following information for each security event:
Timestamp: The UTC timestamp for the time the event was logged.
User: The user account that triggered the event.
App: The BloxOne application source that generated the event. The following sources are supported:
identity: Identity and Access Management Service.
ngnix: The NGNIX or Apache web server.
Security Event Type: The type of the event. The following are supported types and their descriptions:
Security Event Type | App Source | Description |
---|---|---|
nginx.access | nginx | The equivalent of an HTTP access log from NGNIX or Apache. The log includes the user who is authenticated and claims in the request. |
nginx.data_export | nginx | A request for exporting data. |
nginx.legal_reason | nginx | A request from a country prohibited by the US trade rules (HTTP 451). |
nginx.unauthorized | nginx | A request that is made by using an API key and that resulted in an unauthorized response (HTTP 403). |
iam.login_succeeded | identity | Successful login. |
iam.login_failed | identity | Failed login. When a user or a user account can be identified, the information is added to the event. |
iam.logout_succeeded | identity | Successful logout. |
iam.logout_failed | identity | Failed logout. When a user or a user account can be identified, the information is added to the event. |
iam.apikey_disabled | identity | A request made by using a disabled API key. |
iam.apikey_expired | identity | A request made by using an expired API key. |
iam.denied_groups_claim | identity | An indication that the signed-in user has a restricted JSON web token group claim. |
iam.empty_groups_claim | identity | An indication that the signed-in user has an empty JSON web token group claim. |
To view more information for a specific event, click View Metadata to expand the panel that shows the following:
Domain: The name of the domain from which the security event was generated.
Message: The nature of the event. For example, successful login is displayed for a successful login via an identity or sso-identify app source. For a nignix app source, detailed information is displayed, such as the source IP, the API request type, and the HTTP status for the event.
Downloading and Exporting Security Logs in CSV Format
On the Security Logs page, click Download. This will download a file formatted as security-log-the timestamp in UTC format.csv, such as security-log-10-10-2022, 10-30-59 PM UTC.csv
.
You can also do the following on the Security Logs page:
Sort events in ascending or descending order: Click the Sort by menu, choose the column by which you want to sort the events, and then use the up and down arrows.
View the security events that match a specific keyword: In the Search text box, enter a keyword that you want to search on. The Cloud Services Portal will show the events that match the keyword.