Remote Security Logging in IGEL
This article describes the remote security logging feature for the IGEL Universal Management Suite (UMS), the IGEL Cloud Gateway (ICG) and the IGEL Management Interface (IMI). The remote security logging feature logs security-relevant events in separate log files that can be picked up by a configured log collector/SIEM.
Remote security logging is independent of the normal logging and is disabled by default.
Enable Remote Security Logging
You can enable the feature in the UMS Console, through UMS Administration > Global Configuration > Logging > Activate security logging. This will enable logging for all components, including UMS Server, UMS Console, UMS Web App, IMI, and ICG.
Where Are the Log Files Stored?
You can find the UMS Server log file created by remote security logging:
On Windows:
C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\ums-server\ums-server-security.log
On Linux:
/opt/IGEL/RemoteManager/rmguiserver/logs/ums-server/ums-server-security.log
You can find the UMS Administrator log file created by remote security logging:
On Windows:
C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\ums-admin\ums-admin-security.log
On Linux:
/opt/IGEL/RemoteManager/rmguiserver/logs/ums-admin/ums-admin-security.log
You can find the ICG log file created by remote security logging:
On Linux:
/opt/IGEL/icg/usg/logs/icg-security.log
You can find the UMS Web App log file created by remote security logging:
On Windows:
C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\wums-app-security.log
On Linux:
/opt/IGEL/RemoteManager/rmguiserver/logs/wums-app-security.log
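As an added example that is not part of the IGEL article, the following Filebeat filestream configuration collects the four security log files listed above and tags each event with the component it came from, so the SIEM can route and alert on them separately. The Linux paths are those given above; the Windows equivalents are noted in comments, and the collector host and CA file are placeholders.

```yaml
# Added example, not IGEL's own configuration. Each input reads one of the
# security log files named in the article and adds an igel_component field.
filebeat.inputs:
  - type: filestream
    id: igel-ums-server-security          # filestream inputs need a unique id
    paths:
      - /opt/IGEL/RemoteManager/rmguiserver/logs/ums-server/ums-server-security.log
      # Windows: C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\ums-server\ums-server-security.log
    fields:
      igel_component: ums-server
      event_category: igel_security
    fields_under_root: true
  - type: filestream
    id: igel-ums-admin-security
    paths:
      - /opt/IGEL/RemoteManager/rmguiserver/logs/ums-admin/ums-admin-security.log
      # Windows: C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\ums-admin\ums-admin-security.log
    fields:
      igel_component: ums-admin
      event_category: igel_security
    fields_under_root: true
  - type: filestream
    id: igel-icg-security
    paths:
      - /opt/IGEL/icg/usg/logs/icg-security.log   # ICG is Linux-only in the article
    fields:
      igel_component: icg
      event_category: igel_security
    fields_under_root: true
  - type: filestream
    id: igel-ums-webapp-security
    paths:
      - /opt/IGEL/RemoteManager/rmguiserver/logs/wums-app-security.log
      # Windows: C:\Program Files\IGEL\RemoteManager\rmguiserver\logs\wums-app-security.log
    fields:
      igel_component: ums-webapp
      event_category: igel_security
    fields_under_root: true

# Forward to the SIEM's collector over TLS; host and CA path are placeholders.
output.logstash:
  hosts: ["siem-collector.example.internal:5044"]
  ssl.certificate_authorities: ["/etc/filebeat/siem-ca.pem"]
```

The source tags described in the next section (UMS-Server, ICG, IMI, UMS-Webapp) remain in the message text, so the SIEM can still distinguish IMI events, which have no dedicated file in the list above.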
Logged Events
In the log file, some logged events are marked with source tags:
UMS Server events contain the source tag UMS-Server.
ICG events contain the source tag ICG.
IMI events contain the source tag IMI.
UMS Web App events contain the source tag UMS-Webapp.
Logged UMS Events
UMS user login and logoff
UMS user successful and failed logons
UMS user password change
All direct and indirect assignment changes to devices ("privileged policy changes")
All config changes to devices
Shutdown of UMS or ICG services/processes
UMS Administrator user account creation/deletion
UMS Administrator user password change
Logged UMS Web App Events
Authentication events
Deletion of a search
Update or deletion of a profile or priority profile
Assignment of the following objects to, or detachment from, a folder or a device:
profiles
priority profiles
variables
firmware customizations
Device commands:
reset to factory default
update device settings
Logged ICG Events
User creation and deletion
Successful and failed authentication
File uploads
Logged IMI Events
Authentication events
Add operations
Update operations
Delete operations