This chapter describes how to use and configure PrivX auditing features.

Viewing Audit Data

In the PrivX GUI, you can find audit data from the following locations:

  • For connection-specific audit events, go to Monitor→Connections and click one of the connection entries.

  • For global audit events, see Monitor→Events.

  • PrivX microservices generate logs to /var/log/messages. These may be useful in troubleshooting scenarios.

Note

To obtain video playback from connections, enable session recording as described in the section called “Session Recording Setup”.

Using CEF Format for Audit Data

PrivX audit data can alternatively be formatted in the Common Event Format (CEF). Switching the audit logging to CEF may allow easier interoperability with some SIEM systems.

To switch the audit data format to CEF, edit the /opt/privx/etc/shared-config.toml file, setting the audit_event_format parameter to the following:

audit_event_format = "cef"

Restart PrivX to apply the changes:

# systemctl restart privx
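The chapter does not show PrivX's exact CEF field mapping, so the following is an added example (not PrivX code) of how a receiving system parses a syslog-wrapped CEF record: it splits the seven header fields on unescaped pipes, splits the extension on key=value boundaries, applies the CEF escaping rules (\| and \\ in the header, \= and \\ in extension values) and resolves custom-string labels such as cs1Label. The sample line is constructed; the event name and ID 401 come from Table 9.1, while the vendor, product, version placeholder, severity and extension keys are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a syslog-wrapped CEF line of the kind PrivX would emit with
# audit_event_format = "cef". The event name and eventID 401 come from Table 9.1;
# vendor/product strings, the version placeholder, the severity and the extension
# keys are assumptions, not PrivX's documented mapping.
SAMPLE_CEF_LINE = (
    'Dec  5 15:57:27 privx.example.com SSH-PRIVX-AUDIT[6825]: '
    'CEF:0|SSH|PrivX|EXAMPLE-VERSION|401|Authorization-certificate-granted|3|'
    'suser=alice dst=127.0.0.1 dpt=45910 msg=certificate-created '
    'cs1Label=keyID cs1=alice@127.0.0.1:45910-serial-2571351803943628705'
)


@dataclass
class CefEvent:
    cef_version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)


def _unescape(text):
    # CEF escapes a backslash as "\\"; header fields escape "|" and extension
    # values escape "=". "\n" and "\r" inside extension values mean line breaks.
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), text)


def _split_header(body):
    """Split the seven header fields on unescaped '|'; the rest is the extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == '\\' and i + 1 < len(body):
            cur.append(body[i:i + 2])   # keep the escape pair for _unescape
            i += 2
            continue
        if c == '|':
            fields.append(''.join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError('CEF header has fewer than 7 fields')
    return [_unescape(f) for f in fields], body[i:]


# A key starts at the beginning of the extension or after whitespace and ends at
# an unescaped '='; values may contain spaces, so they run up to the next key.
_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')


def _parse_extension(ext):
    out = {}
    matches = list(_KEY.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    # Resolve custom-string labels: csNLabel=X together with csN=Y also yields X -> Y.
    for key, label in list(out.items()):
        if key.endswith('Label') and key[:-5] in out:
            out[label] = out[key[:-5]]
    return out


def parse_cef(line):
    """Parse one CEF record, ignoring any syslog prefix before 'CEF:'."""
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('no CEF record in line')
    header, ext = _split_header(line[start + len('CEF:'):])
    return CefEvent(*header, extension=_parse_extension(ext))


if __name__ == '__main__':
    ev = parse_cef(SAMPLE_CEF_LINE)
    print(ev.signature_id, ev.name, ev.extension.get('keyID'))
```

The label resolution is what lets a SIEM rule refer to the PrivX field name (keyID) rather than the generic cs1 slot; the header splitter stops after the seventh pipe because unescaped pipes are legal inside extension values.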

Logging CEF Audit Messages to External SIEM

To send CEF log messages to an external SIEM, edit the /etc/rsyslog.conf file, and add the following:

# Send messages using rsyslog "forwarding output module".
# On network error, try to reconnect 100 times to avoid lost messages.
# Queue the messages.
local6.* action(type="omfwd" target="example.siem.net" port="1234" protocol="tcp"
action.resumeRetryCount="100"
queue.type="linkedList" queue.size="10000")

# Drop the local6 messages from default messages.
local6.none   /var/log/messages

Restart syslog:

# systemctl restart rsyslog

For more information on configuring rsyslog, see https://www.rsyslog.com/guides/

Logging CEF Audit Messages Internally

If you want to use the internal syslog service, add the following to the /etc/rsyslog.conf file:

# Create a template for CEF messages.
template(name="SSH_CefFormat" type="string"
string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n")

# Use the template for local6 (PrivX CEF logger uses that facility)
local6.*                                /var/log/ceflog;SSH_CefFormat

# Drop the local6 messages from default messages.
*.info;mail,authpriv,cron,local6.none   /var/log/messages

Restart syslog:

# systemctl restart rsyslog

Session Recording Setup

This section describes the procedures for setting up session recording.

When session recording is enabled, connection-specific audit events also provide:

  • Video playback. With SSH sessions you can search for keyword occurrences.

  • Transferred files.

  • Clipboard (RDP only).

  • Channel logs (SSH only).

To enable session recording for connections to a host:

  1. On the Settings→Hosts page, Edit the host.

  2. Under Options, enable the setting Session Recording. Click Save to apply your changes.

    Subsequent sessions to the host are recorded. You can view the playback and transferred files from the connection-specific audit events, available from Monitor→Connections.

Session recordings should not be stored on PrivX servers as they may consume lots of disk space; you should configure PrivX to store session recordings on an external share instead (such as NFS). To set up external storage share for PrivX session recordings:

  1. On your external storage server, create a share for storing PrivX session recordings. The share must be a directory that satisfies the following:

    • The share must be mountable by all PrivX servers.

    • The share must be readable and writable by the privx system user of every PrivX server.

  2. On each PrivX server, install any extensions required for mounting the external-storage share. For example, to mount NFS shares you will likely need to install nfs-utils; for SMB shares you will likely need cifs-utils. These extension packages are available from the RHEL/CentOS public repositories.

  3. On each PrivX server, mount the external share to a local directory. To enable mounting the share on system startup, we recommend adding the mount directive to /etc/fstab.

    To allow the GUI to display other connection logs when the NFS server is unavailable, mount the share with options like the following:

    soft
    timeo=10
    retry=1

  4. On each PrivX server, configure PrivX to store session recordings to the mounted share. To do this, edit the data_folder setting in /opt/privx/etc/shared-config.toml (replace /path/to/privx-trails with the local directory to which the external share is mounted):

    data_folder="/path/to/privx-trails"

    Save your changes, then restart PrivX services to apply the changes:

    # systemctl restart privx

By default PrivX retains session recordings indefinitely. You may configure PrivX to automatically delete old recordings, using the following settings:

  • trail_expiry in /opt/privx/etc/shared-config.toml - Delete recordings older than the specified number of days. Set to -1 to disable automatic deletion.

  • housekeeping_interval_for_trails in /opt/privx/etc/connectionmanager.toml - The interval at which PrivX checks for and deletes expired recordings. Specified in hours.

To apply new configurations, restart the PrivX services:

# systemctl restart privx

Note

PrivX generates keyframe data when opening RDP session recordings for the first time. Note that this may take up to several minutes for large RDP and web-connection trails.

PrivX indexes session recordings when they are searched for the first time. Depending on the duration of the recording, the first search may take some time. SSH transcripts require roughly ten times the storage space compared to the original video recording.

Log-Collector Setup

You can configure PrivX to forward audit events to external log collectors. The required configurations are provided separately per supported log collector.

AWS CloudWatch

  1. Create an AWS user with permissions for pushing logs to CloudWatch. The user's permissions should be similar to the following (Sid is arbitrary):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "examplesid",
          "Effect": "Allow",
          "Action": "events:PutEvents",
          "Resource": "*"
        }
      ]
    }

    Obtain the Access key ID and the Secret access key of this AWS user, required later for configuring PrivX.

  2. Create a rule in CloudWatch for collecting PrivX logs. The rule must have the following Event pattern:

    {
      "source": [
        "com.ssh.privx"
      ]
    }

    To associate actions to collected logs, also create Targets for the rule.

  3. Add your log collector to PrivX.

    In the PrivX GUI, navigate to the page Settings→Deployment→Configure cloud log collectors, then click Add Log Collector. Set Service to Amazon CloudWatch Events, and provide the other required settings as well. Click Save to apply your settings.

    PrivX logs are now sent to your AWS CloudWatch and processed according to all the applicable rule targets.

Azure Event Hubs

  1. In Azure Active Directory, register PrivX as an application.

  2. In Azure Event Hubs, create an event hub for PrivX. Your Access Control must allow the previously-registered PrivX application to access this hub.

  3. To process incoming events, you may create consumers for the hub.

  4. Add your log collector to PrivX.

    In the PrivX GUI, navigate to the page Settings→Deployment→Configure cloud log collectors, then click Add Log Collector. Set Service to Azure Event Hubs, and provide the other required settings as well. Click Save to apply your settings.

    PrivX logs are now sent to the hub and processed according to all the applicable rules.

Matching Certificate-Based-Login Messages

PrivX users logging in with certificate-based authentication generate log messages both on the PrivX server and on the target host. These messages can be matched by the certificate serial.

For example, an SSH connection to a Unix host may generate the following messages:

  • On the PrivX server (in /var/log/messages):

    Dec 5 15:57:27 privx.example.com SSH-PRIVX-AUDIT[6825]:
    [event="Authorization-certificate-granted" eventID="401"
    keyID="alice@127.0.0.1:45910-serial-2571351803943628705"
    message="certificate-created" target="127.0.0.1:45910"
    username="alice"]
  • And on the target host (typically in /var/log/secure or /var/log/auth.log):

    Dec  5 15:57:28 ld-jizhouya sshd[22799]: Accepted publickey for alice
    from 192.0.2.102 port 38126 ssh2: RSA-CERT ID alice@127.0.0.1:45910
    serial 2571351803943628705 (serial 2571351803943628705)
    CA RSA SHA256:aVOPjQAB2b+y64OJ8UozVe5EKegsrCClE9UQN/MEq4c

As another example, an RDP connection to a Windows host may generate:

  • On the PrivX server (in /var/log/messages):

    Dec 5 08:24:41 dhcp-10-1-54-160.hel.fi.ssh.com SSH-PRIVX-AUDIT[14189]:
    [event="Authorization-certificate-granted" eventID="401"
    SSH-PrivX-service="AUTHORIZER" message="RDP-certificate-created"
    serial="1A654E1CD607153C"
    sha1-fingerprint="..." sha256-fingerprint="..."
    target="127.0.0.1:47390" upn="alice@example.com" username="alice"]
  • And on the target host (in Windows Event Viewer→Windows Logs→Security→Event details):

    Audit Success 5.12.2018 15.25.09 Microsoft-Windows-Security-Auditing
    4768 Kerberos Authentication Service "A Kerberos authentication
    ticket (TGT) was requested.
    
    Account Information:
    Account Name: alice
    Supplied Realm Name: EXAMPLE.COM
    User ID: EXAMPLE\alice
    
    Service Information:
    Service Name: krbtgt
    Service ID: EXAMPLE\krbtgt
    
    Network Information:
    Client Address: ::1
    Client Port: 0
    
    Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x0
    Ticket Encryption Type: 0x12
    Pre-Authentication Type: 15
    
    Certificate Information:
    Certificate Issuer Name: 10.1.54.160
    Certificate Serial Number: 1A654E1CD607153C
    Certificate Thumbprint: 1580AB1E1428B94B5DCF2EB13145B524B864D65F
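The serial matching described above can be automated. The following added example (not part of the PrivX documentation or product) parses the three message formats shown in this section, PrivX audit lines, sshd certificate logins and the Windows 4768 event text, and joins them on the certificate serial, flagging target-host certificate logins for which no PrivX issuance event exists and logins where the username on the two sides differs. The sample input is the example messages from this section, each joined back onto one line as it appears in the real log files. Reading the SSH serial as decimal and the RDP serial as hex follows the examples above and is an assumption about the formats.

```python
import re

# Sample lines taken from the examples in this section; the PrivX and sshd messages
# are joined onto one line each, and the Windows 4768 event is reduced to the
# fields used here.
PRIVX_LINES = [
    'Dec 5 15:57:27 privx.example.com SSH-PRIVX-AUDIT[6825]: '
    '[event="Authorization-certificate-granted" eventID="401" '
    'keyID="alice@127.0.0.1:45910-serial-2571351803943628705" '
    'message="certificate-created" target="127.0.0.1:45910" username="alice"]',
    'Dec 5 08:24:41 dhcp-10-1-54-160.hel.fi.ssh.com SSH-PRIVX-AUDIT[14189]: '
    '[event="Authorization-certificate-granted" eventID="401" '
    'SSH-PrivX-service="AUTHORIZER" message="RDP-certificate-created" '
    'serial="1A654E1CD607153C" sha1-fingerprint="..." sha256-fingerprint="..." '
    'target="127.0.0.1:47390" upn="alice@example.com" username="alice"]',
]
SSHD_LINES = [
    'Dec  5 15:57:28 ld-jizhouya sshd[22799]: Accepted publickey for alice from '
    '192.0.2.102 port 38126 ssh2: RSA-CERT ID alice@127.0.0.1:45910 serial '
    '2571351803943628705 (serial 2571351803943628705) CA RSA '
    'SHA256:aVOPjQAB2b+y64OJ8UozVe5EKegsrCClE9UQN/MEq4c',
]
WINDOWS_4768_TEXT = """Audit Success 5.12.2018 15.25.09 Microsoft-Windows-Security-Auditing
4768 Kerberos Authentication Service "A Kerberos authentication ticket (TGT) was requested.
Account Name: alice
Certificate Serial Number: 1A654E1CD607153C
"""

PRIVX_FIELD = re.compile(r'([A-Za-z0-9_-]+)="([^"]*)"')
SSHD_CERT = re.compile(
    r'Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) '
    r'ssh2: \S+-CERT ID (?P<keyid>\S+) serial (?P<serial>\d+)')
WIN_SERIAL = re.compile(r'Certificate Serial Number:\s*([0-9A-Fa-f]+)')
WIN_ACCOUNT = re.compile(r'Account Name:\s*(\S+)')


def parse_privx_audit(line):
    """Return the key="value" fields of a PrivX audit line plus a normalised serial.

    Assumption taken from the examples: SSH certificates carry a decimal serial at
    the end of keyID ("...-serial-N"); RDP certificates carry a hex serial field.
    """
    if 'SSH-PRIVX-AUDIT' not in line:
        return None
    fields = dict(PRIVX_FIELD.findall(line))
    m = re.search(r'-serial-(\d+)$', fields.get('keyID', ''))
    if m:
        fields['serial_int'] = int(m.group(1))
    elif 'serial' in fields:
        fields['serial_int'] = int(fields['serial'], 16)
    else:
        return None
    return fields


def parse_sshd_cert_login(line):
    """sshd prints the certificate serial in decimal."""
    m = SSHD_CERT.search(line)
    if not m:
        return None
    return {'source': 'sshd', 'user': m['user'], 'src': m['src'],
            'serial_int': int(m['serial'])}


def parse_windows_4768(text):
    """Event 4768 prints the certificate serial in hex."""
    s, a = WIN_SERIAL.search(text), WIN_ACCOUNT.search(text)
    if not (s and a):
        return None
    return {'source': 'windows-4768', 'user': a.group(1), 'src': None,
            'serial_int': int(s.group(1), 16)}


def correlate(privx_lines, target_records):
    """Join target-host certificate logins to PrivX eventID 401 by serial."""
    issued = {}
    for line in privx_lines:
        ev = parse_privx_audit(line)
        if ev and ev.get('eventID') == '401':   # Authorization-certificate-granted
            issued[ev['serial_int']] = ev
    matched, unmatched = [], []
    for rec in target_records:
        if rec is None:
            continue
        ev = issued.get(rec['serial_int'])
        if ev is None:
            unmatched.append(rec)   # certificate login with no PrivX issuance record
        else:
            matched.append({'serial_int': rec['serial_int'], 'privx': ev, 'target': rec,
                            'user_match': ev.get('username') == rec['user']})
    return matched, unmatched


if __name__ == '__main__':
    records = [parse_sshd_cert_login(l) for l in SSHD_LINES] + [parse_windows_4768(WINDOWS_4768_TEXT)]
    matched, unmatched = correlate(PRIVX_LINES, records)
    for m in matched:
        print(m['target']['source'], m['target']['user'], '<-', m['privx']['target'], m['user_match'])
    for rec in unmatched:
        print('no PrivX issuance event for serial', rec['serial_int'], rec)
```

On a real deployment the PrivX side comes from the forwarded local6 stream or /var/log/messages and the target side from the hosts' own logs; the unmatched list is the interesting output, since a certificate login that PrivX never recorded issuing deserves investigation.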

Audit Events in PrivX

This section lists the audit events raised by the PrivX system. Note that some of the listed audit-event types are not used by the current PrivX version.

PrivX uses syslog facilities to write audit events. Audit events are stored to the system's default syslog location. On RHEL/CentOS 7 the default location is /var/log/messages.

The debug logs for each microservice are in the following locations:

  • /var/log/privx/auth.log - Logs for the OAuth2 microservice.

  • /var/log/privx/authorizer.log - Logs for the authorizer microservice.

  • /var/log/privx/connectionmanager.log - Logs for the connection manager microservice.

  • /var/log/privx/hoststore.log - Logs for the hoststore microservice.

  • /var/log/privx/keyvault.log - Logs for the keyvault microservice.

  • /var/log/privx/monitorservice.log - Logs for the monitor microservice.

  • /var/log/privx/rdpmitm.log - Logs for the RDP-Bastion microservice.

  • /var/log/privx/rdpproxy.log - Logs for the RDP-proxy microservice.

  • /var/log/privx/redemption.log - Logs for the RDP-trail-encoder microservice.

  • /var/log/privx/rolestore.log - Logs for the role-store microservice.

  • /var/log/privx/sshmitm.log - Logs for the SSH-Bastion microservice.

  • /var/log/privx/sshproxy.log - Logs for the SSH-proxy microservice.

  • /var/log/privx/trail-index.log - Logs for the trail-indexer microservice.

  • /var/log/privx/userstore.log - Logs for the user-store microservice.

  • /var/log/privx/watchdog.log - Logs for the watchdog microservice.

  • /var/log/privx/workflowengine.log - Logs for the workflow-engine microservice.

Table 9.1. List of Audit Events

Event Name                                      Code  Description
License-error                                   0     The system license does not allow operation.
Configuration-error                             1     The system configuration is invalid.
Service-starting                                10    The service is starting.
Service-running                                 11    The service is running.
Service-stopped                                 12    The service has been stopped.
User-logged-in                                  100   User has logged in to the system.
User-login-failed                               102   User login operation failed.
User-MFA-challenge-sent                         103   User tried to log in without MFA pin code.
User-MFA-challenge-accepted                     104   User successfully authenticated with MFA pin code.
User-MFA-challenge-setup-sent                   105   User was sent MFA setup information.
Access-token-granted                            106   Access token granted.
User-access-token-refreshed                     110   User refreshed the access token.
User-access-token-refresh-failed                111   User access token refresh failed.
OAuth-client-authenticated                      121   OAuth client authenticated.
OAuth-client-authentication-failed              122   OAuth client authentication failed.
Role-added                                      201   New role added to the system.
Role-modified                                   202   Role has been modified.
Role-removed                                    203   Role has been removed.
Directory-added                                 210   New directory added to the system.
Directory-modified                              211   Directory has been modified.
Directory-removed                               212   Directory has been removed.
Directory-authentication-failed                 213   Directory authentication failed.
User-roles-modified                             220   The user's role associations were changed.
AWS-token-granted                               230   AWS token was granted to a user.
AWS-token-grant-failed                          231   AWS token grant failed.
LogConf-collector-created                       232   LogConf collector created.
LogConf-collector-modified                      233   LogConf collector modified.
LogConf-collector-removed                       234   LogConf collector removed.
LogConf-collector-failed                        235   LogConf collector failed.
Connection-requested                            300   Connection was requested.
Connection-authenticated                        301   Connection was authenticated.
Connection-rejected                             302   Connection was rejected.
Connection-closed                               303   Connection was closed.
Connection-failed                               304   Connection closed with an error.
Session-added                                   310   A session was added to a connection.
Session-removed                                 311   A session was removed from a connection.
File-upload                                     320   File upload performed.
File-download                                   321   File download performed.
Host-key-matched                                324   Host key matched.
Host-key-denied                                 325   Host key denied.
Host-key-accepted                               326   Host key accepted.
Host-key-saved                                  327   Host key saved.
Extender-connected                              328   Extender connected.
Extender-disconnected                           329   Extender disconnected.
File-removed                                    330   File removed.
Folder-removed                                  331   Folder removed.
File-moved                                      332   File moved.
Folder-created                                  333   Folder created.
Connection-audit-started                        334   Connection audit started.
Connection-audit-failed                         335   Connection audit failed.
Authorization-requested                         400   A client requested an authorization.
Authorization-certificate-granted               401   An authorization certificate was granted.
Authorization-role-key-granted                  402   An authorization role key was granted.
Authorization-role-key-sign-operation-rejected  403   An authorization role key sign operation was rejected.
Authorization-role-key-sign-operation-accepted  404   An authorization role key sign operation was accepted.
Authorization-rejected                          405   An authorization was rejected.
Authorization-certificate-warning               406   Authorization certificate creation generated warnings.
Authorization-Passphrase-returned               407   Authorization passphrase was returned.
Principal-added                                 410   A principal was added.
Principal-removed                               411   A principal was removed.
Trusted-client-added                            420   A trusted client was added.
Trusted-client-modified                         421   A trusted client was modified.
Trusted-client-removed                          423   A trusted client was removed.
License-updated                                 430   The service license was updated.
CA-Certificate-Created                          440   CA certificate was created.
CA-Certificate-Deleted                          441   CA certificate was deleted.
EE-Certificate-Enrolled                         442   End entity certificate was enrolled.
EE-Certificate-Revoked                          443   End entity certificate was revoked.
CA-Certificate-Enrolled                         444   CA certificate was enrolled.
CA-Certificate-Revoked                          445   CA certificate was revoked.
User-added                                      500   New user added to the system.
User-modified                                   501   User has been modified.
User-removed                                    502   User has been removed.
User-password-modified                          510   User password has been modified.
User-authenticated                              520   User has been authenticated.
User-authentication-failed                      521   User authentication has failed.
Workflow-added                                  600   A workflow was added.
Workflow-modified                               601   A workflow was modified.
Workflow-removed                                602   A workflow was removed.
Request-added                                   610   A request was added.
Request-removed                                 612   A request was removed.
Decision-made                                   620   A decision has been made on a request.
Email-sent                                      630   An email notification has been sent.
Email-configuration-Modified                    631   Email configuration has been modified.
Log-downloaded                                  700   Log files have been downloaded.
Log-level-modified                              710   The log level was modified.
Host-added                                      801   A host was added.
Host-modified                                   802   A host was modified.
Host-removed                                    803   A host was removed.
Connection-terminated                           900   Connection terminated.
Connection-terminated-for-host                  901   Connection terminated for host.
Connection-terminated-for-user                  902   Connection terminated for user.
Licensed-connection-count-exceeded              903   Licensed connection count exceeded.
Trail-opened                                    1000  Trail opened.
Trail-open-failed                               1001  Failed to open trail.
Trail-file-open-failed                          1002  Failed to open trail file.
Trail-file-read-failed                          1003  Failed to read trail file.
Trail-removed                                   1004  Trail removed.
Trail-remove-failed                             1005  Failed to remove trail.
Trail-file-integrity-failed                     1006  Trail file integrity check failed.
Config-checksum-added                           1100  A config file checksum was added.
Config-checksum-changed                         1101  A config file checksum has changed.
Transcript-status-scheduled                     1201  Transcript status.
Transcript-status-indexing                      1202  Transcript status.
Transcript-status-indexed                       1203  Transcript status.
Transcript-status-error                         1204  Transcript status.
Transcript-status-not-indexed                   1205  Transcript status.
Transcript-trail-removed                        1206  Transcript trail removed.
Transcript-opened                               1207  Transcript opened.
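As an added example (not PrivX code), the following script applies a few of the event codes from Table 9.1 to audit lines from /var/log/messages: it raises an alert for every event that points at tampering with the audit trail, the configuration files or the logging level (1006 Trail-file-integrity-failed, 1101 Config-checksum-changed, 710 Log-level-modified) and aggregates 102 User-login-failed events per user against a threshold. The sample lines are constructed in the [key="value" ...] layout shown earlier in this chapter and carry only the event, eventID and username fields; the threshold and the choice of alert-worthy codes are the example's own.

```python
import re
from collections import Counter

# Subset of Table 9.1 (eventID -> Event Name) used by the rules below.
EVENT_NAMES = {
    100: 'User-logged-in',
    102: 'User-login-failed',
    302: 'Connection-rejected',
    405: 'Authorization-rejected',
    710: 'Log-level-modified',
    1006: 'Trail-file-integrity-failed',
    1101: 'Config-checksum-changed',
}
# Events that merit an alert on their own: each indicates a change to the audit
# trail, the configuration files or the amount of logging the services produce.
AUDIT_TAMPER_EVENTS = {710, 1006, 1101}
# Example threshold; tune to the environment.
LOGIN_FAILURE_THRESHOLD = 3

# Constructed sample lines in the [key="value" ...] layout shown earlier in this
# chapter; real events carry more fields than the three used here. The last line
# is a non-PrivX syslog line that the parser must ignore.
SAMPLE_LINES = [
    'Dec 5 16:01:02 privx.example.com SSH-PRIVX-AUDIT[6825]: [event="User-login-failed" eventID="102" username="alice"]',
    'Dec 5 16:01:05 privx.example.com SSH-PRIVX-AUDIT[6825]: [event="User-login-failed" eventID="102" username="alice"]',
    'Dec 5 16:01:09 privx.example.com SSH-PRIVX-AUDIT[6825]: [event="User-login-failed" eventID="102" username="alice"]',
    'Dec 5 16:02:00 privx.example.com SSH-PRIVX-AUDIT[6825]: [event="User-login-failed" eventID="102" username="bob"]',
    'Dec 5 16:03:11 privx.example.com SSH-PRIVX-AUDIT[6825]: [event="User-logged-in" eventID="100" username="bob"]',
    'Dec 5 16:10:40 privx.example.com SSH-PRIVX-AUDIT[7010]: [event="Trail-file-integrity-failed" eventID="1006"]',
    'Dec 5 16:12:03 privx.example.com SSH-PRIVX-AUDIT[7011]: [event="Config-checksum-changed" eventID="1101"]',
    'Dec 5 16:15:00 other.example.com sshd[100]: Accepted publickey for carol from 192.0.2.9 port 5 ssh2',
]

FIELD = re.compile(r'([A-Za-z0-9_-]+)="([^"]*)"')


def parse_audit_line(line):
    """Return the fields of a PrivX audit line with eventID as int, else None."""
    if 'SSH-PRIVX-AUDIT' not in line:
        return None
    fields = dict(FIELD.findall(line))
    try:
        fields['eventID'] = int(fields['eventID'])
    except (KeyError, ValueError):
        return None
    return fields


def triage(lines):
    """Run the two rules over a batch of syslog lines and return the alerts."""
    alerts, failures = [], Counter()
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            continue
        code = ev['eventID']
        if code in AUDIT_TAMPER_EVENTS:
            alerts.append({'kind': 'audit-tamper', 'eventID': code,
                           'name': EVENT_NAMES.get(code, ev.get('event')), 'line': line})
        if code == 102:
            failures[ev.get('username', '<unknown>')] += 1
    for user, count in failures.items():
        if count >= LOGIN_FAILURE_THRESHOLD:
            alerts.append({'kind': 'login-failures', 'eventID': 102,
                           'name': EVENT_NAMES[102], 'username': user, 'count': count})
    return alerts


if __name__ == '__main__':
    for alert in triage(SAMPLE_LINES):
        print(alert['kind'], alert['eventID'], alert['name'],
              alert.get('username', ''), alert.get('count', ''))
```

The same rules translate directly into a SIEM once the local6 stream is forwarded as described under "Logging CEF Audit Messages to External SIEM"; keying on eventID rather than on the event name keeps the rule stable if the name text changes between versions.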