EPA scan logging


Geoff Degen

Is there a log file that will tell me why a client is denied during the EPA scan? It would be very handy to be able to tell the user exactly why they got denied instead of going through all the steps and checking each little piece we check for.

AGEE 9.1 build 97.3

Thanks
Geoff

Edited by: Geoff Degen on Sep 23, 2009 4:25 PM


  • 2 months later...

You may find the nsepa.txt file in the user profile of some value, but ultimately it comes down to security and how much information you want to provide to the end user on how to pass the scan.

You could take a header trace from the client browser during a scan and there you should be able to see the results of each scan as they are passed back to the gateway appliance in the HTTP headers.

Thanks,

Jacob Maynard
Sr. Escalation Engineer
Netscaler Product Group


Finally,

In 9.1 there is a graphical log viewer for syslog messages when highlighting the Auditing folder in the left navigation pane.

Once highlighted select syslog viewer. Once the dialog comes up, you will select the module 'sslvpn' and then 'clisec_' event types will show you the post auth scan results.

Thanks,

Jacob Maynard
Sr Escalation Engineer
Netscaler Product Group


I get a blank output when I select those options. Is there something that I have to configure first? I have not taken a formal training on this and am doing the learn as I go thing right now. Any help is appreciated. I assume I'd have to create an Audit policy for this to work, right?


The only SSLVPN event types I see are: TCPCONNSTAT, HTTPREQUEST, ICASTART, ICAEND_CONNSTAT, LOGIN, and LOGOUT.

Is there some other piece I'm missing in my config to log these events? Also, I am up to 98.5.cl now, but I imagine the same functions are there for this piece.

My event type options under the SSLVPN module are "CLISEC_CHECK" and "CLISEC_EXP_EVAL" and I see neither of these being logged.

Edited by: Geoff Degen on Nov 24, 2009 12:33 PM


Can you send the configuration you are using? We won't log pre-authentication scans at the AGEE appliance, so if you are scanning the client before they are entering their credentials, then the only place to see these are in the nsepa.txt file, and the header trace from the client.

Thanks,

Jacob Maynard
Sr. Escalation Engineer


You can do one of two things:

1) Use a client security check in your session policy expression
2) Create a client security check in the session or global profile under the client security option.

Either way, the scan will occur after the user is authenticated, and then we can map the result to an actual user and log it in our audit log "/var/log/ns.log"

Thanks,

Jacob Maynard
Sr. Escalation Engineer
Netscaler Product Group


I have created a client security check in my session policy and it seems to work. In my event type field, I only see logging for "CLISEC_EXP_EVAL". I don't see anything for "CLISEC_CHECK"; however, what I do see seems to be helpful in determining what the problem is if the user is denied.

Jacob, I appreciate the help. I'm going to play around with this today and will post back here if I have any additional questions. Thanks!!

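Added example, not part of any post in this thread and not Citrix code: a shell filter for a copy of /var/log/ns.log that pulls out the SSLVPN CLISEC_CHECK and CLISEC_EXP_EVAL events discussed above and flags the "blank output" case, where SSLVPN events are logged but no client-security events are. The function names and sample lines are constructed and the line layout is an assumption; only the module and event-type names come from the thread.

```shell
#!/bin/sh
# Added example: check a copy of /var/log/ns.log for post-auth EPA results.
# Assumption: audit lines carry "<MODULE> <EVENT_TYPE>" as adjacent fields.

# Constructed, simplified sample lines (not real appliance output).
sample_log() {
cat <<'EOF'
Nov 24 12:30:01 ns : SSLVPN LOGIN 101 0 : User alice - constructed sample
Nov 24 12:30:02 ns : SSLVPN CLISEC_EXP_EVAL 102 0 : User alice - constructed sample
Nov 24 12:30:05 ns : SSLVPN HTTPREQUEST 103 0 : User alice - constructed sample
Nov 24 12:31:10 ns : SSLVPN CLISEC_EXP_EVAL 104 0 : User bob - constructed sample
Nov 24 12:31:40 ns : SSLVPN LOGOUT 105 0 : User alice - constructed sample
EOF
}

# Print "<event type> <count>" for each SSLVPN event type read from stdin.
sslvpn_event_counts() {
  awk '{
    for (i = 1; i < NF; i++)
      if ($i == "SSLVPN") { n[$(i + 1)]++; break }
  }
  END { for (e in n) print e, n[e] }' | sort
}

# Keep only the client-security (post-authentication scan) lines.
clisec_lines() {
  grep -E ' SSLVPN CLISEC_(CHECK|EXP_EVAL) ' || true
}

# Classify a log: are post-auth scan results being written at all?
epa_logging_status() {
  awk '
    / SSLVPN /                         { sslvpn++ }
    / SSLVPN CLISEC_(CHECK|EXP_EVAL) / { clisec++ }
    END {
      if (clisec > 0)      print "post-auth-scans-logged"
      else if (sslvpn > 0) print "sslvpn-events-but-no-clisec"
      else                 print "no-sslvpn-events"
    }'
}

sample_log | sslvpn_event_counts
sample_log | epa_logging_status
```

A result of `sslvpn-events-but-no-clisec` corresponds to the situation described earlier in the thread: the scan runs before authentication, or no client security check is configured in the session policy or profile.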

  • 7 months later...

FYI,

My latest post details how to grab EPA logs from AGEE and pipe them into a SQL Server and present them in SQL Server Reporting Services.

Basically, I am hoping my finished product will include a popup when a user fails their scan to a URL to the SSRS Site where they can enter the userID and see what failed. Also, I want to put hyperlinks on each failure so that the user can click on it and see what they need to do (update virus scan, turn on firewall, etc).

We had Clear2View for the AAC product but I tend to like this format a lot better due to the ease of integration with SSRS.

Please read.

http://xen-trifuge.com/2010/06/26/project-poindexter-endpoint-analysis-log-harvesting/

Let me know if you have any questions

John


  • 1 year later...
  • 8 years later...
On 6/27/2010 at 5:39 PM, John Smith1709151621 said:

FYI,

My latest post details how to grab EPA logs from AGEE and pipe them into a SQL Server and present them in SQL Server Reporting Services.

Basically, I am hoping my finished product will include a popup when a user fails their scan to a URL to the SSRS Site where they can enter the userID and see what failed. Also, I want to put hyperlinks on each failure so that the user can click on it and see what they need to do (update virus scan, turn on firewall, etc).

We had Clear2View for the AAC product but I tend to like this format a lot better due to the ease of integration with SSRS.

Please read.

http://xen-trifuge.com/2010/06/26/project-poindexter-endpoint-analysis-log-harvesting/

Let me know if you have any questions

John

Looks like John's blog may be offline these days, but for folks who stumbled on this ~10 yr old discussion and are interested in his detailed guide, there's a snapshot on waybackmachine. https://web.archive.org/web/20160118022155/http://xen-trifuge.com/2010/06/26/project-poindexter-endpoint-analysis-log-harvesting/
