Re: [asterisk-users] Security log format / content

2014-03-28 Thread Michelle Dupuis
Why does the failed authentication place the number dialed, instead of the 
username used, in the account field?

Any way to distinguish a failed dial attempt from a failed register attempt 
using just the security log?  (I couldn't see how looking at the log)


From: asterisk-users-boun...@lists.digium.com 
asterisk-users-boun...@lists.digium.com on behalf of Michael L. Young 
myo...@acsacc.com
Sent: Thursday, March 27, 2014 2:42 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Security log format / content

- Original Message -

 From: Michelle Dupuis mdup...@ocg.ca
 To: Asterisk Users List asterisk-users@lists.digium.com
 Sent: Thursday, March 27, 2014 12:55:21 AM
 Subject: [asterisk-users] Security log format / content

 I've noticed that the Asterisk (v11) security log captures attempts
 to dial without first authenticating, and places the number dialed
 into the accountid field.

 I'm trying to distinguish between failed attempts to register and
 attempts to dial without registering, but the security log treats
 them identically (using the accountid field for either the username
 or number dialed). I have noticed that the eventversion field is set
 to 2 for failed dial attempts, and 1 otherwise.

 Is this coincidence? Or can I rely on the eventversion=2 in the
 future to distinguish these two event types? (I've looked here:
 https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format
 but it doesn't really help)

The eventversion field is just a way to distinguish different versions of the 
same event.  Between Asterisk 10 and 11, that particular event's logging output 
changed requiring a bump up in the version.  It should not be used to 
distinguish different events.

What do you mean by "eventversion field is set to 2 for failed dial attempts, 
and 1 otherwise"?  What is the event?  I have a feeling those are two different 
events.

You are correct about the events looking identical whether it is a failed 
registration or a failed dial attempt.  From the standpoint of Asterisk, an 
attempt was made to either register or place a call but the credentials failed. 
Therefore, an InvalidPassword event is logged.

When an authorized device successfully places a call, you will only have a 
ChallengeSent entry in your log.

If an attempt to place a call is made and it does not respond back with the 
right credentials to the challenge sent to Asterisk, then you will have a 
ChallengeSent entry with a subsequent InvalidPassword.  You should be able 
to connect the two events based on the fields in those events.

If a successful attempt to register is made, you will have a ChallengeSent 
with a subsequent SuccessfulAuth.  If it is not successful, then you will 
have a ChallengeSent with a subsequent InvalidPassword.  Again, there 
should be enough information present with the other fields to help connect the 
events together.

The security events in Asterisk are designed to present the events.  They do 
not determine anything else for you.  You have to create a consumer of those 
events that can attempt to connect the dots for you.  Hopefully we are 
providing enough information for the consumer to do whatever you would like the 
consumer to do with the information.

I hope that helps.

Michael

-- 
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users



Re: [asterisk-users] Security log format / content

2014-03-27 Thread Michael L. Young
- Original Message - 

 From: Michelle Dupuis mdup...@ocg.ca
 To: Asterisk Users List asterisk-users@lists.digium.com
 Sent: Thursday, March 27, 2014 12:55:21 AM
 Subject: [asterisk-users] Security log format / content

 I've noticed that the Asterisk (v11) security log captures attempts
 to dial without first authenticating, and places the number dialed
 into the accountid field.

 I'm trying to distinguish between failed attempts to register and
 attempts to dial without registering, but the security log treats
 them identically (using the accountid field for either the username
 or number dialed). I have noticed that the eventversion field is set
 to 2 for failed dial attempts, and 1 otherwise.

 Is this coincidence? Or can I rely on the eventversion=2 in the
 future to distinguish these two event types? (I've looked here:
 https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format
 but it doesn't really help)

The eventversion field is just a way to distinguish different versions of the 
same event.  Between Asterisk 10 and 11, that particular event's logging output 
changed requiring a bump up in the version.  It should not be used to 
distinguish different events.

What do you mean by "eventversion field is set to 2 for failed dial attempts, 
and 1 otherwise"?  What is the event?  I have a feeling those are two different 
events.

You are correct about the events looking identical whether it is a failed 
registration or a failed dial attempt.  From the standpoint of Asterisk, an 
attempt was made to either register or place a call but the credentials failed. 
Therefore, an InvalidPassword event is logged.

When an authorized device successfully places a call, you will only have a 
ChallengeSent entry in your log.

If an attempt to place a call is made and it does not respond back with the 
right credentials to the challenge sent to Asterisk, then you will have a 
ChallengeSent entry with a subsequent InvalidPassword.  You should be able 
to connect the two events based on the fields in those events.

If a successful attempt to register is made, you will have a ChallengeSent 
with a subsequent SuccessfulAuth.  If it is not successful, then you will 
have a ChallengeSent with a subsequent InvalidPassword.  Again, there 
should be enough information present with the other fields to help connect the 
events together.

The security events in Asterisk are designed to present the events.  They do 
not determine anything else for you.  You have to create a consumer of those 
events that can attempt to connect the dots for you.  Hopefully we are 
providing enough information for the consumer to do whatever you would like the 
consumer to do with the information.

I hope that helps.

Michael

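A consumer of the kind Michael describes, written here as an added example for this thread (it is not Asterisk's own code). It parses the key="value" layout documented on the wiki page Michelle links, groups events by SessionID and RemoteAddress, and labels each session the way the reply lays out: ChallengeSent followed by SuccessfulAuth, by InvalidPassword, or by nothing. It deliberately ignores EventVersion, as advised. For failed attempts it adds the heuristic Michelle's observation suggests: Asterisk puts the dialed number rather than a username into AccountID for unauthenticated dial attempts, so a failed AccountID that matches no configured peer was probably a dial, not a failed register. The sample log lines, addresses, session ids, the known-account list and the IPV4/UDP/ip/port address layout are all constructed for the example.

```python
"""Correlating Asterisk 11 security log events (example code, not Asterisk's own)."""
import re
from collections import Counter, OrderedDict

# key="value" pairs that follow SecurityEvent= on each security log line
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed: names of the SIP peers configured in sip.conf on this box.
KNOWN_ACCOUNTS = {"1001", "1002"}

# Constructed sample log in the layout of the wiki page linked in the thread
# (timestamp, SECURITY channel, then comma-separated key="value" fields).
# Addresses, session ids and accounts are made up for this example.
SAMPLE_LOG = """\
[2014-03-27 00:55:21] VERBOSE[1900] chan_sip.c: Registered SIP '1001' at 192.0.2.55:5060
[2014-03-27 00:55:21] SECURITY[2001] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1395881721-000001",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f0001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.55/5060",Challenge="0a1b2c3d"
[2014-03-27 00:55:21] SECURITY[2001] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1395881721-000002",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f0001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.55/5060",UsingPassword="1"
[2014-03-27 00:56:02] SECURITY[2001] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1395881762-000001",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f0002",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.99/5060",Challenge="4e5f6a7b"
[2014-03-27 00:56:02] SECURITY[2001] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1395881762-000002",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x7f0002",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.99/5060",Challenge="4e5f6a7b",ReceivedChallenge="4e5f6a7b",ReceivedHash="deadbeef"
[2014-03-27 00:57:40] SECURITY[2001] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1395881860-000001",Severity="Informational",Service="SIP",EventVersion="1",AccountID="00441234567890",SessionID="0x7f0003",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="8c9d0e1f"
[2014-03-27 00:57:40] SECURITY[2001] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1395881860-000002",Severity="Error",Service="SIP",EventVersion="2",AccountID="00441234567890",SessionID="0x7f0003",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="8c9d0e1f",ReceivedChallenge="8c9d0e1f",ReceivedHash="cafebabe"
[2014-03-27 00:58:11] SECURITY[2001] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1395881891-000001",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1002",SessionID="0x7f0004",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.56/5060",Challenge="2a3b4c5d"
"""


def parse_line(line):
    """Return the fields of a security event line, or None for any other log line."""
    start = line.find('SecurityEvent=')
    if start < 0:
        return None
    return dict(FIELD_RE.findall(line[start:]))


def remote_ip(address):
    """Pull the IP out of an address like IPV4/UDP/192.0.2.55/5060 (assumed layout)."""
    parts = address.split('/')
    return parts[2] if len(parts) >= 3 else address


def correlate(lines, known_accounts):
    """Group events by (SessionID, RemoteAddress) and classify each session.

    Outcomes follow the thread: SuccessfulAuth after a challenge is a completed
    registration, InvalidPassword after a challenge is a failed attempt, and a
    challenge with no follow-up event is reported as 'challenge_only'.
    'guess' applies only to failures and is a heuristic, not something the log
    states: an AccountID that is not a configured peer was probably a dialed number.
    """
    sessions = OrderedDict()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev.get('SessionID', ''), ev.get('RemoteAddress', ''))
        sessions.setdefault(key, []).append(ev)

    results = []
    for (session, remote), events in sessions.items():
        names = [e.get('SecurityEvent') for e in events]
        account = events[0].get('AccountID', '')
        if 'SuccessfulAuth' in names:
            outcome = 'successful_auth'
        elif 'InvalidPassword' in names:
            outcome = 'invalid_password'
        elif names == ['ChallengeSent']:
            outcome = 'challenge_only'
        else:
            outcome = 'other'
        guess = None
        if outcome == 'invalid_password':
            guess = 'likely_register' if account in known_accounts else 'likely_dial'
        results.append({'session': session, 'remote': remote_ip(remote),
                        'account': account, 'events': names,
                        'outcome': outcome, 'guess': guess})
    return results


def failed_by_remote(results):
    """Count failed sessions per remote IP; the input an alert or block rule would use."""
    return Counter(r['remote'] for r in results if r['outcome'] == 'invalid_password')


if __name__ == '__main__':
    report = correlate(SAMPLE_LOG.splitlines(), KNOWN_ACCOUNTS)
    for entry in report:
        print(entry)
    print(failed_by_remote(report))
```

Keying on SessionID alone would be enough for the constructed sample; RemoteAddress is added to the key because it is the field a consumer actually acts on (counting failures per source), and it guards against a session id being reused. If your peers are keyed by something other than the AccountID string, replace KNOWN_ACCOUNTS with a lookup against your own configuration.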