Closed Bug 715184 Opened 13 years ago Closed 12 years ago

Sync CEF Logging Bug

Categories

(Cloud Services Graveyard :: Server: Sync, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: eparker, Unassigned)

References

Details

(Whiteboard: [qa?])

Attachments

(3 files)

Attached file sync login failures
Hi
It seems that the Sync CEF logging has changed sometime in the recent past. Looking through the logs and comparing them to previous ArcSight rules that were written, I found discrepancies on what is expected. For example, when there is an authentication failure I am currently receiving the CEF event, but the Device Event Class ID (deviceClassID) = "Authentication Failed for Backend service kizyjwbazb4hg23q33qgsbkdm52tmafv"

According to the rule (written by nmiller) the rule is expecting deviceClassID =  "AuthFail"

I have also noticed that the user name field is not completed for events. This should be in the CEF field "suser". It would be helpful to us to receive the Username and not the User ID.

Attached are two examples of the syslog events being sent.  First file shows the CEF authentication failures and the second is the "Daily  metric call".  These are the actual CEF syslog events.  

In short, we need to have the Authentication Failures corrected to specify the correct user name in the "suser" CEF field, either by Captcha or user interaction and have the other events specified in the logging requirements.  The sync requirements document can be found here, https://mana.mozilla.org/wiki/display/INFRASEC/Sync+CEF+Messages
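
The two problems reported above (a Device Event Class ID that no longer matches the rule, and an empty "suser") can be checked mechanically before events reach the SIEM. The following is an added example, not part of the bug report or the Sync server code; the vendor, product, host names and sample lines are constructed, and "AuthFail" is the only expected ID taken from the report.

```python
import re

# The ArcSight rule quoted in the report matches on this Device Event Class ID.
EXPECTED_CLASS_IDS = {"AuthFail"}
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "class_id", "name", "severity")
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")  # value may hold spaces


def parse_cef(line):
    """Split a syslog line carrying CEF into header fields plus an extension dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload")
    body, fields, cur, i = line[start + 4:], [], [], 0
    # Walk the header by hand so the \| and \\ escapes are honoured.
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER_FIELDS, fields))
    event["ext"] = {k: v.replace("\\=", "=") for k, v in _EXT_PAIR.findall(body[i:])}
    return event


def check_event(line):
    """Return the problems that would make a correlation rule miss this event."""
    ev = parse_cef(line)
    problems = []
    if ev["class_id"] not in EXPECTED_CLASS_IDS:
        problems.append("unexpected Device Event Class ID: %r" % ev["class_id"])
    if not ev["ext"].get("suser", "").strip():
        problems.append("suser is empty or missing")
    return problems


# Constructed samples: vendor, product, host and field values are made up.
GOOD = "Jan  5 10:00:01 host1 CEF:0|ExampleVendor|sync|1.0|AuthFail|Authentication Failed|5|suser=alice src=192.0.2.10"
BAD = "Jan  5 10:00:02 host1 CEF:0|ExampleVendor|sync|1.0|Authentication Failed for Backend service <constructed-id>|Authentication Failed|5|suser= src=192.0.2.10"
```

`check_event(GOOD)` returns an empty list, while `check_event(BAD)` reports both the free-text class ID and the empty `suser`.
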

This looks like it should have been fixed by http://hg.mozilla.org/services/server-core/rev/ecbe9a975867.  Perhaps just not rolled out yet?

The new repoze.who authentication routines are using the old, incorrect messages, but I don't think that code has been enabled yet.  I'll update to the correct format in any case.

Yeah, this is one of the bugs that is blocked by lack of ops resources to roll out the fix. I'm hoping these come unstuck within the next week and we can push some forwards.
Depends on: 717073
Attachment #587226 - Flags: review?(tarek) → review-
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Hi,
Thanks again for taking this on.  Any ETA when this will be rolled out?

Eric
Some of these should be rolled out today and tomorrow. The others are not scheduled to happen because we've declared the current Sync nodes to be a dead end and we are working on new sync code to be deployed in 6-8 weeks.
Whiteboard: [qa?]
Status: RESOLVED → VERIFIED
Product: Cloud Services → Cloud Services Graveyard