add the ability to audit login failures/successes for logging in to the web interface

Avatar
  • updated
  • Completed

add the ability to audit login failures/successes for logging in to the web interface

Duplicates 4
Notification on failed and successful logins

Partner stated that he would like a email notification when there is a successful or failed login

Log site logins with notification capabilities

From CW#7590390:

Would like to be able to audit when users login to ScreenConnect instance, including failures. Would also like to be able to receive email notifications when failed login attempts occur on site.

Audit logs of when someone logs on (successfully or failure) into the web interface?

Hello

When someone logs on to the web interface, Id like to log it and send it to a syslog ( more specifically Elastic Stack ) to not only keep logs but to meet certain compliance requirements.

We have ScreenConnect ( or ConnectWise ) installed on Windows on prem.

Where are these audit logs located?

Thank you

log user login history

Please add this feature that can log user login history for audit and investigation.

Avatar
0
Scott H.

Yeah, the failed login logs aren't particularly helpful when all you see is your own proxy IP. 

Avatar
0
jeffshead

What about logging the real, source IP? CC only logs the reverse proxy's IP address even though my reverse proxies (I tested a couple of different ones) are sending the source IP in the headers (i.e. x-forward-for, real-ip, etc). Not very effective if you can't audit the source IP. Many customers put CC behind a WAF or rproxy.

Avatar
0
CFBDAVE
Quote from Karl Brown

Event.EventType = 'LoginAttempt' AND Event.OperationResult = 'PasswordInvalid'

Source: ConnectWise Control 2021.15 Release notes

Thanks I did find a video on this later in the evening.  Is there some way to allow this to report back even if the username is not valid?  Anyone trying to get in brute force is more than likely NOT going to know our username.

I tried to use this event but it does not work  Event.EventType = 'PasswordInvalid'

Avatar
0
Karl Brown
Quote from CFBDAVE

Can this audit FAILED logins only?  I see LOGIN attempt but I need to sift through them all to find if any failed.  If this is possible, is there a way to create a trigger to email us on failed login attempts?

Event.EventType = 'LoginAttempt' AND Event.OperationResult = 'PasswordInvalid'

Source: ConnectWise Control 2021.15 Release notes

Avatar
0
CFBDAVE

Can this audit FAILED logins only?  I see LOGIN attempt but I need to sift through them all to find if any failed.  If this is possible, is there a way to create a trigger to email us on failed login attempts?

Avatar
0
Rishikesh Gajul
Quote from LukeF

Will login attempts be sent to SYSLOG? I'm sure that is what everyone is waiting for

Hi Luke,

Once security events are triggerable, we'll be able to update the Syslog Ext.

Avatar
1
LukeF
Quote from Sean White

Hey there! Cody is correct, the next plan for the security events are to make them reportable (will be available soon). We will then work on adding security events to our Triggers, which is slated for later in Q3.

Will login attempts be sent to SYSLOG? I'm sure that is what everyone is waiting for

Avatar
2
Sean White Team Member

Hey there! Cody is correct, the next plan for the security events are to make them reportable (will be available soon). We will then work on adding security events to our Triggers, which is slated for later in Q3.

Avatar
1
Cody Arnold
Quote from Steve Schatteman

Trying to figure a method to be able to query login events directly for quick and dirty reporting, rather than through a 3rd party (a la Syslog as you laid out).

You might be able to do it via API but that's nothing I've any experience with personally.

Next steps with this from Control's end developmentally would likely be add into the reporting the ability to show authentication failures/successes, as well as via the dashboard visualize on successful/failed logon attempts (with the ability for it to just from the dashboard click and tell ya what you need/want)

Good luck!

Avatar
0
Steve Schatteman

Trying to figure a method to be able to query login events directly for quick and dirty reporting, rather than through a 3rd party (a la Syslog as you laid out).



Top contributors

Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar
Avatar