Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

Start taking logging seriously

Start taking logging seriously 

A recent experience with OpenVPN Access Server (AS) serves as a good example. OpenVPN AS is a popular commercial VPN gateway with a web-based interface. It can be installed on a variety of Linux operating systems and is available as a virtual appliance and Amazon AMI. OpenVPN AS is commonly used for secure remote access to corporate networks and cloud environments.

By default, OpenVPN AS writes log events to the local file system and to an internal database, making them available via the web-based administration interface. Events include successful and failed authentications, locked out users, assigned IP addresses, and a multitude of other technical information.

While it is good that events are available for manual review, even a small business should forward these logs to a centralized server such as Graylog, and doing so should just require a quick and simple configuration change. As it turns out, the product developer apparently does not deem remote logging functionality important enough to include in the web admin interface. Instead, the administrator first has to ssh to the OpenVPN AS server and manually add a line to the configuration file. This causes logs to be sent to the local syslog daemon. Next, syslog must be manually configured to forward logs to Graylog (or another remote syslog server)

Once the administrator successfully jumps through the manual configuration hoops, log events from the OpenVPN AS appear in Graylog. From a security operations perspective, it is helpful to generate alerts when the number of authentication failures exceed a threshold value. It is also prudent to alert when a user is locked out; it indicates either an impersonation attempt, or that the user requires assistance.

Identifying successful authentication events in the syslog events is straightforward, but despite the unnecessarily complex nested JSON structure, the log message contains neither the IP address from which the client connected, nor the internal IP address assigned. This information is available elsewhere in the logs, but would require custom software to automatically find and correlate.

Detecting authentication failures proves more difficult. These events are logged, but contain only the username. The same keyword, AUTH_FAILED, also appears when a session has expired and re-authentication is required. It possible to determine the IP addresses involved by manually reviewing log events; automatically obtaining this information would require additional custom software.

A VPN server such as OpenVPN AS should, at minimum, log the following events:

  • Successful authentications and VPN connections;
  • VPN session disconnections;
  • Failed authentication attempts; and,
  • Administrative actions such as adding, deleting, and modifying users.

OpenVPN AS makes the first three items easily accessible through the web-based interface, but as noted, they are incomplete and difficult for a centralized log management system to parse and interpret. Administrator logins are recorded, but critical security-relevant actions such as adding or deleting a user, and password resets, are not logged at all.

Each log event should include all relevant information in a machine-parsable format. Graylog’s GELF uses a flat JSON structure for good reason; it requires few resources to parse the event into fields for indexing, searching, and alerting.

OpenVPN AS is certainly not the only product in desperate need of log subsystem improvements, but these findings raise a serious question: OpenVPN AS has existed for years. Is this the first time an administrator attempted to centrally collect, monitor, and alert on security-relevant events?

Many products produce log events that are difficult to parse and are missing critical information. This results in security personnel wasting considerable time trying to identify and extract relevant data. Developers need start taking logging seriously.

Have a security question you’d like answered in a future column, please send me an email. 

Related posts