How do I display groups in my access logs?

Article ID: 166075

Products

Reporter

Issue/Introduction

Using a Web Access Layer in my policy I automatically see usernames in my access logs, but why don’t I see group names?

Do I need a special realm, or group rule, to see group names in my access log?

A user is a member of two groups in Active Directory. Once the ProxySG appliance has group logging, what determines which group is logged in the access log when the user accesses the Web?

Resolution

Group information works for much more than just LDAP. It works for all authentication realms, but some realms that compute the username dynamically (such as the one that bases it on workstation name) require you to set up a separate Authorization realm, which is used to look up the username. This Authorization realm determines which groups the user is a member of. In such cases, it is common to use an LDAP realm as the authorization realm. If you have usernames in the correct format, you can use an IWA realm, a local realm, or even an XML realm for that.

The challenge with getting the system to log group names is that it logs only groups of interest, that is, group names that are explicitly matched in policy. If no policy trigger refers to a particular group name, the ProxySG appliance does not attempt to determine whether the user is a member of that group, and therefore cannot log that membership. A group must be added to the "Group log order" for the "cs-auth-group" log field to be populated.

NOTE1: With Active Directory (AD), this group must be of the type called Global Security group for it to be logged.

NOTE2: If a user is a member of two or more groups that have been explicitly named in policy, you also need to set the group log order through the VPM on the ProxySG appliance.

The following screenshot provides an example of a working group rule. In this case, we track in the access logs those users who authenticate and are members of the AD group “enterprise admins”.

NOTE3: To make sure you are not already logging group information, go into your Reporter profile and create a filter on groups. If no drop-down list displays, then you are not logging group information.
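
The same check can be made directly against a raw access log by looking at the "cs-auth-group" field. The script below is an added example, not part of the original article or any vendor tooling. It assumes the log carries a "#Fields:" header line, that empty values are written as "-", and that values containing spaces are double-quoted; the sample records and the function name are constructed for illustration.

```python
import csv
from collections import Counter

# Constructed sample records (not real traffic). Assumptions: the log carries a
# "#Fields:" header, empty values are "-", values with spaces are double-quoted.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-auth-group sc-status cs-host
2024-01-15 10:00:01 10.0.0.5 alice "enterprise admins" 200 example.com
2024-01-15 10:00:02 10.0.0.6 bob - 200 example.org
2024-01-15 10:00:03 10.0.0.5 alice "enterprise admins" 200 example.net
2024-01-15 10:00:04 10.0.0.7 - - 407 example.com
"""

def group_logging_summary(log_text, field="cs-auth-group"):
    """Report whether `field` is in the log format and how often it is populated."""
    fields, groups, no_group, authenticated = None, Counter(), set(), 0
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        row = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if len(row) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, row))
        user = rec.get("cs-username", "-")
        if user == "-":
            continue  # unauthenticated request: no group is expected
        authenticated += 1
        if rec.get(field, "-") != "-":
            groups[rec[field]] += 1
        else:
            no_group.add(user)
    return {
        "field_in_format": fields is not None and field in fields,
        "authenticated_records": authenticated,
        "records_with_group": sum(groups.values()),
        "groups": dict(groups),
        "users_without_group": sorted(no_group),
    }

if __name__ == "__main__":
    for key, value in group_logging_summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

If the field is present in the format but no authenticated record carries a group, the log format is not the problem; check that the group is referenced in policy and listed in the group log order.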