New User Login Surveillance Opportunities in ZLD4.65 ?

USG_User
USG_User Posts: 374  Master Member
5 Answers First Comment Friend Collector Sixth Anniversary
edited July 2021 in Security
We would like to keep all user logins at our USG110 under surveillance since we are not able to completely disable SSLVPN. And if I remember correctly the log settings for user logons have been improved recently by Zyxel.
We've tried different settings but USG is not sending alert logs immediately by email in case anybody is logging-in. The sending of emails, like daily log or other alert logs, is working and user log-ons/offs are being listed in USG log correctly.
Login attempts will only be sent by mail after different minutes, showing a collection of all user logins for last hour (or another time span which we presently don't know exactly). But is it possible to send single login attempt immediately and not only a collection of login attempts after a time.

Here our current settings:


«1

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    edited July 2021
    Gateway will send mail immediately when the event priority is alert level. It will not send alert mail immediately if the event priority is "Notice". 
    We would suggest setup syslog server to monitor user login event. When the keyword "has logged in SSLVPN" match, syslog server send alert mail to notify administrator.

  • mMontana
    mMontana Posts: 1,380  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    edited July 2021
    Why there's not a "USER" category for the log and (eventually, Sysadmin choice) email?
    Sending messages for every notice can create only a massive list of unnecessary/unrelated/unwanted messages.

    A user has logon/a user as logoff/a user has been created/a user got password change are notices that are relevant for security assessment, time tracking, user management, reporting.
    And these should be among the plate of the options.

    "Logon" and "logoff" are related to SSLVPN, https interface access, L2TP access, VPN Client Access.
  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Gateway will send mail immediately when the event priority is alert level. It will not send alert mail immediately if the event priority is "Notice". 
    We would suggest setup syslog server to monitor user login event. When the keyword "has logged in SSLVPN" match, syslog server send alert mail to notify administrator.


    Hi Cooldia,
    Thanks for your reply. But is it adjustable which log entry should be handled as notice, info or alert? It would be very helpful to adjust this to our needs.

    Stanley wrote that with ZLD 4.65 only Admin account changes will be immediately treated as "alert" now. But we would prefer to get the opportunity to handle EACH login attempt as alert.

    Regarding ZLD 4.65 Stan wrote:

    Enhances admin-type user change logs to alert level




    BTW: As a small company we are not able to purchase and maintain servers for all possible tasks, like e.g. syslog server. Please take into considerations that the small USG series, like our USG110 is, because of its throughput and number of physical ports, intended for small business only without a big IT department or big IT budget. That's why simple notification opportunities, like email to administrators, are prefered.

  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    BTW, when activating the log settings as described obove, the USG is also regularly sending (at least once per day) the following single emails:

    Mac SecuExtender version 1.1.3 is latest
    and
    Win SecuExtender version 4.0.2.0 is latest

    This is annoying when this comes every day again and again.

  • kyssling
    kyssling Posts: 107  Ally Member
    First Comment First Answer Friend Collector Sixth Anniversary
    USG_User :  latest version SecuExtender is 4.0.4
  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Thanks for this hint. Has the 4.0.4.0 been announced by Zyxel in June?

    Nevertheless, we are presently using SE 4.0.3.0. Why the USG is regularly sending a log mail with statement "Win SecuExtender version 4.0.2.0 is latest". And what does it mean? In fact v4.0.2.0 is not the latest in case this should be a hint to the latest release and to update.

  • lalaland
    lalaland Posts: 90  Ally Member
    First Answer First Comment Friend Collector Sixth Anniversary
    USG_User said:
    Gateway will send mail immediately when the event priority is alert level. It will not send alert mail immediately if the event priority is "Notice". 
    We would suggest setup syslog server to monitor user login event. When the keyword "has logged in SSLVPN" match, syslog server send alert mail to notify administrator.


    Hi Cooldia,
    Thanks for your reply. But is it adjustable which log entry should be handled as notice, info or alert? It would be very helpful to adjust this to our needs.

    Stanley wrote that with ZLD 4.65 only Admin account changes will be immediately treated as "alert" now. But we would prefer to get the opportunity to handle EACH login attempt as alert.

    Regarding ZLD 4.65 Stan wrote:

    Enhances admin-type user change logs to alert level




    BTW: As a small company we are not able to purchase and maintain servers for all possible tasks, like e.g. syslog server. Please take into considerations that the small USG series, like our USG110 is, because of its throughput and number of physical ports, intended for small business only without a big IT department or big IT budget. That's why simple notification opportunities, like email to administrators, are prefered.

    There will be bulk message if it send  mail every time, Maybe you can set up hourly email notification.

  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Relating to the recent security threat we would prefer to be immediately informed by email about any login attempt. And since we got max. 10 SSLVPN users, this would not be mail bulk in case the USG would send an email on each logon/off. Hourly transmissions of collected login attempts could be too late in case of illegal logins as reported in the community recently.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @USG_User,

    Thanks for your valuable feedback.  :)

    We will take that into consideration and discuss internally for future improvement

  • mMontana
    mMontana Posts: 1,380  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    The user creation and login notification via email would alert so much sooner the admins of USG and ATP

Security Highlight