Acreto Ecosystem Logs

Introduction to Logging and Integration with SIEM

Logs are the most straightforward and most essential tool for any service. They allow administrators to maintain health, security, and performance. Monitoring, troubleshooting, and threat detection may not be possible without them. Our platform offers robust logging capabilities that allow you to capture detailed event data, analyze it for meaningful insights, and integrate it with robust storage systems like Ceph for scalability and durability.

This section will explain the types of logs we collect and the essential functionality for using logs on the platform.

In this section:

Subsections of Acreto Ecosystem Logs

Acreto VPN Connections Log

Acreto VPN Connections Logs Introduction

In addition to the standard log views detailed in this article, Wedge offers a specialized view dedicated exclusively to VPN connection logs for users and devices (referred to as “things”). This feature provides a comprehensive overview of all active connections established through the Acreto Connect Client, presenting key details about each connection in a user-friendly format.

Logs - VPN Connections Panel Logs - VPN Connections Panel

Logs - VPN Connections Panel Logs - VPN Connections Panel

Features of the VPN Connections Logs View

The VPN Connections Logs view consolidates essential information about users and devices within the Acreto Ecosystem. The following details are available for each connection:

  • Username or Device: Indicates whether the connection is associated with a user profile or a thing.
  • Acreto Ecosystem IP Address: Displays the internal IP address assigned to the user or device within the ecosystem.
  • Profile Group: Identifies the group to which the user or device belongs.
  • Source IP Address: Shows the originating IP address of the connection.
  • Connection Time: Records the timestamp of when the connection was initiated.
  • MFA Status: Indicates whether Multi-Factor Authentication (MFA) is enabled for the connection.

Data Management

The VPN Connections Logs view is designed for flexibility and ease of use, offering the following features:

  • Sorting and Filtering: Users can sort and filter the displayed data by any of the available attributes, making it easy to pinpoint specific connections or trends.
  • Export Options: The data can be exported to CSV for analysis and to PDF for reporting or printing. This ensures compatibility with a variety of workflows and tools.

Use Cases

This perspective is especially beneficial for administrators seeking real-time insights into VPN activity within the Acreto Ecosystem. Typical scenarios include:

  • Observing active user connections for security and operational purposes.
  • Identifying anomalies, such as connections from unexpected locations or users without MFA enabled.
  • Generating reports for compliance audits or internal reviews.

Conclusion

The Acreto VPN Connections Logs view in Wedge provides a powerful and user-friendly interface for monitoring and managing VPN connections. By offering detailed insights and flexible data management options, this feature ensures that administrators have the necessary tools to maintain a secure and efficient ecosystem.

Acreto Wedge Logs

Acreto Wedge Logs Introduction

Acreto Wedge features a comprehensive logs panel that aggregates log data with real-time viewing capabilities, as well as advanced sorting and filtering options. To access the logs, simply log in to Wedge, scroll down the left-hand menu, and click on Logs.

Logs - Logs Panel Logs - Logs Panel

This section is organized into views based on the types of assets that generate the logs:

  • All: This view displays all logs produced by various components of the ecosystem.
  • Traffic: This view presents logs related to network traffic.
  • Gateways: This view gathers logs from all gateways within the ecosystem.
  • Users and Things: This section includes logs pertaining to user and device activity, such as VPN connections, MFA events, and user login issues.
  • VPN Connections: This view provides information on the status of all connected users and their VPN connections.

Search and Filter the Logs

Search and Filter the Logs

All views, except for VPN Connections, provide the option to search and filter logs. The search bar, positioned at the top of the screen, allows for flexible and detailed filtering based on all elements contained in the logs.

To start a search, click on the search field, select your preferred value, choose an operator, and enter the search term. As shown in the example below, you can combine multiple search criteria to refine the results.

Logs - Search and FIlter Logs - Search and FIlter

Once you select a value, the results will update instantly. You can remove any search criteria at any time by clicking the X button next to it.

Live View or Freeze

The logs view also offers the option to freeze the logs for closer inspection or to select an auto-refresh interval to track the real-time data flow. You can adjust this setting at any time by clicking the list and choosing your preferred option.

Logs - Live View or Freez Logs - Live View or Freez

Sumamry

The Acreto Wedge Logs panel provides a robust interface for real-time log monitoring and management. It can be accessed through the left-hand menu after logging into Wedge. The logs panel features various views based on different assets generating the logs, including All, Traffic, Gateways, Users and Things, and VPN Connections.

Users can utilize advanced search and filtering options to quickly narrow down log results by selecting specific values, operators, and search terms. The results update instantly and can be adjusted as needed. The platform also includes a Live View feature, enabling users to freeze logs for detailed inspection or set an auto-refresh interval to monitor real-time data flow. These features offer flexibility and ease of use for administrators seeking to manage and analyze log data efficiently.

SIEM and CEF integration

Introduction

In today’s cybersecurity and IT management landscape, log forwarding is essential for maintaining system integrity, detecting threats, and ensuring compliance with regulatory standards. Many organizations are increasingly adopting Security Information and Event Management (SIEM) systems to aggregate and analyze logs from various sources, providing better insights into potential threats. One of the most commonly used formats for managing event logs is the Common Event Format (CEF). This article will explore how to enhance log forwarding practices by integrating SIEM with the CEF format, while also optimizing performance, scalability, and security.

Before We Start - Four Things You Need to Know

  1. Importance of Logging

    Logging records information about events in IT systems, such as errors, user activities, and security incidents. It aids in troubleshooting, security monitoring, and regulatory compliance. Effectively managing and analyzing logs is challenging yet essential.

  2. What is SIEM?

    A Security Information and Event Management (SIEM) system centralizes log collection, analysis, and correlation. It allows for real-time monitoring, threat detection, and compliance reporting, providing a comprehensive view of your network’s security.

  3. Common Event Format (CEF)

    CEF standardizes log data, offering structured and consistent information for easier aggregation and analysis. Its real-time processing and extensive metadata make it perfect for SIEM systems.

Case Study - Export Acreto Logs to Splunk SIEM

Solawrind Papertrail is one of the most popular free SIEM solutions available on the web. What’s important for us is that this tool allows us to import logs in CEF, which makes it perfect for our example. This is just an example configuration—no matter what SIEM tool you use, the Acreto configuration part will be the same.

  1. Create a free account at Papertrail.
  2. Log in to your account at Papertrail Console.
  3. Click the “Add your first system” button. Logs - Add your first system button Logs - Add your first system button
  4. On the next screen, you will see a command to install the system daemon for Papertrail. All we need from this page is the URL address and port displayed at the top—remember/copy them, but don’t close this page! Logs - Add your first system button Logs - Add your first system button
  5. Log in to your Ecosystem on Wedge.
  6. In the side menu, choose Logs > Settings (1).
  7. Then, in the main part of the screen, click the +Add New (2) button to add a new destination for logs. Logs - Add logs destination Logs - Add logs destination
  8. Fill out the form with information from the Papertrail panel:
    1. Name - a name for the destination of the log
    2. Description - additional information about the log’s destination
    3. Protocol - for Papertrail, choose *Syslog (tcp+tls)
    4. Host - the host URL that you can find in the Papertrail panel
    5. Port - a port number available in the Papertrail panel. Logs - Add logs destination Logs - Add logs destination
  9. Click the Save button.
  10. Coming changes to the Ecosystem.
  11. Generate traffic at this Ecosystem to create new event logs - use a VPN connection or redirect traffic to the gateway.
  12. Return to the Papertrail panel - you should now see it has started receiving logs. Logs - Logs confirmation Logs - Logs confirmation
  13. Now, at the Papertrail panel, you can see all the logs in CEF format. Logs - Acreto logs in CEF format Logs - Acreto logs in CEF format

Conclusion

Acreto provides a seamless and efficient solution for integrating logs into SIEM tools using the Common Event Format (CEF). Acreto enhances security monitoring, threat detection, and compliance reporting by centralizing logs. Its ability to export logs in CEF format ensures compatibility with leading SIEM systems, allowing for real-time analysis and correlation of security events.

Key Benefits of Using Acreto with SIEM and CEF

  1. Standardized Log Format: Acreto’s support for CEF ensures structured and consistent event logging, making it easier to aggregate and analyze data across various platforms.
  2. Seamless SIEM Integration: Whether using Splunk, Papertrail, or any other SIEM solution, Acreto simplifies log export, requiring minimal configuration while maintaining high data integrity..
  3. Enhanced Security and Compliance: Acreto’s logging capabilities enable organizations to maintain security best practices and adhere to regulatory standards by providing real-time visibility into system events.

By leveraging Acreto’s powerful logging and SIEM integration features, organizations can improve their cybersecurity posture, enhance incident response capabilities, and gain deeper insights into their network activity.