Where can we see reports of unsuccessful logon attempts?

Noreen Lynch shared this idea 12 months ago
Idea Logged

We have a requirement from our users to audit any attempt to access Yellowfin, whether successful or unsuccessful. We know that successful attempts are logged in the Event table, and attempts to access the system with a valid logon but incorrect password are logged as well. However, in our testing we have not been able to capture attempts to access the system with an invalid logon, e.g. the nonsense user 'testtest'. How can we achieve this requirement?

Comments (24)

photo
0

Hi David,

Thank you for reaching out to us.

You are correct in your investigation that the Event table will show successful and unsuccessful logins for users who exist within the Yellowfin config DB. I am currently testing this process locally and will be reaching out to the wider team for additional input.

I will send you another update once I have completed my investigation.

Kind regards,

Nathan Goddard

photo
0

Hi David,

I have been looking into this and this information isn't logged within the database.

This behavior can be seen within the logs. If you go to the Yellowfin.log file you can see login attempts as below


YF:2019-10-21 18:52:27: INFO (LogonAction:?) - Logon Action entered
YF:2019-10-21 18:52:27: INFO (LogonAction:?) - Internal Entry Point for Logon
YF:2019-10-21 18:52:38: INFO (LogonAction:?) - Logon Action entered
YF:2019-10-21 18:52:38: INFO (LogonAction:?) - Internal Entry Point for Logon
YF:2019-10-21 18:52:46: INFO (LogonAction:?) - Logon Action entered
YF:2019-10-21 18:52:46: INFO (LogonAction:?) - Internal Entry Point for Logon
YF:2019-10-21 18:52:46: INFO (LogonAction:?) - logon authorised..


The first 4 lines show my login attempts with the username and password test, you can see that it doesnt actually return as a failure but only when a login is authorized does it produce an additional line. Which is shown in lines 5-7.

This also shows for failed LDAP authentication as seen below.

YF:2019-10-21 18:39:40: INFO (LogonAction:?) - Logon Action entered
YF:2019-10-21 18:39:40: INFO (LogonAction:?) - Internal Entry Point for Logon
YF:2019-10-21 18:39:40: INFO (LDAPAuthentication:authenticate) - Entered LDAPAuthentication plugin
YF:2019-10-21 18:39:40:ERROR (LDAPUtilService:connect) - LDAP authentication failed
YF:2019-10-21 18:39:40:ERROR (LDAPUtilService:connect) - LDAP authentication failed
YF:2019-10-21 18:39:40:ERROR (LDAPUtilService:connect) - Exception occured during LDAP authentication failed
YF:2019-10-21 18:39:40: INFO (LDAPAuthentication:authenticate) - Exiting LDAPAuthentication Plugin

This is currently the only method for capturing this activity. Please let me know if you have any questions regarding this.

Kind regards,

Nathan Goddard

photo
0

Hi Nathan – thanks for confirming. This information is crucial for auditing; can we log a request that this information be captured, and that by preference it should be captured in the ‘Event’ table for use by audit tools?

Thanks,

Dave

From: Support Queue <support@Yellowfin.bi>

Sent: Monday, October 21, 2019 2:06 PM

To: David Gallagher <dgallagher@CleverDevices.com>

Subject: Where can we see reports of unsuccessful logon attempts? [#15546]

photo
0

Hi David,

I have raised this as an enhancement on the following Idea;

https://community.yellowfinbi.com/topic/log-unsuccessful-login-attempts-of-non-users

This has been sent to our development team to review, all updates will be shared on the above idea ticket.

I have also made your CSM aware of this requirement.

This ticket will now be marked as completed.

Kind regards,

Nathan Goddard

photo
0

@Nathan, to add to this ticket - we've just done our own testing with a production customer. We are finding that LDAP logon failures are not present either in the Event table or in the logs. This is with the 20190131 build of Yellowfin 7.3, which contained LDAP changes that we had requested. Can you confirm this behavior with that build?

photo
0

Further, if a user uses their email address to logon (e.g. user@domain.org) with a bad password, we get a record in Event. We don't get anything at all, in the Event table or in the logs, if they use just the 'left' side of their credential, i.e. 'user'.

photo
0

Hi David,

Thank you for this additional testing information. I have updated the development ticket to make sure that both Yellowfin and LDAP authentication are logged in failure cases.

In regard to you second point of test with the users email and a bad password, would you be able to confirm your test case for me by answering the following questions;

1. Does a user with the email address user@domain.org exist within the YF system/LDAP? As in my testing this only recording in the event table if the user exists.

2. When you are referencing the 'left' side of their user credential have you setup within the login configuration to use the username rather than the email? In my testing if you set this to a username e.g. admin then success and failures will be recorded in the events table assuming that this is a valid username.

3. When you are testing the LDAP logins are you testing with valid and invalid users? Currently as with the Yellowfin authentication failures with addresses that do not exist are not currently stored but those are valid are shown in the events table. (Tested in 7.4.11, I am currently in the process of testing this in your specific build.)

Kind regards,

Nathan Goddard

photo
0

Hi David,

I hope you are well.

I have marked this ticket as completed and made sure that the enhancement ticket is up to date with your latest feedback.

Kind regards,

Nathan Goddard

photo
0

Hi Nathan,

I'm sorry I lost track of this ticket. I don't see how this isn't a bug, and why it is not scheduled for a future release. All failed logons should be logged, regardless of whether LDAP is used, or what username is being used to login

photo
0

I am reopening for this to be considered as a bug.

photo
0

Hi nlynch,

I hope all is well and apologies for the delay in responding, unfortunately Nathan is no longer working within the support team, hence me responding.

Going forward with this David I can see that Nathan raised this as an Enhancement. This still stands as this is a new feature required within the Yellowfin product;

Within the Yellowfin.log file you can see login attempts:

cf91c2f4275b2e2cb3b7bd7fe8cc8a26

I can place some notes with our development team to push this further if you require?

Regards,

Mark

photo
0

Hi Mark,

Our audit requirements do require us to have this information. We are currently using the Events table, parsing the logs I do not think would be acceptable for reporting purposes.

photo
0

Mark, is there a way to make me the owner of this ticket? Dave is no longer on our Reports team, and I'd like to add some more people to the discussion from my side.

photo
0

Hi Noreen,

I hope all is well,

I have gone ahead and made you author of this ticket, with this I have also put through some notes within this Enhancement ticket to try and get this looked at from our development team.

Going forward please check this idea ticket for future updates.

Regards,

Mark

photo
0

Hi Mark,

I believe some of the details in this ticket have gotten lost. I don't see all the issues mentioned in the enhancement ticket. The enhancement is only speaking about non-existent users. However, we are seeing big differences between LDAP and Yellowfin users.

I have tried using both email and user name as the logon method, with the appropriate LDAP configuration. Neither are logging failed logon attempts to the Event table.

I still don't see this as an enhancement. The behavior is very inconsistent depending on the type of user.

photo
0

Hi Noreen,

I hope all is well and apologies for the delay in responding... Going forward with this and using our enhancement ticket here, we could add additional information with that, to which would relate to LDAP Users i.e. type of user.

Would that help? Let me know.

Regards,

Mark

photo
0

Hi Mark,

I don't understand your last comment. What we are looking for is all failed logon attempts being written to the Event table. This includes non-existent users, LDAP users, regardless of whether Yellowfin is configured for email address logon or username logon.


Thanks!

photo
0

Hi Noreen,

Would a remote session be better so we can clear this up? Can I ask your availability for tomorrow? I am UK based.

Regards,

Mark

photo
0

Mark, would Friday morning work? I am available starting at 7:30 New York time.

photo
0

Hi Noreen,

Shall we do 08:00 New York time on Friday? That would be 13:00 UK Time.

Let me know.

Regards,

Mark

photo
0

Mark, that sounds fine.

photo
0

Hi Noreen,

Thank you for confirming, please see below for details;

Remote Session | Friday 25th September | 08:00 NY; 13:00 UK | Meeting Link here.

Regards,

Mark

photo
0

Hi Noreen,

Thank you for our call today, this allowed me to get a better understanding of your needs and requirements along with how important it is for you to have this feature for your clients.

Within this call we discussed my (YF) actions going forward to which I will be informing your CSM; Morgan a call today to discuss this further. We also discussed the need for this to be in our next release of version 8.

I (we) will update you asap with further developments.

Regards,

Mark

photo
0

Hi Noreen,

Further to our call last week... I reached out to the wider team within the USA to which Morgan (CSM) will be looking at what options we have and what we can do to get the ball rolling. She has made me aware she will be discussing this today. I (we) will continue to update you with news.

Regards,

Mark