One of the main uses for the system message log is to audit access policy decisions. Each time a user request matches a policy rule, the appliance writes an entry to the message text field (the last field in the message log) explaining the action taken.
A sample message for an access policy decision looks like this:
[09/Nov/2016:02:45:32.282637 +0000] E-Class SMASSLVPN 002421 ps 100004b3 Info EWACL User '(192.168.136.70 (Dominique Daba)@(Students)' connecting from '192.168.136.70:37975' matched rule 'accessRule(AV1091719670706:preauth access rule)', access to '127.0.0.1:455' is permitted.
For each connection request that matches a rule, a log message is generated at the Info level. Requests that don’t match a rule are logged at the Verbose level, and when no rule match is found the request is logged at the Warning level.
For policy decisions, the logging message text field (everything after Info in the previous example) includes the information shown in the Logging message text fields table.
Field | Description | Sample text
Log type | The access policy being evaluated. The log types are: | EWACL
User name | The user making the request. If the appliance is configured to use multiple realms, the user name appears in the format (user)@(realm). | User '(192.168.136.70 (Dominique Daba)@(Students)'
Source of request | The address of the user making the request. | connecting from '192.168.136.70:37975'
Match status | Rule match status (either Matched or No Match) and the ID of the rule. | matched rule 'accessRule(AV1091719670706:preauth access rule)'
Rule outcome | The action taken on the request (access permitted or denied). | access to '127.0.0.1:455' is permitted
Details | If the rule matched, this field is empty. If the rule did not match, one of the following messages appears: | (empty in the sample above)
If no rule matched, an Info-level message is generated indicating that no matching rule was found.
Examples
Example 1: Success at Info Level
[09/Nov/2016:02:45:32.712860 +0000] E-Class SMASSLVPN 002421 ps 10000531 Info Session Authentication for user '(192.168.136.70 (Guest))@(Students)' SUCCESS for realm 'Visitors'
Example 2: Failure at Info Level
[09/Nov/2016:04:27:40.965127 +0000] E-Class SMASSLVPN 002873 ps 00000003 Info WPACL User '(kevin figment)@(Students)' connecting from '192.168.136.70:0' found no matching access rule, access to 'www.seattletimes.com:80' is denied.
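As an added example, not part of the appliance documentation: a small Python parser that splits the message text field into the fields of the table above and picks out the entries an auditor would review first (denied access, or no rule matched). It assumes the header layout and the three log levels seen on this page; the sample lines are the ones quoted above, and Session authentication entries are deliberately skipped.

```python
import re
from typing import Optional

# Lines taken from the page above: a policy decision, a Session authentication
# entry (not a policy decision) and a no-match denial.
SAMPLE_LINES = [
    "[09/Nov/2016:02:45:32.282637 +0000] E-Class SMASSLVPN 002421 ps 100004b3 Info EWACL User '(192.168.136.70 (Dominique Daba)@(Students)' "
    "connecting from '192.168.136.70:37975' matched rule 'accessRule(AV1091719670706:preauth access rule)', access to '127.0.0.1:455' is permitted.",
    "[09/Nov/2016:02:45:32.712860 +0000] E-Class SMASSLVPN 002421 ps 10000531 Info Session "
    "Authentication for user '(192.168.136.70 (Guest))@(Students)' SUCCESS for realm 'Visitors'",
    "[09/Nov/2016:04:27:40.965127 +0000] E-Class SMASSLVPN 002873 ps 00000003 Info WPACL User '(kevin figment)@(Students)' "
    "connecting from '192.168.136.70:0' found no matching access rule, access to 'www.seattletimes.com:80' is denied.",
]
# Entry header: bracketed timestamp, appliance/process tokens, level (assumption: only the levels the page names), message text.
_HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<hdr>.*?)\s+(?P<level>Info|Verbose|Warning)\s+(?P<text>.*)$")
# Policy-decision text in the page's field order: log type, user name, source, match status, rule outcome, details.
_POLICY = re.compile(
    r"^(?P<logtype>\S+) User '(?P<principal>[^']+)' connecting from '(?P<src>[^']+)' "
    r"(?:matched rule '(?P<rule>[^']+)'|found no matching access rule), "
    r"access to '(?P<dest>[^']+)' is (?P<outcome>permitted|denied)\.?\s*(?P<details>.*)$"
)
_RULE = re.compile(r"accessRule\((?P<id>[^:]+):(?P<name>.*)\)$")

def parse_policy_decision(line: str) -> Optional[dict]:
    """Fields of one access-policy log line, or None for any other kind of entry."""
    h = _HEADER.match(line.strip())
    m = _POLICY.match(h["text"]) if h else None
    if not m:
        return None
    # Multi-realm deployments write the user as (user)@(realm): split on the last "@(".
    user, sep, realm = m["principal"].rpartition("@(")
    if not sep:
        user, realm = m["principal"], None
    else:
        user = user[1:-1] if user.startswith("(") and user.endswith(")") else user
        realm = realm.rstrip(")")
    rule = _RULE.match(m["rule"] or "")
    return {
        "timestamp": h["ts"], "level": h["level"], "log_type": m["logtype"],
        "user": user, "realm": realm, "source": m["src"], "matched": m["rule"] is not None,
        "rule_id": rule["id"] if rule else None, "rule_name": rule["name"] if rule else None,
        "destination": m["dest"], "outcome": m["outcome"], "details": m["details"] or None,
    }

def audit_exceptions(lines):
    """Entries an auditor reviews first: denied access, or requests that matched no rule."""
    decisions = filter(None, map(parse_policy_decision, lines))
    return [d for d in decisions if d["outcome"] == "denied" or not d["matched"]]
```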