Login failure events - SIEM integration
Original Question or Issue:
We integrated FileCloud with Splunk but the login failure events are not forwarded to the SIEM server.
Environment:
- Product - FileCloud Server
- Version - Any
- Platform - Any
Steps to Reproduce:
Integrate FileCloud with a SIEM server (for example Splunk), then attempt a login with wrong credentials: the failed login does not appear on the SIEM server.
Error or Log Message:
Login failure events are not sent to the SIEM server.
Defect or Enhancement Number:
Cause:
Configuration: the SIEM audit map shipped with FileCloud contains no mapping for login events, so they are never forwarded.
Resolution or Workaround:
Please note that by default login events (including login failures) are not forwarded to the SIEM server.
Enable forwarding by adding the mapping below to the SIEM audit map on every FileCloud application node; a node that does not carry the mapping will not forward its login events:
// User login details: forward login events (the audit map has no such
// mapping by default). The $-prefixed names are placeholders that FileCloud
// fills in from the audit record when it builds the SIEM event.
$mappings[] = [
    'id'        => 'loginguest',
    'prefilter' => [],                        // empty prefilter: no filtering before mapping
    'map'       => [
        'eventClass' => 'loginguest',
        'eventName'  => '$operation',         // audit operation name
        'severity'   => 2,
        'extension'  => [
            'suser'                    => '$userName',   // user who attempted the login
            'requestClientApplication' => '$userAgent',  // client user agent
            'src'                      => '$ip',         // source IP address of the attempt
            'msg'                      => '$notes'       // audit notes for the event
        ]
    ]
];
Notes:
The SIEM configuration file location:
Linux: /var/www/html/app/siem/maps/auditmap.php
Windows: <Drive_Letter>:\xampp\htdocs\app\siem\maps\auditmap.php
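As an added check, not part of the FileCloud article: a POSIX shell script that verifies the loginguest mapping is actually present in auditmap.php (and that the file still passes `php -l` when a php binary is on the PATH), either on the local node or over ssh on each application node. The script name, the AUDITMAP variable and the host names are assumptions; the default path is the Linux location given above.

```shell
#!/bin/sh
# Added example, not part of the FileCloud KB article: confirm that the
# loginguest mapping is present in auditmap.php. The mapping has to exist on
# every application node, otherwise that node's login events are never forwarded.

# Default path from the article (Linux); override for Windows/XAMPP.
AUDITMAP="${AUDITMAP:-/var/www/html/app/siem/maps/auditmap.php}"

# check_auditmap FILE
# Returns 0 when FILE contains the loginguest mapping and, if php is available,
# passes a syntax check; returns 1 otherwise (reason printed on stderr).
check_auditmap() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "check_auditmap: cannot read $f" >&2
        return 1
    fi
    if ! grep -q "'id' *=> *'loginguest'" "$f"; then
        echo "check_auditmap: no loginguest mapping in $f" >&2
        return 1
    fi
    # A syntax error here breaks the whole SIEM forwarder, not just the new mapping.
    if command -v php >/dev/null 2>&1; then
        if ! php -l "$f" >/dev/null 2>&1; then
            echo "check_auditmap: php -l failed for $f" >&2
            return 1
        fi
    fi
    return 0
}

# check_nodes "host1 host2 ..."
# Runs the presence check over ssh on each application node (host names are an
# assumption; supply your own). Returns 1 if any node lacks the mapping.
check_nodes() {
    rc=0
    for host in $1; do
        if ssh "$host" "grep -q \"'id' *=> *'loginguest'\" '$AUDITMAP'"; then
            echo "$host: loginguest mapping present"
        else
            echo "$host: loginguest mapping MISSING" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_auditmap.sh [FILE]    or    sh check_auditmap.sh --nodes "app1 app2"
if [ "${1:-}" = "--nodes" ]; then
    check_nodes "${2:-}"
elif [ $# -gt 0 ]; then
    check_auditmap "$1"
fi
```

Run it once per node after editing the file; a non-zero exit on any node means that node will keep dropping login events even though the others forward them.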