UCX Suite Audit Trails Management
Introduction
Imagicle UCX Suite can generate both a CSV file including major Audit events and it can send Audit events to an external SIEM (Security Information and Event Management) by leveraging Syslog protocol.
Both above audit methods are accessible by Users with Complete User Management role, by clicking on Administration → Audit Trail web menu.
Enable and configure CSV-based Audit Trail
Auditing is disabled by default. It can be enabled accessing the Audit Trail menu and flagging the relevant checkbox, then saving.
Once Auditing has been enabled, is it not possible to disable it, for security reasons. Please contact Imagicle Support for more details.
Data retention period in days is configurable. If left to 0, the retention is unlimited and it might impact DB storage.
Data purge (audit events and login/logout events) is automatically performed every 24 hours, at 01:30 am (not configurable).
Login/logout Audit Events
Auditing is tracking all accesses to Imagicle web portal, Imagicle gadgets and UCX Console, including the following authentication type: SSO, AD/LDAP, CUCM, Windows Integrated, Local user
The login / login failed / logout auditing records the following info:
Audit event | Application | Action | Username | Client IP | Authentication type | Long session |
Login from Suite Web portal or gadgets | Suite | User login | the username | client’s IP address | the authentication type | true if a long session has been started, false otherwise |
Login from UCX Console | UCX Agent/Attendant Console | User login | the username | Workstation IP address | the authentication type | false |
Login failed from Suite Web portal or gadgets | Suite | User login failure | the username entered for the login attempt | client’s IP address | the authentication type | |
Login failed from UCX Console | UCX Agent/Attendant Console | User login failure | the username entered for the login attempt | Workstation IP address | the authentication type | |
Logout from Suite Web portal or gadgets | Suite | User logout | the username | client’s IP address | ||
Logout from UCX Console | UCX Agent/Attendant Console | User logout | the username | Workstation IP address |
Notes
There is no distinction between login events on the web portal and on the gadgets.
Only actual logins are traced: no new events are audited if a user accesses the portal/gadget again within the session timeout (i.e. after the first time he doesn’t need to log in again)
Currently no login events are traced for Imagicle One Desktop or Print To Fax.
Login failure events only track failed attempts for incorrect password, not for invalid user name
Internal service-to-service authentications are not expected to be present in audit log
Download
In case audit is enabled, a new “Download audit logs” section appears in its configuration page, as per below.
from this page you can download a CSV file including all recorded audit events, optionally filtered by:
time
tenant (only in case of multi-tenant installations)
applications
CSV file format as follows:
Application Id: UCX application ID for the event
Timestamp (Server Time Zone): time when the event occurred
Username: Username of the event user
First name: Name of the event user
Last name: Surname of the event user
Tenant: Tenant of the event user
Action: Type of action (i.e. Play recording)
Client IP: workstation IP where the action causing the audit event was made
UCX Suite Node: node where the action causing the audit event was made
Details: Details of the particular event. "Details" column format changes according to the specific event (i.e. for an "Un-preserve recording" event the format is as follows:
Recording Id {c333d58a-7ba6-4d69-91e4-175816aa5d0b}, Recording PBX Call Id {28787197}, Recording duration {00:00:01.9674372}, Recording Ref. Number {2019000000003}, Recording start time (Server Time Zone) {2019-01-07T11:18:16.1670000+01:00}, Recording owner username {u205}, Recording owner first name {Utente}, Recording owner last name {Duecentocinque}, Recording group {Group1}
In case of scheduled reports, audit is generated only if UCX Suite outbound email notifications are enabled and an actual email is sent.
Enable and configure Syslog-based Audit Trail
Syslog Auditing is disabled by default. It can be enabled by accessing the Audit Trail menu and flagging the relevant checkbox, then saving.
The following parameters must be added, before enabling the feature:
Enable: Toggle on the Syslog events sending
Host: SIEM Server’s IPv4 or IPv6 or FQDN
Protocol: you can choose among UDP, TCP or TCP-TLS
Port: Transport port used by the SIEM appliance
Message format: Choose between JSON or CEF, depending on SIEM support.
Once Syslog Audit has been enabled, is it not possible to disable it, for security reasons. Please contact Imagicle Support for more details.
A Send test message button is available, to immediately check SIEM server reachability. This button works for TCP and TCP-TLS transport protocols only. Test message is not formatted as CEF or JSON: it just includes a test string.
Successful test result
Unsuccessful test result
Before enabling Syslog Audit leveraging TCP-TLS transport, please make sure SIEM server includes a trusted Digital Certificate. If not, then please contact Imagicle Support to enable Self-Signed certificates acceptance.
SIEM Efficiency caveats
If the SIEM does not promptly “digest” Audit events sent by Imagicle UCX Suite, it might happen that some events are lost. If this is happening, it is possible to tweak the events' queue size and the retry interval. Please contact Imagicle Support for more details.