08-29-2018 09:15 AM
How do I stop users who are working on servers from appearing in the logs as matched user-id users?
Rob
08-29-2018 01:03 PM
Best way for me was to only allow server admin via a server admin account. Then add them to the user ignore list.
08-29-2018 01:40 PM
I didn't go quite as far as @Mick_Ball; but I did give everyone a separate 'server-admin' account so that I could ignore just those users with the user ignore list.
08-31-2018 03:52 AM
Ahh right, had not spotted the ignore list.
Guess it will be good for 99% of what we do.
Rob
08-31-2018 09:39 AM
Hello,
What we did (it was unintentional, but it would work in this case) was to only look at Exchange logs. Since our admin accounts don't have email accounts and we don't allow Outlook on servers, we don't see user-IDs on servers since moving away from Active Directory lookups.
Just a thought.
09-01-2018 05:10 AM
... or you simply exclude the server networks from user-id. This way these users still show up in the logs when they work from a computer in a client network.
09-01-2018 10:59 AM
Hmmm so what is the other 1%......
09-02-2018 11:15 AM - edited 09-02-2018 11:35 AM
That's a valid point @ce1028, but we never allow our servers to connect to tinternet.
As soon as a valid user is associated with the server it goes off and does all manner of things..
We could have achieved this via security policy, but ignoring users works for us; not everybody's cup of tea...
Others may have different reasons.
09-03-2018 12:56 AM
We have servers that get DNS (this is required to make the world work)
We have servers that connect to SMTP ( e-mail seems to be a requirement of modern living)
Servers that transfer business related files ( SFTP, FTPS, ETC...)
All these run as service accounts; they don't generate a USER-ID...
As soon as an admin logs in, they become the associated user of this "server" traffic. Anything they may really be initiating gets lost. So it's a bit pointless.
09-03-2018 01:32 AM
@RobinClayton wrote: As soon as an admin logs in, they become the associated user of this "server" traffic. Anything they may really be initiating gets lost. So it's a bit pointless.
That's why we exclude the server networks completely. All servers have specific firewall rules for exactly what they need, without internet access. The logins on the servers are restricted to the users that really need to install/change something on the servers, so it isn't possible that an admin from team A connects to a server of team B. So at least in our case it makes more sense to exclude the networks instead of the users; just in case an admin somehow logs in on a device located in the client network, we will see this also in the firewall logs.
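The thread contrasts two ways of keeping server traffic from being attributed to an admin: putting dedicated server-admin accounts on the user ignore list (@Mick_Ball, @Mark_Rasi) or excluding the server networks from User-ID entirely (@Remo). The following is an added example, not code from the thread or from Palo Alto Networks, that applies both policies to a handful of constructed IP-to-user mappings so the difference is visible: the ignore list hides the admin account everywhere, while the network exclusion keeps the same account visible when it logs in from a client subnet. The "ip,user,source" layout, account names and subnets are all assumptions made up for the example.

```python
"""Added example (not from the thread): compare two User-ID hygiene policies on
constructed sample mappings.

Policy A: drop mappings for dedicated server-admin accounts (user ignore list).
Policy B: drop mappings whose IP lies in a server network (exclude networks).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample values: hypothetical dedicated server-admin accounts.
IGNORE_USERS = {"corp\\sa-rob", "corp\\sa-mick"}

# Constructed sample values: hypothetical server subnets to exclude from mapping.
SERVER_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.21.5.0/24"),
]

# Constructed sample mappings in a hypothetical "ip,user,source" layout.
# 192.168.50.0/24 plays the role of a client network here.
SAMPLE_MAPPINGS = """\
10.20.1.15,corp\\sa-rob,security-log
10.20.1.15,corp\\svc-backup,security-log
192.168.50.23,corp\\rob,exchange
192.168.50.77,corp\\sa-rob,security-log
10.21.5.9,corp\\alice,exchange
"""


@dataclass(frozen=True)
class Mapping:
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    user: str
    source: str


def parse_mappings(text: str) -> list[Mapping]:
    """Parse the constructed CSV-like layout, skipping blank lines.
    Usernames are lower-cased so comparisons are case-insensitive."""
    out: list[Mapping] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, user, source = (f.strip() for f in line.split(",", 2))
        out.append(Mapping(ipaddress.ip_address(ip), user.lower(), source))
    return out


def apply_ignore_users(mappings: list[Mapping], ignore_users: set[str]) -> list[Mapping]:
    """Policy A: keep every mapping whose user is not on the ignore list."""
    ignored = {u.lower() for u in ignore_users}
    return [m for m in mappings if m.user not in ignored]


def apply_exclude_networks(mappings: list[Mapping], networks) -> list[Mapping]:
    """Policy B: keep every mapping whose IP is outside all server networks."""
    return [m for m in mappings if not any(m.ip in net for net in networks)]


def compare_policies(text: str = SAMPLE_MAPPINGS) -> dict[str, list[str]]:
    """Return the 'ip user' pairs that survive under each policy."""
    mappings = parse_mappings(text)

    def fmt(ms: list[Mapping]) -> list[str]:
        return [f"{m.ip} {m.user}" for m in ms]

    return {
        "ignore_users": fmt(apply_ignore_users(mappings, IGNORE_USERS)),
        "exclude_networks": fmt(apply_exclude_networks(mappings, SERVER_NETWORKS)),
    }


if __name__ == "__main__":
    for policy, kept in compare_policies().items():
        print(policy)
        for entry in kept:
            print("   ", entry)
```

Run it and compare the two lists: under `ignore_users` the `sa-rob` login from the client network (192.168.50.77) disappears along with the one on the server, whereas under `exclude_networks` the server-side entries vanish but the client-network login of `sa-rob` is still there, which is exactly the visibility @Remo wants to keep.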
09-03-2018 02:44 PM
@Remo unrelated to the topic I guess, but are you using virtual firewalls to control that server access?
09-04-2018 09:10 AM
In most cases physical firewalls (with vsys enabled).
Are you asking about the access from the servers or the access to the servers? The second is also restricted with groups on the servers itself to the people that need access.