Logging
Logging is important - we love logging.
Because of this, we have included log output that is easy to find, follow and parse, providing an additional layer of visibility across your Knocknoc users, including administrative functions.
Importantly, Knocknoc events include a string "KnocKnocEvent" followed by a collection of relevant key/value pairs, which can be parsed out by your favourite log aggregator or SIEM, or easily searched through syslog. For example:
KnocKnocEvent=LoginUser User=demouser ip=1.2.3.4 UserType=local handler=handleLogin request_id=cv041e4nqrrqhd74hk4g uid=0194cebb-506f-7769-bd65-b57b9bc3a4c0
| KnocKnocEvent | Event | Additional data |
|---|---|---|
| | Successful user/admin login; Successful user/admin logout | Username, IP Address, Auth type (eg: SAML, Local), UID/internal user-id, request_ID for tracking linked events |
| | Granting of access to users, via Agents; Manual (click to grant) interactions; Additional IPs discovered as part of port-walking | Username, IP Address, Auth type (eg: SAML, Local), UID, ACL Name, ACLID, Request_ID; Any additional IPs in the case of PortWalkGrant |
| AllowlistRetrieved | API-based AllowLists successfully retrieved by consumers, eg: firewalls polling EDLs | ACL Name, IP Address (of consumer), ACLID, Format (txt/json), Request_ID |
| TOTPInvalid, TOTPInvalidUser, TOTPValidAdmin, TOTPValidUser | Invalid TOTP provided (on valid Password); Valid TOTP provided. Note: local users only, does not appear from SAML. | Username, request_ID |
| Audit events for logging of system/data change: | Create entities; Delete entities; Update entities; Reset TOTP for local users/admins | Includes related information, including: Entity type (eg: user, agent, ACL, etc), Entity name (eg: Bob User), Performing user (eg: Jane Admin), IP address, internal IDs, request_ID |
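
An added example (not part of the Knocknoc documentation or code): a small Python parser for the KnocKnocEvent key/value format shown above, which groups events by request_id and flags users with repeated TOTPInvalid events. The field names on the TOTPInvalid lines, the syslog prefix, the double-quoting of values containing spaces and the threshold of 3 are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# A value is double-quoted or a run of non-space characters. Quoting of values
# that contain spaces (e.g. an ACL name) is an assumption, not documented here.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_event(line):
    """Return the key/value pairs of a Knocknoc event line, or None if it is not one."""
    start = line.find("KnocKnocEvent=")
    if start < 0:
        return None
    fields = {}
    for key, value in PAIR.findall(line[start:]):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields.setdefault(key, value)  # first occurrence of a key wins
    return fields if "KnocKnocEvent" in fields else None

def summarise(lines, threshold=3):
    """Group event names by request_id and list users with repeated TOTPInvalid."""
    by_request = defaultdict(list)
    invalid_totp = Counter()
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        by_request[event.get("request_id")].append(event["KnocKnocEvent"])
        if event["KnocKnocEvent"] == "TOTPInvalid":
            invalid_totp[event.get("User", "?")] += 1  # "User" key assumed
    flagged = sorted(u for u, n in invalid_totp.items() if n >= threshold)
    return dict(by_request), flagged

# Constructed sample: the first event is the page's example behind a made-up
# syslog prefix; the TOTPInvalid lines and their field names are assumptions.
SAMPLE = [
    "Jan  1 10:00:00 host1 knocknoc: KnocKnocEvent=LoginUser User=demouser "
    "ip=1.2.3.4 UserType=local handler=handleLogin "
    "request_id=cv041e4nqrrqhd74hk4g uid=0194cebb-506f-7769-bd65-b57b9bc3a4c0",
    "Jan  1 10:01:00 host1 knocknoc: KnocKnocEvent=TOTPInvalid User=alice request_id=req-0001",
    "Jan  1 10:01:05 host1 knocknoc: KnocKnocEvent=TOTPInvalid User=alice request_id=req-0002",
    "Jan  1 10:01:09 host1 knocknoc: KnocKnocEvent=TOTPInvalid User=alice request_id=req-0003",
    "Jan  1 10:02:00 host1 sshd[101]: unrelated line without the marker",
]

if __name__ == "__main__":
    requests, flagged = summarise(SAMPLE)
    print(flagged, requests["cv041e4nqrrqhd74hk4g"])
```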