Security Log Reference
Coginiti provides comprehensive security logging to help organizations meet compliance requirements and monitor security-related events. The Security Log feature creates detailed audit trails for authentication, authorization, data access, and administrative activities.
Overview
The security log captures all security-related events in a structured format, providing organizations with:
- Compliance support for regulatory requirements (SOX, GDPR, HIPAA, etc.)
- Security monitoring for threat detection and investigation
- Audit trails for data access and administrative actions
- Forensic analysis capabilities for incident response
Log File Location
Security events are written to a dedicated log file:
- File name: security.log
- Location: Same directory as other Coginiti log files
- Format: Common Event Format (CEF)
- Rotation: Automatic log rotation based on size and retention policies
Log Entry Format
All security events use the Common Event Format (CEF) standard:
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
CEF Header Components
| Component | Value | Description |
|---|---|---|
| Version | 0 | CEF format version |
| Device Vendor | Coginiti | Product vendor |
| Device Product | Coginiti Team/Enterprise | Product name |
| Device Version | 1.12.12 | Application version |
| Device Event Class ID | 0-10 | Event identifier |
| Name | Event Name | Human-readable event name |
| Severity | 0-4 | Event severity level |
Severity Levels
| Level | Name | Description |
|---|---|---|
| 0 | LOW | Informational events, normal operations |
| 4 | MEDIUM | Events requiring attention or monitoring |
Security Events Reference
Login Events
UserLoginSuccess (Event ID: 0)
Successful user authentication to the system.
Severity: LOW
Category: Login
Key Fields:
- address: Client IP address
- outcome: SUCCESS
Example:
CEF:0|Coginiti|Coginiti Team|1.12.12|0|0|UserLoginSuccess|timestamp=2025-02-25 18:08:03 user=admin address=192.168.1.100 outcome=SUCCESS
UserLoginFailure (Event ID: 1)
Failed user authentication attempt.
Severity: MEDIUM
Category: Login
Key Fields:
- address: Client IP address
- failureReason: Reason for authentication failure
- outcome: FAILURE
Example:
CEF:0|Coginiti|Coginiti Team|1.12.12|1|4|UserLoginFailure|timestamp=2025-02-25 18:08:03 user=admin failureReason=Invalid Credentials address=192.168.1.100 outcome=FAILURE
AuthorizationTokenExpired (Event ID: 2)
User authorization token has expired.
Severity: LOW
Category: Login
Key Fields:
- tokenId: Unique identifier for the expired token
- reason: Reason for token expiration
Example:
CEF:0|Coginiti|Coginiti Team|1.12.12|2|0|AuthorizationTokenExpired|timestamp=2025-02-25 18:08:03 user=admin tokenId=abc123-def456-ghi789 reason=Token lifetime exceeded
UserLogout (Event ID: 3)
User logout from the system.
Severity: LOW
Category: Login
Key Fields:
- sessionId: Unique session identifier
- outcome: SUCCESS
Example:
CEF:0|Coginiti|Coginiti Team|1.12.12|3|0|UserLogout|timestamp=2025-02-25 18:08:03 user=admin sessionId=sess_abc123def456 outcome=SUCCESS
Query Execution Events
DataQueryExecuted (Event ID: 4)
Successful execution of a data query.
Severity: LOW
Category: Execution
Key Fields:
- sourceQuery: The SQL query that was executed
- outcome: SUCCESS
Example:
CEF:0|Coginiti|Coginiti Team|1.12.12|4|0|DataQueryExecuted|timestamp=2025-02-25 18:08:03 user=admin sourceQuery=SELECT * FROM users WHERE active = true outcome=SUCCESS
DataQueryAttemptFailure (Event ID: 5)
Failed attempt to execute a data query.
Severity: MEDIUM
Category: Execution
Key Fields:
- sourceQuery: The SQL query that failed
- failureReason: Reason for query failure
- outcome: FAILURE
Example:
CEF:0|Coginiti|Coginiti Team|1.12.12|5|4|DataQueryAttemptFailure|timestamp=2025-02-25 18:08:03 user=admin sourceQuery=SELECT * FROM sensitive_data failureReason=Access denied to table outcome=FAILURE
DataExport (Event ID: 6)
Data export operation performed by user.
Severity: LOW
Category: Execution
Key Fields:
- exportFormat: Format of exported data (CSV, Excel, etc.)
- exportLocation: File path or location of export
- outcome: SUCCESS
Example:
CEF:0|Coginiti|Coginiti Team|1.12.12|6|4|DataExport|timestamp=2025-02-25 18:08:03 user=admin exportFormat=CSV exportLocation=/exports/data_2025_02_25.csv outcome=SUCCESS
Access Control Events
UserRoleGranted (Event ID: 7)
Administrative action granting a role to a user.
Severity: MEDIUM
Category: Access
Key Fields:
- targetUserName: User receiving the role
- assignedRole: Role being granted
- outcome: SUCCESS
Example:
CEF:0|Coginiti|Coginiti Team|1.12.12|7|4|UserRoleGranted|timestamp=2025-02-25 18:08:03 user=admin targetUserName=john.doe assignedRole=ANALYST outcome=SUCCESS
UserRoleRevoked (Event ID: 8)
Administrative action revoking a role from a user.
Severity: MEDIUM
Category: Access
Key Fields:
- targetUserName: User losing the role
- revokedRole: Role being revoked
- outcome: SUCCESS
Example:
CEF:0|Coginiti|Coginiti Team|1.12.12|8|4|UserRoleRevoked|timestamp=2025-02-25 18:08:03 user=admin targetUserName=john.doe revokedRole=ANALYST outcome=SUCCESS
GroupMembershipAdded (Event ID: 9)
User added to a group.
Severity: LOW
Category: Access
Key Fields:
- groupName: Name of the group
- addedMember: User being added to the group
- outcome: SUCCESS
Example:
CEF:0|Coginiti|Coginiti Team|1.12.12|9|0|GroupMembershipAdded|timestamp=2025-02-25 18:08:03 user=admin groupName=DataAnalysts addedMember=jane.smith outcome=SUCCESS
GroupMembershipRemoved (Event ID: 10)
User removed from a group.
Severity: LOW
Category: Access
Key Fields:
- groupName: Name of the group
- removedMember: User being removed from the group
- outcome: SUCCESS
Example:
CEF:0|Coginiti|Coginiti Team|1.12.12|10|0|GroupMembershipRemoved|timestamp=2025-02-25 18:08:03 user=admin groupName=DataAnalysts removedMember=jane.smith outcome=SUCCESS
Common Fields
All security log entries include these standard fields:
| Field | Description | Example |
|---|---|---|
| timestamp | Event occurrence time (UTC) | 2025-02-25 18:08:03 |
| user | Username performing the action | admin |
| outcome | Event result | SUCCESS, FAILURE |
Event Categories
Security events are organized into logical categories:
Login Category
- User authentication events
- Session management
- Token lifecycle events
Execution Category
- Data query operations
- Export activities
- Script executions
Access Category
- Role assignments and revocations
- Group membership changes
- Permission modifications
Integration and Analysis
SIEM Integration
The CEF format enables easy integration with Security Information and Event Management (SIEM) systems:
- Splunk: Native CEF parsing support
- IBM QRadar: Built-in CEF connectors
- ArcSight: Standard CEF ingestion
- Elastic Security: CEF parsing modules
Log Analysis Queries
Failed Login Attempts
# Find failed login attempts dated today or yesterday (covers the last 24 hours; GNU date syntax)
grep "UserLoginFailure" security.log | grep -E "timestamp=($(date '+%Y-%m-%d')|$(date -d '1 day ago' '+%Y-%m-%d'))"
Data Access Patterns
# Find all data queries by a specific user (anchored so that similar usernames such as john.doe2 are not matched)
grep "DataQueryExecuted" security.log | grep -E "user=john\.doe( |$)"
Administrative Actions
# Find all role changes
grep -E "(UserRoleGranted|UserRoleRevoked)" security.log
Export Activities
# Find all data exports
grep "DataExport" security.log
Compliance Reporting
The security log supports various compliance frameworks:
SOX Compliance
- Data access tracking
- Administrative change auditing
- User activity monitoring
GDPR Compliance
- Data processing activities
- Access control changes
- Data export tracking
HIPAA Compliance
- PHI access logging
- User authentication tracking
- Administrative audit trails
Configuration
Log Retention
Configure log retention policies based on compliance requirements:
- Default retention: 90 days
- Compliance retention: 7 years (configurable)
- Archive options: Compressed storage, external systems
Log Rotation
Automatic log rotation prevents disk space issues:
- Size-based rotation: 100MB per file (default)
- Time-based rotation: Daily rotation option
- Retention count: Number of rotated files to keep
Performance Considerations
Security logging is designed for minimal performance impact:
- Asynchronous logging: Non-blocking event capture
- Buffered writes: Optimized I/O operations
- Configurable levels: Adjust logging verbosity
Monitoring and Alerting
Critical Events
Set up monitoring for high-priority security events:
- Multiple failed logins: Potential brute force attacks
- Privilege escalations: Unexpected role assignments
- After-hours access: Unusual activity patterns
- Export anomalies: Large or unusual data exports
Alert Thresholds
Recommended alerting thresholds:
| Event Type | Threshold | Action |
|---|---|---|
| Failed Logins | 5 per user per hour | Alert security team |
| Role Changes | Any administrative change | Log and review |
| Data Exports | Exports > 10MB | Manager notification |
| After-Hours Access | Access outside business hours | Security review |
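As an added example (not part of Coginiti's documentation or product code), the following Python parses records in the layout used by the example lines on this page and applies the "5 failed logins per user per hour" threshold from the table above as a sliding window. Note that the example lines on this page place the severity before the event name while the header definition lists Name before Severity; the parser follows the example lines, so swap the last two entries of HEADER if your records follow the header definition. The usernames, timestamps and sample records are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HEADER = ("version", "vendor", "product", "device_version", "event_id", "severity", "name")

def parse_cef(line):
    """Header fields plus extension dict; header order follows this page's example lines."""
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7) if line.startswith("CEF:") else []
    if len(parts) != 8:  # '\|' is an escaped pipe and does not split
        raise ValueError("not a well-formed CEF record")
    record, ext = dict(zip(HEADER, parts[:7])), parts[7]
    # A key is a bare word directly followed by '='; the value runs to the next key,
    # so the ' = ' inside a sourceQuery value is not mistaken for a delimiter.
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        record[m.group(1)] = ext[m.end():end].strip()
    return record

def failed_login_alerts(lines, threshold=5, window=timedelta(hours=1)):
    """Page's 'Failed Logins: 5 per user per hour' rule, sliding window; lines must be chronological."""
    recent, alerts = defaultdict(deque), []
    for line in lines:
        rec = parse_cef(line)
        if rec["name"] != "UserLoginFailure":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
        q = recent[rec["user"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((rec["user"], rec["timestamp"]))
            q.clear()  # one alert per burst
    return alerts

def _fail(ts, user):  # constructed UserLoginFailure record in the page's layout
    return ("CEF:0|Coginiti|Coginiti Team|1.12.12|1|4|UserLoginFailure|"
            f"timestamp={ts} user={user} failureReason=Invalid Credentials "
            "address=192.168.1.100 outcome=FAILURE")

SAMPLE_LOG = [  # constructed; hypothetical users, one query record mixed in
    _fail("2025-02-25 18:00:03", "mallory"), _fail("2025-02-25 18:10:03", "mallory"),
    "CEF:0|Coginiti|Coginiti Team|1.12.12|4|0|DataQueryExecuted|timestamp=2025-02-25 "
    "18:05:00 user=admin sourceQuery=SELECT * FROM users WHERE active = true outcome=SUCCESS",
    _fail("2025-02-25 18:20:03", "bob"), _fail("2025-02-25 18:25:03", "mallory"),
    _fail("2025-02-25 18:30:03", "mallory"), _fail("2025-02-25 18:40:03", "mallory"),
]
```

Running `failed_login_alerts(SAMPLE_LOG)` flags mallory at the fifth failure within the hour and leaves bob's single failure alone; feed the real security.log line by line for the same result.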
Best Practices
Security Monitoring
- Regular review: Establish periodic log review processes
- Automated analysis: Use SIEM tools for pattern detection
- Incident response: Integrate logs into incident workflows
- Baseline establishment: Know normal activity patterns
Compliance Management
- Retention policies: Align with regulatory requirements
- Access controls: Protect log files from tampering
- Regular audits: Verify logging completeness
- Documentation: Maintain audit procedures
Performance Optimization
- Log rotation: Prevent large file accumulation
- Archive strategy: Move old logs to cheaper storage
- Monitoring: Track log file growth patterns
- Capacity planning: Plan storage requirements
Troubleshooting
Common Issues
Log File Not Found
Symptom: security.log file doesn't exist
Solution: Check application configuration and file permissions
Missing Events
Symptom: Expected events don't appear in logs
Solution: Verify logging configuration and application version
Performance Impact
Symptom: Application slowdown during high activity
Solution: Check log rotation settings and disk I/O capacity
Parse Errors in SIEM
Symptom: CEF events not parsing correctly
Solution: Verify CEF format compatibility with SIEM version
Log Validation
Verify security logging is working correctly:
- Test authentication: Perform login/logout and verify events
- Execute queries: Run test queries and check execution logs
- Modify permissions: Change user roles and verify access events
- Export data: Perform exports and verify export events
Support
For security logging issues:
- Support: support.coginiti.co
- Community: Ask questions on Stack Overflow
Security logs are essential for maintaining a secure and compliant data environment. Regular monitoring and analysis of these logs helps ensure the integrity and security of your Coginiti deployment.