HySecure Gateway Logs - A Comprehensive Guide
Introduction
HySecure Gateway by Accops is a secure remote access solution that provides users with safe access to enterprise applications and data. Effective monitoring and analysis of logs are essential for maintaining security, troubleshooting issues, and ensuring optimal performance.
This guide provides a comprehensive overview of the various logs generated by the HySecure Gateway and HyID systems, helping administrators effectively monitor, troubleshoot, and secure their environment.
Prerequisites
- HySecure Gateway (latest version recommended)
- Administrative credentials for the HySecure Gateway
- Windows Workspace client (latest version) for gateway access
- Basic understanding of network security concepts and log analysis
Accessing Logs
Most logs can be accessed through the HySecure Management Console:
- Log in to the HySecure Management Console with admin credentials.
- Navigate to the Reports & Logs section.
- Select the specific log type you wish to view.
- Use filtering options to narrow down results by date, severity, or other parameters.
Some system-level logs require SSH access to the appliance and appropriate permissions.
HySecure Logs Overview
Endpoint Security Logs
Description: Records details of endpoint security events and compliance checks.
Information Captured:
- Username and user details
- IP and MAC addresses
- Security status and scan results
- Error codes related to security checks
- Timestamps of events
Common Uses:
- Verifying endpoint compliance with security policies
- Tracking security check failures
- Identifying devices with outdated security software
Turbo Logs
Description: Captures information about Turbo Tunnel access control and peer management.
Information Captured:
- Access control list
- User peer additions and removals
- Connection establishment details
- Tunnel creation and termination events
Common Uses:
- Troubleshooting connection issues
- Monitoring peer management
- Verifying proper tunnel establishment
Max Concurrent Users Logs
Description: Provides information about peak user concurrency during specified intervals.
Information Captured:
- Maximum number of concurrent users
- Timestamp of peak usage
Common Uses:
- Capacity planning
- Usage pattern analysis
Tomcat Logs
Description: Records server activities related to the Management Console and HyLite Portal.
Information Captured:
- Server startup and shutdown events
- Runtime errors and exceptions
- Request processing information
Common Uses:
- Troubleshooting console access issues
- Diagnosing portal functionality problems
Messaging Logs
Description: Tracks details of system-generated communications via SMTP Server and SMS Gateway.
Information Captured:
- SMS and email sending attempts
- Gateway information used for delivery
- Delivery status and timestamps
- Error messages
- Provider responses
Common Uses:
- Verifying notification delivery
- Troubleshooting communication failures
- Auditing system-initiated communications
HyID Logs Overview
Fes Reboot Logs
Description: Records system state transitions and monitoring events.
Information Captured:
- HySecure server state changes
- Error occurrences and their details
- Monitoring thread restarts
Common Uses:
- Tracking system stability
- Investigating unexpected restarts
SAML Logs
Description: Captures SAML protocol exchanges between systems.
Information Captured:
- SAML requests and responses
- Identity provider interactions
- Authentication events
- Error details for failed SAML operations
Common Uses:
- Troubleshooting SSO integration issues
- Verifying identity provider communication
- Tracking authentication flows
LIS Logs
Description: Records authentication events for third-party applications that use the HySecure Gateway for authentication and MFA.
Information Captured:
- Timestamps and process IDs
- User authentication details
- Service name information
- Failure reasons (if applicable)
- MFA-related events
Common Uses:
- Monitoring third-party application authentication
- Troubleshooting MFA issues
- Tracking authentication failures
HyID Logs
Description: Comprehensive logs of user authentication activities.
Information Captured:
- Login attempts (successful and failed)
- MFA method details
- QR code-based login events
- Device and location information
- Excessive OTP request flags
Common Uses:
- Monitoring authentication security
- Investigating suspicious login attempts
- Troubleshooting authentication issues
- Tracking MFA usage patterns
Common Logs Overview
Admin Logs
Description: Records all administrative actions taken in the system.
Information Captured:
- Configuration changes
- System settings modifications
- Administrator actions and identity
- Timestamp of administrative events
Common Uses:
- Auditing administrative activities
- Tracking configuration changes
- Establishing accountability for system changes
User Logs
Description: Detailed records of user activities and resource access.
Information Captured:
- Login and logout events
- Resource access attempts
- Self-service portal interactions
- Application and device access details
Common Uses:
- Monitoring user behavior
- Tracking resource access
- Investigating unauthorized access attempts
Alert Logs
Description: Captures events exceeding predefined thresholds.
Information Captured:
- Resource utilization alerts (CPU, Memory, Disk)
- License threshold warnings
- Service availability notifications
- Sync failure alerts
Common Uses:
- Proactive issue identification
- Resource utilization monitoring
- Service availability tracking
Error Logs
Description: Records system errors and issues affecting functionality.
Information Captured:
- Feature failures
- Login errors
- Application access issues
- Error codes and descriptions
- Contextual information for troubleshooting
Common Uses:
- Troubleshooting system issues
- Identifying recurring problems
- Root cause analysis
Audit Logs
Description: Tracks remediation actions for user synchronization.
Information Captured:
- Policy removal events
- Stale user profile management
- Automated remediation actions
Common Uses:
- Verifying automatic policy removal for a user who no longer exists in AD
- Verifying automatic profile removal for a user who no longer exists in AD
Appliance Logs Overview
System Resources Usage Logs
Description: Monitors system resource consumption.
Information Captured:
- Memory allocation and usage
- Disk utilization metrics
- CPU usage patterns
Common Uses:
- Performance monitoring
- Capacity planning
- Resource optimization
Security Logs
Description: Tracks security events and potential threats.
Information Captured:
- Resource exhaustion incidents
- Excessive request patterns
- Service disruption events
- Potential security breaches
Common Uses:
- Security monitoring
- DDoS detection
- Service availability tracking
HA Logs
Multiple log files related to High Availability functionality:
Ha.log
Description: Records events related to HA services.
Information Captured:
- File synchronization events
- Pulse service status
- HA service state changes
- Node communication events
CommandDaemon.log
Description: Tracks service management commands.
Information Captured:
- Service start/stop events
- Command execution results
- Service status changes
- Management console interactions
Filesync.log
Description: Monitors file synchronization across nodes.
Information Captured:
- Synchronized file details
- Synchronization timestamps
- Success/failure status
Haservicesrestart.log
Description: Tracks critical HA service restarts.
Information Captured:
- Service restart events
- Start/stop status
- Execution timestamps
Infoagent.log
Description: Records dashboard data collection events.
Information Captured:
- Resource usage metrics
- User concurrency data
- Service status information
- Dashboard update events
Pulse.log
Description: Monitors node health and tracks system status.
Information Captured:
- Node health checks
- System status updates
sync_bin.log
Description: Tracks dashboard management and file sync services.
Information Captured:
- Service start/stop events
- Synchronization status
- Error conditions
- Execution timestamps
Common Uses (for all HA logs):
- Troubleshooting HA issues
- Monitoring node synchronization
- Verifying proper HA functionality
- Investigating service failures
Site Logs
Description: Records multi-site synchronization events.
Information Captured:
- Data preparation events
- Server synchronization timestamps
- Success/failure status
- Data restoration details
Common Uses:
- Monitoring multi-site deployments
- Troubleshooting synchronization issues
- Verifying data consistency across sites
Messages Logs
Description: General system logs for various events.
Information Captured:
- System startup/shutdown events
- Hardware-related messages
- Kernel activity
- Service status changes
Common Uses:
- General system troubleshooting
- Monitoring system health
- Tracking service status
Secure Logs
Description: Authentication and security-related system events.
Information Captured:
- User login attempts
- Sudo command execution
- SSH access attempts
- Authentication failures
Common Uses:
- Security monitoring
- Detecting unauthorized access attempts
- Auditing privileged commands
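The script below is an added example of working through a Secure log for the three uses listed above; it is not part of this guide and not Accops' own tooling. It assumes the appliance's Secure log uses the standard Linux sshd/sudo syslog line format, which the guide does not state. The hostname gw1, the usernames, the addresses (RFC 5737 documentation ranges) and every log line are constructed for the example, not captured from a real gateway.

```python
"""Summarise authentication events from a Linux-style 'secure' log.

Added example for this guide, not Accops' own tooling. It assumes the
appliance's Secure log uses the standard sshd/sudo syslog line format; that
format and the sample lines below are assumptions/constructed, not captured
from a real gateway.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines: one source hammering sshd, one admin logging in
# and running a privileged command, one admin mistyping a password once.
SAMPLE_SECURE_LOG = """\
Mar 12 09:14:01 gw1 sshd[2113]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 09:14:04 gw1 sshd[2113]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 12 09:14:07 gw1 sshd[2116]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 12 09:14:09 gw1 sshd[2118]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 12 09:14:12 gw1 sshd[2120]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 12 09:14:15 gw1 sshd[2122]: Failed password for root from 203.0.113.45 port 51027 ssh2
Mar 12 09:20:33 gw1 sshd[2201]: Accepted publickey for opsadmin from 192.0.2.10 port 40112 ssh2: RSA SHA256:EXAMPLEKEYFP
Mar 12 09:21:02 gw1 sudo: opsadmin : TTY=pts/0 ; PWD=/home/opsadmin ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar 12 09:25:40 gw1 sshd[2240]: Failed password for opsadmin from 192.0.2.10 port 40120 ssh2
Mar 12 09:25:44 gw1 sshd[2240]: Accepted password for opsadmin from 192.0.2.10 port 40120 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port"
)
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def parse_secure_log(text):
    """Return (failed_by_ip, failed_users_by_ip, accepted, sudo_cmds)."""
    failed_by_ip = Counter()
    failed_users_by_ip = defaultdict(set)
    accepted = []   # (user, ip, auth method)
    sudo_cmds = []  # (invoking user, target user, command)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            failed_users_by_ip[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo_cmds.append((m["user"], m["target"], m["cmd"].strip()))
    return failed_by_ip, failed_users_by_ip, accepted, sudo_cmds


def brute_force_sources(failed_by_ip, threshold=5):
    """Source addresses with at least `threshold` failed SSH logins."""
    return sorted(ip for ip, n in failed_by_ip.items() if n >= threshold)


def successes_from_failing_sources(failed_by_ip, accepted):
    """Successful logins from an address that also produced failures.

    A success following a burst of failures is the pattern worth reviewing
    first; a single typo followed by a success is usually benign.
    """
    return [(u, ip, m) for u, ip, m in accepted if failed_by_ip.get(ip, 0) > 0]


if __name__ == "__main__":
    failed, users, ok, sudo = parse_secure_log(SAMPLE_SECURE_LOG)
    for ip in brute_force_sources(failed):
        print(f"possible brute force from {ip}: {failed[ip]} failures, "
              f"users tried: {sorted(users[ip])}")
    for user, ip, method in successes_from_failing_sources(failed, ok):
        print(f"review: {user} logged in from {ip} via {method} after failures")
    for user, target, cmd in sudo:
        print(f"sudo audit: {user} ran as {target}: {cmd}")
```

Run it against a copy of the appliance's Secure log instead of SAMPLE_SECURE_LOG to get a per-source failure count, the addresses over the threshold, and the list of privileged commands; the threshold of five is a starting point to tune against the gateway's normal failure rate, not a fixed rule.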
System Logs Overview
Sys Logs
Description: Records SSL/TLS configuration and events.
Information Captured:
- SSL/TLS version controls
- Security feature settings
- Renegotiation policies
- Certificate-related events
Common Uses:
- Monitoring SSL/TLS security
- Auditing encryption configurations
- Troubleshooting certificate issues
Nginx Logs
Description: Web server activity and request handling.
Information Captured:
- HyLite portal access logs
- Reverse proxy application requests
- HTTP status codes
- Request processing times
Common Uses:
- Monitoring web traffic
- Troubleshooting access issues
- Tracking user interactions
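As an added example of reading the status codes and processing times the Nginx logs capture (not part of this guide and not Accops' code), the script below parses access log lines in Nginx's common "combined" format with the request time appended as a trailing field; whether the gateway's Nginx is configured that way is an assumption. The addresses, usernames, portal and reverse-proxy paths and all log lines are constructed for the example.

```python
"""Summarise an Nginx access log: status classes, upstream failures and slow requests.

Added example for this guide, not Accops' own code. It assumes the
'combined' log format with $request_time appended as a trailing field;
whether the HySecure appliance logs that way is an assumption.
"""
import re
from collections import Counter

# Constructed sample lines (not captured from a real gateway): a portal login,
# two failed reverse-proxy requests to a backend, and a slow report download.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [12/Mar/2025:09:30:01 +0000] "GET /hylite/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0" 0.042
192.0.2.10 - alice [12/Mar/2025:09:30:05 +0000] "POST /hylite/login HTTP/1.1" 302 0 "-" "Mozilla/5.0" 0.310
203.0.113.45 - - [12/Mar/2025:09:31:10 +0000] "GET /app/internal-crm/ HTTP/1.1" 502 0 "-" "curl/8.0" 5.004
203.0.113.45 - - [12/Mar/2025:09:31:12 +0000] "GET /app/internal-crm/ HTTP/1.1" 502 0 "-" "curl/8.0" 5.001
198.51.100.7 - bob [12/Mar/2025:09:32:00 +0000] "GET /app/hr-portal/report HTTP/1.1" 200 88211 "-" "Mozilla/5.0" 2.750
198.51.100.7 - bob [12/Mar/2025:09:32:09 +0000] "GET /app/hr-portal/admin HTTP/1.1" 403 0 "-" "Mozilla/5.0" 0.011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"(?: (?P<rt>[\d.]+))?$'
)


def parse_access_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["rt"] = float(d["rt"]) if d["rt"] is not None else None
        entries.append(d)
    return entries


def status_class_counts(entries):
    """Count responses per status class ('2xx', '3xx', ...)."""
    return Counter(f"{e['status'] // 100}xx" for e in entries)


def server_error_rate(entries):
    """Fraction of requests answered with a 5xx status."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if e["status"] >= 500) / len(entries)


def slow_requests(entries, threshold_s=1.0):
    """Requests whose processing time exceeds the threshold, slowest first."""
    slow = [e for e in entries if e["rt"] is not None and e["rt"] > threshold_s]
    return sorted(slow, key=lambda e: e["rt"], reverse=True)


def failing_backends(entries):
    """Paths answered with 502/503/504, i.e. likely reverse-proxy upstream failures."""
    by_path = Counter()
    for e in entries:
        if e["status"] in (502, 503, 504):
            by_path[e["path"]] += 1
    return by_path


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    print("status classes:", dict(status_class_counts(entries)))
    print(f"5xx rate: {server_error_rate(entries):.1%}")
    for path, n in failing_backends(entries).most_common():
        print(f"upstream failures on {path}: {n}")
    for e in slow_requests(entries):
        print(f"slow: {e['method']} {e['path']} took {e['rt']:.3f}s (status {e['status']})")
```

Grouping 502/503/504 responses by path separates a broken published application from a slow one: a backend that is down shows up as repeated upstream failures on one path, while a healthy but overloaded backend shows up only in the slow-request list.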
Guacamole Logs
Description: Records remote access application connection events.
Information Captured:
- RDP session details
- VNC connection events
- SSH access logs
- Connection establishment and termination
Common Uses:
- Monitoring remote access usage
- Troubleshooting connection issues
- Tracking application access
Other Logs Overview
Monitor Reverse Proxy Logs
Description: Tracks Nginx configuration modifications.
Information Captured:
- Configuration file changes
- Server setting modifications
- Parameter adjustments
- Change timestamps
Common Uses:
- Auditing configuration changes
- Tracking server setting modifications
- Troubleshooting configuration issues
Local Messages Logs
Description: Records system messages generated by local processes.
Information Captured:
- Custom application events
- Application-specific messages
Common Uses:
- Application-specific troubleshooting
- Monitoring custom applications
Debug Logs
Description: Verbose logs that are enabled manually for specific troubleshooting.
Information Captured:
- Verbose process information
- Detailed error tracing
- Component-specific debug data
Common Uses:
- Advanced troubleshooting
- Detailed issue investigation
- Working with Accops support
Best Practices for Log Management
- Regular Review: Establish a schedule for reviewing critical logs
- Retention Policy: Define appropriate retention periods for different log types
- Backup Important Logs: Create backups of logs containing critical audit information
- Log Correlation: Use tools to correlate events across different log types
- Alerting: Configure alerts for critical events requiring immediate attention
- Documentation: Maintain documentation of unusual events and their resolutions
Troubleshooting Common Issues Using Logs
Issue | Primary Log Source | Secondary Log Source | What to Look For |
---|---|---|---|
Authentication Failures | User Logs | HyID Logs, Error Logs | Failed login attempts |
Application Access Issues | User Logs | Error Logs | Access denied messages, application errors |
High Availability Problems | Ha.log | Pulse.log | Synchronization failures, node communication errors |
Performance Degradation | System Resources Usage Logs | Tomcat Logs | Resource exhaustion, slow response times |
Security Incidents | Security Logs | Secure Logs | Unusual access patterns, multiple failed attempts |
Conclusion
Effective log monitoring and analysis are critical to managing the HySecure Gateway environment. By understanding the various log types and their purposes, administrators can quickly identify and resolve issues, maintain security, and ensure optimal performance.
For assistance with complex log analysis or troubleshooting, contact Accops Support through the official support portal.