Meaning of unauthuser and unauthusersource
Hi, can anyone tell me the meaning of unauthuser and unauthusersource in the logs?

Oct 30 11:14:50 192.168.1.4 date=2013-10-30 time=11:14:50 devname=FG100D3 devid=FG100D3 logid=0315013317 type=utm subtype=webfilter eventtype=urlfilter level=notice vd="root" policyid=30 identidx=0 sessionid=21843402 srcname="MacBook-MacBook-Pro-de-B.local" osname="Mac OS X" osversion="10.8.5" unauthuser="bj" unauthusersource="forticlient" srcip=192.168.32.8 srcport=60038 srcintf="internal2" dstip=107.20.232.119 dstport=80 dstintf="ISP-Colt" service="http" hostname="nagios.foo.net" profiletype="Webfilter_Profile" profile="default" status="passthrough" reqtype="referral" url="/nagios3/images/comment.gif" sentbyte=633 rcvdbyte=187 msg="URL has been visited" method=domain class="0" cat=255

In other logs, dstunauthusersource and dstunauthuser appear; what do those mean? Thanks so much.
I am also interested in this. I can see logs with unauthusersource="kerberos", and the unauthuser field contains a username that is disabled and does not belong to any user group.
Where does this unauthuser value come from?
AtiT
These log fields record the user login and the login source learned by the device detection/identification feature (enabled on the interface).
- The unauthusersource="kerberos" value is collected from the Kerberos traffic of the authentication process between a PC and AD.
- When the FortiGate has device detection enabled on an interface, it inspects the PC's authentication against the AD (Kerberos traffic) and records the username.
- Topology in the lab:
PC (192.168.79.1) -> FortiGate -> AD (192.168.78.1)
1: date=2022-01-04 time=10:45:13 eventtime=1641321913730103681 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.79.1 srcname="DESKTOP-OLGFQ84" srcport=51102 srcintf="vlan279" srcintfrole="lan" dstip=192.168.78.1 dstport=53 dstintf="vlan278" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=11460 proto=17 action="accept" policyid=2 policytype="policy" poluuid="c82d7686-6d84-51ec-255f-889aa12ee3b0" policyname="Vlan279To278" service="DNS" trandisp="noop" duration=192 sentbyte=310 rcvdbyte=62 sentpkt=5 rcvdpkt=1 appcat="unscanned" osname="Windows" unauthuser="user1" unauthusersource="kerberos" mastersrcmac="00:53:6d:6f:37:02" srcmac="00:53:6d:6f:37:02" srcserver=0 dstosname="Windows" dstswversion="8/8.1/10" masterdstmac="00:53:6d:6f:36:02" dstmac="00:53:6d:6f:36:02" dstserver=0
FGVM020000110916 # diagnose user device list
hosts
vd root/0 00:53:6d:6f:37:02 gen 9 req OA/24
created 4066s gen 3 seen 0s vlan279 gen 2
ip 192.168.79.1 src mac
os 'Windows' src dhcp id 848 weight 128
host 'DESKTOP-OLGFQ84' src dhcp
user 'user1' src kerberos
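The practical follow-up to the answer above is telling the two kinds of identity apart when you process these logs: user= is someone the firewall actually authenticated, while unauthuser= / dstunauthuser= is a name the FortiGate merely observed (from Kerberos, FortiClient, etc.) and attached to the host's device-detection record. The script below is an added example, not code from the thread or from Fortinet. It parses FortiGate key=value lines, reports for each side of a session whether the identity is authenticated or passively learned, and then does the check the second poster would want: list the hosts still presenting a disabled account via Kerberos. The log lines and the watch list are constructed for the example; the unauth* field names come from this thread, while using user= and dstuser= as the names of the firewall-authenticated identity is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in FortiGate key=value syslog format. They follow the
# field names seen in this thread (unauthuser, unauthusersource, dstunauthuser,
# dstunauthusersource) but were written for this example, not captured from a device.
SAMPLE_LOGS = [
    'date=2022-01-04 time=10:45:13 type="traffic" subtype="forward" srcip=192.168.79.1 '
    'srcname="DESKTOP-OLGFQ84" dstip=192.168.78.1 dstport=53 service="DNS" '
    'osname="Windows" unauthuser="user1" unauthusersource="kerberos"',
    'date=2013-10-30 time=11:14:50 type=utm subtype=webfilter srcip=192.168.32.8 '
    'srcname="MacBook Pro de B.local" unauthuser="bj" unauthusersource="forticlient" '
    'dstip=107.20.232.119 hostname="nagios.foo.net" msg="URL has been visited"',
    # Firewall-authenticated source (user=) talking to a host whose logged-on
    # account was learned passively from Kerberos (dstunauthuser=).
    'date=2022-01-04 time=10:46:02 type="traffic" subtype="forward" srcip=192.168.79.5 '
    'dstip=192.168.78.1 dstport=445 service="SMB" user="alice" '
    'dstunauthuser="svc_backup" dstunauthusersource="kerberos"',
    # No identity at all: device detection learned nothing for this host.
    'date=2022-01-04 time=10:47:11 type="traffic" subtype="forward" srcip=192.168.79.9 '
    'dstip=8.8.8.8 dstport=53 service="DNS"',
]

# key=value, where value is either a double-quoted string (may contain spaces)
# or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Turn one FortiGate log line into a dict; quotes around values are stripped."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


# Field names per side. The unauth* names come from the thread; "user" / "dstuser"
# as the names of a firewall-authenticated identity are an assumption of this example.
SIDE_FIELDS = {
    "src": ("user", "unauthuser", "unauthusersource", "srcip"),
    "dst": ("dstuser", "dstunauthuser", "dstunauthusersource", "dstip"),
}


def identity_of(fields: Dict[str, str], side: str) -> Tuple[Optional[str], Optional[str], bool]:
    """Return (username, how it was learned, authenticated?) for 'src' or 'dst'.

    A firewall-authenticated user (user=/dstuser=) was checked by the FortiGate.
    An unauthuser was only observed (Kerberos, FortiClient, ...) and is
    informational: nobody logged in to the FortiGate to produce it.
    """
    auth_key, unauth_key, source_key, _ = SIDE_FIELDS[side]
    if fields.get(auth_key):
        return fields[auth_key], "firewall", True
    if fields.get(unauth_key):
        return fields[unauth_key], fields.get(source_key, "unknown"), False
    return None, None, False


def flag_passive_users(lines: List[str], watchlist: set, source: str = "kerberos") -> List[dict]:
    """List hosts still presenting a watch-listed username via passive detection.

    Use case from the thread: an account that is disabled in AD keeps showing up as
    unauthuser="...". Each hit gives the log time, the side and the IP to go look at.
    """
    hits = []
    for line in lines:
        f = parse_fortigate_line(line)
        for side, (_, _, _, ip_key) in SIDE_FIELDS.items():
            name, how, authenticated = identity_of(f, side)
            if not authenticated and name in watchlist and how == source:
                hits.append({"time": f.get("date", "") + " " + f.get("time", ""),
                             "side": side, "ip": f.get(ip_key), "user": name})
    return hits


if __name__ == "__main__":
    # Constructed watch list: accounts that are disabled in AD.
    for hit in flag_passive_users(SAMPLE_LOGS, {"user1", "svc_backup", "bj"}):
        print(hit)
```

Run it against real syslog output by replacing SAMPLE_LOGS with the lines from your collector; the parser does not care about the syslog header in front of date=. Note that "bj" is not reported even though it is on the watch list, because its source is forticlient rather than kerberos, which is the point of keeping unauthusersource next to unauthuser when you triage.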
