cancel
Showing results for 
Search instead for 
Did you mean: 
malware-alerts
Level 10

Best way to write AD group membership in Access.Log

Using a third party reporting tool to massage the WebGateway 7.4.2 logs.

One of the requirement is to write the AD group membership (not all associated groups, but only the group that matches a certain pattern) in the Acces.log for every authenticated user.

The issue I'm facing right now is that the "Authentication.UserGroups" is a "List of String" property and cannot directly be added to "User-Defined.logline" (only standard strings are available in the property choices).

Looking at my options, I thought I could possibly use a String.Replace<...> (or one of the variants) to basically match the group pattern I need to write in the log (say, an AD group name that starts with 'Internet-'), convert this into a single string and add it to the User-Defined.logline in order to include it in the Access.log

Unfortunately, the 'String,Replace' cannot work because it replaces the string we are matching against with something static.

I need to find a way to 'extract' the AD group I'm looking for in order to add it to the Access.log.

Thanks!

0 Kudos
4 Replies
McAfee Employee

Re: Best way to write AD group membership in Access.Log

Hiiiiiiiiii,

I would do the following:

1. Write the "interested" groups to a user-defined property. This can be done by comparing the user's groups against a list, then using the "List.LastMatches" property to determine which items are present in the user's groups.

2. In order to write the *list* of "interested" groups, you must cast it from a list of strings to a string.

2014-09-17_175813.png

Best,

Jon

0 Kudos
McAfee Employee

Re: Re: Best way to write AD group membership in Access.Log

See slight revision.

2014-09-17_180015.png

0 Kudos
malware-alerts
Level 10

Re: Best way to write AD group membership in Access.Log

Thanks Jon,

I'm trying it right now and it doesn't seem to work properly, I've got some fine tuning to do, but this is a good base. I'll post once I get it working.

0 Kudos
McAfee Employee

Re: Re: Best way to write AD group membership in Access.Log

Hi again,

I had a question on this recently and looked back at my old post. It never did work like you mentioned. I found a way to get this working quite nicley.

All that is required is that you populate the "Interested Groups" with your interested groups, and then the users groups will be widdled down to only the groups you care about.

filter groups.jpg

Attached is a revised example of this in case anyone needs it

Best Regards,

Jon