MichaelMockus
Contributor III

QEM Audit Failed Login

We have a rogue process or broken app calling the QEM endpoint and providing bad credentials. A valid AD username but invalid password. 
The request is accurately getting rejected, but this is rapidly becoming a Denial-of-Service situation, as the AD username is used by a valid request, and the unsuccessful login attempt locks the AD account.

For this reason, and also because we should be auditing this for security purposes, what loggers need to be turned on, and to what level, in QEM to get the following basic information?

Login Failed

Username

Calling IP

We have tried various guesses at the QEM logger and level, but to no avail.

This also would be basic information required for audit compliance for areas like SOX.

1 Solution

Accepted Solutions
Steve_Nguyen
Support

QEM is using ActiveDirectory for authorization

ANS: so the user / group is set in QEM user permission.

we cannot find a setting that tells us that there has been a login attempt, but it failed.
We are looking for an error message like

ANS: if you enable trace for Authorization, then the QEM log shows more information about user login.

It just shows user login fail; it does not know where the user source IP would be. We do not have a way to trace this.

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!


18 Replies
Steve_Nguyen
Support

@MichaelMockus 

 

1. Check the QEM for Replicate server credential.

2. Check the QEM repository connection credential.

 

MichaelMockus
Contributor III
Author

@Steve_Nguyen can you be more specific?
We are not using any QEM repository. 
The user has permissions in QEM, it is the logging for failed attempts we are looking for.

 

 

Steve_Nguyen
Support

For: The user has permissions in QEM, it is the logging for failed attempts we are looking for.

1. Check your Replicate server logging from QEM; it could be that someone uses the credential.

2. Check your QEM user permission to see if the user is in the list.

3. Any API call using old credential?

MichaelMockus
Contributor III
Author

There is an API that uses the credentials.
We checked the Replicate server logging from QEM and there are no log entries for failed login, either with the UI or API.

Steve_Nguyen
Support

I am still confused about which credential is having the issue.

If the credential is from the Replicate server connection from QEM, then change it.

If the credential is from the API, then change it.

Not sure what credential at this point.

MichaelMockus
Contributor III
Author

@Steve_Nguyen 

Let me attempt to describe it better

QEM is using ActiveDirectory for authorization

There is a user using a valid USERNAME but invalid PASSWORD to attempt to connect to QEM, via the UI or the API (we are concerned with the API).

This user could be a malicious actor trying to penetrate QEM or simply a valid user who has the wrong credentials.

On a successful login, QEM will log this into the QEM server logs.
But on this failed login, we cannot find a setting that tells us that there has been a login attempt, but it failed.
We are looking for an error message like

[ERROR] user: AD\SomeUser attempted to log into QEM. SourceIP: 10.1.1.1. Active Directory credentials failed.

This is pretty common functionality in almost any application, especially anything under SOX or government contract, to have audit information for unsuccessful login attempts.

Does this clarify?

Steve_Nguyen
Support

QEM is using ActiveDirectory for authorization

ANS: so the user / group is set in QEM user permission.

we cannot find a setting that tells us that there has been a login attempt, but it failed.
We are looking for an error message like

ANS: if you enable trace for Authorization, then the QEM log shows more information about user login.

It just shows user login fail; it does not know where the user source IP would be. We do not have a way to trace this.

MichaelMockus
Contributor III
Author

Correct @Steve_Nguyen, QEM uses Active Directory, and the user does have Viewer rights to QEM enabled.

We have enabled Authorization to Trace and there are still no error messages.
Can you share an example of what you are seeing in your lab for the same?

You absolutely would know the user source IP; it would be on the connection object stack.

https://stackoverflow.com/questions/735350/how-to-get-a-users-client-ip-address-in-asp-net

"HTTP_X_FORWARDED_FOR"
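
An added example (not part of the original thread and not QEM code) of the audit record requested above, with a caveat on the `HTTP_X_FORWARDED_FOR` approach: that header is set by the caller, so it is honoured only when the TCP peer is a known proxy. The function names, the log layout and the `TRUSTED_PROXIES` range are assumptions made for the illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Assumption: address range of our own reverse proxies (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def _is_trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)

def resolve_client_ip(remote_addr, x_forwarded_for=None):
    """Pick the address to audit.

    remote_addr is the TCP peer and cannot be chosen by the caller.
    X-Forwarded-For is a request header, so it is consulted only when the
    peer is one of our proxies, and read right to left so that entries the
    client prepended itself are never reached.
    """
    if not x_forwarded_for or not _is_trusted(remote_addr):
        return remote_addr
    candidate = remote_addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            trusted = _is_trusted(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = hop
        if not trusted:
            break  # first hop outside our proxies: the address our proxy saw
    return candidate

def failed_login_record(user, remote_addr, x_forwarded_for=None, now=None):
    """Build one audit line; the layout is hypothetical, not QEM's format."""
    now = now or datetime.now(timezone.utc)
    ip = resolve_client_ip(remote_addr, x_forwarded_for)
    # Escape CR/LF so a crafted username cannot forge extra log lines.
    safe_user = user.replace("\r", "\\r").replace("\n", "\\n")
    return (f"{now:%Y-%m-%d %H:%M:%S} [Authentication] [ERROR] login failed "
            f"user={safe_user} source_ip={ip} peer={remote_addr}")

if __name__ == "__main__":
    # Constructed requests: direct caller with a spoofed header, then via proxy.
    print(failed_login_record("AD\\SomeUser", "203.0.113.7", "10.1.1.1"))
    print(failed_login_record("AD\\SomeUser", "10.0.0.5", "1.2.3.4, 198.51.100.9"))
```

Recording both the resolved address and the raw peer keeps the record useful even if the proxy list is later found to be misconfigured.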

Steve_Nguyen
Support

In the Authorization, you would see something like below:

3 2022-03-04 08:36:13 [Authorization ] [DEBUG] user SNSQL2014A\Administrator role from root acl is ADMIN
3 2022-03-04 08:36:13 [Authorization ] [DEBUG] user SNSQL2014A\Administrator role from root acl is ADMIN

Line 387: 22 2022-03-03 10:40:22 [Authorization ] [DEBUG] user QLIK\STEVE role from root acl is ADMIN
Line 388: 20 2022-03-03 10:40:22 [Authorization ] [DEBUG] user QLIK\STEVE role from root acl is ADMIN
