
QEM Audit Failed Login
We have a rogue process or broken app calling the QEM endpoint and providing bad credentials. A valid AD username but invalid password.
The request is accurately getting rejected, but this is rapidly becoming a Denial-of-Service situation, as the AD username is used by a valid request, and the unsuccessful login attempt locks the AD account.
For this reason, and also because we should be auditing this for security purposes: what loggers need to be turned on, and to what level, in QEM to get the basic information?
- Login Failed
- Username
- Calling IP
We have tried various guesses at the QEM logger and level, but to no avail.
This also would be basic information required for audit compliance for areas like SOX.
Accepted Solutions

QEM is using ActiveDirectory for authorization
ANS: So the user / group is set in QEM user permission.
We cannot find a setting that tells us that there has been a login attempt, but it failed.
We are looking for an error message like
ANS: If you enable trace for Authorization, then the QEM log shows more information about user login.
It just shows that the user login failed; it does not know what the user's source IP would be. We do not have a way to trace this.

1. Check the QEM for Replicate server credential.
2. Check the QEM repository connection credential.

@Steve_Nguyen can you be more specific?
We are not using any QEM repository.
The user has permissions in QEM, it is the logging for failed attempts we are looking for.

For: The user has permissions in QEM, it is the logging for failed attempts we are looking for.
1. Check your Replicate server logging from QEM; it could be that someone uses the credential.
2. Check your QEM user permission to see if the user is in the list.
3. Any API call using an old credential?

There is an API that uses the credentials.
We checked the Replicate server logging from QEM and there are no log entries for failed login, either with the UI or API.

I am still confused about which credential is having the issue.
If the credential is from the Replicate server connection from QEM, then change it.
If the credential is from the API, then change it.
Not sure which credential at this point.

Let me attempt to describe it better
QEM is using ActiveDirectory for authorization.
There is a user using a valid USERNAME but invalid PASSWORD to attempt to connect to QEM, via the UI or the API (we are concerned with the API).
This user could be a malicious actor trying to penetrate QEM or simply a valid user who has the wrong credentials.
On a successful login, QEM will log this into the QEM server logs.
But on this failed login, we cannot find a setting that tells us that there has been a login attempt, but it failed.
We are looking for an error message like
[ERROR] user: AD\SomeUser attempted to log into QEM. SourceIP: 10.1.1.1. Active Directory credentials failed.
This is pretty common functionality in almost any application, especially anything under SOX or government contract, to have audit information for unsuccessful login attempts.
Does this clarify?

Correct @Steve_Nguyen, QEM uses Active Directory, and the user does have Viewer rights to QEM enabled.
We have enabled Authorization to Trace and there are still no error messages.
Can you share an example of what you are seeing in your lab for the same?
You absolutely would know the user source IP, it would be on the connection object stack.
https://stackoverflow.com/questions/735350/how-to-get-a-users-client-ip-address-in-asp-net
"HTTP_X_FORWARDED_FOR"
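
The point in the post above about reading the caller's address, as an added example that is not part of the thread and is not QEM code: an X-Forwarded-For value is supplied by the client unless a proxy you control set it, so an audit record should take the address from the TCP peer and consult the header only when that peer is a known proxy. The proxy range, the function names and the record layout (modelled on the message the poster asked for) are assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Assumption (constructed value): the only hosts allowed to set X-Forwarded-For
# are the reverse proxies / load balancers in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer_ip, xff_header):
    """Address to audit. peer_ip is the TCP peer taken from the socket."""
    nearest = ipaddress.ip_address(peer_ip)
    if not _trusted(nearest) or not xff_header:
        return str(nearest)          # direct caller: any header it sent is ignored
    # Walk the header right to left: each trusted proxy appended the hop it saw.
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break                    # malformed entry: stop at the last verified hop
        nearest = addr
        if not _trusted(addr):
            break                    # first hop we do not control is the caller
    return str(nearest)

def failed_login_record(username, peer_ip, xff_header, when=None):
    """One audit line for a rejected login, in the shape the poster asked for."""
    when = when or datetime.now(timezone.utc)
    # Replace control characters so a crafted username cannot forge log lines.
    user = "".join(c if c.isprintable() else "?" for c in username)
    return (f"{when:%Y-%m-%d %H:%M:%S} [ERROR] user: {user} attempted to log in. "
            f"SourceIP: {client_ip(peer_ip, xff_header)} (peer {peer_ip}). "
            "Active Directory credentials failed.")

if __name__ == "__main__":
    # Constructed request: caller 192.0.2.44 behind proxy 10.0.0.5, forged first hop.
    print(failed_login_record("AD\\SomeUser", "10.0.0.5", "10.1.1.1, 192.0.2.44"))
```

Logging the raw peer next to the derived address keeps the record useful even if the trusted-proxy list is later found to be wrong.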

In the Authorization, you would see something like the below:
3 2022-03-04 08:36:13 [Authorization ] [DEBUG] user SNSQL2014A\Administrator role from root acl is ADMIN
3 2022-03-04 08:36:13 [Authorization ] [DEBUG] user SNSQL2014A\Administrator role from root acl is ADMIN
Line 387: 22 2022-03-03 10:40:22 [Authorization ] [DEBUG] user QLIK\STEVE role from root acl is ADMIN
Line 388: 20 2022-03-03 10:40:22 [Authorization ] [DEBUG] user QLIK\STEVE role from root acl is ADMIN
