Starting Sessions
Log in to Yarngate
Click +Prepare session(s)
Add the systems that you would like access to and click +Prepare session
Enter the required details for the session including password
Review the sessions created
Session details
Session can then be closed
...
Create offboard task
Search for user and add sessions
Start off-board request
Yarngate Cache
Yarngate keeps a local cache of target node details that is updated on a recurring schedule. The cache speeds up reporting and allows a consolidated view of all targets.
Policies
Account Age Policy
This policy is used to age out admin accounts that are discovered on the target system from the local cache used for reporting.
Because Yarngate provisions admin accounts on demand, accounts may show as active or inactive depending on when access is requested.
Age | Value | Purpose/Action |
---|---|---|
Days last seen to mark account for removal | 90 | After 90 days of being inactive, the account is removed from the cache |
Days last seen to mark account as inactive | 30 | After an account hasn't been seen for 30 days, it is marked inactive |
Audit Config Policy
This policy is used with the Node Cache to validate that audit config has been enabled on the nodes. The default values are as follows:
CUCM | Value | Purpose/Action |
---|---|---|
Audit Log Level | 6 or 7 | Log Level for events to be sent to Syslog server. 6 is recommended |
Destination address | comma-separated list of syslog servers | Audit Log can only send to 1 server; the list allows checking that at least 1 expected server has been configured |
Expressway | Value | Purpose/Action |
---|---|---|
Audit Log Level | Informational or Debug | Log Level for events to be sent to Syslog server. Informational is recommended |
Destination addresses | comma-separated list of syslog servers | Expressway can have multiple Syslog profiles, but each profile can only have 1 destination |
Format | IETFSystemFormat | IETFSystemFormat is recommended |
Transport | TCP | TCP is recommended if the syslog server supports it |
Port | 601 | Standard TCP Syslog port |
Filter | Session Start|Finish,Event="System Configuration Changed",administrator account,Event="pam" | Send only these events to the syslog server and not all Informational events. |
Nodes | Value | Purpose/Action |
---|---|---|
Nodes to ignore | comma-separated list of nodes | Any nodes matched here will be excluded from checking the audit policy against them |
Node Age Policy
This policy is used to age out nodes that are discovered on the target system from the local cache used for reporting. Nodes may go inactive because of maintenance, network connectivity issues, or how often the cache is updated.
Age | Value | Purpose/Action |
---|---|---|
Days last seen to mark node for removal | 30 | After 30 days of being inactive, a node is deleted from the cache |
Days last seen to mark node as inactive | 3 | After a node is unreachable for 3 days, it is marked inactive |
Caches
Admin Users
Field | Value | Purpose/Action |
---|---|---|
User | userid in the target system | username |
Type | applicationuser or enduser | Only for cucm nodes |
Node | nodename | |
Interface | interface name from yarnman | |
Cluster | cluster name from yarnman | |
Customers | customer name from yarnman | |
Last Seen | timestamp last seen | |
Remove On | remove date | |
Is Active | is the account active | |
Nodes
Field | Value | Purpose/Action |
---|---|---|
Node | Node Name | |
Interface | interface name from yarnman | |
Cluster | cluster name from yarnman | |
Customers | customer name from yarnman | |
Last Seen | timestamp last seen | |
Remove On | remove date | |
Is Active | Yes/No | If the node is active |
Audit Policy Status | Pass/Fail | If the policy applied to the cache passed/failed |
Audit Syslog Activity | counter | syslogs matching nodename from Elasticsearch |
Description | text on the CUCM node field | only from CUCM nodes |
Robot accounts
Subnet Group
Subnet List
Reporting
Admin users
Create an Admin Users Report
Report interface selector(s)
Customer
Cluster
Entitlement group
Interface
Audit Log
Create an Audit Log Report
Select Elastic Search Interface and Index database
this is usually set to _all
Report interface selector(s)
Customer
Cluster
Entitlement group
Interface
manually add node(s)
Show all available nodes provides a list of unique NodeIDs from the database that can be copied into the target node field
Configure Report objectives
Enter username(s) or select an App profile to populate the user prefix.
The Configuration changes toggle provides a summary of changes made to the system(s)
Access Control Group is used to query enduser or applicationuser accounts that have been manually added to the default CUCM admin group via the ccmadmin interface
Field Names - Depending on the database, subfields may need to be specified to prevent incorrect tokenisation of field data
Audit Syslog Activity
A simple report that shows the number of syslog events for a node over the last 3 days, queried from Elasticsearch
New Sessions
Provides a list of all sessions created within Yarngate and their current status
Robot Accounts
Report that lists logins from the defined robot accounts and compares them to the expected subnets for those accounts
System Access Snapshot
Create System Access Snapshot
Report type
Local yarngate, Queries the Yarngate database only
Local Yarngate+remote System, Queries the remote system for current configured information (WIP)
Filters
Username
App Profile
Customer
Cluster
Interfaces
Time Range
Info: Limited to 30 results
System Audit Check
Provides a report to verify Audit settings have been enabled on Target Systems where supported.
Supported Nodes will have a Pass/Fail if the Audit policy has been applied and/or there is syslog activity detected for the last 3 days.
The audit policies can be configured with the expected syslog destination(s), syslog level, and filter(s).
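The pass/fail evaluation described in the Audit Config Policy and System Audit Check sections, sketched as an added Python example (not Yarngate's own code) using the Expressway defaults from the policy table. The syslog server names, node names, dictionary field names, and the rule that one fully compliant profile is enough for a Pass are assumptions.

```python
# Expressway defaults from the Audit Config Policy table on this page. Server
# names, node names and the ignore list are constructed placeholders.
POLICY = {
    "level": {"Informational", "Debug"},
    "destination": {"syslog1.example.net", "syslog2.example.net"},
    "format": {"IETFSystemFormat"},
    "transport": {"TCP"},
    "port": {601},
}
FILTER = ('Session Start|Finish,Event="System Configuration Changed",'
          'administrator account,Event="pam"')
IGNORE_NODES = {"exp-lab-01"}

def filter_terms(text):
    """Split a filter into a set of terms so order and spacing do not matter."""
    return {term.strip() for term in text.split(",") if term.strip()}

def profile_deviations(profile):
    """List every setting of one syslog profile that is outside the policy."""
    bad = [f"{key}={profile.get(key)!r}" for key, allowed in POLICY.items()
           if profile.get(key) not in allowed]
    if filter_terms(profile.get("filter", "")) != filter_terms(FILTER):
        bad.append("filter differs from policy")
    return bad

def audit_check(nodes, syslog_counts):
    """Return one report row per node that is not on the ignore list."""
    rows = []
    for name, profiles in sorted(nodes.items()):
        if name in IGNORE_NODES:
            continue
        found = [profile_deviations(p) for p in profiles]
        # Assumption: one fully compliant profile is enough for a Pass.
        passed = any(not deviations for deviations in found)
        closest = min(found, key=len, default=["no syslog profile"])
        rows.append({"node": name, "policy": "Pass" if passed else "Fail",
                     "syslog_events": syslog_counts.get(name, 0),
                     "deviations": [] if passed else closest})
    return rows

GOOD = {"level": "Informational", "destination": "syslog1.example.net",
        "format": "IETFSystemFormat", "transport": "TCP", "port": 601,
        "filter": FILTER}
NODES = {  # constructed sample of cached node audit settings
    "exp-c-01": [GOOD],
    "exp-e-01": [{**GOOD, "transport": "UDP", "port": 514}],
    "exp-lab-01": [],
}
REPORT = audit_check(NODES, {"exp-c-01": 1840})
```

Reading the two columns together matters: a node that passes the policy but shows zero syslog events is configured to log, yet nothing is arriving at the collector.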