
Starting Sessions

  1. Log in to Yarngate

  2. Click +Prepare session(s)

  3. Add the systems that you would like access to and click +Prepare session

  4. Enter the required details for the session including password

  5. Review the sessions created

  6. Session details

  7. Session can then be closed

...

  1. Create offboard task

  2. Search for user and add sessions

  3. Start off-board request

Yarngate Cache

Yarngate makes use of a local cache of target node details that is updated on a recurring schedule. The cache can be used to speed up reporting and allows a consolidated view of all targets.

Policies

  • Account Age Policy

    • This policy is used to age out admin accounts that are discovered on the target system from the local cache used for reporting.

    • As Yarngate provisions admin accounts on demand, accounts may show as active or inactive depending on when access is requested.

| Age | Value | Purpose/Action |
| --- | --- | --- |
| Days last seen to mark account for removal | 90 | After 90 days of being inactive, the account is removed from the cache |
| Days last seen to mark account as inactive | 30 | After an account hasn't been seen for 30 days, it is marked inactive |

  • Audit Config Policy

    • This policy is used with the Node Cache to validate that audit configuration has been enabled on the nodes. The default values are as follows:

| CUCM | Value | Purpose/Action |
| --- | --- | --- |
| Audit Log Level | 6 or 7 | Log level for events to be sent to the syslog server. 6 is recommended |
| Destination address | comma-separated list of syslog servers | The audit log can only send to 1 server; this allows a check that at least 1 expected server has been configured |

| Expressway | Value | Purpose/Action |
| --- | --- | --- |
| Audit Log Level | Informational or Debug | Log level for events to be sent to the syslog server. Informational is recommended |
| Destination addresses | comma-separated list of syslog servers | Expressway can have multiple syslog profiles, but each profile can only have 1 destination |
| Format | IETFSystemFormat | IETFSystemFormat is recommended |
| Transport | TCP | TCP is recommended if the syslog server supports it |
| Port | 601 | Standard TCP syslog port |
| Filter | Session Start\|Finish,Event="System Configuration Changed",administrator account,Event="pam" | Send only these events to the syslog server and not all Informational events |

| Nodes | Value | Purpose/Action |
| --- | --- | --- |
| Nodes to ignore | comma-separated list of nodes | Any nodes matched here will be excluded from checking the audit policy against them |

  • Node Age Policy

    • This policy is used to age out nodes that are discovered on the target system from the local cache used for reporting. Nodes may go inactive because of maintenance, network connectivity issues, or how often the cache is updated.

| Age | Value | Purpose/Action |
| --- | --- | --- |
| Days last seen to mark node for removal | 30 | After 30 days of being inactive, a node is deleted from the cache |
| Days last seen to mark node as inactive | 3 | After a node is unreachable for 3 days, it is marked inactive |

Caches

  • Admin Users

| Field | Value | Purpose/Action |
| --- | --- | --- |
| User | userid in the target system | username |
| Type | applicationuser or enduser | Only for cucm nodes |
| Node | nodename | |
| Interface | interface name from yarnman | |
| Cluster | cluster name from yarnman | |
| Customers | customer name from yarnman | |
| Last Seen | timestamp last seen | |
| Remove On | remove date | |
| Is Active | is the account active | |

  • Nodes

| Field | Value | Purpose/Action |
| --- | --- | --- |
| Node | Node Name | |
| Interface | interface name from yarnman | |
| Cluster | cluster name from yarnman | |
| Customers | customer name from yarnman | |
| Last Seen | timestamp last seen | |
| Remove On | remove date | |
| Is Active | Yes/No | If the node is active |
| Audit Policy Status | Pass/Fail | If the policy applied to the cache passed/failed |
| Audit Syslog Activity | counter | syslogs matching nodename from Elasticsearch |
| Description | text on the cucm node field | only from cucm nodes |

  • Robot accounts

  • Subnet Group

  • Subnet List

Reporting

Admin users

Create an Admin Users Report
  • Report interface selector(s)

    • Customer

    • Cluster

    • Entitlement group

    • Interface

Audit Log

Create an Audit Log Report
  • Select Elastic Search Interface and Index database

    • this is usually set to _all

  • Report interface selector(s)

    • Customer

    • Cluster

    • Entitlement group

    • Interface

    • manually add node(s)

      • Show all available nodes will provide a list of unique NodeIDs from the database that can be copied into the target node field

Configure Report objectives

  • Enter username(s) or select an App profile to populate the user prefix.

  • The Configuration changes toggle provides a summary of changes made to the system(s).

  • Access Control Group is used to query for any enduser or applicationuser that has been manually added to the default CUCM admin group via the ccmadmin interface.

  • Field Names: depending on the database, subfields may need to be specified to prevent incorrect tokenisation of field data.

Audit Syslog Activity

A simple report that shows the number of syslog events for a node over the last 3 days, queried from Elasticsearch.

New Sessions

Provides a list of all sessions created within Yarngate and their current status.

Robot Accounts

Report that lists logins from the defined robot accounts and compares them to the expected subnets for those accounts.

System Access Snapshot

Create System Access Snapshot
  • Report type

    • Local Yarngate: queries the Yarngate database only

    • Local Yarngate + remote system: queries the remote system for the currently configured information (WIP)

  • Filters

    • Username

    • App Profile

    • Customer

    • Cluster

    • Interfaces

    • Time Range

Info

Limited to 30 results

System Audit Check

Provides a report to verify that audit settings have been enabled on target systems where supported.

Supported nodes will have a Pass/Fail if the audit policy has been applied and/or there is syslog activity detected for the last 3 days.

The audit policies can be configured for syslog destination(s), syslog level, and correct filter(s).
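
The comparison described under Audit Config Policy and System Audit Check can be sketched as follows. This is an added example, not Yarngate's own code: the field names, node records and syslog server addresses are constructed, and it assumes that one fully compliant syslog profile is enough for a node to pass.

```python
# Added illustration, not Yarngate code: field names and sample data are constructed.
EXPRESSWAY_FILTER = ('Session Start|Finish,Event="System Configuration Changed",'
                     'administrator account,Event="pam"')

def parse_list(text):
    """Split a comma-separated policy value into a set of trimmed entries."""
    return {item.strip() for item in text.split(",") if item.strip()}

SYSLOG_SERVERS = parse_list("192.0.2.10, 192.0.2.11")  # constructed addresses
POLICIES = {  # allowed values per setting, taken from the default policy tables
    "cucm": {"level": {6, 7}, "destination": SYSLOG_SERVERS},
    "expressway": {
        "level": {"Informational", "Debug"},
        "destination": SYSLOG_SERVERS,
        "format": {"IETFSystemFormat"},
        "transport": {"TCP"},
        "port": {601},
        "filter": {EXPRESSWAY_FILTER},
    },
}

def audit_node(node, ignored=frozenset()):
    """Return (policy_status, syslog_active, reasons) for one cached node."""
    active = node.get("syslog_events_3d", 0) > 0  # any syslog events in the last 3 days
    if node["name"] in ignored:  # "Nodes to ignore" are excluded from the check
        return "Ignored", active, []
    policy, reasons = POLICIES[node["type"]], []
    for profile in node.get("profiles", []):
        bad = [k for k, allowed in policy.items() if profile.get(k) not in allowed]
        if not bad:  # assumption: one fully compliant profile is enough to pass
            return "Pass", active, []
        reasons.append(f"{profile.get('destination')}: " + ", ".join(bad))
    return "Fail", active, reasons or ["no syslog destination configured"]

# Constructed sample nodes
NODES = [
    {"name": "cucm-pub", "type": "cucm", "syslog_events_3d": 412,
     "profiles": [{"level": 6, "destination": "192.0.2.10"}]},
    {"name": "exp-c1", "type": "expressway", "syslog_events_3d": 0,
     "profiles": [{"level": "Informational", "destination": "192.0.2.11",
                   "format": "IETFSystemFormat", "transport": "UDP", "port": 514,
                   "filter": EXPRESSWAY_FILTER}]},
    {"name": "lab-exp", "type": "expressway", "profiles": []},
]

if __name__ == "__main__":
    for n in NODES:
        print(n["name"], audit_node(n, ignored=parse_list("lab-exp")))
```

Keeping the policy status and the syslog activity flag separate makes it visible when a node is configured correctly but no events are actually reaching Elasticsearch.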