DarrenLodgeDarr
Contributor

Log of active authorised devices on DS or SEG

Hello, our internal security team has posed a question to me that so far VMware Support hasn't been able to understand correctly, let alone provide a suitable answer for.

What our security teams want to do is be able to review all the live inbound connections (via IP) to our Device Services and SEG and then compare this against a live log from the DS or SEG so they can exclude all the authorised Workspace ONE devices. This will leave us with a list of IPs showing where unauthorised or unsuccessful attempts have been made to access Workspace ONE.

Our intention is to pipe the log file into our Security Information and Event Management (SIEM) tool and then live compare this against the firewall log that is already held within our SIEM tool. With this information we will be able to identify where attempts are being made to access our service from non-authorised devices.

Is there a log on the DS or SEG that details this? Would it be included as part of the IIS log? On our DS there is a file called activedevices.csv, however it's blank and I can't find any reference to it anywhere. The DeviceServices.log also doesn't seem to give this level of detail in a readable format.

Many thanks, Darren

RicardoPachecoR
Enthusiast

You can try the Syslog from the Console (Groups & Settings -> All Settings -> System -> Enterprise Integration -> Syslog).

Now, for inbound connections hitting your Device Services or Secure Email Gateway, your devices are probably using some DHCP service to receive an IP address, and while the lease can allow them to renew it, for mobile phones those are probably going to change often enough for your security team to receive false positives. AirWatch does have some API which can help develop an integration with Cisco ISE to determine if the devices are MDM enrolled.

Or, maybe you could use the IIS logs for your SEG. If you have the correct compliance policies in place, SEG does the verification already. IIS logs can be easily parsed with some good Perl scripting, or LogParser. IP address based filtering/monitoring may not be a good approach.
DarrenLodgeDarr
Contributor

Many thanks for the response Ricardo, sorry it's a slow reply, I didn't receive a notification you'd commented.

In our infrastructure, everything is presented behind a Load Balancer so all the IIS and AirWatch logs have the inside address of our Load Balancer rather than any assigned address, so I'm not sure whether we're going to get anywhere with the IP approach. At the moment I can't even find a simple log that shows the connection behaviour of our enrolled devices, such as device X connected at 09:05:01, device Y connected at 10:45:01, device Z disconnected at 11:04:01.

I'll take another look at the syslog integration and see if we're already receiving some of the data we wanted or whether we need to enable a few more Module/Category Events.
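As an added example (not code from this thread, from Ricardo, or from VMware): a small parser for the IIS W3C logs Ricardo suggests that works around the load-balancer problem Darren describes by taking the client address from an X-Forwarded-For custom field, and then lists every source that is not an enrolled-device address or that received a 401/403. It assumes the load balancer inserts X-Forwarded-For and that IIS is configured to log it as a custom field; the log lines and the authorised-address set are constructed.

```python
"""Parse IIS W3C logs from a Device Services / SEG server behind a load balancer.
Assumptions (not from the thread): the load balancer adds X-Forwarded-For and IIS
logs it as a custom field of that name; the authorised IP set is a SIEM export."""
from typing import Dict, List, Set

# Constructed sample: c-ip is always the load balancer's inside address
# (10.0.0.5); the real client only appears in the X-Forwarded-For field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem sc-status c-ip X-Forwarded-For
2021-03-01 09:05:01 10.0.0.10 POST /DeviceServices/beacon 200 10.0.0.5 203.0.113.7
2021-03-01 09:06:12 10.0.0.10 GET /Microsoft-Server-ActiveSync 200 10.0.0.5 198.51.100.20
2021-03-01 09:07:45 10.0.0.10 GET /Microsoft-Server-ActiveSync 401 10.0.0.5 192.0.2.99
2021-03-01 09:08:03 10.0.0.10 POST /DeviceServices/beacon 200 10.0.0.5 192.0.2.44,10.0.0.5
2021-03-01 09:09:30 10.0.0.10 GET /Microsoft-Server-ActiveSync 403 10.0.0.5 -
"""
AUTHORISED = {"203.0.113.7", "198.51.100.20"}  # constructed enrolled-device IPs

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows

def client_ip(row: Dict[str, str]) -> str:
    """Use the first X-Forwarded-For hop; fall back to c-ip (the LB) if absent."""
    xff = row.get("X-Forwarded-For", "-")
    if xff != "-":
        return xff.split(",")[0].strip()
    return row["c-ip"]

def suspect_sources(text: str, authorised: Set[str]) -> Dict[str, List[str]]:
    """Map each source IP that is not authorised, or that got an auth failure
    (401/403), to the status codes it produced, ready to forward to the SIEM."""
    out: Dict[str, List[str]] = {}
    for row in parse_w3c(text):
        ip, status = client_ip(row), row["sc-status"]
        if ip not in authorised or status in ("401", "403"):
            out.setdefault(ip, []).append(status)
    return out
```

Because device addresses churn (Ricardo's DHCP point), the authorised set has to be refreshed from the device inventory as often as leases change, or the difference will be mostly false positives.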