Audit log messages
I often see messages in the format "Download file xyz Failed", e.g.
49 38 07:13:03 May 10 2024 Download file mw.exe Failed 84.252.92.18 (59993) xxxx (80) X1
48 37 07:13:00 May 10 2024 Download file db.exe Failed 84.252.92.18 (59587) xxxx (80) X1
In this case I know this is a scheduled external test. Today I have seen messages as follows, which are speculative requests from a Russian ASN:
188 117 06:59:07 Jul 16 2024 Export to file user_data.csv Failed 91.92.244.227 (45204) xxxx (80) X1
187 116 06:59:07 Jul 16 2024 Download file wallet_backup.zip Failed 91.92.244.227 (47880) xxxx (80) X1
186 115 06:59:07 Jul 16 2024 Export to file event_log.csv Failed 91.92.244.227 (46846) xxxx (80) X1
But I haven't seen "Export to file" before, how is the remote user triggering that behaviour?
Answers
They are presumably fetching the required URL to do that. You can test this yourself with Web Developer tools in a browser and see what URL is accessed when you export the logs, for example.
I assume they are denied because they're not logged in.
But... you really shouldn't be listening on port 80!
I think it's just set to redirect 80 > 443 so will still get a response. I'll turn that off in any case.
I can't see anything via the browser tools as the Export button just posts server side (I'm no dev so unsure of the terminology).
Thanks.
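As an added example (not code from this thread or from the firewall vendor), here is a small Python parser and detector for audit lines of the shape quoted above. The field layout (two sequence numbers, time, date, action, file name, result, source IP and port, destination and port, interface) is an assumption inferred from the quoted entries, and the five lines embedded as sample input are a constructed copy of them. The detector flags any source that asks for several different files within a short window, which is what the "speculative" requests look like, while skipping addresses the operator already recognises such as the scheduled external test; it also lists which sources reached the management interface on plaintext port 80.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the five audit entries quoted in the thread.
SAMPLE_LOG = """\
49 38 07:13:03 May 10 2024 Download file mw.exe Failed 84.252.92.18 (59993) xxxx (80) X1
48 37 07:13:00 May 10 2024 Download file db.exe Failed 84.252.92.18 (59587) xxxx (80) X1
188 117 06:59:07 Jul 16 2024 Export to file user_data.csv Failed 91.92.244.227 (45204) xxxx (80) X1
187 116 06:59:07 Jul 16 2024 Download file wallet_backup.zip Failed 91.92.244.227 (47880) xxxx (80) X1
186 115 06:59:07 Jul 16 2024 Export to file event_log.csv Failed 91.92.244.227 (46846) xxxx (80) X1
"""

# Assumed field layout, inferred from the quoted lines. "Failed" is the only
# result value seen in the thread, so the result field is matched loosely.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<seq2>\d+)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"
    r"(?P<action>Download file|Export to file)\s+(?P<target>\S+)\s+"
    r"(?P<result>\w+)\s+"
    r"(?P<src_ip>[\d.]+)\s+\((?P<src_port>\d+)\)\s+"
    r"(?P<dst>\S+)\s+\((?P<dst_port>\d+)\)\s+(?P<iface>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict; return None for lines that are not
    file download/export events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(
        " ".join(ev["date"].split()) + " " + ev["time"], "%b %d %Y %H:%M:%S"
    )
    for key in ("seq", "seq2", "src_port", "dst_port"):
        ev[key] = int(ev[key])
    return ev


def parse_log(text):
    """Parse every matching line of an audit log dump."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def find_speculative_sources(events, known_scanners=frozenset(),
                             window=timedelta(seconds=60), min_distinct=2):
    """Return {src_ip: sorted distinct file names} for sources whose failed
    requests named at least `min_distinct` different files inside one
    `window`, skipping addresses the operator already recognises."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed" and ev["src_ip"] not in known_scanners:
            by_ip[ev["src_ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        # Log dumps are newest-first; order chronologically before windowing.
        evs.sort(key=lambda e: (e["ts"], e["seq"]))
        for i, first in enumerate(evs):
            names = {e["target"] for e in evs[i:]
                     if e["ts"] - first["ts"] <= window}
            if len(names) >= min_distinct:
                flagged[ip] = sorted(names)
                break
    return flagged


def plaintext_hits(events, port=80):
    """Source IPs that reached the management interface on the given
    plaintext port (80 in the quoted entries)."""
    return sorted({e["src_ip"] for e in events if e["dst_port"] == port})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    # 84.252.92.18 is the scheduled external test mentioned in the question.
    hits = find_speculative_sources(evs, known_scanners={"84.252.92.18"})
    for ip, names in hits.items():
        print(f"{ip}: {len(names)} distinct files probed -> {', '.join(names)}")
    print("sources reaching port 80:", ", ".join(plaintext_hits(evs)))
```

Run it against a full audit export instead of SAMPLE_LOG to get the same grouping over real data; the window and minimum-distinct-file threshold are the two knobs to tune so that a single mistyped legitimate request does not trip the rule.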