----- Original Message -----
> From: "Michelle Dupuis" <mdupuis at ocg.ca>
> To: "Asterisk Users List" <asterisk-users at lists.digium.com>
> Sent: Thursday, March 27, 2014 12:55:21 AM
> Subject: [asterisk-users] Security log format / content
> I've noticed that the Asterisk (v11) security log captures attempts
> to dial without first authenticating, and places the number dialed
> into the "accountid" field.
> I'm trying to distinguish between failed attempts to register and
> attempts to dial without registering, but the security log treats
> them identically (using the accountid field for either the username
> or number dialed). I have noticed that the eventversion field is set
> to 2 for failed dial attempts, and 1 otherwise.
> Is this coincidence? Or can I rely on the eventversion=2 in the
> future to distinguish these two event types? (I've looked here:
> https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format
> but it doesn't really help)
The "eventversion" field is just a way to distinguish different
versions of the same event. Between Asterisk 10 and 11, that particular
event's logging output changed requiring a bump up in the version. It
should not be used to distinguish different events.
What do you mean by "eventversion field is set to 2 for failed dial
attempts, and 1 otherwise"? What is the event? I have a feeling those are
two different events.
You are correct about the events looking identical whether it is a failed
registration or a failed dial attempt. From the standpoint of Asterisk, an
attempt was made to either register or place a call but the credentials failed.
Therefore, an "InvalidPassword" event is logged.
When an authorized device successfully places a call, you will only have a
"ChallengeSent" entry in your log.
If an attempt to place a call is made and it does not respond back with the
right credentials to the challenge sent to Asterisk, then you will have a
"ChallengeSent" entry with a subsequent "InvalidPassword".
You should be able to connect the two events based on the fields in those
events.
If a successful attempt to register is made, you will have a
"ChallengeSent" with a subsequent "SuccessfulAuth". If it
is not successful, then you will have a "ChallengeSent" with a
subsequent "InvalidPassword". Again, there should be enough
information present with the other fields to help connect the events together.
The security events in Asterisk are designed to present the events. It does not
determine anything else for you. You have to create a consumer of those events
that can attempt to connect the dots for you. Hopefully we are providing enough
information for the consumer to do whatever you would like the consumer to do
with the information.
I hope that helps.
Michael
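The consumer Michael describes, as an added example that is not part of the thread or of Asterisk itself: it parses security-log lines, pairs each "ChallengeSent" with the "SuccessfulAuth" or "InvalidPassword" that follows it, and counts failures per remote host. The log lines are constructed for the example in the style of the Asterisk 11 security log (field names taken from the format page linked above; every value is made up), and the choice of SessionID as the join key, with RemoteAddress plus AccountID as the fallback, is an assumption of this example. Following the advice in the reply, EventVersion is carried through but never used to classify the event.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the Asterisk 11 security log.
# Field names follow the linked format page; addresses, session ids and
# hashes are invented for this example.
SAMPLE_LOG = """\
[2014-03-27 00:50:01] SECURITY[2001] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1395881401-000100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f0c7000b638",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/10.0.0.2/5060",Challenge="4a5b6c7d"
[2014-03-27 00:50:01] SECURITY[2001] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1395881401-000200",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f0c7000b638",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/10.0.0.2/5060"
[2014-03-27 00:51:10] SECURITY[2001] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1395881470-000300",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f0c7000c120",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/10.0.0.2/5060",Challenge="1f2e3d4c"
[2014-03-27 00:55:20] SECURITY[2001] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1395881720-000400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="00441234567890",SessionID="0x7f0c7000d9a0",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060",Challenge="9a8b7c6d"
[2014-03-27 00:55:21] SECURITY[2001] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1395881721-000500",Severity="Error",Service="SIP",EventVersion="2",AccountID="00441234567890",SessionID="0x7f0c7000d9a0",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060",Challenge="9a8b7c6d"
[2014-03-27 00:55:30] SECURITY[2001] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1395881730-000600",Severity="Informational",Service="SIP",EventVersion="1",AccountID="admin",SessionID="0x7f0c7000e1a0",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062",Challenge="0badcafe"
[2014-03-27 00:55:31] SECURITY[2001] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1395881731-000700",Severity="Error",Service="SIP",EventVersion="1",AccountID="admin",SessionID="0x7f0c7000e1a0",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062",Challenge="0badcafe"
[2014-03-27 00:55:40] SECURITY[2001] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1395881740-000800",Severity="Informational",Service="SIP",EventVersion="1",AccountID="100",SessionID="0x7f0c7000f2b0",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5064",Challenge="feedf00d"
[2014-03-27 00:55:41] SECURITY[2001] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1395881741-000900",Severity="Error",Service="SIP",EventVersion="1",AccountID="100",SessionID="0x7f0c7000f2b0",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5064",Challenge="feedf00d"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] \S+: (?P<body>SecurityEvent=.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one security-log line into a dict of its Key="Value" fields, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    fields["_timestamp"] = m.group("ts")
    return fields


def remote_host(remote_address):
    """Reduce 'IPV4/UDP/203.0.113.5/5060' to the host part so retries from
    different source ports aggregate together."""
    parts = (remote_address or "").split("/")
    return parts[2] if len(parts) >= 3 else remote_address


def correlate(lines):
    """Pair each ChallengeSent with the auth event that answers it.

    Join key (assumption of this example): SessionID, falling back to
    (RemoteAddress, AccountID). A challenge that is never answered is reported
    as 'challenge_only', which per the thread is what an authorized call looks
    like. EventVersion is recorded but deliberately not used for classification.
    """
    pending = {}
    outcomes = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = ev.get("SessionID") or (ev.get("RemoteAddress"), ev.get("AccountID"))
        name = ev.get("SecurityEvent")
        if name == "ChallengeSent":
            pending[key] = ev
        elif name in ("SuccessfulAuth", "InvalidPassword"):
            challenge = pending.pop(key, None)
            outcomes.append({
                "account_id": ev.get("AccountID"),   # username OR dialed number
                "remote": remote_host(ev.get("RemoteAddress")),
                "outcome": "success" if name == "SuccessfulAuth" else "failure",
                "challenged": challenge is not None,
                "event_version": ev.get("EventVersion"),
            })
    for ev in pending.values():
        outcomes.append({
            "account_id": ev.get("AccountID"),
            "remote": remote_host(ev.get("RemoteAddress")),
            "outcome": "challenge_only",
            "challenged": True,
            "event_version": ev.get("EventVersion"),
        })
    return outcomes


def failures_by_remote(outcomes):
    """Count InvalidPassword outcomes per remote host."""
    counts = defaultdict(int)
    for o in outcomes:
        if o["outcome"] == "failure":
            counts[o["remote"]] += 1
    return dict(counts)


def flag_sources(outcomes, threshold=3):
    """Hosts whose failure count reaches the threshold (constructed cutoff)."""
    return sorted(h for h, n in failures_by_remote(outcomes).items() if n >= threshold)


if __name__ == "__main__":
    results = correlate(SAMPLE_LOG.splitlines())
    for o in results:
        print(o)
    print("flagged:", flag_sources(results))
```

Because AccountID holds either a username or a dialed number, the correlator reports both under one "failure" outcome rather than guessing which it was; a real consumer that needs the distinction would have to get it from elsewhere (for example the CDR or the SIP trace for the same session), not from EventVersion.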