Version: 7.0

Overview

Passwork can record events from the Action History in CEF (Common Event Format), which makes it possible to forward those events to a SIEM (Security Information and Event Management) system.

info

We do not provide instructions or examples for configuring specific logging solutions, as such actions directly depend on the infrastructure of a particular company.

Activation

Go to Settings and Users → Action History → Settings and activate the option "Record action history to syslog or Windows Event Log":

Enable recording history to local logging system

By default, after activation, all Passwork events will be recorded in a local file:

  • DEB (Ubuntu, Debian, Astra Linux) — /var/log/syslog
  • RPM (RED OS, CentOS, RedHat) — /var/log/messages
  • Docker — /<passwork>/log/php/syslog
  • Windows Server — Event Viewer configuration

warning

If the syslog file is missing on DEB-based Linux servers, install the syslog-ng package: apt install syslog-ng -y

Each event includes:

  • The Device value (depending on the client):
    • Web interface — web;
    • Browser extension — browser addon;
    • Mobile application — mobile;
    • API request — api;
    • Action performed by the system — internal.
  • Event Code (Event ID) — a unique identifier of the action, for example item_created;
  • Severity — the importance level of the event from 1 (low) to 10 (high);
  • Description — description of the action that occurred;
  • Additional fields:
    • suid — ID of the user who performed the action;
    • suser — Login of the user who performed the action;
    • duid — ID of the user on whom the action was performed;
    • duser — Login of the user on whom the action was performed;
    • passworkIp — Client IP address.

Event structure:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
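
A parser for lines in this structure, as an added example (not Passwork's own code) of what a collector has to do before the suid/suser/duid/duser/passworkIp fields can be used in SIEM rules. The sample line, including its syslog prefix and the vendor and product strings, is constructed for illustration and may differ from real Passwork output.

```python
import re

# Header field names, in the order of the "Event structure" line above.
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# An extension key is a word at the start or after whitespace, followed by "=".
_KEY = re.compile(r"(?:^|\s)(\w+)=")

# Constructed sample line: the syslog prefix, vendor/product strings and field
# values are assumptions for illustration, not captured Passwork output.
SAMPLE = (r"Mar  3 10:15:42 pw01 passwork: CEF:0|Passwork|Passwork|7.0|"
          r"item_created|Item created in Vault \| Prod|3|"
          r"suid=42 suser=alice duid=57 duser=bob passworkIp=192.0.2.10")

def _unescape(s):
    # CEF escapes: \| in the header, \= in extensions, \\ and \n in both.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)

def parse_cef(line):
    """Parse one syslog line carrying a CEF event; raise ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload")
    body, fields, cur, i = line[start + 4:], [], "", 0
    # Scan the header by hand so that "\|" and "\\" are honoured.
    while i < len(body) and len(fields) < len(HEADER):
        if body[i] == "\\" and i + 1 < len(body):
            cur += body[i:i + 2]; i += 2
        elif body[i] == "|":
            fields.append(_unescape(cur)); cur = ""; i += 1
        else:
            cur += body[i]; i += 1
    if len(fields) != len(HEADER):
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER, fields))
    event["severity"] = int(event["severity"])
    if not 1 <= event["severity"] <= 10:
        raise ValueError("severity outside 1..10")
    ext, keys = body[i:], list(_KEY.finditer(body[i:]))
    event["ext"] = {}
    # Each value runs up to the next key, so values may contain spaces.
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        event["ext"][m.group(1)] = _unescape(ext[m.end():end].strip())
    return event

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

Rejecting lines with a truncated header or an out-of-range severity keeps malformed or tampered log entries from being silently indexed with shifted fields.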

The following events are implemented in Passwork and recorded in the local file: Event List