How to retain historical log of VPN connections from MI Sentry servers


#1

For compliance purposes, there's a need to capture VPN connections from our users to our Sentry servers.

I have Syslog enabled on our Sentry server to dump data into our Splunk server. However, the data being sent is mainly just warning and info data, even though the syslog threshold was changed to "Debug".

After speaking to an MI engineer, they confirmed that editing the threshold from the UI is not effective and that it needs to be done through the CLI with DEV privileges.
Per Engineering, the current designed behavior of Sentry is not to feed all the debugging logs, monitoring script outputs, audit logs, etc. to the Splunk Syslog server. Changing this behavior in any way will impact customers using those features and cause major overhead on the Splunk server. Debugging logs especially may contain sensitive information in the payload of the traffic, and leaking that to Splunk servers would be serious. Lastly, the Syslog settings in the UI are also used for configuring MobileIron Monitor, and exporting debug logs to MobileIron Monitor is not a good idea either. At this time, the Syslog level (Warn, Info, Debug, etc.) selection in the UI will not have any effect, and only WARN/INFO data is included by default. Selecting a different logging level will not change this behavior.

Has anyone encountered the need for this? I would love to hear what your solution is.

Thank you,


#2

How granular do you need to capture? Are you looking to capture AppTunnel connections to Sentry or each individual connection to a back-end resource?


#3

Hi @adam

We were able to get the necessary info with the upgrade to Sentry 9.2.1.
This upgrade allows us to add the Sentry to our Splunk environment, which lets us see which user and device, the time and date, the resource they're accessing, deny or allow, etc.
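An added example of the receiving side, not code from this thread or from MobileIron: it parses RFC 5424-style syslog lines, derives the severity from the PRI value (PRI = facility * 8 + severity, so severity is the low three bits), drops anything less severe than info (the WARN/INFO-only behaviour described in post #1), and extracts the user, device, timestamp, resource and allow/deny fields mentioned in post #3 into a retained connection log. The sample lines and the key=value message layout are constructed assumptions, not Sentry's documented log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 5424 severity names; the list index is the numeric severity code.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines in RFC 5424 syslog framing. Facility local0 (16)
# gives PRI 128 + severity: 134 = info, 132 = warning, 135 = debug.
# The key=value message body is an assumed layout, not Sentry's real format.
SAMPLE_LINES = [
    "<134>1 2019-03-04T10:15:02Z sentry01 sentry - - - "
    "action=allow user=jdoe device=ios-7f3a resource=mail.internal:443",
    "<132>1 2019-03-04T10:15:09Z sentry01 sentry - - - "
    "action=deny user=asmith device=android-21c0 resource=intranet.corp:8443",
    # Debug-level line: carries request payload, which the compliance log should not retain.
    "<135>1 2019-03-04T10:15:10Z sentry01 sentry - - - "
    "action=allow user=jdoe device=ios-7f3a resource=mail.internal:443 payload=GET /inbox HTTP/1.1",
    # Non-connection line: no user/device/resource fields, so it is skipped.
    "<134>1 2019-03-04T10:16:00Z sentry01 sentry - - - heartbeat=ok",
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED_FIELDS = ("user", "device", "resource", "action")


@dataclass
class ConnectionEvent:
    timestamp: str
    host: str
    severity: str
    user: str
    device: str
    resource: str
    action: str


def parse_connection_event(line: str, max_severity: int = 6) -> Optional[ConnectionEvent]:
    """Return a ConnectionEvent for a syslog line, or None if the line is not
    a connection record or is less severe than max_severity (6 = info)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    severity = pri & 0x7          # facility would be pri >> 3
    if severity > max_severity:   # higher number = less severe (debug is 7)
        return None
    fields = dict(KV_RE.findall(m.group("msg")))
    if not all(k in fields for k in REQUIRED_FIELDS):
        return None
    return ConnectionEvent(
        timestamp=m.group("ts"),
        host=m.group("host"),
        severity=SEVERITIES[severity],
        user=fields["user"],
        device=fields["device"],
        resource=fields["resource"],
        action=fields["action"],
    )


def retain_connection_log(lines: List[str], max_severity: int = 6) -> List[ConnectionEvent]:
    """Filter a stream of syslog lines down to the connection events worth retaining."""
    events = []
    for line in lines:
        ev = parse_connection_event(line, max_severity)
        if ev is not None:
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in retain_connection_log(SAMPLE_LINES):
        print(f"{ev.timestamp} {ev.host} {ev.severity:<7} {ev.action:<5} "
              f"user={ev.user} device={ev.device} resource={ev.resource}")
```

With the default `max_severity=6` the debug line is dropped before its payload field is ever read, which mirrors the Engineering note that debug output may carry traffic payload; raising the threshold to 7 keeps it, so the cut-off belongs in the retained-log path rather than in ad hoc queries.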