Bastion and filters Events in the Event Viewer
The reported events are viewed under Windows Logs > Application, as shown here:
SIP Filter Log Filter
In order to view only SIP Filter related logs click 'Filter Current Logs' and select the following in the 'Event Sources' drop down list:
LAC Filter Log Filter
In order to view only LAC Filter related logs click 'Filter Current Logs' and select the following in the 'Event Sources' drop down list:
All the Error events have the Event ID 259.
All Warning events have the Event ID 258.
All Information events have the Event ID 257.
The following table contains a list of possible events displayed in the event viewer/logs.
Table of Events
Event | Source | Description | Alert Level | Type of message |
IP Address '10.0.2.50' not authorized for login. User: John@Contoso.com. Device Type: All. | Lync Access Control | Login attempt was made from an IP address that does not match authorized IP addresses permitted in settings (seeRestricting access by IP addresses). Access is denied. | Error | Security threshold reached |
User: John@Contoso.com matches a rule in Denied users list. Access was denied. | Lync Access Control | Access attempt was made by auser who matches a pattern (regex) of users to deny access (seeRestricting user authentication based on access rules). Access is denied.
| Error | Security threshold reached |
User: John@Contoso.com does not match any rule in Allowed users list. Access was denied. | Lync Access Control | Access attempt was made by auser who does not match any pattern (regex) of users to allow access (seeRestricting user authentication based on access rules). Access is denied. | Error | Security threshold reached |
Brute force attack detected. Access blocked until 10:25:47 (Local time). User: John@Contoso.com. | Lync Access Control | SkypeShield's DDOS component blocked a user for a period of time after exceeding the permitted number of failed log-in attempts. This prevents the Active Directory user account from being locked and corporate servers being potentially overloaded (brute force attack). Access is denied. | Error | Security threshold reached |
Too many exceptions in file watcher thread: shutting down thethread. | Bastion Reverse Proxy | Too many exceptions in file watcher thread: shutting down thethread. | Error | Bastion System crash. |
Listener 'Skype for BusinessListener' has neither HTTP nor HTTPS (SSL) port defined, and therefore cannot be configured. Skipping listener. | Bastion Reverse Proxy | The listener is not configured correctly in Bastion.xmlconfiguration file. | Error | Bastion configuration |
Listener 'Skype for BusinessListener' cannot listen on port 10.5.2.68:802 since it is already occupied by excListener. | Bastion Reverse Proxy | Two listeners are configured to thesame port. | Error | Bastion configuration |
Authentication of AD credentials failed for user John@Contoso.com. Attempt #2. | Lync Access Control | This warning indicates that a second failed log-in attempt was made by the user. When SkypeShield's DDOS number of failed log-in attempts is reached, the DDOS component will block that user to avoid Active Directory user from being locked and corporate servers from being potentially overloaded (brute force attacked). | Warning | Possible Security event |
User count has reached 80 percent of the maximum limit (80 out of 100). Please consider upgrading your license to support more users. | Lync Access Control | User count has reached percentage threshold. When threshold is reached, a login problem may occur. | Warning | SkypeShield product license warning |
[DbProvider] Device registration timeout is not configured in the Access Portal database; using the default value of 15 minutes. | Lync Access Control | Missing setting value for Device registration timeout. The default value was taken. | Warning | Settings warning |
[DbProvider] Number of Devices to Auto-Register is not set. Setting to 0. | Lync Access Control | Missing setting value for Device registration timeout. The default value was taken. | Warning | Settings warning |
[DbProvider] Number of PCs to Auto-Register is not set. Setting to 0. | Lync Access Control | Missing setting value for Device registration timeout. The default value was taken. | Warning | Settings warning |
[DbProvider] Last sync time accuracy required is not configured in the Access Portal database, using the default value of 24 hours. | Lync Access Control | Missing setting value for Device registration timeout. The default value was taken. | Warning | Settings warning |
Could not define a listener without a name. Please assign the listener a name in the configuration file. | Bastion Reverse Proxy | A listener inBastion.xml file was configured without a name. | Warning | Bastion configuration |
A listener called 'Skype for BusinessListener' is already defined. Skipping listener. | Bastion Reverse Proxy | A listener inBastion.xml file is configured twice. | Warning | Bastion configuration |
IP Address '80.35.24.80' authorized. User: John@Contoso.com. Traffic type - ALL. | Lync Access Control | The user is accessing Skype for Business from an authorized IP address. | Info | Audit |
User: John@Contoso.com is allowed according to access rules. Access allowed. | Lync Access Control | The user is permitted authentication, via SfB with restricted user authen-tication access rules. | Info | Audit |
Bastion Service version 1.4.0.9 is starting.
| Bastion Reverse Proxy | Bastion Service is starting | Info | Audit |
Lync Access Control version 1.5.0.1 has started.
| Lync Access Control | Lync Access Control filter is starting | Info | Audit |
Error while decrypting Password for policy web service. Check that AES-KEY and AES-IV in the config file match the AccessPortal configuration file. Padding is invalid and cannot be removed. | SkypeShieldSIPFilter | The SIP filter access to the Access Portal Website, and therefore cannot pull the current Ethical Wall policy | Error | Audit |