Security Log

Today our Cisco SPA lost registration, and after a reboot it's fine. I thought I would have a look to see what the error is, but our log is filled up with this repeating itself:

Looks like somebody has or attempting to get in to my PBX

[2017-05-26 17:59:01] SECURITY[4330] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2017-05-26T17:59:01.957+0100",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb4a98e58",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/60068",UsingPassword="0",SessionTV="2017-05-26T17:59:01.957+0100"
[2017-05-26 17:59:01] SECURITY[4330] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2017-05-26T17:59:01.977+0100",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb47a3390",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/60076",UsingPassword="0",SessionTV="2017-05-26T17:59:01.977+0100"
[2017-05-26 17:59:01] SECURITY[4330] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2017-05-26T17:59:01.983+0100",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb466f000",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/60080",UsingPassword="0",SessionTV="2017-05-26T17:59:01.983+0100"
[2017-05-26 17:59:03] VERBOSE[3882] asterisk.c: Remote UNIX connection
[2017-05-26 17:59:03] VERBOSE[6781] asterisk.c: Remote UNIX connection disconnected
[2017-05-26 17:59:03] VERBOSE[3882] asterisk.c: Remote UNIX connection
[2017-05-26 17:59:03] VERBOSE[6783] asterisk.c: Remote UNIX connection disconnected
[2017-05-26 17:59:03] VERBOSE[3882] asterisk.c: Remote UNIX connection
[2017-05-26 17:59:03] VERBOSE[6785] asterisk.c: Remote UNIX connection disconnected
[2017-05-26 17:59:22] SECURITY[4330] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2017-05-26T17:59:22.643+0100",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb47eac90",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/60084",UsingPassword="0",SessionTV="2017-05-26T17:59:22.643+0100"
[2017-05-26 17:59:58] SECURITY[4330] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2017-05-26T17:59:58.564+0100",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb47eac90",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/60088",UsingPassword="0",SessionTV="2017-05-26T17:59:58.564+0100"
[2017-05-26 18:00:01] SECURITY[4330] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2017-05-26T18:00:01.825+0100",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb47eac90",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/60092",UsingPassword="0",SessionTV="2017-05-26T18:00:01.825+0100"
[2017-05-26 18:00:01] SECURITY[4330] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2017-05-26T18:00:01.905+0100",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb4a98e58",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/60096",UsingPassword="0",SessionTV="2017-05-26T18:00:01.905+0100"

Yes, your FreePBX at 127.0.0.1 is doing that through the AMI interface; luckily for you, it is succeeding :)

(That log is from Asterisk not FreePBX)


To be clear, this is normal activity, not “Looks like somebody has or attempting to get in to my PBX”?

Good Zombie revival, but specifically, the connection logs tell you everything you need to know - specifically that the ‘admin’ user is logging into the Asterisk Service using a password and from “127.0.0.1” which is the server itself.

If the ‘from_address’ was something else, it would be scary. This, however, is fine.

If the excessive security notifications are driving you crazy when in the Asterisk CLI (and they were for me), you can turn them off in the console. In the FreePBX GUI, go to Settings -> Asterisk Logfile Settings and click on the Log Files tab. For the console line, turn Security to Off.

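As an added example (not part of the original thread, and not code from Asterisk or FreePBX): a small Python filter that applies the check discussed above, reading the `RemoteAddress` field of each AMI `SuccessfulAuth` event and reporting only those whose peer is not the loopback address. The sample lines are constructed, with a shortened field set, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# key="value" pairs; curly quotes are accepted too, since forum software
# often substitutes them when a log is pasted outside a code block.
PAIR = re.compile(r'(\w+)=["“”]([^"“”]*)["“”]')

def parse_event(line):
    """Return the fields of an Asterisk SECURITY log line, or None."""
    if "SECURITY[" not in line or "SecurityEvent=" not in line:
        return None
    return dict(PAIR.findall(line))

def remote_ip(event):
    """RemoteAddress is family/transport/host/port, e.g. IPV4/TCP/127.0.0.1/60068."""
    parts = event.get("RemoteAddress", "").split("/")
    try:
        return ipaddress.ip_address(parts[2])
    except (IndexError, ValueError):
        return None

def non_local_auth(lines, service="AMI"):
    """Count SuccessfulAuth events per (account, peer) whose peer is not loopback."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("Service") != service:
            continue
        if ev.get("SecurityEvent") != "SuccessfulAuth":
            continue
        ip = remote_ip(ev)
        if ip is None or not ip.is_loopback:
            hits[(ev.get("AccountID"), str(ip) if ip else "unparsed")] += 1
    return hits

# Constructed sample lines; 203.0.113.7 is a documentation-range address.
HEAD = '[2017-05-26 17:59:01] SECURITY[4330] res_security_log.c: '
SAMPLE = [
    HEAD + 'SecurityEvent="SuccessfulAuth",Service="AMI",AccountID="admin",'
           'RemoteAddress="IPV4/TCP/127.0.0.1/60068",UsingPassword="0"',
    HEAD + 'SecurityEvent=“SuccessfulAuth”,Service=“AMI”,AccountID=“admin”,'
           'RemoteAddress=“IPV4/TCP/203.0.113.7/41822”,UsingPassword=“0”',
    '[2017-05-26 17:59:03] VERBOSE[3882] asterisk.c: Remote UNIX connection',
]

if __name__ == "__main__":
    for (account, peer), n in non_local_auth(SAMPLE).items():
        print(f"{n} AMI login(s) as {account} from non-local peer {peer}")
```

An empty result on a real log matches the situation in this thread: every AMI login came from the server itself.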
