Multi-Pass Log Sync Service

Info
This document outlines how the Multi-Pass Log Sync Service can be integrated with various Security Information and Event Management (SIEM) products. The service is a standalone solution that collects JSON-formatted events from the Multi-Pass Authentication Service (MPAS) and forwards them to your SIEM system for further analysis and processing.

Key Features

Standalone Service: Operates independently and can be managed directly.
On-Prem Deployment: Can be deployed within your internal infrastructure.
Managed Deployment: Ensures the service remains up-to-date with the latest updates and improvements.
Event Collection: Gathers JSON-formatted events from MPAS.
SIEM Forwarding: Forwards collected events to SIEM products for centralized monitoring and analysis using the HTTPS POST protocol.
Redaction of user and admin events: access-sensitive information (such as IP addresses, usernames, and event details) is redacted before the events are forwarded. This behavior is configurable via environment variables.


Architecture Diagram

Info
When a new event occurs, it is accessible from the Multi-Pass API. The Multi-Pass Log Sync Service pulls new events from the Multi-Pass API and then publishes each event with a POST to the SIEM API.


On-Prem

Info
This section provides step-by-step instructions for deploying a Docker container on-premises using the Multi-Pass Log Sync Service Docker image, hosted at kzpublic.azurecr.io. You will configure your Docker environment, pull the image from the repository, and run the container on your local infrastructure.
Notes
The service is designed to be stateless, meaning it does not store persistent data locally within the container environment.

Prerequisites

Before deploying the Multi-Pass Log Sync Service, ensure the following requirements are met:
Docker Installed: Docker must be installed on your system. If not, follow the official installation guide for your operating system.
Repository Access: Ensure you have access to kzpublic.azurecr.io (Docker Hub or a private repository).
Network Connectivity: Your system must have internet or network access to reach the Docker repository.
User Credentials: A user with view-event permissions must be created with a username and password.

Create the mpas-log-sync user in MPAS:

  1. Inside the Credentials tab, create a new credential for the new user.
  2. Within the Role Mapping tab, assign the view-events role to the new user.


Usage

Additional Information: SIEM documentation
Docker Image Name: kzpublic.azurecr.io/sso/mpas-event-log-sync:latest
Updating the Docker Service:
To update the Docker service to the latest version, you must first stop the current container, then pull and start the container with the latest version. This process ensures that the update is applied cleanly and avoids inconsistencies.

Update with Docker Compose:
For Docker Compose users, refer to the documentation.

Example commands:
  1. $ docker compose stop # stops all services
  2. $ docker compose pull # pulls the latest image if the "latest" tag is used
  3. $ docker compose up -d # starts all services
Docker Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application’s services. Then, with a single command, you create and start all the services defined in your configuration.

Important Note on YAML Variables:
  1. When inputting data for variables, ensure you follow standard YAML rules.
  2. For passwords or variables containing special characters, you may need to escape them properly (for example, using $ as the escape character) or properly quote the variable.
  3. If you're unsure about YAML escaping rules or prefer a simpler approach, it’s recommended to use alphanumeric characters only.

Update with Docker CLI:
For Docker CLI users, refer to the documentation.

Example commands:
  1. $ docker stop mpas-log-sync # stops the container
  2. $ docker rm mpas-log-sync # optional: removes the container
  3. $ docker pull <image-name>:latest # pulls the latest image
  4. $ docker run -d [see SIEM docker cli section for details]
External documentation link: https://docs.docker.com/reference/cli/docker/
Notes
Single Instance Requirement:
To ensure accurate event collection and avoid duplicate entries in your SIEM system, only run one instance of the service at a time. Running multiple instances simultaneously can lead to data inconsistencies, affect performance and accuracy of your security monitoring, and potentially trigger false positive alerts depending on your SIEM setup.
Notes
Potential Event Loss:
During the Docker update process—specifically when stopping and removing the running container—some events may be temporarily lost. This is due to the inherent interruption in event collection during the container restart.
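As an added example (not from the Multi-Pass documentation or the service itself), the Docker CLI update sequence above is wrapped in a POSIX shell function that also enforces the single-instance rule from the notes: it refuses to update while more than one container started from the image is running, and verifies that exactly one is running after the restart. The container name mpas-log-sync and the image name are taken from this article; MPAS_RUN_ARGS (a placeholder for the run flags from the SIEM docker cli section, which this page does not reproduce) and DOCKER_BIN (a hook for substituting the docker command) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: stop -> rm -> pull -> run, guarded by the single-instance rule.
# Not the project's own tooling; container/image names come from the article,
# MPAS_RUN_ARGS and DOCKER_BIN are assumptions of this example.
set -eu

IMAGE="${IMAGE:-kzpublic.azurecr.io/sso/mpas-event-log-sync:latest}"
CONTAINER="${CONTAINER:-mpas-log-sync}"
DOCKER_BIN="${DOCKER_BIN:-docker}"
# Placeholder: the real flags (environment file, restart policy, ...) are documented
# in the SIEM docker cli section, not on this page.
MPAS_RUN_ARGS="${MPAS_RUN_ARGS:---restart unless-stopped --env-file mpas-log-sync.env}"

# Number of running containers created from the sync image, regardless of name.
running_instances() {
    "$DOCKER_BIN" ps -q --filter "ancestor=$IMAGE" | wc -l | tr -d ' '
}

# Perform the update; returns non-zero if the single-instance rule is violated
# before or after the restart.
update_log_sync() {
    n=$(running_instances)
    if [ "$n" -gt 1 ]; then
        echo "refusing to update: $n instances of $IMAGE are running; stop the extras first" >&2
        return 1
    fi
    "$DOCKER_BIN" stop "$CONTAINER" || true   # absent on a first deployment is fine
    "$DOCKER_BIN" rm "$CONTAINER" || true
    "$DOCKER_BIN" pull "$IMAGE"
    # MPAS_RUN_ARGS is intentionally unquoted so its flags are word-split.
    "$DOCKER_BIN" run -d --name "$CONTAINER" $MPAS_RUN_ARGS "$IMAGE"
    n=$(running_instances)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one running instance after the update, found $n" >&2
        return 1
    fi
}

# Run only when invoked as: sh update-mpas-log-sync.sh update
if [ "${1:-}" = "update" ]; then
    update_log_sync
fi
```

The pre-check uses `docker ps --filter ancestor=<image>` rather than the container name so that a second copy started under a different name is still caught; the post-check catches a compose stack or another host agent racing the script.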

Managed Deployment

We offer a Managed Deployment as a Service to provide a seamless, secure, and efficient deployment experience for the Multi-Pass Log Sync Service. Our team handles the entire deployment lifecycle—from initial setup to ongoing maintenance and updates. We deliver a customized deployment solution tailored to your specific application requirements and infrastructure.

Prerequisites

  1. Internet or Network Access: Ensure that the SIEM ingestion HTTPS interface is publicly available.
  2. HTTPS: Verify that the HTTPS certificate is valid and properly signed by a trusted root Certificate Authority (CA).

Initial Setup

To get started with the Managed Deployment service, please contact us.

Events Log Format

The following is an example of the log format forwarded to a SIEM. This sample demonstrates the structure of the log entries, including the data fields and their formatting.

Admin Event Sample:
  {
    "timestamp": "2025-02-12T19:27:48.633Z",
    "eventType": "admin-event",
    "event": {
      "time": 1739388468633,
      "realmId": "51881d96-bc7f-4c97-aa51-77548224d5e0",
      "authDetails": {
        "realmId": "9bafbd1b-7323-4da3-955a-56a5def096fa",
        "clientId": "d5ba73e7-33b2-4947-ba61-a12b530c7725",
        "userId": "82e179b6-e630-4bae-95fd-e7d88cd2b183",
        "ipAddress": "<redacted>"
      },
      "operationType": "DELETE",
      "resourceType": "USER_SESSION",
      "resourcePath": "sessions/887cec96-6bc1-4e80-b773-c060ed1935ae",
      "representation": "<redacted>"
    }
  }

Admin Event representation:

  Name            Type
  timestamp       String
  eventType       String
  time            Long (int64)
  realmId         String
  authDetails     AuthDetailsRepresentation
  operationType   String
  resourceType    String
  resourcePath    String
  representation  String
  error           String
  details         Map of [String]

Auth Details Representation:

  Name       Type
  realmId    String
  clientId   String
  userId     String
  ipAddress  String

User Event Sample:
  {
    "timestamp": "2025-02-12T19:27:50.156Z",
    "eventType": "user-event",
    "event": {
      "time": 1739388470156,
      "type": "LOGIN",
      "realmId": "51881d96-bc7f-4c97-aa51-77548224d5e0",
      "clientId": "admin-cli",
      "userId": "8069b335-7653-4339-bd54-aad69a1f1cca",
      "sessionId": "d81367f3-b449-4f4e-92a7-8fab95940160",
      "ipAddress": "<redacted>",
      "details": {
        "auth_method": "openid-connect",
        "token_id": "d4e59faa-ab60-4520-8180-e18518b61322",
        "grant_type": "password",
        "refresh_token_type": "Refresh",
        "scope": "profile email",
        "refresh_token_id": "b28dfff9-3d54-430d-907b-444aef903d9d",
        "client_auth_method": "client-secret",
        "username": "<redacted>"
      }
    }
  }

User Event representation:

  Name       Type
  timestamp  String
  eventType  String
  time       Long (int64)
  type       String
  realmId    String
  clientId   String
  userId     String
  sessionId  String
  ipAddress  String
  error      String
  details    Map of [String]
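As an added example (not code from the Multi-Pass documentation or the service), the following SIEM-side normaliser consumes the two forwarded record shapes described above. It flattens an admin-event and a user-event onto one common record using the field tables in this section, checks that the envelope "timestamp" denotes the same instant as the event's epoch-millisecond "time", and reports which access-sensitive fields arrived redacted. The two sample records are copied from this article; the flat field names (kind, action, target, actor_user, ...) are this example's own choice.

```python
"""Added example: normalise Multi-Pass Log Sync records for SIEM correlation.
Not the service's own code; the sample events are copied from the article and
the flat field names are assumptions of this example."""
import json
from datetime import datetime, timedelta, timezone

REDACTED = "<redacted>"  # literal marker the service substitutes for redacted values
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Sample records copied from the article (compacted to one string each).
ADMIN_SAMPLE = ('{"timestamp":"2025-02-12T19:27:48.633Z","eventType":"admin-event","event":{'
                '"time":1739388468633,"realmId":"51881d96-bc7f-4c97-aa51-77548224d5e0",'
                '"authDetails":{"realmId":"9bafbd1b-7323-4da3-955a-56a5def096fa",'
                '"clientId":"d5ba73e7-33b2-4947-ba61-a12b530c7725",'
                '"userId":"82e179b6-e630-4bae-95fd-e7d88cd2b183","ipAddress":"<redacted>"},'
                '"operationType":"DELETE","resourceType":"USER_SESSION",'
                '"resourcePath":"sessions/887cec96-6bc1-4e80-b773-c060ed1935ae",'
                '"representation":"<redacted>"}}')
USER_SAMPLE = ('{"timestamp":"2025-02-12T19:27:50.156Z","eventType":"user-event","event":{'
               '"time":1739388470156,"type":"LOGIN","realmId":"51881d96-bc7f-4c97-aa51-77548224d5e0",'
               '"clientId":"admin-cli","userId":"8069b335-7653-4339-bd54-aad69a1f1cca",'
               '"sessionId":"d81367f3-b449-4f4e-92a7-8fab95940160","ipAddress":"<redacted>",'
               '"details":{"auth_method":"openid-connect","token_id":"d4e59faa-ab60-4520-8180-e18518b61322",'
               '"grant_type":"password","refresh_token_type":"Refresh","scope":"profile email",'
               '"refresh_token_id":"b28dfff9-3d54-430d-907b-444aef903d9d",'
               '"client_auth_method":"client-secret","username":"<redacted>"}}}')


def iso_to_millis(ts: str) -> int:
    """Convert the envelope timestamp (ISO-8601 with a 'Z' suffix) to epoch milliseconds."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    # timedelta // timedelta yields an exact integer; avoids float rounding of .timestamp().
    return (dt - _EPOCH) // timedelta(milliseconds=1)


def normalize(raw: str) -> dict:
    """Parse one forwarded JSON record and flatten it into a SIEM-friendly dict."""
    rec = json.loads(raw)
    ev = rec["event"]
    kind = rec["eventType"]
    if kind == "admin-event":
        # Actor identity lives under authDetails for admin events.
        auth = ev.get("authDetails", {})
        out = {
            "kind": kind,
            "action": f'{ev.get("operationType")} {ev.get("resourceType")}',
            "target": ev.get("resourcePath"),
            "realm": ev.get("realmId"),
            "actor_user": auth.get("userId"),
            "actor_client": auth.get("clientId"),
            "ip": auth.get("ipAddress"),
        }
        sensitive = {"ipAddress": auth.get("ipAddress"),
                     "representation": ev.get("representation")}
    elif kind == "user-event":
        # Actor identity is top-level for user events; username sits in details.
        details = ev.get("details", {})
        out = {
            "kind": kind,
            "action": ev.get("type"),
            "target": ev.get("sessionId"),
            "realm": ev.get("realmId"),
            "actor_user": ev.get("userId"),
            "actor_client": ev.get("clientId"),
            "ip": ev.get("ipAddress"),
        }
        sensitive = {"ipAddress": ev.get("ipAddress"),
                     "username": details.get("username")}
    else:
        raise ValueError(f"unknown eventType: {kind!r}")
    out["error"] = ev.get("error")  # listed in both field tables, absent from the samples
    out["redacted"] = sorted(k for k, v in sensitive.items() if v == REDACTED)
    # The envelope timestamp and event.time should agree; a mismatch suggests the
    # record was rewritten or re-timestamped somewhere between MPAS and the SIEM.
    out["clock_consistent"] = iso_to_millis(rec["timestamp"]) == ev["time"]
    return out


if __name__ == "__main__":
    for sample in (ADMIN_SAMPLE, USER_SAMPLE):
        print(json.dumps(normalize(sample), indent=2))
```

Because both record shapes end up with the same keys, a single SIEM rule (for example, correlating an admin DELETE of a USER_SESSION with the user LOGIN that created it, via realm and actor_user) can run over the flattened output without branching on eventType. The redacted list also gives a quick check that the redaction variables are set as intended on the deployed container.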

Integration Process

Follow the SIEM product documentation.
