[asterisk-users] Security log format / content

Michelle Dupuis mdupuis at ocg.ca
Fri Mar 28 19:35:27 CDT 2014

Why does the failed authentication place the number dialed, instead of the username used, in the account field?

Any way to distinguish a failed dial attempt from a failed register attempt using just the security log?  (I couldn't see how looking at the log)

From: asterisk-users-bounces at lists.digium.com <asterisk-users-bounces at lists.digium.com> on behalf of Michael L. Young <myoung at acsacc.com>
Sent: Thursday, March 27, 2014 2:42 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Security log format / content

----- Original Message -----

> From: "Michelle Dupuis" <mdupuis at ocg.ca>
> To: "Asterisk Users List" <asterisk-users at lists.digium.com>
> Sent: Thursday, March 27, 2014 12:55:21 AM
> Subject: [asterisk-users] Security log format / content

> I've noticed that the Asterisk (v11) security log captures attempts
> do dial without first authenticating, and places the number dialed
> into the "accountid" field.

> I'm trying to distinguish between failed attempts to register and
> attempts to dial without registering, but the security log treats
> them identically (using the accountid field for either the username
> or number dialed). I have noticed that the eventversion field is set
> to 2 for failed dial attempts, and 1 otherwise.

> Is this coincidence? Or can I rely on the eventversion=2 in the
> future to distinguish these two event types? (I've looked here:
> https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format
> but it doesn't really help)

The "eventversion" field is just a way to distinguish different versions of the same event.  Between Asterisk 10 and 11, that particular event's logging output changed requiring a bump up in the version.  It should not be used to distinguish different events.

What do you mean by "eventversion field is set to 2 for failed dial attempts, and 1 otherwise"?  What is the event?  I have a feeling those are two different events.

You are correct about the events looking identical whether it is a failed registration or a failed dial attempt.  From the standpoint of Asterisk, an attempt was made to either register or place a call but the credentials failed.  Therefore, an "InvalidPassword" event is logged.

When an authorized device successfully places a call, you will only have a "ChallengeSent" entry in your log.

If an attempt to place a call is made and it does not respond back with the right credentials to the challenge sent to Asterisk, then you will have a "ChallengeSent" entry with a subsequent "InvalidPassword".  You should be able to connect the two events based on the fields in those events.

If a successful attempt to register is made, you will have a "ChallengeSent" with a subsequent "SuccessfulAuth".  If it is not successful, then you will have a "ChallengeSent" with a subsequent "InvalidPassword".  Again, there should be enough information present with the other fields to help connect the events together.

The security events in Asterisk are designed to present the events.  It does not determine anything else for you.  You have to create a consumer of those events that can attempt to connect the dots for you.  Hopefully we are providing enough information for the consumer to do whatever you would like the consumer to do with the information.

I hope that helps.


-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:

More information about the asterisk-users mailing list