SSO Logs with Splunk - Generate Analytical Reports

Document created by karve03 (Employee) on Feb 15, 2017. Last modified by karve03 (Employee) on Feb 16, 2017. Version 2.

In this document we show how to generate basic but useful analytical reports from SSO logs using the Splunk analytics platform.

 

Introduction

SSO generates two types of logs: smaccess and smtrace.

smaccess: This log records the important transactional details, such as which resource a user requested and the status (accept or reject) of that access request.

This logging is enabled from smconsole. The records can be written to a file on the Policy Server machine or to an external audit store.

 

smtrace: This log is an exhaustive trace: server logging, tunnel service information, agent logging, and function entry and exit statements.

This logging is also enabled from smconsole.

 

In this article we use the smaccess log file to generate various analytical reports, and we describe how to write the Splunk queries that produce them.

 

Splunk: Splunk is an operational intelligence platform that indexes machine data, monitors and analyzes it, and provides insights from it.

Splunk Enterprise is used in this exercise. 

 

What is not covered in this document:

Installation of Splunk Enterprise

General Splunk query (SPL) syntax, and how Splunk dashboards are created

How to configure and generate SSO smaccess logs

Format and details of smaccess log fields

 

What kind of reports did we generate?

  1. How many requests were made per resource?
  2. What is the 'authentication response' of all requests?
  3. What is the total number of requests from a selected user?
  4. What are the statistics of the authentication response per user, over all requests?
  5. What is the total number of 'rejects' per user per resource?
  6. What is the total number of 'rejects' per user, broken down by the resources that user requested?

 

Basic usage details of Splunk before generating reports:

   

Adding an input file:

Splunk home page -> Settings -> Data inputs -> Files & directories -> Add new

Give the path of the folder that contains the log file.

 

Adding a new field:

Run any query.

Check the fields sidebar. Fields in the Selected Fields and Interesting Fields categories appear there.

Select 'All Fields'. If the required field is unavailable, select 'Extract New Field'.

Select one of the listed log entries as the sample event.

Select either Regular Expression or Delimiters. In this example Regular Expression is selected.

Highlight the value to be extracted. In this example the IP address is highlighted and the Field Name is given as 'IP'.

Save the extracted field by clicking Finish.

The new field is now listed and can be used in future queries. Because the regular expression is generated from the one sample event you chose, check it against events from other agents and actions before building reports on it: an event the expression does not match gets no value for the field and silently drops out of every report that filters or counts on that field.

 

Queries and Reports:

1. How many requests were made per resource?

source="C:\\access\\*" | top resource

Here 'resource' is the new field we extracted.

 

2. What is the 'authentication response' of all requests?

source="C:\\access\\*" | top Auth_state

Here Auth_state is a new field that we extracted.

3. What is the total number of requests from a selected user?

source="C:\\access\\*" | where user_name like "bacssouser" | stats count

Here user_name is a field that we extracted. Note that like() in SPL uses % as its wildcard, so a pattern without % (as here) is an exact match, while "%bacssouser" in the queries below matches any user_name that ends in bacssouser. Without the final stats count the query lists the matching events instead of returning the total.

 

4. What are the statistics of the authentication response per user, over all requests?

source="C:\\access\\*" | where user_name like "%bacssouser" | top Auth_state

5. What is the total number of 'rejects' per user per resource?

source="C:\\access\\*" | where user_name like "%bacssouser" | where Auth_state like "AuthReject" | where resource like "/myHRBAC/Redirector" | stats count

6. What is the total number of 'rejects' per user, broken down by the resources that user requested?

source="C:\\access\\*" | where user_name like "%bacssouser" | where Auth_state like "AuthReject" | top resource
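The field extraction described earlier and the six reports above, redone as an added Python example so that the numbers a Splunk dashboard shows can be cross-checked against an offline count. This is not code from the article, from CA SSO or from Splunk. The bracketed line layout, the sample events and the user and resource values in them are assumptions made for illustration; the article does not document the smaccess field format.

```python
"""Added example, not CA SSO or Splunk code: the regex field extraction and
the six smaccess reports of this article redone in plain Python, so that a
Splunk dashboard can be cross-checked against an offline count.

ASSUMPTION: the article does not describe the smaccess field layout, so the
bracketed layout used here is illustrative only:
    [timestamp] [Auth_state] [IP] [resource] [user_name]
"""
import re
from collections import Counter

# Constructed sample log in the assumed layout; not real smaccess output.
# The last line is deliberately malformed to show how unparseable events are handled.
SAMPLE_LOG = """\
[15/Feb/2017:10:01:02 +0000] [AuthAccept] [10.0.0.5] [/myHRBAC/Redirector] [bacssouser]
[15/Feb/2017:10:01:09 +0000] [AuthReject] [10.0.0.5] [/myHRBAC/Redirector] [bacssouser]
[15/Feb/2017:10:02:11 +0000] [AuthReject] [10.0.0.5] [/myHRBAC/Payroll] [bacssouser]
[15/Feb/2017:10:03:30 +0000] [AuthAccept] [10.0.0.7] [/myHRBAC/Payroll] [alice]
[15/Feb/2017:10:04:44 +0000] [AuthReject] [10.0.0.7] [/myHRBAC/Redirector] [alice]
[15/Feb/2017:10:05:00 +0000] [AuthReject] [10.0.0.5] [/myHRBAC/Redirector] [bacssouser]
Policy server restarted; this line has no bracketed fields
"""

# The kind of regex you would enter in Splunk's "Extract New Field" dialog;
# the named groups are the field names the article's queries use.
FIELD_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]\s+\[(?P<Auth_state>[^\]]+)\]\s+\[(?P<IP>[^\]]+)\]\s+"
    r"\[(?P<resource>[^\]]+)\]\s+\[(?P<user_name>[^\]]+)\]"
)

def extract_fields(text):
    """Parse log text into (events, skipped). Non-matching lines are skipped,
    which is what Splunk silently does when an extraction regex fails: the
    event stays searchable but drops out of every report on that field."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            skipped += 1
    return events, skipped

def where_like(events, field, pattern):
    """'| where <field> like "<pattern>"': SPL like() uses % as the wildcard,
    so "%bacssouser" means 'ends with bacssouser' and no % means exact match."""
    regex = re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("%")) + "$")
    return [e for e in events if regex.match(e[field])]

def top(events, field):
    """'| top <field>': (value, count) pairs, most frequent first."""
    return Counter(e[field] for e in events).most_common()

# Reports 1 to 6 of the article, in the same order.
def requests_per_resource(events):                       # 1
    return top(events, "resource")

def auth_state_of_all_requests(events):                  # 2
    return top(events, "Auth_state")

def total_requests_for_user(events, user_pattern):       # 3
    return len(where_like(events, "user_name", user_pattern))

def auth_states_for_user(events, user_pattern):          # 4
    return top(where_like(events, "user_name", user_pattern), "Auth_state")

def rejects_for_user_and_resource(events, user_pattern, resource_pattern):  # 5
    rejected = where_like(events, "Auth_state", "AuthReject")
    by_user = where_like(rejected, "user_name", user_pattern)
    return len(where_like(by_user, "resource", resource_pattern))

def rejects_per_resource_for_user(events, user_pattern):  # 6
    rejected = where_like(events, "Auth_state", "AuthReject")
    return top(where_like(rejected, "user_name", user_pattern), "resource")

# Beyond the article: rejects for every (user, resource) pair in one pass,
# the offline equivalent of '| stats count by user_name, resource'.
def rejects_by_user_and_resource(events):
    rejected = where_like(events, "Auth_state", "AuthReject")
    return Counter((e["user_name"], e["resource"]) for e in rejected).most_common()

if __name__ == "__main__":
    events, skipped = extract_fields(SAMPLE_LOG)
    print(f"parsed {len(events)} events, skipped {skipped} unparseable line(s)")
    print("1:", requests_per_resource(events))
    print("5:", rejects_for_user_and_resource(events, "%bacssouser", "/myHRBAC/Redirector"))
    print("7:", rejects_by_user_and_resource(events))
```

Run it as a script to print the reports. rejects_by_user_and_resource goes beyond report 5, which filters on one user and one resource at a time, and counts every user/resource pair in a single pass; in Splunk that is a stats count by the two fields rather than a chain of where clauses. extract_fields also returns how many lines the regular expression did not match; make the same check in Splunk after extracting a field, because an event the expression misses simply vanishes from every report built on that field.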

 

 

See the Splunk documentation for how to write more effective queries for your needs.

Disclaimer: This document is to be used as a self-help guide only. CA SSO engineering is not responsible for Splunk integration issues or reporting issues.
