Yes, I have some nice splunk dashboards for CAS I can share if there is 
interest.

Though I can sympathize with Marvin about the output format.  It required at 
the very least some newline mangling before splunk could ingest the logs very 
well.  Something like: "key1=value, key2=value, key3=value, ..." that contains 
all the conceivable data about the TGT, related STs, the type of credentials 
presented, associated principal, client IP, etc. would be the ideal.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
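The correlation problem Marvin describes, worked through as an added example (this is editor-supplied code, not Carl's Splunk dashboards nor anything shipped with CAS): the TGT id moves between the "what" field of the authentication event and the "principal" field of the service-ticket event, so a "follow this ticket" query needs a two-pass join. The sample records below are constructed and only approximate the multi-line block layout of the CAS audit log; the field names (WHO, WHAT, ACTION, WHEN, CLIENT IP ADDRESS), the action names and the service URLs are assumed for the example. The last function also rewrites each record into the single-line "key=value, key=value" form Carl asks for, with the principal and TGT resolved on every line so a field-based tool can group on either without a join.

```python
"""Correlate CAS audit records per user via TGT ids, then flatten them.

Constructed example: the sample log is made up and only approximates the
multi-line block layout of the CAS audit log; field and action names are
assumed (WHO=principal field, WHAT=what field, as in the thread).
"""
import re

# Constructed sample: TGT creation puts the user in WHO and the TGT in WHAT;
# service-ticket creation puts the TGT in WHO and the service in WHAT.
SAMPLE_AUDIT_LOG = """\
=============================================================
WHO: alice
WHAT: TGT-1-aaaaaaaa-cas01
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jul 17 09:12:00 EDT 2015
CLIENT IP ADDRESS: 10.1.2.3
SERVER IP ADDRESS: 10.0.0.10
=============================================================
WHO: TGT-1-aaaaaaaa-cas01
WHAT: https://mail.example.edu/login
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jul 17 09:12:01 EDT 2015
CLIENT IP ADDRESS: 10.1.2.3
SERVER IP ADDRESS: 10.0.0.10
=============================================================
WHO: bob
WHAT: TGT-2-bbbbbbbb-cas01
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jul 17 09:15:00 EDT 2015
CLIENT IP ADDRESS: 10.4.5.6
SERVER IP ADDRESS: 10.0.0.10
=============================================================
WHO: TGT-2-bbbbbbbb-cas01
WHAT: https://wiki.example.edu/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jul 17 09:15:02 EDT 2015
CLIENT IP ADDRESS: 10.4.5.6
SERVER IP ADDRESS: 10.0.0.10
=============================================================
WHO: TGT-1-aaaaaaaa-cas01
WHAT: https://wiki.example.edu/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jul 17 09:20:00 EDT 2015
CLIENT IP ADDRESS: 10.1.2.3
SERVER IP ADDRESS: 10.0.0.10
=============================================================
WHO: mallory
WHAT: [username: mallory]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jul 17 09:21:00 EDT 2015
CLIENT IP ADDRESS: 10.9.9.9
SERVER IP ADDRESS: 10.0.0.10
=============================================================
"""

SEPARATOR = re.compile(r"^=+$", re.MULTILINE)   # record delimiter lines
FIELD = re.compile(r"^([A-Z ]+): (.*)$")        # "KEY: value" lines


def parse_audit(text):
    """Split the multi-line log into one dict per record (the newline mangling
    step Carl mentions, done in code instead of at ingest time)."""
    records = []
    for block in SEPARATOR.split(text):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "ACTION" in fields:          # skip empty fragments between separators
            records.append(fields)
    return records


def tgt_owners(records):
    """Pass 1: TGT id -> user, from events where the user is WHO and the TGT is WHAT."""
    return {r["WHAT"]: r["WHO"] for r in records
            if r["ACTION"] == "TICKET_GRANTING_TICKET_CREATED"}


def services_for_user(records, user):
    """Pass 2: services accessed by `user`, joining ST events (WHO=TGT) to pass 1.
    A production query would also bound the join by TGT creation/expiry time."""
    owners = tgt_owners(records)
    return sorted({r["WHAT"] for r in records
                   if r["ACTION"] == "SERVICE_TICKET_CREATED"
                   and owners.get(r["WHO"]) == user})


def flatten(records):
    """Rewrite each record as one 'key=value, ...' line with principal and TGT
    both resolved, so no join is needed downstream."""
    owners = tgt_owners(records)
    lines = []
    for r in records:
        if r["ACTION"] == "TICKET_GRANTING_TICKET_CREATED":
            tgt, principal = r["WHAT"], r["WHO"]
        elif r["WHO"].startswith("TGT-"):            # ticket-keyed event
            tgt, principal = r["WHO"], owners.get(r["WHO"], "")
        else:                                        # user-keyed, no ticket
            tgt, principal = "", r["WHO"]
        kv = {"when": r.get("WHEN", ""), "action": r["ACTION"],
              "principal": principal, "tgt": tgt, "what": r["WHAT"],
              "client_ip": r.get("CLIENT IP ADDRESS", "")}
        lines.append(", ".join(f"{k}={v}" for k, v in kv.items()))
    return lines


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT_LOG)
    print("alice:", services_for_user(recs, "alice"))
    print("\n".join(flatten(recs)))
```

The first pass builds the TGT-to-user map once; the second pass is then a dictionary lookup per service-ticket event rather than a join over the whole window, which is the part Marvin expects to be slow in Splunk. Emitting the flattened form at logging time removes the need for either pass.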

----- Original Message -----
From: "Misagh Moayyed" <[email protected]>
To: [email protected]
Sent: Friday, July 17, 2015 10:02:24 AM
Subject: Re: [cas-user] Querying CAS audit data with Splunk

At the last Apereo conference, Lafayette College demoed a very impressive tool 
that allowed them to run those types of queries. I don’t offhand remember the 
exact tool name, (and it may very well have been splunk) but Carl was showing 
some very impressive queries that Lafayette uses in order to track TGT 
activity. That might help you get an idea. 

Note that this sort of thing will no longer be possible in the future because 
you will no longer, at least by default, get ticket data in the logs. The 
general consensus at Apereo was that a “dashboard” to manage SSO sessions would 
generally be a much better fit to correlate service access with TGTs and other 
types of similar activity, delegated access, etc. Sean and other folks at USUHS 
are and have been working on a prototype. 

> On Jul 17, 2015, at 9:12 AM, Marvin Addison <[email protected]> wrote:
> 
> I recall having seen some discussion of CAS+Splunk in the past. We've been 
> ingesting all CAS logs into Splunk for over a year now and it's generally 
> awesome. We recently had a need to query for a list of services accessed by a 
> single user, and that turns out to be spectacularly difficult due to the 
> layout of the audit logs. The root problem is that the CAS audit log is a 
> record-oriented log (timestamp, what, principal, action,...), but the TGT 
> that could be used to correlate the service access events jumps around. In 
> the case of an authentication, where the user principal is logged, it's in 
> the "what" field. In the service ticket creation events, where you see the 
> service name in the "what" field, it appears in the "principal" field. That 
> precludes the use of the Splunk "transaction" command, which would make the 
> query trivial.
> 
> Given the layout of CAS audit logs, has anyone accomplished this sort of 
> query? I think join with field renaming may be promising, but I am afraid the 
> performance may be so terrible it won't be feasible for any large time window.
> 
> I don't know how popular Splunk is in the CAS community, but we might 
> consider some changes to the audit log format to facilitate "follow this 
> ticket" kind of queries. It could arguably have value beyond Splunk.
> 
> M
> 
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user

