Also, here are my settings for cas from
"$SPLUNK_HOME/etc/apps/search/local/props.conf":
[cas]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}
EXTRACT-cas_log_level = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s(?P<log_level>DEBUG|INFO|ERROR|WARN|WARNING)\s
REPORT-cas_action = cas_xform_action
REPORT-cas_client_ip = cas_xform_client_ip
REPORT-cas_what = cas_xform_what
REPORT-cas_who = cas_xform_who
EXTRACT-ticket = (?P<ticket>(ST|TGT|PGT|PT)-\d+-\w+-cas\.lafayette\.edu)
And the relevant transforms from
"$SPLUNK_HOME/etc/apps/search/local/transforms.conf":
[cas_xform_action]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?m)^ACTION:\s+(?P<action>.+?)$
[cas_xform_client_ip]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?m)^CLIENT IP ADDRESS:\s+(?P<client_ip>.+?)$
[cas_xform_what]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?m)^WHAT:\s+(?P<what>.+?)$
[cas_xform_who]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?m)^WHO:\s+(?P<who>.+?)$
Thanks,
Carl
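
An added example, not part of the original message: a Python harness that replays the line-merging rule and the extractions above over a constructed audit excerpt, so the regexes can be checked offline before they are deployed. It assumes Python's re module behaves like Splunk's PCRE for these patterns; the sample log lines and the [audit]/[cas] logger names are constructed.

```python
import re

# Patterns copied from the props.conf and transforms.conf stanzas above.
TS = r"^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}"
BREAK_ONLY_BEFORE = re.compile(TS)
EXTRACTIONS = {
    "log_level": TS + r"\s(?P<log_level>DEBUG|INFO|ERROR|WARN|WARNING)\s",
    "action": r"(?m)^ACTION:\s+(?P<action>.+?)$",
    "client_ip": r"(?m)^CLIENT IP ADDRESS:\s+(?P<client_ip>.+?)$",
    "what": r"(?m)^WHAT:\s+(?P<what>.+?)$",
    "who": r"(?m)^WHO:\s+(?P<who>.+?)$",
    "ticket": r"(?P<ticket>(ST|TGT|PGT|PT)-\d+-\w+-cas\.lafayette\.edu)",
}

# Constructed sample, not real log data; only the field labels come from the page.
SAMPLE = """\
2015-07-17 10:48:58,123 INFO [audit] - Audit trail record BEGIN
WHO: jdoe
WHAT: TGT-1-aaaaaaaaaa-cas.lafayette.edu
ACTION: TICKET_GRANTING_TICKET_CREATED
CLIENT IP ADDRESS: 192.0.2.10
2015-07-17 10:48:59,456 INFO [audit] - Audit trail record BEGIN
WHO: jdoe
WHAT: ST-2-bbbbbbbbbb-cas.lafayette.edu for https://app.example.org/
ACTION: SERVICE_TICKET_CREATED
CLIENT IP ADDRESS: 192.0.2.10
2015-07-17 10:49:05,001 WARN [cas] registry cleaner finished
"""

def merge_events(raw):
    # Emulate SHOULD_LINEMERGE + BREAK_ONLY_BEFORE: break only at a timestamp line.
    events, current = [], []
    for line in raw.splitlines():
        if BREAK_ONLY_BEFORE.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events

def extract_fields(event):
    # Apply every extraction to one merged event; unmatched fields are absent.
    hits = {name: re.search(rx, event) for name, rx in EXTRACTIONS.items()}
    return {name: m.group(name) for name, m in hits.items() if m}

if __name__ == "__main__":
    for event in merge_events(SAMPLE):
        print(extract_fields(event))
```
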
----- Original Message -----
From: "Carl Waldbieser" <[email protected]>
To: [email protected]
Sent: Friday, July 17, 2015 10:48:58 AM
Subject: Re: [cas-user] Querying CAS audit data with Splunk
Not sure how the mail list likes attachments.
I have attached a tarball "cas-splunk.tgz" that has several of the more useful
dashboards.
Nothing that follows every service access-- I think that will require some
unusual joins.
However, some of the statistics dashboards give some good high level overviews,
and the geolocation dashboards are fun if you want to see where folks are
authenticating from, or where your service providers are located.
Thanks,
Carl
----- Original Message -----
From: "Marvin Addison" <[email protected]>
To: [email protected]
Sent: Friday, July 17, 2015 10:19:57 AM
Subject: Re: [cas-user] Querying CAS audit data with Splunk
>
> Yes, I have some nice splunk dashboards for CAS I can share if there is
> interest.
>
If you have a dashboard/query that can follow all service accesses in a
single SSO session, then I would be very interested.
M
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user