HID Splunk and AAA User Manual

ActivIdentity® 4TRESS AAA and Splunk®
Integration Handbook
Document Version 1.1 | Released | August 24, 2012
P 2
ActivIdentity

Table of Contents

Table of Contents (p. 2)
List of Figures (p. 3)
1.0 Introduction (p. 4)
1.1 Scope of Document (p. 4)
1.2 Prerequisites (p. 4)
2.0 ActivIdentity 4TRESS AAA Data Export (p. 5)
2.1 Consolidate Data (p. 5)
2.2 Schedule Consolidation from the Command Line (p. 6)
2.3 View and Export Authentication Logs (p. 6)
2.4 View and Export Audit Logs (p. 9)
3.0 Splunk Installation (p. 11)
3.1 Prerequisites (p. 11)
3.2 Windows Installation (p. 12)
4.0 Splunk Configuration (p. 13)
4.1 Procedure 1: Install the App (p. 13)
4.2 Procedure 2: Index and Log Repositories (p. 14)
4.3 Procedure 3: Create Indexes (p. 15)
4.4 Procedure 4: Assign Index Rights (p. 17)
4.5 Procedure 5: Specify Data Inputs (p. 19)
4.6 Procedure 6: Restart Splunk (p. 23)
5.0 Splunk for ActivIdentity AAA: Overview (p. 24)
5.1 View Authentication Dashboard and Reports (p. 24)
5.2 View Authentication Logs (p. 28)
5.3 View Audit Dashboard and Reports (p. 29)
5.4 View Audit Logs (p. 32)
External Use | August 24, 2012 | © 2012

List of Figures

Figure 1: Authentication – Per RADIUS Request Over Time (p. 25)
Figure 2: Authentication – RADIUS Requests by NAS Over Time (p. 26)
Figure 3: Authentication – Top User ID by Request (p. 26)
Figure 4: Authentication – Top RADIUS Server by Requests (by the AAA Server) (p. 26)
Figure 5: Authentication – Top Status Authentication by Requests (p. 27)
Figure 6: Authentication – Top Groups by Request (p. 27)
Figure 7: Auditing – Operation Detail Over Time (p. 29)
Figure 8: Auditing – Operation Over Time (p. 30)
Figure 9: Auditing – Per User Action Over Time (Actions by the Admin ID) (p. 30)
Figure 10: Auditing – Top Operation (p. 30)
Figure 11: Auditing – Top Operation Detail (p. 31)
Figure 12: Auditing – Top Users (Administrators and Operators) (p. 31)

1.0 Introduction

Splunk® is software used to search, monitor and analyze machine-generated data from applications, systems, and IT infrastructure at scale through a Web-style interface. Splunk captures, indexes, and correlates real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards and visualizations.
Splunk aims to make machine data accessible across an organization, identify data patterns, provide metrics, diagnose problems, and provide intelligence for business operations. Splunk is a horizontal technology used for application management, security and compliance, as well as business and Web analytics.
Splunk for ActivIdentity® 4TRESS AAA is a set of field extractions, reports, lookups and dashboards that provide visibility into 4TRESS authentication and audit data.
ActivIdentity offers two solutions:
ActivIdentity 4TRESS AAA Server for Remote Access—Addresses the security risks associated with a mobile workforce remotely accessing systems and data.
ActivIdentity 4TRESS Authentication Server (AS)—Offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.

1.1 Scope of Document

This document explains how to set up ActivIdentity 4TRESS AAA with Splunk. Use this handbook to generate graphs, reports, and a dashboard on ActivIdentity 4TRESS AAA solutions.
This handbook covers only the Windows® version of Splunk. Configuration is similar on other platforms.

1.2 Prerequisites

The ActivIdentity 4TRESS AAA Server is up-to-date (v6.7)
Splunk version 4.3.x
2.0 ActivIdentity 4TRESS AAA Data Export

This chapter describes how to manually export the ActivIdentity 4TRESS AAA authentication and audit data to a CSV file.
Important: To produce more sophisticated statistics, you can directly access the data from the AAA Server database. (The data is stored in the A_AHLOG and A_AULOG tables.) Use a tool that supports ODBC.

2.1 Consolidate Data

Consolidation works only with servers that have logged data in the AAA Server database.
1. Select Tools, then click Consolidation.
2. In the Available column, select the server(s) from which to consolidate data, then click >.
Use >> to consolidate data from every server.
If you have only one server, the Administration Console automatically places it in the Selected for Consolidation column.
3. Click Consolidate.
4. Click Close.

2.2 Schedule Consolidation from the Command Line

Please refer to the ActivIdentity 4TRESS AAA Administration Guide, specifically page 92.

2.3 View and Export Authentication Logs

You must have administration rights to view and export authentication logs.
1. Select Tools, point to Log, then click View Authentication.
2. For the Time Criteria, specify the From and To dates for the time period required.
3. For the General Criteria:
Select the Server for the authentication data that you want to view.
To view the logs for a specific server within a pool of servers, select the Server IP address of the required server.
To view data for a specific user, enter the User ID.
To view only error data, select REJECTED only.
4. Click Show to display the authentication data corresponding to the specified criteria.
5. To export the authentication log to a .csv file, click Export.
6. In the Save As window, enter a file name and location for the exported log, then click Save.
The log is exported to a text file with data values separated by commas.

2.4 View and Export Audit Logs

You must have administration rights to view and export audit logs.
1. From the menu bar, select Tools, point to Log, then click Audit. The following dialog opens, displaying data specific to your system.
2. In the Select restrictive criteria section, filter log entries based on dates, User IDs, Objects, Object Names, and other criteria. You can select an option from the drop-down lists or manually enter the criteria.
Use the From and To fields to enter a range of dates.
Use the User ID drop-down list to select an Administration Console operator.
Use the Object drop-down list to select the type of object you require. The list includes Device, LDAP Query, Logoff, Logon, Options, and Security.
Use the Object Name drop-down list to specify the name of the particular object (for example, the serial number of a device).
3. Click Show at the top right of the dialog to display filter results or refresh the screen between filter choices.
4. To export the audit log to a .csv file, click Export.
5. In the Save As window, select a file name and location for the exported log, then click Save.
The log is exported to a text file with the data values separated by commas.
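The two exports described in sections 2.3 and 2.4 are plain comma-separated text, so the counts that the Splunk dashboards later present (requests per user, NAS, server, status and group; operations per administrator) can be reproduced directly from the files, and the console's "REJECTED only" filter can be applied offline. The following script is an added example and is not part of the handbook or of ActivIdentity's software. The column headers in the two embedded samples are assumed for illustration only; the real headers depend on the AAA Server version, so map them to the header row of your own export before use. Both samples are constructed, not captured data.

```python
"""Parse 4TRESS AAA CSV exports (authentication and audit logs) and
summarise them the way the Splunk dashboards do.

Added example, not part of the handbook. The column headers below are
ASSUMED for illustration; the real export headers depend on the AAA
Server version, so map them to yours before use.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of an authentication-log export (assumed headers).
AUTH_CSV = """\
Date,Server,NAS,User ID,Group,Status
2012-08-20 08:01:12,aaa01,10.0.0.5,alice,VPN-Users,ACCEPTED
2012-08-20 08:01:40,aaa01,10.0.0.5,bob,VPN-Users,ACCEPTED
2012-08-20 08:02:03,aaa02,10.0.0.6,mallory,VPN-Users,REJECTED
2012-08-20 08:02:05,aaa02,10.0.0.6,mallory,VPN-Users,REJECTED
2012-08-20 08:02:07,aaa02,10.0.0.6,mallory,VPN-Users,REJECTED
2012-08-20 08:02:09,aaa02,10.0.0.6,mallory,VPN-Users,REJECTED
2012-08-20 08:03:30,aaa01,10.0.0.5,alice,Admins,REJECTED
2012-08-20 08:03:45,aaa01,10.0.0.5,alice,Admins,ACCEPTED
"""

# Constructed sample of an audit-log export (assumed headers).
AUDIT_CSV = """\
Date,User ID,Object,Object Name,Operation,Operation Detail
2012-08-20 09:00:00,admin1,Logon,Administration Console,Logon,Success
2012-08-20 09:05:10,admin1,Device,SN-000123,Assign,Assigned to bob
2012-08-20 09:06:00,admin1,Device,SN-000124,Unassign,Unassigned from carol
2012-08-20 09:10:00,operator2,Logon,Administration Console,Logon,Success
2012-08-20 09:12:00,operator2,Security,Password Policy,Modify,Min length 8 -> 6
2012-08-20 09:20:00,admin1,Logoff,Administration Console,Logoff,Success
"""


def read_export(text):
    """Return the rows of a comma-separated export as a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def auth_summary(rows):
    """Counts behind the authentication dashboard: requests per user,
    per NAS, per AAA server, per status and per group."""
    return {
        "by_user": Counter(r["User ID"] for r in rows),
        "by_nas": Counter(r["NAS"] for r in rows),
        "by_server": Counter(r["Server"] for r in rows),
        "by_status": Counter(r["Status"] for r in rows),
        "by_group": Counter(r["Group"] for r in rows),
    }


def rejected_only(rows, user_id=None):
    """Equivalent of the console's 'REJECTED only' filter, optionally
    narrowed to one User ID."""
    return [r for r in rows
            if r["Status"] == "REJECTED"
            and (user_id is None or r["User ID"] == user_id)]


def flag_reject_bursts(rows, threshold=3):
    """Users with at least `threshold` rejections: a simple indicator of
    password guessing or a stale token that deserves a second look."""
    rejects = Counter(r["User ID"] for r in rejected_only(rows))
    return sorted(u for u, n in rejects.items() if n >= threshold)


def audit_summary(rows):
    """Counts behind the audit dashboard: operations, operation details
    and actions per administrator or operator."""
    per_admin = defaultdict(Counter)
    for r in rows:
        per_admin[r["User ID"]][r["Operation"]] += 1
    return {
        "by_operation": Counter(r["Operation"] for r in rows),
        "by_detail": Counter(r["Operation Detail"] for r in rows),
        "by_admin": Counter(r["User ID"] for r in rows),
        "per_admin": {k: dict(v) for k, v in per_admin.items()},
    }


def security_changes(rows):
    """Audit rows touching the Security object (policy changes that an
    auditor will want to review individually)."""
    return [r for r in rows if r["Object"] == "Security"]


if __name__ == "__main__":
    auth = read_export(AUTH_CSV)
    s = auth_summary(auth)
    print("Top users:", s["by_user"].most_common(3))
    print("Status:", dict(s["by_status"]))
    print("Reject bursts:", flag_reject_bursts(auth))
    audit = read_export(AUDIT_CSV)
    a = audit_summary(audit)
    print("Top operations:", a["by_operation"].most_common(3))
    print("Security changes:",
          [(r["User ID"], r["Operation Detail"]) for r in security_changes(audit)])
```

Run it against a real export by replacing the embedded samples with the file contents. The exported files carry user IDs, NAS addresses and every administrative action, so store them with the same access restrictions as the AAA Server database itself and delete them once they have been loaded into Splunk.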