ActivIdentity 4TRESS AAA and Splunk. Integration Handbook

Transcription

1 ActivIdentity 4TRESS AAA and Splunk Integration Handbook Document Version 1.1 Released August 24, 2012

2 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P 2 Table of Contents Table of Contents... 2 List of Figures Introduction Scope of Document Prerequisites ActivIdentity 4TRESS AAA Data Export Consolidate data Schedule Consolidation from the Command Line View and Export Authentication Logs View and Export Audit Logs Splunk installation Prerequisites Windows Installation Splunk Configuration Procedure 1 : Install the App Procedure 2 : Index and Log Repositories Procedure 3 : Create Indexes Procedure 4 : Assign Index Rights Procedure 5: Specify Data Inputs Procedure 6: Restart Splunk Splunk for ActivIdentity AAA: Overview View Authentication Dashboard and Reports View Authentication Logs View Audit Dashboard and Reports View Audit Logs... 32

3 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P 3 List of Figures Figure 1 : Authentication Per RADIUS Request Over Time Figure 2 : Authentication RADIUS Requests by NAS Over Time Figure 3 : Authentication Top User ID by Request Figure 4 : Authentication Top RADIUS Server by Requests (by the AAA Server) Figure 5 : Authentication Top Status Authentication by Requests Figure 6 : Authentication Top Groups by Request Figure 7 : Auditing Operation Detail Over Time Figure 8 : Auditing Operation Over Time Figure 9 : Auditing Per User Action Over Time (Actions by the Admin ID) Figure 10 : Auditing Top Operation Figure 11 : Auditing Top Operation Detail Figure 12 : Auditing Top Users (Administrators and Operators)... 31

4 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Introduction Splunk is a software used to search, monitor and analyze machine-generated data by applications, systems, and IT infrastructure at scale via a Web-style interface. Splunk captures, indexes, and correlates real-time data in a searchable database from which it can generate graphs, reports, alerts, dashboards and visualizations. Splunk aims to make machine data accessible across an organization, identify data patterns, provide metrics, diagnose problems, and provide intelligence for business operations. Splunk is a horizontal technology used for application management, security and compliance, as well as business and Web analytics. The Splunk for ActivIdentity 4TRESS AAA is a set of field extractions, reports, lookups and dashboards which provide visibility into the 4TRESS authentication and audit data. ActivIdentity offers two solutions: ActivIdentity 4TRESS AAA Server for Remote Access Addresses the security risks associated with a mobile workforce remotely accessing systems and data. ActivIdentity 4TRESS Authentication Server (AS) Offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, Radius, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens. 1.1 Scope of Document This document explains how to set up ActivIdentity 4TRESS AAA with Splunk. Use this handbook to generate graphs, reports, and a dashboard on ActivIdentity 4TRESS AAA solutions. This handbook covers only the Windows Splunk version. Configuration is similar for other systems. 1.2 Prerequisites The ActivIdentity 4TRESS AAA Server is up-to-date (v6.7) Splunk version 4.3.x

5 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P ActivIdentity 4TRESS AAA Data Export This chapter describes how to manually export the ActivIdentity 4TRESS AAA Authentication and audit data to a CSV file. Important: To produce more sophisticated statistics, you can directly access the data from the AAA Server database. (The data is stored in the A_AHLOG and A_AULOG tables.) Use a tool that supports ODBC. 2.1 Consolidate data Consolidation works only with servers that have logged data in the AAA Server database. 1. Select Tools, then click Consolidation. 2. In the Available column, select the server(s) from which to consolidate data, then click >. Use >> to consolidate data from every server. If you have only one server, then the Administration Console automatically sets this server in the Selected for Consolidation column. 3. Click Consolidate. 4. Click Close.

6 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Schedule Consolidation from the Command Line Please refer to the ActivIdentity 4TRESS AAA Administration Guide, specifically page View and Export Authentication Logs You must have administration rights to view and export authentication logs. 1. Select Tools, point to Log, then click View Authentication.

7 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P 7 2. For the Time Criteria, specify the From and To dates for the time period required. 3. For the General Criteria: Select the Server for the authentication data that you want to view. To view the logs for a specific server with a pool of servers, select the Server IP address for the required server. To view data for a specific user, enter the User ID. To view only error data, select REJECTED only. 4. Click Show to display the authentication data corresponding to the specified criteria. 5. To export the authentication log to a.csv file, click Export.

8 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P 8 6. In the Save As window, enter a file name and location for the exported log, then click Save. The log is exported to a text file with data values separated by commas.

9 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P View and Export Audit Logs You must have administration rights to view and export audit logs. 1. From the menu bar, select Tools, point to Log, then click Audit. The following dialog opens, displaying data specific to your system. 2. In the Select restrictive criteria section, filter log entries based on dates, User IDs, Objects, Object Names, and other criteria. You can select an option from the drop-down lists or manually enter the criteria.

10 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P 10 Use the From and To fields to enter a range of dates. Use the User ID drop-down list to select an Administration Console operator. Use the Object drop-down list to select the type of object you require (ex: a serial number for a device). The Object name list includes Device, LDAP Query, Logoff, Logon, Options, and Security. Use the Object Name drop-down list to specify the name of the object. 3. Click Show at the top right of the dialog to display filter results or refresh the screen between filter choices. 4. To export the audit log to a.csv file, click Export. 5. In the Save As window, select a file name and location for the exported log, then click Save. The log is exported to a text file with the data values separated by commas.

11 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Splunk installation 3.1 Prerequisites 1. Create a splunk account: 2. Download Splunk for free: 3. Download the ActivIdentity AAA App from Splunkbase:

12 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Windows Installation If you're just getting started using Splunk, here are some resources that might be helpful: 1. Watch videos on installing Splunk on Windows and other platforms: 2. Read the installation guide: 3. Take the search tutorial: Installation on a Windows Platform: 1. To start the installer, double-click the splunk.msi file. 2. In the Welcome panel, click Next. 3. Read the licensing agreement and check the box next to "I accept the terms in the license agreement". Click Next to continue installing. 4. For Customer Information, enter the requested details and click Next. 5. In the Destination Folder panel, click Change to specify a different location to install Splunk, or click Next to accept the default value. 6. Splunk is installed by default into the \Program Files\Splunk directory. 7. The Logon Information panel is displayed. Select Local system user and click Next. 8. If you want to learn about the other user option, refer to the detailed instructions for installing Splunk on Windows. 9. After you specify a user, the pre-installation summary panel is displayed. Click Install to proceed. 10. In the Installation Complete panel, select the boxes to Launch browser with Splunk and Create Start Menu Shortcut now. 11. Click Finish. When the installation is finished, Splunk starts, and Splunk Web launches in a supported browser.

13 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Splunk Configuration 4.1 Procedure 1 : Install the App After unzipping the Splunk App for ActivIdentity AAA, copy the Splunk_AI_4TRESS_AAA directory into the /etc/apps directory of your Splunk installation, as illustrated next.

14 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Procedure 2 : Index and Log Repositories Create a repository for the logs storage and the logs index in the repository/directory of your choice, as illustrated next.

15 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Procedure 3 : Create Indexes 1. Log into the Splunk portal. 2. Select Manager. 3. Click Indexes. 4. Click New. The Add new page is diplayed, as illustrated next.

16 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P 16 Specify an Index name. Specify the Home path of your index repository created previously. Specify the Max size for your index. 5. Click Save. You will see index_aaa in the Indexes view, as illustrated next.

17 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Procedure 4 : Assign Index Rights 1. Select Manager. 2. Click Access controls. 3. Click Roles.

18 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Click on admin (or other role listed). 5. Scroll to the Indexes searched by default section. 6. Add your index by double-clicking on it. 7. Click Save.

19 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Procedure 5: Specify Data Inputs If you have the appropriate permissions, then you can view and manage all of the data in your indexes from Splunk Manager's data inputs configuration page. To access this page, perform the following steps. 1. Click Manager. (This link should always be available, regardless of the app you are currently using.) 2. From the list of Splunk system configuration pages, click Data inputs. The Data inputs configuration page displays a table listing the type of data and a count of the existing inputs for each type. 3. Click Files & Directories.

20 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Click New. 5. Select Skip preview and click Continue.

21 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P In the Source section, select the option to continuously index data. 7. Enter the Full path to your data (the directory created previously). 8. Select the More settings option. (This enables you to override Splunk's default settings for Host, Source type, and Index).

22 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P For Source type, select Manual from the drop-down list, and enter ai_4tress_aaa in the Source type field. Note : ai_4tress_aaa is hardcoded in the Splunk App and is case-sensitive. 10. From the Set the Destination index drop-down list, select the index you previously created. 11. Click Save.

23 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Copy the exported authentication and audit data of your 4TRESS AAA Server to the data repository that you previously created. 4.6 Procedure 6: Restart Splunk 1. To apply the modifications, restart the splunk service using a DOS command line.

24 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P Now, login to the Web interface, and you will see a new app listed in the App menu, as illustrated next. 5.0 Splunk for ActivIdentity AAA: Overview This section provides an overview of the Splunk App for 4TRESS AAA dashboard functions. 5.1 View Authentication Dashboard and Reports 1. Select Authentication Statistics, and then click Authentication Dashboard.

25 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P You can define filters, and specify a period of time for a report. For example, define a specific group, and then select Last 30 days from the drop-down list. 3. Press the Enter key. The loading bar appears. If you do not specify a filter, then all data appear. You will see the authentication status (accepted or rejected authentication) over that period of time, as illustrated next. Figure 1 : Authentication Per RADIUS Request Over Time The following illustrations show some other report examples.

26 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P 26 Figure 2 : Authentication RADIUS Requests by NAS Over Time Figure 3 : Authentication Top User ID by Request Figure 4 : Authentication Top RADIUS Server by Requests (by the AAA Server)

27 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P 27 Figure 5 : Authentication Top Status Authentication by Requests Figure 6 : Authentication Top Groups by Request

28 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P View Authentication Logs To view authentication logs, perform the following steps. 1. Select Authentication Statistics, and then click Authentication Logs. 2. Specify filters and time range, and then press the Enter key. The loading bar appears. If you do not specify a filter, then all data appear.

29 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P View Audit Dashboard and Reports To view the Audit Dashboard, perform the following steps. 1. Select AAA Audit Statistics, and then click Audit Dashboard. 2. Specify filters and time range, and then press the Enter key. The loading bar appears. If you do not specify a filter, then all data appear. You will see the operation details over that period of time, as illustrated next. Figure 7 : Auditing Operation Detail Over Time The following illustrations show some other examples.

30 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P 30 Figure 8 : Auditing Operation Over Time Figure 9 : Auditing Per User Action Over Time (Actions by the Admin ID) Figure 10 : Auditing Top Operation

31 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P 31 Figure 11 : Auditing Top Operation Detail Figure 12 : Auditing Top Users (Administrators and Operators)

32 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P View Audit Logs To view Audit Logs perform the following steps. 1. Select AAA Audit Statistics, and then click Audit Logs. 2. Specify filters and time range, and then press the Enter key.

33 ActivIdentity 4TRESS AAA and Splunk Integration Handbook P 33 Legal Disclaimer Americas US Federal Europe +33 (0) Asia Pacific +61 (0) info@actividentity.com Web ActivIdentity, the ActivIdentity (logo), and/or other ActivIdentity products or marks referenced herein are either registered trademarks or trademarks of HID Global Corporation in the United States and/or other countries. The absence of a mark, product, service name or logo from this list does not constitute a waiver of the trademark or other intellectual property rights concerning that name or logo. Cisco and the Cisco logo are registered trademarks of Cisco, Inc. in the United States and other countries.the names of other third-party companies, trademarks, trade names, service marks, images and/or products that happened to be mentioned herein are trademarks of their respective owners. Any rights not expressly granted herein are reserved.