Generic Authorization Server

The generic authorization server DSM for JSA records all relevant generic authorization events by using syslog.

You need to configure JSA to interpret the incoming generic authorization events, and manually create a log source.

Configuring Event Properties

To configure JSA to interpret the incoming generic authorization events:

  1. Forward all authentication server logs to your JSA system.

    For information on forwarding authentication server logs to JSA, see your generic authorization server vendor documentation.

  2. Open the following file:

    /opt/qradar/conf/genericAuthServer.conf

    Make sure you copy this file to systems that host the Event Collector and the JSA console.

  3. Restart the Tomcat server:

    service tomcat restart

    A message is displayed indicating that the Tomcat server is restarted.

  4. Enable or disable regular expressions in your patterns by setting the regex_enabled property. By default, regular expressions are disabled.

    For example:

    regex_enabled=false

    When you set the regex_enabled property to <false>, the system generates regular expressions (regex) from the tags you entered and uses them to retrieve the corresponding data values from the logs.

    When you set the regex_enabled property to <true>, you can define custom regex to control patterns. These regex configurations are applied directly to the logs and the first captured group is returned. When you define custom regex patterns, you must adhere to regex rules, as defined by the Java programming language. For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

    To integrate the generic authorization server with JSA, specify character classes explicitly instead of using the predefined classes. For example, the digit class (/\d/) becomes /[0-9]/. Also, instead of using numeric quantifiers, rewrite the expression to use the primitive quantifiers (/?/, /*/ and /+/).

  5. Review the file to determine a pattern for successful login:

    For example, if your authentication server generates the following log message for accepted packets:

    Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2

    The pattern for successful login is:

    Accepted password

  6. Add the following entry to the file:

    login_success_pattern=<login success pattern>

    Where: <login success pattern> is the pattern that is determined in Step 5.

    For example:

    login_success_pattern=Accepted password

    All entries are case insensitive.

  7. Review the file to determine a pattern for login failures.

    For example, if your authentication server generates the following log message for login failures:

    Jun 27 12:58:33 expo sshd[20627]: Failed password for root from 10.100.100.109 port 1849 ssh2

    The pattern for login failures is Failed password.

  8. Add the following to the file:

    login_failed_pattern=<login failure pattern>

    Where: <login failure pattern> is the pattern that is determined for login failure.

    For example:

    login_failed_pattern=Failed password

    All entries are case insensitive.

  9. Review the file to determine a pattern for logout:

    For example, if your authentication server generates the following log message for logout:

    Jun 27 13:00:01 expo su(pam_unix)[22723]: session closed for user genuser

    The pattern for logout is session closed.

  10. Add the following to the genericAuthServer.conf file:

    logout_pattern=<logout pattern>

    Where: <logout pattern> is the pattern that is determined for logout in step 9.

    For example:

    logout_pattern=session

    All entries are case insensitive.

  11. Review the file to determine a pattern, if present, for source IP address and source port.

    For example, if your authentication server generates the following log message:

    Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2

    The pattern for source IP address is from and the pattern for source port is port.

  12. Add an entry to the file for source IP address and source port:

    source_ip_pattern=<source IP pattern>

    source_port_pattern=<source port pattern>

    Where: <source IP pattern> and <source port pattern> are the patterns that are identified in step 11 for source IP address and source port.

    For example:

    source_ip_pattern=from

    source_port_pattern=port

  13. Review the file to determine whether a pattern exists for user name.

    For example:

    Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2

    The pattern for user name is for.

  14. Add an entry to the file for the user name pattern:

    For example:

    user_name_pattern=for

    You are now ready to configure the log source in JSA.
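The Python script below is an added illustration and is not JSA code or part of the DSM. It applies the genericAuthServer.conf properties from steps 4 to 14 to the three example log lines from the procedure (plus one unrelated line) and shows what each mode yields. The conf contents and log lines are constructed from the examples above; the behaviour assumed for regex_enabled=false (match the literal tag and take the whitespace-delimited token that follows it) is an assumption about how the system derives regex from tags, and the regex_enabled=true patterns are written with explicit classes and primitive quantifiers as step 4 requires.

```python
import re

# Constructed genericAuthServer.conf contents, following the example entries in
# the procedure above. Not copied from any real deployment.
CONF_TAGS = """\
regex_enabled=false
login_success_pattern=Accepted password
login_failed_pattern=Failed password
logout_pattern=session closed
source_ip_pattern=from
source_port_pattern=port
user_name_pattern=for
"""

# Same file with regex_enabled=true and custom patterns written per step 4:
# explicit classes ([0-9], [^ ]) and primitive quantifiers (+, ?) only.
# Each value pattern captures the wanted value in its first group.
CONF_REGEX = r"""
regex_enabled=true
login_success_pattern=Accepted password
login_failed_pattern=Failed password
logout_pattern=session closed
source_ip_pattern=from +([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
source_port_pattern=port +([0-9]+)
user_name_pattern=for +(?:user +)?([^ ]+)
"""

# Constructed log lines: the three examples from the procedure plus one noise line.
SAMPLE_LOGS = [
    "Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2",
    "Jun 27 12:58:33 expo sshd[20627]: Failed password for root from 10.100.100.109 port 1849 ssh2",
    "Jun 27 13:00:01 expo su(pam_unix)[22723]: session closed for user genuser",
    "Jun 27 13:02:10 expo cron[22800]: (root) CMD (run-parts /etc/cron.hourly)",
]

EVENT_FIELDS = (
    ("login_success_pattern", "login_success"),
    ("login_failed_pattern", "login_failed"),
    ("logout_pattern", "logout"),
)


def parse_conf(text):
    """Read key=value properties, ignoring blank and comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def compile_pattern(props, field, capture_following=False):
    """Compile one property as a case-insensitive regex (entries are case insensitive)."""
    raw = props.get(field)
    if not raw:
        return None
    if props.get("regex_enabled", "false").lower() == "true":
        return re.compile(raw, re.IGNORECASE)  # custom regex used as written
    # Assumed tag mode: literal tag, optionally capturing the next token as group 1.
    src = re.escape(raw)
    if capture_following:
        src += "[ \t]+([^ \t]+)"
    return re.compile(src, re.IGNORECASE)


def extract(props, field, line):
    """Return the first captured group (or the whole match) of a value pattern, or None."""
    rx = compile_pattern(props, field, capture_following=True)
    m = rx.search(line) if rx is not None else None
    if m is None:
        return None
    return m.group(1) if m.groups() else m.group(0)


def classify(props, line):
    """Map a line to login_success / login_failed / logout, or None if nothing matches."""
    for field, category in EVENT_FIELDS:
        rx = compile_pattern(props, field)
        if rx is not None and rx.search(line):
            return category
    return None


def parse_event(props, line):
    category = classify(props, line)
    if category is None:
        return None
    return {
        "category": category,
        "user": extract(props, "user_name_pattern", line),
        "source_ip": extract(props, "source_ip_pattern", line),
        "source_port": extract(props, "source_port_pattern", line),
    }


def parse_all(conf_text, lines):
    """Apply one conf to many log lines; lines that match no pattern are dropped."""
    props = parse_conf(conf_text)
    return [ev for ev in (parse_event(props, line) for line in lines) if ev]


if __name__ == "__main__":
    for conf in (CONF_TAGS, CONF_REGEX):
        for event in parse_all(conf, SAMPLE_LOGS):
            print(event)
```

Running it shows why the regex mode exists: with the tag-only file, user_name_pattern=for returns "user" for the logout line (the token after "for" is the word "user", not "genuser"), while the custom regex returns "genuser". It also shows that a line matching none of the three login/logout patterns is silently dropped, so checking your patterns against a handful of real lines from the authentication server before deploying is the cheapest way to confirm that failed logins are actually being recorded.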

Configuring a Log Source

To integrate generic authorization appliance events with JSA, you must manually create a log source to receive the events, because JSA does not automatically discover or create log sources for events from generic authorization appliances.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Configurable Authentication message filter.
  9. Using the Protocol Configuration list, select Syslog.
  10. Configure the following values:

    Table 1: Syslog Parameters

    Parameter              Description
    ---------------------  ------------------------------------------------------------
    Log Source Identifier  Type the IP address or host name for the log source as an
                           identifier for events from your generic authorization
                           appliance.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    The log source is added to JSA. Events that are forwarded to JSA by generic authorization appliances are displayed on the Log Activity tab.