CA SiteMinder

 

The CA SiteMinder DSM collects and categorizes authorization events from CA SiteMinder appliances with syslog-ng.

The CA SiteMinder DSM accepts access and authorization events that are logged in smaccess.log and forwards the events to JSA by using syslog-ng.

Configuring a Log Source

JSA does not automatically discover authorization events that are forwarded with syslog-ng from CA SiteMinder appliances.

To manually create a CA SiteMinder log source:

  1. Click the Admin tab.
  2. On the navigation menu, click Data Sources.

    The Data Sources pane is displayed.

  3. Click the Log Sources icon.

    The Log Sources window is displayed.

  4. In the Log Source Name field, type a name for your CA SiteMinder log source.
  5. In the Log Source Description field, type a description for the log source.
  6. From the Log Source Type list, select CA SiteMinder.
  7. From the Protocol Configuration list, select Syslog.

    The syslog protocol parameters are displayed.

    Note

    The log file protocol is displayed in the Protocol Configuration list; however, polling for log files is not a suitable configuration.

  8. Configure the following values:

    Table 1: Adding a Syslog Log Source

    | Parameter | Description |
    |---|---|
    | Log Source Identifier | Type the IP address or host name for your CA SiteMinder appliance. |
    | Enabled | Select this check box to enable the log source. By default, this check box is selected. |
    | Credibility | From the list, select the credibility value of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source device. Credibility increases if multiple sources report the same event. The default is 5. |
    | Target Event Collector | From the list, select the Target Event Collector to use as the target for the log source. |
    | Coalescing Events | Select this check box to enable the log source to coalesce (bundle) events. Automatically discovered log sources use the default value that is configured in the Coalescing Events list in the System Settings window, which is accessible on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information, see the JSA Administration Guide. |
    | Store Event Payload | Select this check box to have JSA store the event payload. Automatically discovered log sources use the default value from the Store Event Payload list in the System Settings window, which is accessible on the Admin tab. When you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information, see the JSA Administration Guide. |

  9. Click Save.

    The Admin tab toolbar detects log source changes and displays a message to indicate when you need to deploy a change.

  10. On the Admin tab, click Deploy Changes.

You are now ready to configure syslog-ng on your CA SiteMinder appliance to forward events to JSA.

Configuring Syslog-ng for CA SiteMinder

You must configure your CA SiteMinder appliance to forward syslog-ng events to your JSA console or Event Collector.

JSA can collect syslog-ng events from TCP or UDP syslog sources on port 514.

To configure syslog-ng for CA SiteMinder:

  1. Using SSH, log in to your CA SiteMinder appliance as a root user.
  2. Edit the syslog-ng configuration file.

    /etc/syslog-ng.conf

  3. Add the following information to specify the access log as the event file for syslog-ng:
  4. Add the following information to specify the destination and message template:

    Where <QRadar IP> is the IP address of the JSA console or Event Collector.

  5. Add the following log entry information:
  6. Save the syslog-ng.conf file.
  7. Type the following command to restart syslog-ng:

    service syslog-ng restart

    After the syslog-ng service restarts, the CA SiteMinder configuration is complete. Events that are forwarded to JSA by CA SiteMinder are displayed on the Log Activity tab.
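
How the three additions from steps 3 to 5 fit together in /etc/syslog-ng.conf, as an added example that is not the vendor's own snippet. The object names (`s_siteminder_access`, `d_jsa_udp`, `d_jsa_tcp`), the angle-bracket placeholders and the template string are assumptions; substitute the values from your environment and DSM guide.

```conf
# Added illustration for /etc/syslog-ng.conf; not the vendor's snippet.
# Values in <angle brackets> are placeholders to replace with your own.
# Object names below are hypothetical.

# Step 3: use the SiteMinder access log (smaccess.log) as the event source.
source s_siteminder_access {
    file("<full path to smaccess.log>");
};

# Step 4: destination and message template.
# Assumption: this template string is illustrative; use the one that
# your DSM guide specifies so that JSA parses the events correctly.
destination d_jsa_udp {
    udp("<QRadar IP>" port(514) template("$PROGRAM $MSG\n"));
};

# Alternative over TCP, also on port 514 (JSA accepts either).
# UDP syslog can drop events without notice; TCP gives transport-level
# delivery, which matters for an authorization audit trail.
# destination d_jsa_tcp {
#     tcp("<QRadar IP>" port(514) template("$PROGRAM $MSG\n"));
# };

# Step 5: log entry that ties the source to the destination.
log {
    source(s_siteminder_access);
    destination(d_jsa_udp);
};
```

Running `syslog-ng --syntax-only` before the restart in step 7 reports configuration errors without interrupting the running service.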