CA SiteMinder
The CA SiteMinder DSM collects and categorizes access and authorization events from CA SiteMinder appliances. The appliance logs these events in smaccess.log, and syslog-ng forwards them to JSA.
Syslog Log Source Parameters for CA SiteMinder
If JSA does not automatically detect the log source, add a CA SiteMinder log source on the JSA Console by using the Syslog protocol.
When using the Syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from CA SiteMinder:
Table 1: Syslog Log Source Parameters for the CA SiteMinder DSM
Parameter | Value |
---|---|
Log Source name | Type a name for your log source. |
Log Source description | Type a description for the log source. |
Log Source type | CA SiteMinder |
Protocol Configuration | Syslog |
Log Source Identifier | Type the IP address or host name for your CA SiteMinder appliance. |
Enabled | Select this check box to enable the log source. By default, this check box is selected. |
Credibility | From the list, select the credibility value of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source device. Credibility increases if multiple sources report the same event. The default is 5. |
Target Event Collector | From the list, select the Target Event Collector to use as the target for the log source. |
Coalescing Events | Select this check box to enable the log source to coalesce (bundle) events. Automatically discovered log sources use the default value that is configured in the Coalescing Events list in the System Settings window, which is accessible on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information, see the Juniper Secure Analytics Administration Guide. |
Store Event Payload | Select this check box to enable JSA to store the event payload; clear it to disable payload storage. Automatically discovered log sources use the default value from the Store Event Payload list in the System Settings window, which is accessible on the Admin tab. When you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information, see the Juniper Secure Analytics Administration Guide. |
Configuring Syslog-ng for CA SiteMinder
You must configure your CA SiteMinder appliance to forward syslog-ng events to your JSA console or Event Collector.
JSA can collect syslog-ng events from TCP or UDP syslog sources on port 514.
To configure syslog-ng for CA SiteMinder:
- Using SSH, log in to your CA SiteMinder appliance as the root user.
- Edit the syslog-ng configuration file, /etc/syslog-ng.conf.
- Add the following line to define the access log as the source file for syslog-ng:
  source s_siteminder_access { file("/opt/apps/siteminder/sm66/siteminder/log/smaccess.log"); };
- Add the following line to define the destination and the message template:
  destination d_remote_q1_siteminder { udp("<QRadar IP>" port(514) template("$PROGRAM $MSG\n")); };
  Where <QRadar IP> is the IP address of the JSA console or Event Collector.
- Add the following log statement to connect the source to the destination:
  log { source(s_siteminder_access); destination(d_remote_q1_siteminder); };
- Save the syslog-ng.conf file.
- Type the following command to restart syslog-ng:
  service syslog-ng restart
After the syslog-ng service restarts, the CA SiteMinder configuration is complete. Events that are forwarded to JSA by CA SiteMinder are displayed on the Log Activity tab.
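The following POSIX shell script is an added example, not part of the Juniper guide and not a CA or Juniper tool. It renders the three syslog-ng statements from the procedure above with the collector address and the smaccess.log path as parameters, rejects anything that is not a plain IPv4 address so that a stray quote or shell metacharacter can never be written into /etc/syslog-ng.conf, appends the fragment only once, and runs syslog-ng's own syntax check before restarting the service. The default log path and configuration file path are taken from the procedure; the function names, the `SM_ACCESS_LOG` and `SYSLOG_NG_CONF` variables, and the `192.0.2.10` sample address are assumptions.

```shell
#!/bin/sh
# Added example (not from the Juniper JSA guide): assemble and install the
# syslog-ng fragment that forwards smaccess.log to a JSA Event Collector.
# Defaults below come from the procedure; override them via the environment.
SM_ACCESS_LOG="${SM_ACCESS_LOG:-/opt/apps/siteminder/sm66/siteminder/log/smaccess.log}"
SYSLOG_NG_CONF="${SYSLOG_NG_CONF:-/etc/syslog-ng.conf}"

# Accept only a dotted-quad IPv4 address with each octet in 0-255. This is
# the only operator-supplied value that is interpolated into the config file.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the source, destination and log statements from the procedure with
# the collector address ($1) and access-log path ($2, optional) filled in.
render_siteminder_conf() {
    jsa_ip=$1
    access_log=${2:-$SM_ACCESS_LOG}
    is_ipv4 "$jsa_ip" || { echo "invalid JSA IP: $jsa_ip" >&2; return 1; }
    printf '%s\n' \
      "source s_siteminder_access { file(\"$access_log\"); };" \
      "destination d_remote_q1_siteminder { udp(\"$jsa_ip\" port(514) template(\"\$PROGRAM \$MSG\\n\")); };" \
      "log { source(s_siteminder_access); destination(d_remote_q1_siteminder); };"
}

# Append the fragment to syslog-ng.conf if it is not already there, verify the
# whole file with syslog-ng's syntax checker when the binary is present, and
# restart the service exactly as the procedure does. Must run as root.
install_siteminder_conf() {
    jsa_ip=$1
    if grep -q 's_siteminder_access' "$SYSLOG_NG_CONF" 2>/dev/null; then
        echo "s_siteminder_access already defined in $SYSLOG_NG_CONF; nothing to do" >&2
        return 0
    fi
    [ -r "$SM_ACCESS_LOG" ] || echo "warning: $SM_ACCESS_LOG is not readable; syslog-ng will wait for it" >&2
    render_siteminder_conf "$jsa_ip" >> "$SYSLOG_NG_CONF" || return 1
    if command -v syslog-ng >/dev/null 2>&1; then
        # --syntax-only parses the file without starting the daemon.
        syslog-ng --syntax-only -f "$SYSLOG_NG_CONF" || return 1
    fi
    service syslog-ng restart
}

# Usage (as root on the SiteMinder appliance):
#   install_siteminder_conf 192.0.2.10
# Preview only:
#   render_siteminder_conf 192.0.2.10
```

The procedure above notes that JSA accepts either TCP or UDP on port 514; if the appliance and the collector are separated by a network you do not control, replace `udp(` with `tcp(` in the rendered destination so that bursts of authentication events are not silently dropped in transit.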