Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Generic Authorization Server

 

The generic authorization server DSM for JSA records all relevant generic authorization events by using syslog.

You need to configure JSA to interpret the incoming generic authorization events, and manually create a log source.

Configuring Event Properties

To configure JSA to interpret the incoming generic authorization events:

  1. Forward all authentication server logs to your JSA system.

    For information on forwarding authentication server logs to JSA, see your generic authorization server vendor documentation.

  2. Open the following file:

    /opt/ qradar /conf/genericAuthServer.conf

    Make sure you copy this file to systems that host the Event Collector and the JSA console.

  3. Restart the Tomcat server:

    service tomcat restart

    A message is displayed indicating that the Tomcat server is restarted.

  4. Enable or disable regular expressions in your patterns by setting the regex_enabled property. By default, regular expressions are disabled.

    For example:

    regex_enabled=false

    When you set the regex_enabled property to <false>, the system generates regular expressions (regex) based on the tags you entered when you try to retrieve the corresponding data values from the logs.

    When you set the regex_enabled property to <true>, you can define custom regex to control patterns. These regex configurations are applied directly to the logs and the first captured group is returned. When you define custom regex patterns, you must adhere to regex rules, as defined by the Java programming language. For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

    To integrate the generic authorization server with JSA, make sure that you specify the classes directly instead of using the predefined classes. For example, the digit class(/\d/) becomes /[0-9]/. Also, instead of using numeric qualifiers, rewrite the expression to use the primitive qualifiers (/?/,/*/ and /+/).

  5. Review the file to determine a pattern for successful login:

    For example, if your authentication server generates the following log message for accepted packets:

    Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2

    The pattern for successful login is:

    Accepted password

    .

  6. Add the following entry to the file:

    login_success_pattern=<login success pattern>

    Where: <login success pattern> is the pattern that is determined in Step 5.

    For example:

    login_success_pattern=Accepted password

    All entries are case insensitive.

  7. Review the file to determine a pattern for login failures.

    For example, if your authentication server generates the following log message for login failures:

    Jun 27 12:58:33 expo sshd[20627]: Failed password for root from 10.100.100.109 port 1849 ssh2

    The pattern for login failures is Failed password.

  8. Add the following to the file:

    login_failed_pattern=<login failure pattern>

    Where: <login failure pattern> is the pattern that is determined for login failure.

    For example:

    login_failed_pattern=Failed password

    All entries are case insensitive.

  9. Review the file to determine a pattern for logout:

    For example, if your authentication server generates the following log message for logout:

    Jun 27 13:00:01 expo su(pam_unix)[22723]: session closed for user genuser

    The pattern for lookout is session closed.

  10. Add the following to the genericAuthServer.conf file:

    logout_pattern=<logout pattern>

    Where: <logout pattern> is the pattern that is determined for logout in step 9.

    For example:

    logout_pattern=session

    All entries are case insensitive.

  11. Review the file to determine a pattern, if present, for source IP address and source port.

    For example, if your authentication server generates the following log message:

    Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2

    The pattern for source IP address is from and the pattern for source port is port.

  12. Add an entry to the file for source IP address and source port:

    source_ip_pattern=<source IP pattern>

    source_port_pattern=<source port pattern>

    Where: <source IP pattern> and <source port pattern> are the patterns that are identified in 11 for source IP address and source port.

    For example:

    source_ip_pattern=from

    source_port_pattern=port

  13. Review the file to determine whether a pattern exists for user name.

    For example:

    Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2

    The pattern for user name is for.

  14. Add an entry to the file for the user name pattern:

    For example:

    user_name_pattern=for

    You are now ready to configure the log source in JSA.

Syslog Log Source Parameters for Generic Authorization Server

If JSA does not automatically detect the log source, add a Generic Authorization Server log source on the JSA Console by using the syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from Generic Authorization Server:

Table 1: Syslog Log Source Parameters for the Generic Authorization Server DSM

Parameter

Value

Type a name for your log source

Type a name for your log source.

Log Source Description

Type a description for the log source.

Log Source type

Configurable Authentication

Protocol Configuration

Syslog

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from your generic authorization appliance.