Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

CA SiteMinder

The CA SiteMinder DSM collects and categorizes authorization events from CA SiteMinder appliances with syslog-ng.

The CA SiteMinder DSM accepts access and authorization events that are logged in smaccess.log and forwards the events to JSA by using syslog-ng.

Syslog Log Source Parameters for CA SiteMinder

If JSA does not automatically detect the log source, add a CA SiteMinder log source on the JSA Console by using the Syslog protocol.

When using the Syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from CA SiteMinder:

Table 1: Syslog Log Source Parameters for the CA SiteMinder DSM

Parameter

Value

Log Source name

Type a name for your log source.

Log Source description

Type a description for the log source.

Log Source type

CA SiteMinder

Protocol Configuration

Syslog

Log Source Identifier

Type the IP address or host name for your CA SiteMinder appliance.

Enabled

Select this check box to enable the log source. By default, this check box is selected.

Credibility

From the list, type the credibility value of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source device. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

From the list, select the Target Event Collector to use as the target for the log source.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.

Automatically discovered log sources use the default value that is configured in the Coalescing Events list in the System Settings window, which is accessible on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source that you can override the default value by configuring this check box for each log source. For more information, see the Juniper Secure Analytics Administration Guide.

Store Event Payload

Select this check box to enable or disable JSA from storing the event payload.

Automatically discovered log sources use the default value from the Store Event Payload list in the System Settings window, which is accessible on the Admin tab. When you create a new log source or update the configuration for an automatically discovered log source that you can override the default value by configuring this check box for each log source. For more information, see the Juniper Secure Analytics Administration Guide.

Configuring Syslog-ng for CA SiteMinder

You must configure your CA SiteMinder appliance to forward syslog-ng events to your JSA console or Event Collector.

JSA can collect syslog-ng events from TCP or UDP syslog sources on port 514.

To configure syslog-ng for CA SiteMinder:

  1. Using SSH, log in to your CA SiteMinder appliance as a root user.

  2. Edit the syslog-ng configuration file.

    /etc/syslog-ng.conf

  3. Add the following information to specify the access log as the event file for syslog-ng:

  4. Add the following information to specify the destination and message template:

    Where <QRadar IP> is the IP address of the JSA console or Event Collector.

  5. Add the following log entry information:

  6. Save the syslog-ng.conf file.

  7. Type the following command to restart syslog-ng:

    service syslog-ng restart

    After the syslog-ng service restarts, the CA SiteMinder configuration is complete. Events that are forwarded to JSA by CA SiteMinder are displayed on the Log Activity tab.