Broadcom Symantec SiteMinder
Broadcom Symantec SiteMinder was formerly known as CA SiteMinder; JSA still uses the name CA SiteMinder.
The JSA Symantec SiteMinder DSM collects syslog-ng events from Symantec SiteMinder appliances.
The Symantec SiteMinder DSM collects access and authorization events that are logged in the smaccess.log file, then forwards the events to JSA by using syslog-ng.
To integrate Symantec SiteMinder with JSA, complete the following steps:
- If automatic updates are not enabled, download the most recent version of the CA SiteMinder DSM RPM from the Juniper Downloads.
- Configure your Symantec SiteMinder appliance to send events to JSA. For more information, see Configuring syslog-ng for Broadcom Symantec SiteMinder.
- Add a Symantec SiteMinder log source on the JSA Console.
Broadcom Symantec SiteMinder DSM specifications
When you configure the Broadcom Symantec SiteMinder DSM, understanding the specifications for the Broadcom Symantec SiteMinder DSM can help ensure a successful integration. For example, knowing what the supported version of Broadcom Symantec SiteMinder is before you begin can help reduce frustration during the configuration process.
The following table describes the specifications for the Symantec SiteMinder DSM.
| Specification | Value |
| --- | --- |
| Manufacturer | Broadcom |
| DSM name | CA SiteMinder |
| RPM file name | DSM-CASiteMinder-QRadar_versionbuild_number.noarch.rpm |
| Supported version | SiteMinder 12.8 |
| Protocol | Syslog, Log File |
| Event format | Syslog |
| Recorded event types | All events |
| Automatically discovered? | No |
| Includes identity? | Yes |
| Includes custom properties? | No |
| More information | |
Syslog Log Source Parameters for Broadcom Symantec SiteMinder
If JSA does not automatically detect the log source, add a Broadcom Symantec SiteMinder log source on the JSA Console by using the Syslog protocol.
When using the Syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from Symantec SiteMinder:
| Parameter | Value |
| --- | --- |
| Log Source name | Type a name for your log source. |
| Log Source description | Type a description for the log source. |
| Log Source type | CA SiteMinder |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the IP address or host name of your Symantec SiteMinder appliance. |
| Enabled | Select this check box to enable the log source. By default, this check box is selected. |
| Credibility | From the list, select the credibility value of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source device. Credibility increases if multiple sources report the same event. The default is 5. |
| Target Event Collector | From the list, select the Target Event Collector to use as the target for the log source. |
| Coalescing Events | Select this check box to enable the log source to coalesce (bundle) events. Automatically discovered log sources use the default value that is configured in the Coalescing Events list in the System Settings window, which is accessible on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information, see the Juniper Secure Analytics Administration Guide. |
| Store Event Payload | Select this check box to enable or disable storing of the event payload by JSA. Automatically discovered log sources use the default value from the Store Event Payload list in the System Settings window, which is accessible on the Admin tab. When you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information, see the Juniper Secure Analytics Administration Guide. |
Configuring syslog-ng for Broadcom Symantec SiteMinder
You must configure your Broadcom Symantec SiteMinder appliance to forward syslog-ng events to your JSA console or Event Collector.
JSA can collect syslog-ng events from TCP or UDP syslog sources on port 514.
To configure syslog-ng for Symantec SiteMinder:
- Using SSH, log in to your Symantec SiteMinder appliance as a root user.
- Edit the syslog-ng configuration file, /etc/syslog-ng.conf:
  - Add the following information to specify the access log as the event file for syslog-ng:
    source s_siteminder_access { file("/opt/apps/siteminder/sm66/siteminder/log/smaccess.log"); };
  - Add the following information to specify the destination and message template:
    destination d_remote_q1_siteminder { udp("<QRadar IP>" port(514) template ("$PROGRAM $MSG\n")); };
    Where <QRadar IP> is the IP address of the JSA console or Event Collector.
  - Add the following log entry information:
    log { source(s_siteminder_access); destination(d_remote_q1_siteminder); };
  - Save the syslog-ng.conf file.
- Type the following command to restart syslog-ng:
  service syslog-ng restart
After the syslog-ng service restarts, the Symantec SiteMinder configuration is complete. Events that are forwarded to JSA by Symantec SiteMinder are displayed on the Log Activity tab.
Broadcom Symantec SiteMinder Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Symantec SiteMinder Sample Message when you use the Syslog Protocol
Sample 1: The following sample event message shows that authorization is accepted.
<173>Mar 11 15:53:54 ca.siteminder.test ca-siteminder [Auth][AuthAccept][][ca.siteminder.test] [11/Mar/2021:15:53:45 -0500][31l-apache-aaaaa111-agent][A1aAaAAAAAaAa11aaaaAaaA1AAA=] [CN=Test Useruser,OU=Standard,OU=Domain Users,DC=ad,DC=example,DC=com] [01-00001a11-0111-1a1a-1111-11a111a10000][root-realm][01-000011aa-1111-111a-aaa1-111111a1a1aa] [10.236.235.223][/aaaa/aaaAaaaAaaaaaAaaaaaaaaaa.jsp][GET][Production AD][plswa245:636 plswa246:636,plswa247:636 plswa245:636,prewa223:636 prewa224:636,prewa225:636 prewa223:636,prewa226:636 prewa227:636,plswa248:636 plswa248:636,plswa246:636 plswa247:636,prewa224:636 prewa225:636,prewa227:636 prewa226:636,plswa245:636 plswa246:636,plswa246:636 plswa247:636,plswa247:636 plswa245:636,prewa223:636 prewa224:636,prewa224:636 prewa225:636,prewa225:636 prewa223:636,prewa226:636 prewa227:636,prewa227:636 prewa226:636,plswa248:636 plswa248:636,plswa245:636 plswa246:636,prewa223:636 prewa224:636,prewa224:636 prewa225:636,prewa225:636 prewa223:636,prewa226:636 prewa227:636,prewa227:636 prewa226:636,plswa248:636 plswa248:636] [LDAP:][idletime=3600;maxtime=7200;authlevel=5;][][http://aaaaa111.aaa.example.com-11][][][][][]
| JSA field name | Highlighted values in the event payload |
| --- | --- |
| Event ID | AuthAccept |
| Source IP | 10.236.235.223 |
| Username | Test Useruser |
| Log Source Time | 11/Mar/2021:15:53:45 -0500 (extracted from date and time fields) |
| Identity IP | 10.236.235.223 |
| Identity Username | Test Useruser |
Sample 2: The following sample event message shows an authorization logout.
AuthLogout osand001 [24/May/2012:14:14:50 -0500] "10.6.172.171 uid=Testuser01TesTU@example.com,ou=people,ou=AAAA A AA-AAAAA LTD.,ou=dcp,dc=aaaaaa,dc=com" "aaaa01aaa01-aaaa1 " [] [41] [] []
| JSA field name | Highlighted values in the event payload |
| --- | --- |
| Event ID | AuthLogout |
| Source IP | 10.6.172.171 |
| Username | Testuser01TesTU@example.com |
| Log Source Time | 24/May/2012:14:14:50 -0500 (extracted from date and time fields) |
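The two field-mapping tables above show which parts of an smaccess.log line JSA reads as Event ID, Source IP, Username and Log Source Time. The following Python script is an added example, not part of the JSA documentation and not the DSM's own parser: it pulls those same fields out of both sample layouts (the bracketed `[Auth][AuthAccept]...` form, optionally carrying the syslog header that the `$PROGRAM $MSG` syslog-ng template produces, and the older `AuthLogout ... "ip uid=..."` form) so that you can check a captured line against the tables before, or instead of, waiting for it to appear on the Log Activity tab. The column positions and the `CN=`/`uid=` conventions are assumptions taken from the two samples on this page; the sample inputs are constructed from them, with the long LDAP server list in sample 1 shortened.

```python
"""Extract JSA-style fields from Symantec SiteMinder smaccess.log events.

Added example; the field layout is inferred from the two sample messages on
the page, not from the DSM's parser.
"""
import re
from datetime import datetime
from typing import Callable, Dict, List, Optional

# "<PRI>Mon DD HH:MM:SS host program " prefix added on the syslog-ng path.
SYSLOG_HDR_RE = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+ "
)
BRACKET_RE = re.compile(r"\[([^\]]*)\]")
TIME_RE = re.compile(r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
QUOTED_RE = re.compile(r'"([^"]*)"')


def strip_syslog_header(line: str) -> str:
    """Drop the syslog header if present, leaving the raw smaccess.log body."""
    m = SYSLOG_HDR_RE.match(line)
    return line[m.end():] if m else line


def _first(fields: List[str], pred: Callable[[str], bool]) -> Optional[str]:
    return next((f for f in fields if pred(f)), None)


def _parse_bracketed(fields: List[str]) -> Dict[str, Optional[str]]:
    """Bracketed layout (assumed from sample 1): [Auth][<event id>][...]...

    The event id is positional; time, client IP and user DN are located by
    shape so a shifted column does not silently return the wrong value.
    """
    user_dn = _first(fields, lambda f: f.upper().startswith("CN="))
    cn = re.match(r"CN=([^,]+)", user_dn, re.I) if user_dn else None
    return {
        "event_id": fields[1],
        "log_source_time": _first(fields, lambda f: TIME_RE.fullmatch(f) is not None),
        "source_ip": _first(fields, lambda f: IPV4_RE.fullmatch(f) is not None),
        "username": cn.group(1) if cn else None,
    }


def _parse_legacy(body: str) -> Dict[str, Optional[str]]:
    """Older layout (assumed from sample 2): <event> <agent> [time] "<ip> <dn>" ..."""
    quoted = QUOTED_RE.findall(body)
    time_m = TIME_RE.search(body)
    ip_m = IPV4_RE.search(quoted[0]) if quoted else None
    uid_m = re.search(r"uid=([^,]+)", quoted[0], re.I) if quoted else None
    return {
        "event_id": body.split(None, 1)[0] if body else None,
        "log_source_time": time_m.group(0) if time_m else None,
        "source_ip": ip_m.group(0) if ip_m else None,
        "username": uid_m.group(1) if uid_m else None,
    }


def parse_siteminder_event(line: str) -> Dict[str, Optional[str]]:
    """Return event_id, log_source_time, source_ip, username and an ISO 8601 time."""
    body = strip_syslog_header(line.strip())
    fields = BRACKET_RE.findall(body)
    if body.startswith("[") and len(fields) > 4 and fields[0] == "Auth":
        event = _parse_bracketed(fields)
    else:
        event = _parse_legacy(body)
    ts = event.get("log_source_time")
    # Normalise the timestamp so events from different sources can be compared.
    event["event_time_iso"] = (
        datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").isoformat() if ts else None
    )
    return event


def parse_all(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    return [parse_siteminder_event(line) for line in lines]


# Constructed inputs, abridged from the page's two sample messages.
SAMPLE_EVENTS = [
    '<173>Mar 11 15:53:54 ca.siteminder.test ca-siteminder [Auth][AuthAccept][]'
    '[ca.siteminder.test] [11/Mar/2021:15:53:45 -0500][31l-apache-aaaaa111-agent]'
    '[A1aAaAAAAAaAa11aaaaAaaA1AAA=] [CN=Test Useruser,OU=Standard,OU=Domain Users,'
    'DC=ad,DC=example,DC=com] [01-00001a11-0111-1a1a-1111-11a111a10000][root-realm]'
    '[01-000011aa-1111-111a-aaa1-111111a1a1aa] [10.236.235.223]'
    '[/aaaa/aaaAaaaAaaaaaAaaaaaaaaaa.jsp][GET][Production AD]'
    '[plswa245:636 plswa246:636,plswa247:636 plswa245:636] [LDAP:]'
    '[idletime=3600;maxtime=7200;authlevel=5;][][http://aaaaa111.aaa.example.com-11]'
    '[][][][][]',
    'AuthLogout osand001 [24/May/2012:14:14:50 -0500] "10.6.172.171 '
    'uid=Testuser01TesTU@example.com,ou=people,ou=AAAA A AA-AAAAA LTD.,ou=dcp,'
    'dc=aaaaaa,dc=com" "aaaa01aaa01-aaaa1 " [] [41] [] []',
]

if __name__ == "__main__":
    for event in parse_all(SAMPLE_EVENTS):
        print(event)
```

Run it against lines pasted from your own smaccess.log (after removing stray carriage returns, as the note above advises); a line that yields `None` for source_ip or username is a good sign that the agent is writing a layout this DSM mapping was not written for, which is worth knowing before you rely on the Identity fields in JSA rules.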