Tuesday, October 29, 2013

Analyze Siteminder Logs

Here is an overview of how SiteMinder access event logs are structured and how to read them.

If the event category is authentication or authorization, the format is:
lpszEvent lpszHostName lpszTimeString "szClientIp szUserName" "szAgentName szAction szResource" [szTransactionId] [nReason] szStatusMsg

The fields of this format are described as follows:
  • lpszEvent. The name (type) of the access event:
    SmLogAccessEvent_AuthAccept : lpszEvent = "AuthAccept"
    SmLogAccessEvent_AuthReject : lpszEvent = "AuthReject"
    SmLogAccessEvent_AuthAttempt : lpszEvent = "AuthAttempt"
    SmLogAccessEvent_AuthChallenge : lpszEvent = "AuthChallenge"
    SmLogAccessEvent_AzAccept : lpszEvent = "AzAccept"
    SmLogAccessEvent_AzReject : lpszEvent = "AzReject"
    SmLogAccessEvent_AdminLogin : lpszEvent = "AdminLogin"
    SmLogAccessEvent_AdminLogout : lpszEvent = "AdminLogout"
    SmLogAccessEvent_AdminReject : lpszEvent = "AdminReject"
    SmLogAccessEvent_AuthLogout : lpszEvent = "AuthLogout"
    SmLogAccessEvent_ValidateAccept : lpszEvent = "ValidateAccept"
    SmLogAccessEvent_ValidateReject : lpszEvent = "ValidateReject"
    
  • lpszHostName. The name of the host.
  • lpszTimeString. The timestamp of the occurrence of the event, in the format: [//:::]. For example: [27/Jun/2000:11:27:29 -0500]
  • szClientIp. The IP address of the client machine.
  • szUserName. The name of the user.
  • szAgentName. The name of the agent.
  • szAction. The action associated with the resource.
  • szResource. The accessed resource.
  • [szTransactionId]. A string that contains: idletime=.
  • [nReason]. The reason associated with the event. Reasons are enumerated in Sm_Api_Reason_t, which is in SmApi.h.
  • szStatusMsg. The message associated with the event. The message depends on the event type, as shown in the following table:
For example:
AuthAccept testbox [27/Jun/2000:11:27:29 -0500] "190.158.4.90 uid=scarter,ou=people,o=airius.com" "testagent GET /test/index.html" [idletime=3600;maxtime=7200;authlevel=5;] [0]
In this example,
  • lpszEvent is AuthAccept
  • lpszHostName is testbox
  • lpszTimeString is [27/Jun/2000:11:27:29 -0500]
  • szClientIp is 190.158.4.90
  • szUserName is uid=scarter,ou=people,o=airius.com
  • szAgentName is testagent
  • szAction is GET
  • szResource is /test/index.html
  • [szTransactionId] is [idletime=3600;maxtime=7200;authlevel=5;]
  • [nReason] is [0]
  • szStatusMsg is not specified.
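As an added example (not part of the original post), the following Python parses lines in the authentication/authorization format described above, splits szTransactionId into its key=value pairs, treats the optional szStatusMsg as optional, and counts AuthReject events per client IP as a simple detection check. The sample log lines are constructed for illustration, and the reason codes and status text in them are placeholders, not real Sm_Api_Reason_t values.

```python
"""Parse CA SiteMinder auth/az access-log lines (added example, not the post's code)."""
import re
from collections import Counter
from datetime import datetime

# lpszEvent lpszHostName [lpszTimeString] "szClientIp szUserName"
# "szAgentName szAction szResource" [szTransactionId] [nReason] szStatusMsg
LINE_RE = re.compile(
    r'^(?P<event>\S+)\s+(?P<host>\S+)\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<client_ip>[^\s"]+)(?:\s+(?P<user>[^"]*))?"\s+'   # user may be absent
    r'"(?P<agent>\S+)\s+(?P<action>\S+)\s+(?P<resource>[^"]*)"\s+'
    r'\[(?P<txid>[^\]]*)\]\s+\[(?P<reason>-?\d+)\]'
    r'(?:\s+(?P<status>.*?))?\s*$'                           # szStatusMsg optional
)


def parse_line(line):
    """Return a dict of named fields, or None if the line is not in auth/az format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["user"] or ""
    rec["status"] = rec["status"] or ""
    rec["reason"] = int(rec["reason"])  # nReason, enumerated in Sm_Api_Reason_t
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # szTransactionId holds "key=value;" pairs such as idletime=3600;maxtime=7200;
    rec["txid"] = dict(kv.split("=", 1) for kv in rec["txid"].split(";") if "=" in kv)
    return rec


def rejects_by_client(lines, threshold=3):
    """Count AuthReject events per szClientIp; return clients at or over threshold."""
    counts = Counter(r["client_ip"] for r in map(parse_line, lines)
                     if r and r["event"] == "AuthReject")
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample lines (not real logs): one accept, repeated rejects from one IP.
SAMPLE = [
    'AuthAccept testbox [27/Jun/2000:11:27:29 -0500] "190.158.4.90 uid=scarter,ou=people,o=airius.com" "testagent GET /test/index.html" [idletime=3600;maxtime=7200;authlevel=5;] [0]',
    'AuthReject testbox [27/Jun/2000:11:28:01 -0500] "10.0.0.7 uid=bjensen,ou=people,o=airius.com" "testagent GET /test/index.html" [] [9] placeholder status',
    'AuthReject testbox [27/Jun/2000:11:28:05 -0500] "10.0.0.7 uid=bjensen,ou=people,o=airius.com" "testagent GET /test/index.html" [] [9] placeholder status',
    'AuthReject testbox [27/Jun/2000:11:28:09 -0500] "10.0.0.7" "testagent GET /test/index.html" [] [9]',
    'AuthReject testbox [27/Jun/2000:11:29:00 -0500] "10.0.0.8 uid=kvaughan,ou=people,o=airius.com" "testagent GET /test/index.html" [] [9]',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
    print(rejects_by_client(SAMPLE))
```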
