| Table of Contents | ||||||
|---|---|---|---|---|---|---|
|
Introduction
The tag tags beginning with auth.secureauth. identify events identifies all log events generated by SecureAuth IdP. This procedure was implemented for version 9.1.
For information about SecureAuth IdP, see the vendor documentation online.
Tag structure
This technology uses a single tag to support the audit, debug, and error logs generated by SecureAuth IdP. The tag is simply auth.secureauth.events and the associated events are saved in Devo in a table of the same name. For more information, read more about Devo tags.
To set up the sending of SecureAuth events to your Devo domain:
Set up the Devo relay rule that applies the tag to the SecureAuth events.
Configure event sending from SecureAuth to the Devo relay.
Step 1: Set up the Devo relay rule
On your Devo Relay, you'll set up a relay rule that applies the auth.secureauth.events tag before forwarding the events to Devo in syslog format. In the example below, we use port 13003 but you should use any port that you can dedicate to these events. This must be the same port you configure for the Syslog server in the next step..
Source Port → 13003
Target Tag → auth.secureauth.events
Check the Stop processing checkbox.
Step 2: Configure event sending in SecureAuth IdP
In SecureAuth, you need to enable the sending of the audit, debug, and error logs in syslog format, then set up your Devo relay as a syslog server. To do so, follow the vendor instructions for log configuration, and be sure to:
In the Log Options section, select the Syslog checkbox for each of the audit, debug, and error logs.
In the Syslog section, enter the Devo relay's IP address as the Syslog server and the port to which you will send the events. Note that this is the port for which you will set up the relay rule later in this procedure. Select RFC3164 as the Syslog RFC Spec and choose CEF as the Spec format.
Once events are being sent from SecureAuth to the Devo relay, the auth.securauth.events table will appear in Devo in Data Search → Finder.the SecureAuth authentication platform.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed asauth.secureauth. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
|---|---|---|
SecureAuth identity platform |
|
|
|
|
For more information, read more About Devo tags.
Table structure
These are the fields displayed in these tables:
auth.secureauth.events
Field | Type | Field transformation | Source field name | Extra fields | ||
|---|---|---|---|---|---|---|
eventdate |
| |||||
hostname |
|
| hostchain | |||
cefVersion |
| |||||
embDeviceVendor |
| |||||
embDeviceProduct |
| |||||
deviceVersion |
| |||||
signatureID |
| |||||
name |
| |||||
severity |
| |||||
cat |
| |||||
ipRiskScore |
| |||||
priority |
| |||||
browserSession |
| |||||
analyzeEngineResult |
| |||||
companyName |
| |||||
requestID |
| |||||
requestDuration |
| |||||
userCountryCode |
| |||||
deviceUTCTime |
| |||||
dst |
| |||||
dvc |
| |||||
deviceFacility |
| |||||
msg |
| |||||
outcome |
| |||||
requestClientApplication |
| |||||
sourceServiceName |
| |||||
spid |
| |||||
src |
| |||||
suser |
| |||||
secureAuthIdPAppliance |
| |||||
hostchain |
| ✓ | ||||
tag |
| ✓ | ||||
rawMessage |
| ✓ |
auth.secureauth.radius
Field | Type | Extra fields |
|---|---|---|
eventdate |
| |
hostname |
| |
timestamp |
| |
server |
| |
product |
| |
logtype |
| |
process |
| |
transctionId |
| |
eventMessage |
| |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |