Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
minLevel2
typeflat

Introduction

The tag tags beginning with auth.secureauth.events identifies all log identify events generated by SecureAuth IdP. This procedure was implemented for version 9.1.

For information about SecureAuth IdP, see the vendor documentation online.

Tag structure

This technology uses a single tag to support the audit, debug, and error logs generated by SecureAuth IdP. The tag is simply auth.secureauth.events and the associated events are saved in Devo in a table of the same name. For more information, read more about Devo tags.

To set up the sending of SecureAuth events to your Devo domain:

  1. Set up the Devo relay rule that applies the tag to the SecureAuth events.

  2. Configure event sending from SecureAuth to the Devo relay.

Step 1: Set up the Devo relay rule

On your Devo Relay, you'll set up a relay rule that applies the auth.secureauth.events tag before forwarding the events to Devo in syslog format. In the example below, we use port 13003 but you should use any port that you can dedicate to these events. This must be the same port you configure for the Syslog server in the next step..

  • Source Port → 13003

  • Target Tag → auth.secureauth.events

  • Check the Stop processing checkbox.

Step 2: Configure event sending in SecureAuth IdP

In SecureAuth, you need to enable the sending of the audit, debug, and error logs in syslog format, then set up your Devo relay as a syslog server. To do so, follow the vendor instructions for log configuration, and be sure to:

  • In the Log Options section, select the Syslog checkbox for each of the audit, debug, and error logs.

  • In the Syslog section, enter the Devo relay's IP address as the Syslog server and the port to which you will send the events. Note that this is the port for which you will set up the relay rule later in this procedure. Select RFC3164 as the Syslog RFC Spec and choose CEF as the Spec format.

Once events are being sent from SecureAuth to the Devo relay, the auth.securauth.events table will appear in Devo in Data Search → Finder.the SecureAuth authentication platform.

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed asauth.secureauth. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

SecureAuth identity platform

auth.secureauth.events

auth.secureauth.events

auth.secureauth.radius

auth.secureauth.radius

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

Anchor
tag1
tag1
auth.secureauth.events

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

Code Block
split(hostchain, "=", 0)

hostchain

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

cat

str

ipRiskScore

float8

priority

int8

browserSession

str

analyzeEngineResult

str

companyName

str

requestID

str

requestDuration

str

userCountryCode

str

deviceUTCTime

timestamp

dst

ip4

dvc

ip4

deviceFacility

str

msg

str

outcome

str

requestClientApplication

str

sourceServiceName

str

spid

int4

src

ip4

suser

str

secureAuthIdPAppliance

str

hostchain

str

tag

str

rawMessage

str

Anchor
tag2
tag2
auth.secureauth.radius

Field

Type

Extra fields

eventdate

timestamp

hostname

str

timestamp

str

server

str

product

str

logtype

str

process

str

transctionId

str

eventMessage

str

hostchain

str

tag

str

rawMessage

str