Splunk log management Andrijana Todosijevic
1 Splunk log management Andrijana Todosijevic
User services engineer, 5th SIG-NOC Meeting, Geneva, 26-27 April 2017

2 Splunk log management - BPD
Campus Best Practices SIG
SCOPE: Best Practice Document (BPD) "Splunk log management" - collecting and analysing log data for the eduroam service
Splunk in AMRES:
- eduroam
- Asterisk PBX
- iAMRES Identity Federation
- Web-site (App)
- Filesender (App)

3 Generation of log messages
eduroam RADIUS statistics:
- Access-Accept/Access-Reject - authentication result
- IdP - domain (realm) of the user's home institution
- MAC - MAC address of the user device
- AP - string from which the location of the AP is determined
- RP - RADIUS attribute Operator-Name
Asterisk:
- callerid, src, dst - caller name and extensions
- from, to - SIP IDs
- startcall, end, callduration - time
- disposition - answering info
iAMRES:
- SP - Service Provider
- IdP - Identity Provider
- User - person's principal name at the home organization
Sample syslog lines (Asterisk CDR and simpleSAMLphp):
T03:07:24-04: cdr: "callerid:"AMRESHELPDESK" <199>","src:199","dst:121","from:SIP/amreshelpdesk ","to:SIP/andrijana.todosijevic a","startring: :06:26","startcall: :06:30","end: :07:39","callduration:69","disposition:ANSWERED"
T18:26:02-04: simplesamlphp[18100]: 5 STAT [ac329f5d52] saml20-idp-SSO

4 Generation of log messages
FreeRADIUS linelog module: one syslog line per Access-Accept or Access-Reject. The reference expands to the entry named after the reply Packet-Type; any other reply falls back to the empty format, so nothing is logged for it.

    linelog splunk {
        filename = syslog
        format = ""
        reference = "%{%{reply:Packet-Type}:-format}"
        Access-Accept = "Access-Accept: IdP=%{tolower:%{Realm}} MAC=%{Calling-Station-Id} AP=%{Called-Station-Id} RP=%{Operator-Name}"
        Access-Reject = "Access-Reject: IdP=%{tolower:%{Realm}} MAC=%{Calling-Station-Id} AP=%{Called-Station-Id} RP=%{Operator-Name}"
    }

syslog-ng rewrite rule: replaces the AP's Called-Station-Id with a readable AP name before the line reaches Splunk (one substitution per AP).

    rewrite r_ap_use {
        ##################################
        ## UNIVERSITY OF BELGRADE ##
        subst("18-ef-63-aa-aa-aa:eduroam", "cisco1142-rcub-sf1");
    };

Log forwarding: eduroam via syslog-ng, iAMRES via rsyslog, Asterisk via syslog.
Resulting line as indexed in Splunk:
Jan 28 15:37:21 ftlr1 radiusd[31369]: Access-Accept: IdP=etf.bg.ac.rs MAC= f2-80-5c AP=cisco1142-rcub-studenjak5 RP=1rcub.bg.ac.rs

5 Collection of log messages
One index per service, syslog sourcetype, host set to the sending server:
index = "eduroam" / "login" / "ipphones"
sourcetype = "syslog"
host = "ip address/DNS"

8 Splunk Search Processing Language (SPL)
Number of requests by IdP, per chosen location in AMRES network

9 Splunk Visualisation: Number of distinct successfully authenticated MAC addresses per chosen location

10 Splunk fields
- Extract new fields
- New tags
- New event types
Event type eduroam_success, saved from the search:
index="eduroam" IdP MAC RP Access-Accept sourcetype=syslog

11 Splunk lookups
Institution                      | City     | AP_MAC              | AP_Name                   | Latitude | Longitude
School of Architecture           | Belgrade | 00-3a-7d :eduroam   | cisco2702-amres-bg.arh1   |          |
School of Economics              |          | 00-3a-7d-a :eduroam | cisco2702-amres-bg.ekfak1 |          |
School of Electrical Engineering |          | 00-3a-7d-a :eduroam | cisco2702-amres-bg.etf1   |          |

12 eduroam monitoring

13 eduroam monitoring
AMRES users (.ac.rs domain) and foreign users (other):
- all users
- use by institution
- use by location
Combinations of: different MAC addresses, successful authentications, number of requests, use by IdP, use by AP, use by RP
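Added example, not code from the slides or from AMRES: the reports on slides 8, 9, 10, 11 and 13 implemented in Python over constructed sample lines in the linelog format of slide 4, so that the field extraction, the AP rewrite and lookup, and the per-location statistics can be checked offline. In Splunk the same steps are the rex field extraction, the lookup command, and stats count / dc(MAC) BY IdP. The realms, MAC addresses, full AP_MAC values and lookup rows are assumptions made up for this example. It also keeps APs that are missing from the lookup visible as "unmapped", because a lookup that silently drops unknown APs makes the per-location counts look complete when they are not.

```python
import re
from collections import Counter

# Constructed sample input in the shape the linelog module writes to syslog.
# Realms, MACs and AP identifiers are made up for this example, not AMRES data.
# The last line is an unrelated syslog message and must not match.
SAMPLE_SYSLOG = """\
Jan 28 15:37:21 ftlr1 radiusd[31369]: Access-Accept: IdP=etf.bg.ac.rs MAC=00-11-22-33-44-55 AP=00-3a-7d-a1-b2-c3:eduroam RP=1rcub.bg.ac.rs
Jan 28 15:37:25 ftlr1 radiusd[31369]: Access-Accept: IdP=etf.bg.ac.rs MAC=00-11-22-33-44-55 AP=00-3a-7d-a1-b2-c3:eduroam RP=1rcub.bg.ac.rs
Jan 28 15:38:02 ftlr1 radiusd[31369]: Access-Accept: IdP=uni-lj.si MAC=66-77-88-99-aa-bb AP=00-3a-7d-a1-b2-c3:eduroam RP=1rcub.bg.ac.rs
Jan 28 15:38:10 ftlr1 radiusd[31369]: Access-Reject: IdP=arh.bg.ac.rs MAC=cc-dd-ee-ff-00-11 AP=00-3a-7d-d4-e5-f6:eduroam RP=1rcub.bg.ac.rs
Jan 28 15:39:44 ftlr1 radiusd[31369]: Access-Accept: IdP=arh.bg.ac.rs MAC=cc-dd-ee-ff-00-11 AP=00-3a-7d-d4-e5-f6:eduroam RP=1rcub.bg.ac.rs
Jan 28 15:40:00 ftlr1 radiusd[31369]: Access-Accept: IdP=arh.bg.ac.rs MAC=cc-dd-ee-ff-00-11 AP=00-3a-7d-99-99-99:eduroam RP=1rcub.bg.ac.rs
Jan 28 15:40:01 ftlr1 sshd[2210]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
"""

# Constructed lookup with the columns of the slide 11 lookup
# (Institution, City, AP_MAC, AP_Name); the AP_MAC values are made up.
AP_LOOKUP = [
    ("School of Architecture", "Belgrade", "00-3a-7d-d4-e5-f6:eduroam", "cisco2702-amres-bg.arh1"),
    ("School of Electrical Engineering", "Belgrade", "00-3a-7d-a1-b2-c3:eduroam", "cisco2702-amres-bg.etf1"),
]

# Field extraction equivalent to a Splunk rex: one named group per field the
# linelog format emits (IdP, MAC, AP, RP) plus the packet type.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) radiusd\[\d+\]: "
    r"(?P<result>Access-Accept|Access-Reject): IdP=(?P<IdP>\S+) MAC=(?P<MAC>\S+) "
    r"AP=(?P<AP>\S+) RP=(?P<RP>\S+)$"
)


def parse_events(text):
    """Extract fields from lines matching the linelog format; other syslog lines
    (here the sshd line) are skipped, as they would not match the rex."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def enrich(events, lookup=AP_LOOKUP):
    """Two steps the page performs before and inside Splunk: the syslog-ng subst()
    rewrite (AP Called-Station-Id -> AP name) and the Splunk lookup (AP name ->
    Institution, City). APs without a lookup row are kept with City='unmapped'
    so they appear in the reports instead of disappearing."""
    name_by_mac = {ap_mac: ap_name for _, _, ap_mac, ap_name in lookup}
    site_by_name = {ap_name: (inst, city) for inst, city, _, ap_name in lookup}
    out = []
    for e in events:
        e = dict(e)
        e["AP"] = name_by_mac.get(e["AP"], e["AP"])
        e["Institution"], e["City"] = site_by_name.get(e["AP"], ("unmapped", "unmapped"))
        out.append(e)
    return out


def is_eduroam_success(e):
    """Slide 10's eduroam_success event type: an Access-Accept carrying IdP, MAC and RP."""
    return e["result"] == "Access-Accept" and all(e.get(k) for k in ("IdP", "MAC", "RP"))


def requests_by_idp(events, city):
    """Slide 8: number of requests (accepts and rejects) by IdP at one location."""
    return Counter(e["IdP"] for e in events if e["City"] == city)


def distinct_success_macs(events, city):
    """Slide 9: distinct successfully authenticated MACs at one location (dc(MAC) in SPL)."""
    return len({e["MAC"] for e in events if e["City"] == city and is_eduroam_success(e)})


def successes_by_origin(events):
    """Slide 13: successful authentications split into AMRES users (.ac.rs realms)
    and foreign users (all other realms)."""
    return Counter(
        "amres" if e["IdP"].endswith(".ac.rs") else "foreign"
        for e in events if is_eduroam_success(e)
    )


def unmapped_aps(events):
    """Operational check: AP identifiers seen in the logs that have no lookup row."""
    return sorted({e["AP"] for e in events if e["City"] == "unmapped"})


if __name__ == "__main__":
    evs = enrich(parse_events(SAMPLE_SYSLOG))
    print("requests by IdP, Belgrade:", dict(requests_by_idp(evs, "Belgrade")))
    print("distinct successful MACs, Belgrade:", distinct_success_macs(evs, "Belgrade"))
    print("successes by origin:", dict(successes_by_origin(evs)))
    print("APs missing from lookup:", unmapped_aps(evs))
```

The unmapped_aps check is the one to run after every lookup update: with the syslog-ng rewrite on slide 4 and the lookup on slide 11 both keyed on AP identifiers, a new AP that is added to the network but not to either table shows up in Splunk only under its raw Called-Station-Id and is missing from every per-location chart.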

14 Asterisk monitoring

15 Asterisk monitoring: Number of attack attempts on Asterisk on its public IP address

16 iAMRES monitoring: Access per service and per user domain

17 AMRES Web Analytics

18 AMRES Web Analytics: User journey flow through the AMRES web-site

19 Filesender monitoring
Number of downloads per file
