The first log that I wanted to parse with our new Splunk Enterprise system was catalina.out log from our CAS server. CAS, or Central Authentication Server, is a web-based, federated, single sign-on service available at http://www.jasig.org/cas/. We use it for, among other things, our authentication for Google Apps for Education.
Configuring the universal forwarder on the CAS server was fairly straightforward. However, although CAS logs are log4j formatted, the Splunk defaults cause the multi-line entries to be split into separate events, because some timestamps appear in the middle of events. As such I needed to create a new source type to deal with this. So I created a new file at ‘/opt/splunk/etc/system/local/props.conf’ and added the following contents.
As the events began to fill in I created two field extractions on my Splunk search head; one to tag the usernames and the other to tag the client IP addresses. I also set the permissions so that both fields would show up in all apps.
Next I installed the Google Maps App from https://apps.splunk.com/app/368/ onto each of my Splunk servers. This not only provides me with the ability to plot points on a map, but it also gives me access to the MaxMind GeoIP database. Even after it was installed, the ‘geoip’ command still did not work. After some research I found that I needed to edit ‘/opt/splunk/etc/apps/maps/default/geoip.conf’ to change the path to the GeoIP database file. The absolute path seems to be required.
index=authentication TICKET_GRANTING_TICKET_CREATED client_ip=* | geoip client_ip
I chose ‘TICKET_GRANTING_TICKET_CREATED’ to return only events where the user is logging into CAS with their username and password, client_ip=* to avoid any errors where the client_ip was not present, and then I simply piped it into the geoip command to return the following data.
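To make the event-splitting problem and the two field extractions concrete, here is a small added Python example; it is not code from the original post or from the CAS or Splunk projects. It assumes a CAS audit record layout with a log4j timestamp at the start of each event and a body with `WHO:`, `ACTION:`, `WHEN:` and `CLIENT IP ADDRESS:` lines (the layout CAS's inspektr audit trail uses; the sample log below is constructed, with documentation-range IP addresses). It shows why a break on every line carrying a time-of-day tears a record apart, how breaking only on a leading timestamp keeps it whole, and then applies the same selection as the `TICKET_GRANTING_TICKET_CREATED client_ip=*` search. The `props.conf` settings themselves are not reproduced here.

```python
"""Added example: group multi-line CAS audit records into events and pull
out the username and client IP fields, then select TGT-creation logins.

Assumed record layout (constructed sample, not taken from any real server):
a line beginning with a log4j timestamp starts an event; the audit body
carries 'WHO:', 'ACTION:', 'WHEN:' and 'CLIENT IP ADDRESS:' lines.
"""
import re
from typing import Callable, Dict, List

# A new event begins only at a line that STARTS with a log4j timestamp.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

# Looser rule: any line containing a time-of-day. This approximates the
# default behaviour the post describes, where the 'WHEN:' line inside a
# record is mistaken for the start of a new event.
ANY_TIMESTAMP = re.compile(r"\d{2}:\d{2}:\d{2}")

# Field extractions equivalent to the two configured on the search head.
USERNAME_RE = re.compile(r"^WHO: (\S+)$", re.MULTILINE)
CLIENT_IP_RE = re.compile(r"^CLIENT IP ADDRESS: (\S+)$", re.MULTILINE)
ACTION_RE = re.compile(r"^ACTION: (\S+)$", re.MULTILINE)

SAMPLE_LOG = """\
2013-01-15 10:23:45,123 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted ticket for jsmith
2013-01-15 10:23:45,130 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: jsmith
WHAT: TGT-12-example
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jan 15 10:23:45 EST 2013
CLIENT IP ADDRESS: 192.0.2.10
SERVER IP ADDRESS: 10.0.0.5
=============================================================

2013-01-15 10:24:02,005 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: mjones
WHAT: supplied credentials: [username: mjones]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Jan 15 10:24:02 EST 2013
CLIENT IP ADDRESS: 198.51.100.7
SERVER IP ADDRESS: 10.0.0.5
=============================================================
"""


def _group(text: str, is_boundary: Callable[[str], bool]) -> List[str]:
    """Accumulate lines into events; a boundary line starts a new event."""
    events: List[str] = []
    current: List[str] = []
    for line in text.splitlines():
        if is_boundary(line) and current:
            events.append("\n".join(current).rstrip())
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current).rstrip())
    return events


def naive_split(text: str) -> List[str]:
    """Break on any line with a time-of-day: the 'WHEN:' line splits records."""
    return _group(text, lambda line: ANY_TIMESTAMP.search(line) is not None)


def split_events(text: str) -> List[str]:
    """Break only before a leading log4j timestamp, keeping each record whole."""
    return _group(text, lambda line: EVENT_START.match(line) is not None)


def extract_fields(event: str) -> Dict[str, str]:
    """Apply the username / client_ip (and action) extractions to one event."""
    fields: Dict[str, str] = {}
    for name, rx in (("username", USERNAME_RE),
                     ("client_ip", CLIENT_IP_RE),
                     ("action", ACTION_RE)):
        match = rx.search(event)
        if match:
            fields[name] = match.group(1)
    return fields


def tgt_logins(text: str,
               splitter: Callable[[str], List[str]] = split_events) -> List[Dict[str, str]]:
    """Equivalent of: TICKET_GRANTING_TICKET_CREATED client_ip=*"""
    results: List[Dict[str, str]] = []
    for event in splitter(text):
        fields = extract_fields(event)
        if "TICKET_GRANTING_TICKET_CREATED" in event and "client_ip" in fields:
            results.append(fields)
    return results


if __name__ == "__main__":
    print("naive events:", len(naive_split(SAMPLE_LOG)),
          "-> logins found:", tgt_logins(SAMPLE_LOG, naive_split))
    print("proper events:", len(split_events(SAMPLE_LOG)),
          "-> logins found:", tgt_logins(SAMPLE_LOG))
```

With the naive boundary the sample yields five fragments and no login is found, because the `CLIENT IP ADDRESS:` line lands in a different fragment from the `ACTION:` line; with the leading-timestamp boundary the same text yields three events and the jsmith login comes out with its client IP attached, which is the property the custom source type restores before the `client_ip` values are handed to `geoip`.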