Let’s find out which services are using our CAS server for authentication, using Splunk Enterprise. To start, review my CAS+Splunk configuration from my last post.
We need to add a new field extraction for service_url, as I did below.

Then I started with the following query: Continue reading: Finding popular CAS services with Splunk
The first log that I wanted to parse with our new Splunk Enterprise system was catalina.out log from our CAS server. CAS, or Central Authentication Server, is a web-based, federated, single sign-on service available at http://www.jasig.org/cas/. We use it for, among other things, our authentication for Google Apps for Education.
Configuring the universal forwarder on the CAS server was fairly straightforward. However, although CAS logs are log4j formatted, the Splunk defaults will split the multi-line entries into separate events, because some timestamps appear in the middle of an entry. As such, I needed to create a new source type to handle this. So I created a new file at ‘/opt/splunk/etc/system/local/props.conf’ and added the following contents.
The main difference is that the RegEx for BREAK_ONLY_BEFORE is stricter than the default log4j configuration, so a timestamp in the middle of an entry will not cause a new event to start. Continue reading: Mapping CAS Logins with Splunk
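As an added illustration (not the props.conf from the original post, whose contents are not reproduced here), the following Python script mimics Splunk's event breaking over a constructed catalina.out excerpt and shows why anchoring the break regex at the start of the line matters. The log lines, user names and service URL are made up for the example.

```python
import re

# Constructed CAS catalina.out excerpt (not taken from the original post).
# The second entry spans several lines, and one of its inner lines carries a
# log4j-style timestamp that is NOT at the start of the line.
SAMPLE_LOG = """\
2012-03-01 10:15:02,113 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-example] for service [https://mail.google.com/a/example.edu/acs] for user [alice]>
2012-03-01 10:15:03,501 WARN [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler failed to authenticate user [bob]>
 caused by: javax.security.auth.login.FailedLoginException
 last successful login was 2012-02-28 09:01:44,010 from 192.0.2.10
 at org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.authenticate(...)
2012-03-01 10:15:04,007 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted ticket granting ticket [TGT-2-example] for user [carol]>
"""

# Loose rule: any line containing a log4j timestamp starts a new event
# (this is what splits the WARN entry above into two events).
LOOSE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")

# Strict rule: only a line that BEGINS with the timestamp starts a new event,
# the same idea as an anchored BREAK_ONLY_BEFORE regex in props.conf.
STRICT = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")


def break_events(text, start_pattern):
    """Group raw lines into events; a new event starts at each line matching start_pattern."""
    events = []
    current = []
    for line in text.splitlines():
        if start_pattern.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def orphan_events(events, start_pattern):
    """Events whose first line carries no leading timestamp: the symptom of a bad break."""
    return [ev for ev in events if not start_pattern.match(ev)]


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        events = break_events(SAMPLE_LOG, pattern)
        print(f"{name}: {len(events)} events, "
              f"{len(orphan_events(events, STRICT))} without a leading timestamp")
```

The loose rule yields four events, one of which begins with the inner "last successful login" line and so carries a bogus timestamp; the strict rule keeps the whole WARN entry together as one of three events.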
The opinions expressed in this blog are my own views and not those of Cisco.