I have had trouble getting two-factor authentication with Duo Security working on our Jasig CAS server in the past. However, with a new package from Unicon I was able to do it. Below I will outline the steps I took to install CAS with Duo on a clean install of SUSE Linux Enterprise Server 11.3.
I recently installed the Splunk App for Palo Alto on our indexers and search heads and set up a syslog feed to one of our indexers from our Palo Alto. Using the app on that indexer worked perfectly. When I switched to our search heads no data was being populated in the app; however, the index was still accessible from search. After doing some research I found that a change to the data model was necessary.
In the SplunkAppForPaloAlto data model the “pan_index” constraint must be changed to index=pan_logs. (Note the removal of quotes.) They also recommended disabling acceleration for this data model while making the change.
Continue reading Using Splunk to Monitor Palo Alto Firewalls
Earlier this year I attended the Educause Security Professional Conference in St. Louis. I went to a session at which Nick Hannon from Swarthmore College explained how Splunk could combine MaxMind GeoIP data with authentication logs to detect credential theft. I couldn’t find an exact tutorial online, so this is my execution of his idea. I based much of the syntax on another Splunk report I found here.
First we will need to get CAS sending its authentication logs to Splunk, see this post for details.
Next we can use the MaxMind database included in the Google Maps app for Splunk. Get that here: http://apps.splunk.com/app/368/. This will give us access to the “geoip” command which provides (among other things) the longitude and latitude of an IP address.
Continue reading Detecting Credential Theft Using Splunk Geographic Information