Mapping CAS Logins with Splunk
September 9, 2014 - Splunk
The first log that I wanted to parse with our new Splunk Enterprise system was catalina.out log from our CAS server. CAS, or Central Authentication Server, is a web-based, federated, single sign-on service available at http://www.jasig.org/cas/. We use it for, among other things, our authentication for Google Apps for Education.
Configuring the universal forwarder on the CAS server was fairly straightforward. However, although CAS logs are log4j formatted, the Splunk defaults will split the multi-line entries into separate events, because some entries contain timestamps in the middle of the event. As such, I needed to create a new source type to deal with this. So I created a new file at ‘/opt/splunk/etc/system/local/props.conf’ and added the following contents.
The main difference is that the RegEx for BREAK_ONLY_BEFORE is more strict than the default log4j configuration, so timestamps in the middle of an entry will not cause a new entry to start.
As the events began to fill in I created two field extractions on my Splunk search head; one to tag the usernames and the other to tag the client IP addresses. I also set the permissions so that both fields would show up in all apps.
Next I installed the Google Maps App from https://apps.splunk.com/app/368/ onto each of my Splunk servers. This not only provides the ability to plot points on a map, but it also gives me access to the MaxMind GeoIP database. Once it was installed, the ‘geoip’ command still did not work. After some research I found that I needed to edit ‘/opt/splunk/etc/apps/maps/default/geoip.conf’ to change the path to the GeoIP database file. The absolute path seems to be required.
With that everything should be in place to run a query. From the Splunk search head I opened the Google Maps app and entered the following command.
index=authentication TICKET_GRANTING_TICKET_CREATED client_ip=* | geoip client_ip
I chose ‘TICKET_GRANTING_TICKET_CREATED’ to return only events where the user is logging into CAS with their username and password, client_ip=* to avoid errors where the client_ip field was not present, and then I simply piped the results into the geoip command to return the following data.
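As an added illustration, not code from the post or from the CAS project, the Python below reproduces the three pieces described above: the strict line-start timestamp break (the BREAK_ONLY_BEFORE idea, which keeps the WHEN: line inside an entry from starting a new event), the username and client IP field extractions, and the TICKET_GRANTING_TICKET_CREATED client_ip=* filter from the search. The sample entries are constructed, and their layout (WHO:, ACTION:, CLIENT IP ADDRESS:) is assumed from the CAS 3.x inspektr audit trail rather than taken from the post.

```python
import re

# Constructed sample of CAS audit entries as they appear in catalina.out
# (layout assumed from the CAS 3.x inspektr audit trail, not from the post).
SAMPLE_LOG = """\
2014-09-09 10:15:32,123 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: jsmith
WHAT: TGT-1-placeholder
ACTION: TICKET_GRANTING_TICKET_CREATED
WHEN: Tue Sep 09 10:15:32 EDT 2014
CLIENT IP ADDRESS: 192.0.2.10
=============================================================
>
2014-09-09 10:15:33,456 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-placeholder
ACTION: SERVICE_TICKET_VALIDATED
WHEN: Tue Sep 09 10:15:33 EDT 2014
CLIENT IP ADDRESS: 192.0.2.22
=============================================================
>
"""

# Strict log4j timestamp anchored at the start of a line. The "WHEN:" line inside
# an entry does not match, so it cannot start a new event (the BREAK_ONLY_BEFORE idea).
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ", re.M)
FIELD_RX = {
    "user": re.compile(r"^WHO: (\S+)$", re.M),
    "client_ip": re.compile(r"^CLIENT IP ADDRESS: (\d{1,3}(?:\.\d{1,3}){3})$", re.M),
    "action": re.compile(r"^ACTION: (\S+)$", re.M),
}

def break_events(text):
    """Split raw log text into events; a new event begins only at EVENT_START."""
    starts = [m.start() for m in EVENT_START.finditer(text)]
    return [text[s:e].rstrip("\n") for s, e in zip(starts, starts[1:] + [len(text)])]

def extract_fields(event):
    """Mirror the search-head field extractions (username and client IP) plus the action."""
    return {name: m.group(1) for name, rx in FIELD_RX.items() if (m := rx.search(event))}

def logins_with_ip(text):
    """Equivalent of the search filter: TICKET_GRANTING_TICKET_CREATED client_ip=*."""
    return [f for f in map(extract_fields, break_events(text))
            if f.get("action") == "TICKET_GRANTING_TICKET_CREATED" and "client_ip" in f]
```

The list returned by logins_with_ip is what would be handed to geoip for plotting; with the default per-line timestamp break, the WHEN: line would have produced a second event carrying no WHO: or CLIENT IP ADDRESS: field.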