I recently installed the Splunk App for Palo Alto on our indexers and search heads and setup a syslog feed to one of our indexers from our Palo Alto. Using the app on that indexer worked perfectly. When I switched to our search heads no data was being populated in the app, however, the index was …
Earlier this year I attended the Educause Security Professional Conference in St. Louis. I went to a session at which Nick Hannon from Swarthmore College explained how Splunk could combine MaxMind GeoIP data with authentication logs to detect credential theft by looking for geo impossible logins. I couldn’t find an exact tutorial online, so this is …
Geo Impossible Logins: Detecting Credential Theft in Splunk Read More »
Let’s find out what our popular CAS services are by pulling our authentication logs for the server into Splunk Enterprise. To start review my CAS+Splunk configuration from my last post. We need to add a new field extraction for service_url like I did below. Then I started with the following query:
The first log that I wanted to parse with our new Splunk Enterprise system was catalina.out log from our CAS server. CAS, or Central Authentication Server, is a web-based, federated, single sign-on service available at http://www.jasig.org/cas/. We use it for, among other things, our authentication for Google Apps for Education. Once the logs were indexed into …
