SecureAuth IdP #2076

Closed
Jaxjohnny opened this issue Jun 15, 2023 · 2 comments · Fixed by #2086

Jaxjohnny commented Jun 15, 2023

Good Day!

I'm asking about SecureAuth IdP. We are not sure why, and we do have a Splunk support case opened. However, they are saying that they are not able to support custom configurations. They will try to help, but no guarantees.

The add-on we use for this data is: https://splunkbase.splunk.com/app/3008 - SecureAuth IdP Splunk App
It processes logins to apps and web sites.

These data sources were sending to syslog-ng prior to the SC4S upgrade. SC4S has been incredibly useful and excellent.

Situation
It appears that SC4S is dropping data. We see the data in tcpdump on both the sender and the receiver, but not in Splunk.

These are the notes from the support case:
  • We checked tcpdump and we were seeing SecureAuth data coming in to the SC4S server, but those logs were not ingested into Splunk.
  • We then tried to apply the filter in the compliance conf/csv files, but that didn't help.
  • Regarding the issue with indexes, we checked that all the SC4S indexes were present in Splunk, but still we were seeing the same errors.
  • We also discussed that indexes defined in custom filters also need to be created in Splunk; otherwise there might be the case that the SC4S server is trying to send data to an index which is not present in Splunk. Hence, please confirm if all the indexes defined in custom filters are present in Splunk as well.
  • And regarding SecureAuth data, we will check with our internal team and revert back to you with an update as soon as we have some leads.

Inside the pcap, we run: syslog.msgid contains "20990"
There we find data. We see the same data at the sender source and at the endpoint receiving the data.

Here is the output from "follow the udp stream" inside wireshark.

<86>1 2023-06-01T15:58:40.640Z 10.16.2.132 SecureAuth0 9752 ID20990 [SecureAuth@27389 CompanyID="b3413a97-73ea-4e30-9b50-c3d74f9cfd1b" ApplianceID="46901235-ae95-e811-a16b-0050569105c7" ApplianceMachineName="SCASAPPR1" Realm="SecureAuth0" HashedUserID="Gnt8GzPRYfRYBHMMcLdRddzNmIM=" UserAgent="Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko" UserHostAddress="10.16.2.132" ProductType="1" ReceiveToken="4" UseJava="False" AllowedTokens="BROWSERFINGERPRINT" AuthGuiMode="1" AuthRegMethod="NONE" AuthRegMethodInfo="" IsPreAuth="False" PreAuthPage="" DestinationSiteUrl="Authorized/WebAdminStart.aspx" ReturnUrl="" TargetUrl="" SAMLConsumerSiteUrl="" SAMLRelayState="" SAMLTargetUrl="" Succeed="False" Comment="Session Aborted" TimeStamp="2023-06-01T15:48:09.9081583Z" AEResult="" BrowserSession="cacc2903-83f6-46b8-86aa-c196b14fd3f4" RequestID="c39d1233-fd91-49ad-9239-df31239dc9eb" TrxResult="Session Aborted" Appliance="SecureAuth05VM.ff.com" Company="National Title Group Inc" Version="9.2.0.85" PEN="27389" HostName="10.16.2.132" Category="AUDIT" Priority="1" EventID="20990"] Session Aborted

and

<86>1 2023-06-01T16:02:57.015Z 10.16.2.132 SecureAuth5 2928 ID20990 [SecureAuth@27389 CompanyID="b3411237-73ea-4e30-9b50-c3d74f9cfd1b" ApplianceID="46901235-ae95-e811-a16b-0050569105c7" ApplianceMachineName="SCASAPPR1" Realm="SecureAuth5" HashedUserID="Gnt8GzPRYfRYBHMMcLdRddzNmIM=" UserAgent="" UserHostAddress="10.16.2.132" ProductType="1" ReceiveToken="4" UseJava="False" AllowedTokens="ZCOOKIE" AuthGuiMode="3" AuthRegMethod="NONE" AuthRegMethodInfo="" IsPreAuth="False" PreAuthPage="" DestinationSiteUrl="SecurePortal.aspx" ReturnUrl="" TargetUrl="" SAMLConsumerSiteUrl="https://fnf.com" SAMLRelayState="" SAMLTargetUrl="" Succeed="False" Comment="Session Aborted" TimeStamp="2023-06-01T15:52:38.2557478Z" AEResult="" BrowserSession="1b224037-1ec4-49ce-a2b8-13e782fc4bda" RequestID="b9404b12-c2bb-4b64-b414-e08dbf9a5861" TrxResult="Session Aborted" Appliance="SecureAuth05VM.fnf.com" Company="National Title Group Inc" Version="9.2.0.85" PEN="27389" HostName="10.16.2.132" Category="AUDIT" Priority="1" EventID="20990"] Session Aborted

Here is the custom conf:

#begin whitelist for SecureAuth - JB
block parser secureauth_forward-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                sourcetype('secureauth:idp')
                index('app_security_other')
                product('SecureAuth IdP')
                template('t_standard')
            );
        };
    };
};

application secureauth_forward-postfilter[sc4s-postfilter] {
    filter {
        # type(string) on every match: without it syslog-ng treats the pattern as a
        # PCRE regex, where '.' matches any character instead of a literal dot.
        match("10.16.2.132" value("HOST") type(string)) or match("10.16.2.133" value("HOST") type(string)) or
        match("10.1.2.132" value("HOST") type(string)) or match("10.1.2.133" value("HOST") type(string)) or
        match("10.16.2.153" value("HOST") type(string)) or match("10.16.2.154" value("HOST") type(string));
    };
    parser { secureauth_forward-postfilter(); };
};

This is the filter support had me create in compliance_meta_by_source.conf. Note: I changed the IP addresses for this post.

filter f_secureauth_idp {
    host("10.16.2.132" type(glob)) or
    host("10.16.2.133" type(glob)) or
    host("10.1.2.132" type(glob)) or
    host("10.1.2.133" type(glob)) or
    host("10.16.2.153" type(glob)) or
    host("10.16.2.154" type(glob))
};

And the corresponding values from compliance_meta_by_source.csv:

f_secureauth_idp,.splunk.index,"app_security_other"
f_secureauth_idp,.splunk.sourcetype,"secureauth:idp"

I don't know if this is helpful, but:


@Jaxjohnny (Author) commented

When using Splunk Connect for Syslog (SC4S), which is a podman container around syslog-ng, the data between brackets was not collected. This is because SecureAuth is not sending true RFC5424 format.
For your future reference, to correct this, we used the syslog-ng template t_5424_hdr_sdata_msg:

#Send RFC5424 message
template t_5424_hdr_sdata_msg {
    template('${ISODATE} $(if ("${HOST}" ne "") "${HOST}" "-") ${PROGRAM:--} ${PID:--} ${MSGID:--} ${SDATA:--}${MESSAGE}');
};

SC4S was ignoring all data in between the brackets; see below.

This is what Wireshark shows for the data (follow UDP stream). Nothing inside the square brackets is making it into Splunk.

<86>1 2023-06-01T15:57:33.760Z 10.164.2.132 SecureAuth2 2928 ID90020 [SecureAuth@27389 UserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" UserHostAddress="10.1.2.2" RequestID="d2014021-4e06-45c6-a580-346e12346b60" Realm="SecureAuth2" Appliance="SecureAuth05VM.domain.com" Company="National Title Group Inc" Version="9.2.0.85" PEN="27389" HostName="10.1.2.2" Category="AUDIT" Priority="4" EventID="90020"] Application - Begin request

The only thing we see in Splunk is the text "Application - Begin request".

This is the final parser:

#begin whitelist for SecureAuth - JB
block parser secureauth_forward-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                sourcetype('secureauth:idp')
                index('ent_app_security_other')
                product('SecureAuth IdP')
                template('t_5424_hdr_sdata_msg')
            );
        };
    };
};

application secureauth_forward-postfilter[sc4s-postfilter] {
    filter {
        # type(string) on every match: without it syslog-ng treats the pattern as a
        # PCRE regex, where '.' matches any character instead of a literal dot.
        match("10.1.2.2" value("HOST") type(string)) or match("10.1.2.3" value("HOST") type(string)) or
        match("10.15.2.2" value("HOST") type(string)) or match("10.15.2.3" value("HOST") type(string)) or
        match("10.1.2.53" value("HOST") type(string)) or match("10.1.2.4" value("HOST") type(string));
    };
    parser { secureauth_forward-postfilter(); };
};

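As an added illustration (not code from the issue, from SC4S, or from SecureAuth), the following Python parses an RFC 5424 line shaped like the SecureAuth event above and renders it two ways: the MSG part alone, which per the thread is all that reached Splunk with the original template, and the header + SDATA + MSG layout of the t_5424_hdr_sdata_msg template. The sample line, its placeholder field values, and the helper names are constructed assumptions; the `lost_fields` check lists which SD-PARAMs a MSG-only forwarder silently drops.

```python
import re

# Constructed sample shaped like the SecureAuth IdP event in the issue; values are placeholders.
SAMPLE = ('<86>1 2023-06-01T16:02:57.015Z 10.16.2.132 SecureAuth5 2928 ID20990 '
          '[SecureAuth@27389 Realm="SecureAuth5" Succeed="False" Comment="Session Aborted" '
          'Category="AUDIT" EventID="20990"] Session Aborted')

HDR_RE = re.compile(r'^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ')   # PRI VERSION TS HOST APP PID MSGID
PARAM_RE = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')           # SD-PARAM name="value"

def parse_rfc5424(line):
    """Split an RFC 5424 line into header fields, STRUCTURED-DATA and MSG."""
    m = HDR_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri, ts, host, app, pid, msgid = m.groups()
    rest, sdata, elements = line[m.end():], "", {}
    if rest.startswith("-"):                        # NILVALUE: no structured data
        rest = rest[1:]
    while rest.startswith("["):                     # one or more SD-ELEMENTs
        end = rest.find("]")
        while end != -1 and rest[end - 1] == "\\":  # skip an escaped ']' inside a PARAM-VALUE
            end = rest.find("]", end + 1)
        if end == -1:
            raise ValueError("unterminated SD-ELEMENT")
        sd_id, _, params = rest[1:end].partition(" ")
        elements[sd_id] = {k: v.replace('\\"', '"') for k, v in PARAM_RE.findall(params)}
        sdata, rest = sdata + rest[:end + 1], rest[end + 1:]
    return {"pri": int(pri), "isodate": ts, "host": host, "program": app, "pid": pid,
            "msgid": msgid, "sdata": sdata, "elements": elements,
            "message": rest[1:] if rest.startswith(" ") else rest}

def render_msg_only(ev):
    """What reached Splunk with the original template, per the issue: the MSG part alone."""
    return ev["message"]

def render_5424_hdr_sdata_msg(ev):
    """Mirror of the t_5424_hdr_sdata_msg template: header, SDATA (or '-'), then MSG.
    Like the template, it puts no space between ${SDATA:--} and ${MESSAGE}."""
    return (f'{ev["isodate"]} {ev["host"] or "-"} {ev["program"] or "-"} {ev["pid"] or "-"} '
            f'{ev["msgid"] or "-"} {ev["sdata"] or "-"}{ev["message"]}')

def lost_fields(line):
    """SD-PARAM names present on the wire but absent from the MSG-only rendering."""
    ev = parse_rfc5424(line)
    kept = render_msg_only(ev)
    return sorted(k for params in ev["elements"].values() for k in params if f'{k}="' not in kept)

if __name__ == "__main__":
    event = parse_rfc5424(SAMPLE)
    print("MSG only   :", render_msg_only(event))
    print("hdr+sd+msg :", render_5424_hdr_sdata_msg(event))
    print("dropped    :", lost_fields(SAMPLE))
```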
@rjha-splunk (Collaborator) commented

Thank you for the update; it looks good. We can add it to the supported parsers in the next release.

@rjha-splunk rjha-splunk added the enhancement New feature or request label Jun 22, 2023
@bparmar-splunk bparmar-splunk linked a pull request Jul 4, 2023 that will close this issue