UPSSO ADMINISTRATION – SIEM INTEGRATION

This document explains how to integrate the UPSSO application with any Syslog server (SIEM).

CONFIGURING SYSLOG SERVER

  1. Log in to the UPSSO application as an administrator.
  2. Click on the “SIEM Integration” link in the left-side navigation menu.
  3. Enter the Syslog server hostname or IP address.
  4. Enter the Syslog server port number.
  5. Select the Syslog server protocol used to send the logs (TCP/UDP).
  6. Click on the “SAVE” button.

Note: As highlighted in the above screenshot, the administrator can enable or disable sending logs to the Syslog server using the “Enable SIEM notifications” slider button.

CONFIGURING THE EVENT TYPES

The administrator can specify which of the UPSSO application events should be sent to the Syslog server.

  1. Log in to the UPSSO application as an administrator.
  2. Click on the “SIEM Integration” link in the left-side navigation menu.
  3. Under the “ENABLE/DISABLE EVENT TYPES” section, select or unselect the event types using the On/Off slider buttons. Only the logs under the selected event types will be sent to the Syslog server.
  4. Click on the “SAVE” button.

UPSSO SIEM LOG REFERENCE

The following log events are generated by the UPSSO application:

NO | SEVERITY | MESSAGE | EVENT TYPE
1 | ERROR | IDP AUTHENTICATION FAILURE. USERNAME=<USERNAME> | IDP AUTHENTICATION
2 | INFO | IDP AUTHENTICATION SUCCESSFUL. USERNAME=<USERNAME> | IDP AUTHENTICATION
3 | ERROR | SAML MFA AUTHENTICATION FAILURE. USERNAME=<USERNAME>;APPLICATION NAME=<APP_NAME> | SAML MFA EVENTS
4 | INFO | SAML MFA AUTHENTICATION SUCCESSFUL. USERNAME=<USERNAME>;APPLICATION NAME=<APP_NAME> | SAML MFA EVENTS
5 | ERROR | RADIUS MFA AUTHENTICATION FAILURE. USERNAME=<USERNAME>;DEVICE NAME=<APP_NAME> | RADIUS MFA EVENTS
6 | INFO | RADIUS MFA AUTHENTICATION SUCCESSFUL. USERNAME=<USERNAME>;DEVICE NAME=<APP_NAME> | RADIUS MFA EVENTS
7 | INFO | USER CREATED. USERNAME=<USERNAME> | USER DATA EVENTS
8 | INFO | USER DISABLED. USERNAME=<USERNAME> | USER DATA EVENTS
9 | INFO | USER ENABLED. USERNAME=<USERNAME> | USER DATA EVENTS
10 | INFO | USER ROLE UPDATED. USERNAME=<USERNAME>;ROLENAME=<ROLENAME> | USER DATA EVENTS
11 | INFO | APPLICATION ADDED TO ROLE. APP NAME=<APP_NAME>; ROLE NAME=<ROLENAME> | ROLE EVENTS
12 | INFO | APPLICATION REMOVED FROM ROLE. APP NAME=<APP_NAME>; ROLE NAME=<ROLENAME> | ROLE EVENTS
13 | INFO | DEVICE ADDED TO ROLE. DEVICE NAME=<APP_NAME>; ROLE NAME=<ROLENAME> | ROLE EVENTS
14 | INFO | DEVICE REMOVED FROM ROLE. DEVICE NAME=<APP_NAME>; ROLE NAME=<ROLENAME> | ROLE EVENTS
15 | INFO | LDAP SECURITY GROUP ADDED. GROUP NAME = <GROUP_NAME> | CONFIG EVENTS
16 | INFO | LDAP SECURITY GROUP REMOVED. GROUP NAME = <GROUP_NAME> | CONFIG EVENTS
17 | INFO | LDAP CONFIG CHANGED BY USER = <USERNAME> | CONFIG EVENTS
18 | INFO | SMTP CONFIG CHANGED BY USER = <USERNAME> | CONFIG EVENTS
19 | INFO | SMS CONFIG CHANGED BY USER = <USERNAME> | CONFIG EVENTS
20 | INFO | LDAP CONFIG CHANGED BY USER = <USERNAME> | CONFIG EVENTS
21 | INFO | DEVICE ADDED.DEVICE NAME=<DEVICE_NAME> ;USERNAME=<USERNAME> | CONFIG EVENTS
22 | INFO | APPLICATION REMOVED.APPLICATION NAME=<APPLICATION_NAME> ;USERNAME=<USERNAME> | CONFIG EVENTS
23 | INFO | APPLICATION ADDED. APPLICATION NAME=<APPLICATION_NAME> ;USERNAME=<USERNAME> | CONFIG EVENTS
24 | INFO | DEVICE REMOVED.DEVICE NAME=<DEVICE_NAME> ;USERNAME=<USERNAME> | CONFIG EVENTS
25 | ERROR | UPSSO ERROR EVENT. ERROR MESSAGE=<ERR_MSG> | ERROR EVENTS

SAMPLE SYSLOGS

Note: The Syslog messages originating from the UPSSO application will have the following values:

  • Host = UPSSO
  • Process = SSO_MFA

Here’s a screenshot of sample Syslog messages from the UPSSO application:
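As an added example that is not part of the UPSSO documentation or product, the following Python parses messages in the "ACTION. KEY=VALUE;KEY=VALUE" shape used throughout the log reference above and flags a user with repeated IDP AUTHENTICATION FAILURE events, the kind of rule a SIEM would run on this feed. It assumes a standard RFC 3164-style syslog framing around the documented Host = UPSSO and Process = SSO_MFA values (the appliance's exact framing is not shown on this page), and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed RFC 3164-style framing "<PRI>Mon DD HH:MM:SS HOST PROCESS: MESSAGE". The host (UPSSO)
# and process (SSO_MFA) values are from the documentation; the rest of the framing is an assumption.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\s]+):? (.+)$")

def parse_message(text):
    """Split 'ACTION. KEY=VALUE;KEY=VALUE' (or 'ACTION BY USER = x') into the action and its fields."""
    sep = "." if "." in text else " BY "   # "DEVICE ADDED.DEVICE NAME=x" vs "SMTP CONFIG CHANGED BY USER = x"
    action, _, rest = text.partition(sep)
    fields = {}
    for part in rest.split(";"):           # the log reference never places ';' inside a value
        key, eq, value = part.partition("=")
        if eq:
            fields[key.strip().upper()] = value.strip()
    return action.strip(), fields

def parse_syslog(line):
    """Return a record for a UPSSO/SSO_MFA line, or None for a line from any other source."""
    m = SYSLOG_RE.match(line)
    if not m or m.group(3) != "UPSSO" or m.group(4) != "SSO_MFA":
        return None
    action, fields = parse_message(m.group(5))
    return {"time": datetime.strptime(m.group(2), "%b %d %H:%M:%S"),
            "action": action, "fields": fields}

def users_with_repeated_idp_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Usernames with at least `threshold` IDP AUTHENTICATION FAILURE events inside one sliding window."""
    times = defaultdict(list)
    for rec in filter(None, map(parse_syslog, lines)):
        if rec["action"] == "IDP AUTHENTICATION FAILURE" and "USERNAME" in rec["fields"]:
            times[rec["fields"]["USERNAME"]].append(rec["time"])
    flagged = set()
    for user, ts in times.items():
        ts.sort()
        if any(ts[i + threshold - 1] - ts[i] <= window for i in range(len(ts) - threshold + 1)):
            flagged.add(user)
    return flagged

# Constructed sample lines (not real appliance output); the last line is from another host and is ignored.
SAMPLE = [
    "<11>Mar 10 09:00:01 UPSSO SSO_MFA: IDP AUTHENTICATION FAILURE. USERNAME=jdoe",
    "<11>Mar 10 09:00:40 UPSSO SSO_MFA: IDP AUTHENTICATION FAILURE. USERNAME=jdoe",
    "<11>Mar 10 09:02:15 UPSSO SSO_MFA: IDP AUTHENTICATION FAILURE. USERNAME=jdoe",
    "<14>Mar 10 09:04:00 UPSSO SSO_MFA: SMTP CONFIG CHANGED BY USER = admin",
    "<11>Mar 10 09:05:00 otherhost sshd: IDP AUTHENTICATION FAILURE. USERNAME=jdoe",
]
```

Running `users_with_repeated_idp_failures(SAMPLE)` returns `{'jdoe'}`; the host/process check is what keeps the unrelated last line from counting toward the threshold.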