[grouper-users] Grouper and Splunk

  • From: "Black, Carey M." <>
  • To: "" <>
  • Subject: [grouper-users] Grouper and Splunk
  • Date: Sun, 27 May 2018 03:28:49 +0000

All,

Before I start to reinvent the wheel....

For those of you who use Grouper and Splunk.... (or any other SIEM tool)
How/what data are you exporting from Grouper to Splunk?
  • "Just" feeding it some of the standard log4j UI logs? Loader logs? WS logs? PSP/NG logs?
  • Did you set up any specific log levels/classes specifically for Splunk visibility?
  • Do you try to send Grouper audit data? ("User audit" and/or "PIT audit"?)
  • Do you try to "limit"/"shape" the details that are headed to Splunk, or just dump it all?


Part of me thinks I should try to capture only this data and get it into Splunk:
  • Membership changes in:
    • External System of Record group changes (loaded from: loader jobs, script integrations, etc...)
    • Grouper System of Record groups (think: manual groups maintained in Grouper, like includes/excludes)
    • Access Policy groups (any group "used by an external system")

And not send data about membership changes in all of the "group math" / intermediate roll-up groups between the SORs and the Access Policies. And then part of me thinks knowing who changed what about the group math structure would also be good to have logged too. (Just not the membership changes for those groups.)

However, doing exactly that would take some work to identify/maintain the "right groups" and could be subject to "Oops, missed that group" problems too. (Maybe use a custom change log consumer to directly emit the "Splunk" data in a "Splunk format"?)

Anyone want to share their strategy?

--
Carey Matthew
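The "custom change log consumer" idea from the message above, written out as an added example (not code from the original post or from the Grouper project): a Grouper 2.x change log consumer that reports only flattened membership changes in SOR and access-policy groups, skips the intermediate "group math" groups, and appends one JSON line per event to a file for a Splunk forwarder to pick up. The `ref:`/`app:` stems and the output path are assumptions standing in for a site's own folder layout and forwarder config.

```java
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.List;
import edu.internet2.middleware.grouper.changeLog.ChangeLogConsumerBase;
import edu.internet2.middleware.grouper.changeLog.ChangeLogEntry;
import edu.internet2.middleware.grouper.changeLog.ChangeLogLabels;
import edu.internet2.middleware.grouper.changeLog.ChangeLogProcessorMetadata;
import edu.internet2.middleware.grouper.changeLog.ChangeLogTypeBuiltin;
// Writes one JSON line per membership change in SOR or policy groups; a Splunk forwarder tails the file.
public class SplunkMembershipConsumer extends ChangeLogConsumerBase {
  // Assumed folder layout: SOR and access-policy groups live under these stems; basis and
  // intermediate roll-up ("group math") groups live elsewhere and are deliberately not reported.
  private static final String[] REPORTED_STEMS = {"ref:", "app:"};
  private static final String OUT_FILE = "/var/log/grouper/splunk-membership.json"; // assumed path
  static boolean isReported(String groupName) {
    if (groupName == null) return false;
    for (String stem : REPORTED_STEMS) if (groupName.startsWith(stem)) return true;
    return false;
  }
  // Minimal JSON string escaping so a group name or subject id cannot break the record.
  static String q(String s) {
    return "\"" + (s == null ? "" : s.replace("\\", "\\\\").replace("\"", "\\\"")) + "\"";
  }
  @Override
  public long processChangeLogEntries(List<ChangeLogEntry> entries, ChangeLogProcessorMetadata metadata) {
    long currentId = entries.isEmpty() ? -1 : entries.get(0).getSequenceNumber();
    try (PrintWriter out = new PrintWriter(new FileWriter(OUT_FILE, true))) {
      for (ChangeLogEntry entry : entries) {
        currentId = entry.getSequenceNumber();
        String action, group, subject;
        if (entry.equalsCategoryAndChangeType(ChangeLogTypeBuiltin.MEMBERSHIP_ADD)) {
          action = "add";
          group = entry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_ADD.groupName);
          subject = entry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_ADD.subjectId);
        } else if (entry.equalsCategoryAndChangeType(ChangeLogTypeBuiltin.MEMBERSHIP_DELETE)) {
          action = "delete";
          group = entry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_DELETE.groupName);
          subject = entry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_DELETE.subjectId);
        } else continue;                   // not a membership change
        if (!isReported(group)) continue;  // change in a "group math" group: not sent to Splunk
        // contextId lets Splunk join this event to the audit entry that records who made the change
        out.println("{\"action\":" + q(action) + ",\"group\":" + q(group) + ",\"subjectId\":" + q(subject)
            + ",\"contextId\":" + q(entry.getContextId()) + ",\"seq\":" + currentId + "}");
      }
    } catch (IOException e) {  // report the failing entry so Grouper re-delivers from there next run
      metadata.registerProblem(e, "could not write Splunk membership file", currentId);
      return currentId - 1;
    }
    return currentId;
  }
}
```

The consumer is registered in grouper-loader.properties with a `changeLog.consumer.<name>.class` entry naming this class and a `changeLog.consumer.<name>.quartzCron` schedule; a stem-prefix test like `isReported` is the simplest way to avoid the "oops, missed that group" problem, at the cost of requiring the folder layout to be kept honest.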
