grouper-users - [grouper-users] RE: Grouper and Splunk
Subject: Grouper Users - Open Discussion List
- From: "Black, Carey M." <>
- To: " Mailing List" <>
- Subject: [grouper-users] RE: Grouper and Splunk
- Date: Fri, 14 Sep 2018 13:57:03 +0000
All,
Poking an old thread.
So far I have received no comments/strategies. ( Should I assume that no one
is doing anything like this? )
--
Carey Matthew
Office of the Chief Information Officer (OCIO)
Identity and Access Management - Security Engineer-Lead
614-292-6079 Office
-----Original Message-----
From: Black, Carey M.
Sent: Saturday, May 26, 2018 11:29 PM
To:
Subject: Grouper and Splunk
All,
Before I start to reinvent the wheel....
For those of you who use Grouper and Splunk.... (or any other SIEM tool )
How/What data are you exporting from Grouper to Splunk?
"Just" feeding it some of the standard log4j UI logs? Loader Logs? WS Logs? PSP/NG Logs?
Did you set up any specific log levels/classes specifically for Splunk visibility?
Do you try to send Grouper audit data? ( "User audit" and/or "PIT audit" ? )
Do you try to "limit"/"shape" the details that are headed to Splunk or just dumping it all?
Part of me thinks I should try to capture only this data and get it into Splunk:
    Membership changes in:
        External System of Record group changes ( loaded from: loader jobs, script integrations, etc... )
        Grouper System of Record Groups (Think: manual groups maintained in Grouper, like includes/excludes )
        Access Policy groups ( any group "used by an external system")
And not send data about membership changes for all of the "group math" / intermediate roll-up groups between the SORs and the Access Policies.
And then part of me thinks knowing who changed what about the group math structure would also be good to have logged too. ( Just not the membership changes for those groups.)
However, doing exactly that would take some work to identify/maintain the "right groups" and could be subject to "Oops, missed that group" problems too.
( Maybe use a custom change log consumer to directly emit the "Splunk" data in a "Splunk format" ?)
Anyone want to share their strategy?
--
Carey Matthew