Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] RE: Grouper and Splunk

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] RE: Grouper and Splunk

Chronological Thread 
  • From: Carl Waldbieser <>
  • To: "Carey M. Black" <>
  • Cc: grouper-users <>
  • Subject: Re: [grouper-users] RE: Grouper and Splunk
  • Date: Fri, 14 Sep 2018 11:17:20 -0400 (EDT)
  • Ironport-phdr: 9a23:qywTixbmSo8InFVhsE7+yxb/LSx+4OfEezUN459isYplN5qZr8m8bnLW6fgltlLVR4KTs6sC17KJ9fi4EUU7or+5+EgYd5JNUxJXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQviPgRpOOv1BpTSj8Oq3Oyu5pHfeQpFiCa/bL9oMBm6sRjau9ULj4dlNqs/0AbCrGFSe+RRy2NoJFaTkAj568yt4pNt8Dletuw4+cJYXqr0Y6o3TbpDDDQ7KG81/9HktQPCTQSU+HQRVHgdnwdSDAjE6BH6WYrxsjf/u+Fg1iSWIdH6QLYpUjm58axlVAHnhzsGNz4h8WHYlMpwjL5AoBm8oxBz2pPYbJ2JOPZ7eK7WYNEUSndbXstJWSJPAp2yYYgNAOoPIOhXoJXyqVQPrRW5GQmhH//vxz1UiXPqx6A2z+YsHAfb1wIgBdIOt3HUoc3rOagIS+C1yLTDwjXZYPNSxDjy84nIfQ46of6SR7J7bM3cyEc1GAPBk1qfso3lMC2J2ekWt2iU9eRgWvivimE5twFxviagyt0yhYbUm4IY01bJ/jh6zoYtPdC0VUB2bNq+HJdNuCyXNZF6Tt4/T21ypSo3xb8LtYamcCUEzJkr3QPTZvOFfoSS/x7uVPydLSlkiH54YL6zmhi//Ey6xuHhWcS50kxGojdYntXWq3wA2QLf586aQfVn5EihwyyA1wXL5+FEP080ka3bJoYkwr4sjJUes17PHivsl0X4lqCXdlsr+vS06+v5eLnpuIKTN5JshgH/NKQhhNC/DPwlPgUAW2WX4/mw2bLh8EHjXblGk+c6nrTWvZ3YPcgbo7S2Aw5R0oYt8Ra/CDKm3cwWnHYdKFJKZQmIj4n3NF7SO/34Ce2wg1q2nzZr2f/GIqHhDYvXInfdjbjhYK5x61RAxwor0dBf+5VUB6kOIPLpXU/xqcTYAQEjMwCt3ubnE8ty1pkFWW+UBq+ZMbjSsUOT5u4xOeWMZYkVuCrjJPg/4f7hk2M5lUEHcaa3wJQXdSPwIvMzaW6Qe3f9yvJHWU0OtwE9BqS+glmLWj0VPizpd6Un+3c2BJ/wXqnZQYX4q7Wb2G+EF5labGFLEV2WWSP3foGIUfYBYwqWK8FogzEYSbXnRoM8g0L9/DTmwqZqe7KHshYTsojugZ0sv7Xe


We are basically shipping our changelogger and provisioner logs to Splunk.
This includes the events that are sent/received/processed for each service.
Those logs are useful for alerting if a provisioner runs into trouble. We
have standard web logs, and grouper_error logs going in, but I don't find
those as useful for day-to-operations.

Carl Waldbieser
ITS Identity Management
Lafayette College

----- Original Message -----
From: "Carey M. Black"
To: "grouper-users"
Sent: Friday, 14 September, 2018 09:57:03
Subject: [grouper-users] RE: Grouper and Splunk


Poking an old thread.
So far I have received no comments/strategies. ( Should I assume that no one
is doing anything like this? )

Carey Matthew

Office of the Chief Information Officer (OCIO)
Identity and Access Management - Security Engineer-Lead
614-292-6079 Office

-----Original Message-----
From: Black, Carey M.
Sent: Saturday, May 26, 2018 11:29 PM

Subject: Grouper and Splunk


Before I start to reinvent the wheel....

For those of you who use Grouper and Splunk.... (or any other SEIM tool )
How/What data are you exporting from Grouper to Splunk?
"Just" feeding it some of the standard log4J UI logs? Loader
Logs? WS Logs? PSP/NG Logs?
Did you setup any specific log levels/classes
specifically for Splunk visibility?
Do you try to send Grouper audit data? ( "User audit" and/or "PIT
audit" ? )
Do you try to "limit"/"shape" the details that are headed to Splunk
or just dumping it all?

Part of me thinks I should try to capture only this data and get it into
Membership changes in:
External System of Record group changes ( loaded from: loader
jobs, script integrations, etc... )
Grouper System of Record Groups (Think: manual groups
maintained in Grouper, like includes/excludes )
Access Policy groups ( any group "used by an external system")

And not send data about membership changes all of the "group math" /
intermediate role up groups between the SOR's and the Access Policies.
And then parts of me thinks knowing who changed what about
the group math structure would also be good to have logged too. ( Just not
the membership changes for those groups.)

However, doing exactly that would take some work to identify/maintain the
"right groups" and could be subject to "Opps, missed that group" problems too.
( Maybe use a custom change log consumer to directly emit the
"Splunk" data in a "Splunk format" ?)

Anyone what to share their strategy?

Carey Matthew

Archive powered by MHonArc 2.6.19.

Top of Page