Also, here are my settings for cas from "$SPLUNK_HOME/etc/apps/search/local/props.conf":

[cas]
# Audit records span several lines; start a new event only at a timestamp line.
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}
EXTRACT-cas_log_level = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s(?P<log_level>DEBUG|INFO|ERROR|WARN|WARNING)\s
# Field extractions defined in transforms.conf.
REPORT-cas_action = cas_xform_action
REPORT-cas_client_ip = cas_xform_client_ip
REPORT-cas_what = cas_xform_what
REPORT-cas_who = cas_xform_who
EXTRACT-ticket = (?P<ticket>(ST|TGT|PGT|PT)-\d+-\w+-cas\.lafayette\.edu)

And the relevant transforms from "$SPLUNK_HOME/etc/apps/search/local/transforms.conf":

[cas_xform_action]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?m)^ACTION:\s+(?P<action>.+?)$

[cas_xform_client_ip]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?m)^CLIENT IP ADDRESS:\s+(?P<client_ip>.+?)$

[cas_xform_what]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?m)^WHAT:\s+(?P<what>.+?)$

[cas_xform_who]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?m)^WHO:\s+(?P<who>.+?)$

Thanks,
Carl

----- Original Message -----
From: "Carl Waldbieser" <waldb...@lafayette.edu>
To: cas-user@lists.jasig.org
Sent: Friday, July 17, 2015 10:48:58 AM
Subject: Re: [cas-user] Querying CAS audit data with Splunk

Not sure how the mail list likes attachments. I have attached a tarball "cas-splunk.tgz" that has several of the more useful dashboards. Nothing that follows every service access-- I think that will require some unusual joins. However, some of the statistics dashboards give some good high-level overviews, and the geolocation dashboards are fun if you want to see where folks are authenticating from, or where your service providers are located.

Thanks,
Carl

----- Original Message -----
From: "Marvin Addison" <marvin.addi...@gmail.com>
To: cas-user@lists.jasig.org
Sent: Friday, July 17, 2015 10:19:57 AM
Subject: Re: [cas-user] Querying CAS audit data with Splunk

> Yes, I have some nice splunk dashboards for CAS I can share if there is
> interest.

If you have a dashboard/query that can follow all service accesses in a single SSO session, then I would be very interested.

M

--
You are currently subscribed to cas-user@lists.jasig.org as: waldb...@lafayette.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user