
Broadcom Symantec SiteMinder

Broadcom Symantec SiteMinder was formerly known as CA SiteMinder. JSA still uses the name CA SiteMinder for the DSM and the log source type.

The JSA Symantec SiteMinder DSM collects the access and authorization events that Symantec SiteMinder appliances log in the smaccess.log file. The appliance forwards these events to JSA by using syslog-ng.

To integrate Symantec SiteMinder with JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent version of the CA SiteMinder DSM RPM from the Juniper Downloads.

  2. Configure your Symantec SiteMinder appliance to send events to JSA. For more information, see Configuring syslog-ng for Broadcom Symantec SiteMinder.

  3. Add a Symantec SiteMinder log source on the JSA Console.

Broadcom Symantec SiteMinder DSM specifications

Before you configure the Broadcom Symantec SiteMinder DSM, review its specifications, such as the supported SiteMinder version and the protocols that it uses, to help ensure a successful integration.

The following table describes the specifications for the Symantec SiteMinder DSM.

Table 1: Symantec SiteMinder DSM Specifications (specification: value)

Manufacturer: Broadcom

DSM name: CA SiteMinder

RPM file name: DSM-CASiteMinder-QRadar_versionbuild_number.noarch.rpm

Supported version: SiteMinder 12.8

Protocol: Syslog, Log File

Event format: Syslog

Recorded event types: All events

Automatically discovered?: No

Includes identity?: Yes

Includes custom properties?: No

More information: Symantec SiteMinder documentation

Syslog Log Source Parameters for Broadcom Symantec SiteMinder

If JSA does not automatically detect the log source, add a Broadcom Symantec SiteMinder log source on the JSA Console by using the Syslog protocol.

When you use the Syslog protocol, the following table describes the parameters that require specific values to collect syslog events from Symantec SiteMinder:

Table 2: Syslog Log Source Parameters for the Symantec SiteMinder DSM (parameter: value)

Log Source name: Type a name for your log source.

Log Source description: Type a description for the log source.

Log Source type: CA SiteMinder

Protocol Configuration: Syslog

Log Source Identifier: Type the IP address or host name of your Symantec SiteMinder appliance.

Enabled: Select this check box to enable the log source. By default, this check box is selected.

Credibility: From the list, select the credibility value of the log source. The range is 0 - 10.
    The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source device. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector: From the list, select the Target Event Collector to use as the target for the log source.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
    Automatically discovered log sources use the default value that is configured in the Coalescing Events list in the System Settings window, which is accessible on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information, see the Juniper Secure Analytics Administration Guide.

Store Event Payload: Select this check box to have JSA store the event payload; clear it to disable payload storage for this log source.
    Automatically discovered log sources use the default value from the Store Event Payload list in the System Settings window, which is accessible on the Admin tab. When you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information, see the Juniper Secure Analytics Administration Guide.

Configuring syslog-ng for Broadcom Symantec SiteMinder

You must configure your Broadcom Symantec SiteMinder appliance to forward syslog-ng events to your JSA console or Event Collector.

JSA can collect syslog-ng events from TCP or UDP syslog sources on port 514.

To configure syslog-ng for Symantec SiteMinder:

  1. Using SSH, log in to your Symantec SiteMinder appliance as the root user.

  2. Open the syslog-ng configuration file for editing:

    /etc/syslog-ng.conf

  3. Add the following information to specify the access log as the event file for syslog-ng:

  4. Add the following information to specify the destination and message template:

    Where <QRadar IP> is the IP address of the JSA console or Event Collector.

  5. Add the following log entry information:

  6. Save the syslog-ng.conf file.

  7. Type the following command to restart syslog-ng:

    service syslog-ng restart

    After the syslog-ng service restarts, the Symantec SiteMinder configuration is complete. Events that are forwarded to JSA by Symantec SiteMinder are displayed on the Log Activity tab.
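The source, destination and log statements that steps 3 to 5 describe, written out as an added example configuration rather than the page's own configuration text. The smaccess.log path, the placeholder address 192.0.2.10 and the template string are assumptions; substitute the log path of your SiteMinder installation and the address of your JSA console or Event Collector.

```conf
# Added example syslog-ng configuration for forwarding the SiteMinder
# access log to JSA. Paths and addresses are assumptions, not values
# from the JSA documentation.

# Step 3: read smaccess.log as the event file. The path is an assumed
# default; adjust it to your SiteMinder installation.
source s_smaccess {
    file("/opt/CA/siteminder/log/smaccess.log"
         follow-freq(1)          # poll the file once per second
         flags(no-parse));       # forward each line unmodified as $MSG
};

# Step 4: destination and message template. Replace 192.0.2.10 with the
# IP address of the JSA console or Event Collector. JSA accepts syslog
# on port 514 over TCP or UDP; tcp() is used here so that events are
# not silently dropped if the collector is briefly unreachable.
destination d_jsa {
    tcp("192.0.2.10" port(514)
        template("$ISODATE $HOST siteminder: $MSG\n"));
};

# Step 5: connect the source to the destination.
log {
    source(s_smaccess);
    destination(d_jsa);
};
```

After you restart syslog-ng, confirm on the JSA Log Activity tab that events arrive with the Log Source Identifier you configured; if none appear, check that port 514 is reachable from the appliance and that the smaccess.log path is correct.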

Broadcom Symantec SiteMinder Sample Event Messages

Use these sample event messages to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Symantec SiteMinder Sample Message when you use the Syslog Protocol

Sample 1: The following sample event message shows that authorization is accepted.

Table 3: Highlighted Fields in the Symantec SiteMinder Event (JSA field name: highlighted value in the event payload)

Event ID: AuthAccept

Source IP: 10.236.235.223

Username: Test Useruser

Log Source Time: 11/Mar/2021:15:53:45 -0500 (extracted from the date and time fields)

Identity IP: 10.236.235.223

Identity Username: Test Useruser

Sample 2: The following sample event message shows an authorization logout.

Table 4: Highlighted Fields in the Symantec SiteMinder Event (JSA field name: highlighted value in the event payload)

Event ID: AuthLogout

Source IP: 10.6.172.171

Username: Testuser01TesTU@example.com

Log Source Time: 24/May/2012:14:14:50 -0500 (extracted from the date and time fields)