Generic authorization Server

The generic authorization server DSM for JSA records all relevant generic authorization events by using Syslog. "Generic" refers to a non-vendor-specific group of supported application types.

You must configure JSA to interpret the incoming generic authorization events, and manually create a log source.

Configuring Event Properties for Authorization Events

You must manually configure JSA to interpret the incoming generic authorization events:

  1. Forward all authentication server logs to your JSA system.

    For information about forwarding authentication server logs to JSA, see the vendor documentation for your authentication server.

  2. Open the following file:

    /opt/qradar/conf/genericAuthServer.conf

    Make sure you copy this file to systems that host the Event Collector and the JSA console.

  3. Restart the Tomcat server:

    service tomcat restart

    A message is displayed indicating that the Tomcat server is restarted.

  4. Enable or disable regular expressions in your patterns by setting the regex_enabled property. By default, regular expressions are disabled.

    For example:

    regex_enabled=false

    When you set the regex_enabled property to false, the system generates regular expressions (regex) from the tags you entered and uses them to retrieve the corresponding data values from the logs.

    When you set the regex_enabled property to true, you can define custom regex patterns. These patterns are applied directly to the logs and the first captured group is returned. When you define custom regex patterns, you must follow the regex rules of the Java programming language. For more information, see http://download.oracle.com/javase/tutorial/essential/regex/

    To integrate the generic authorization server with JSA, specify character classes explicitly instead of using the predefined classes; for example, the digit class \d becomes [0-9]. Rewrite the expression to use the primitive quantifiers (?, * and +) rather than numeric quantifiers such as {n} or {n,m}.

  5. Add the following lines to the genericAuthServer.conf file.

    The following table provides examples of values that you can use for each pattern. Each Example entry shows the configuration line followed by a log message that it matches.

    Pattern: login_success_pattern=<login success pattern>
    Value: Accepted password
    Example: login_success_pattern=Accepted password
      Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2

    Pattern: login_failed_pattern=<login failure pattern>
    Value: Failed password
    Example: login_failed_pattern=Failed password
      Jun 27 12:58:33 expo sshd[20627]: Failed password for root from <IP_address> port 1849 ssh2

    Pattern: logout_pattern=<logout pattern>
    Value: session closed
    Example: logout_pattern=session closed
      Jun 27 13:00:01 expo su(<Username>)[22723]: session closed for user genuser

    Pattern: source_ip_pattern=<source IP pattern>
    Value: from
    Example: source_ip_pattern=from
      Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2

    Pattern: source_port_pattern=<source port pattern>
    Value: port
    Example: source_port_pattern=port
      Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2

    Pattern: user_name_pattern=<for pattern>
    Value: for
    Example: user_name_pattern=for
      Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from <IP_address> port 1727 ssh2

    Tip: All entries are case-insensitive.

    You are now ready to configure the log source in JSA.
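The following Python script is an added illustration, not part of the JSA documentation or product: it emulates the two pattern modes from steps 4 and 5 over constructed log lines, so you can check what a given genericAuthServer.conf would extract before pointing it at real traffic. The pattern keys, the regex_enabled property and the "first captured group is returned" rule are from the page; the log lines, the IP address and the way a tag is turned into a regex when regex_enabled=false are assumptions made for this example. It also includes a small lint check for the two regex constructs step 4 tells you to avoid.

```python
import re

# Constructed sample genericAuthServer.conf in tag mode (regex_enabled=false),
# using the pattern keys and values from the table above.
CONF_TAG_MODE = """\
regex_enabled=false
login_success_pattern=Accepted password
login_failed_pattern=Failed password
logout_pattern=session closed
source_ip_pattern=from
source_port_pattern=port
user_name_pattern=for
"""

# Same configuration with custom regexes (regex_enabled=true). Field patterns use
# explicit classes ([0-9]) and primitive quantifiers (+) and return group 1.
CONF_REGEX_MODE = """\
regex_enabled=true
login_success_pattern=Accepted password
login_failed_pattern=Failed password
logout_pattern=session closed
source_ip_pattern=from ([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)
source_port_pattern=port ([0-9]+)
user_name_pattern=for ([A-Za-z0-9_.-]+)
"""

# Constructed log lines modelled on the table's examples (IP from the
# documentation range; the su() tag is made up).
SAMPLE_LOGS = [
    "Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 203.0.113.7 port 1727 ssh2",
    "Jun 27 12:58:33 expo sshd[20627]: Failed password for root from 203.0.113.7 port 1849 ssh2",
    "Jun 27 13:00:01 expo su(pam_unix)[22723]: session closed for user genuser",
]

EVENT_KEYS = ("login_success", "login_failed", "logout")
FIELD_KEYS = ("source_ip", "source_port", "user_name")


def parse_conf(text):
    """Parse key=value lines; blank lines and # comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def compile_pattern(conf, key, capture):
    """Build a case-insensitive regex for one *_pattern entry.

    regex_enabled=true: the entry is used as a regex as-is.
    regex_enabled=false: the entry is a literal tag. How JSA derives a regex
    from it is not documented; this ASSUMES "tag, then the next token".
    """
    tag = conf[key + "_pattern"]
    if conf.get("regex_enabled", "false").lower() == "true":
        return re.compile(tag, re.IGNORECASE)
    pattern = re.escape(tag) + (r"\s+(\S+)" if capture else "")
    return re.compile(pattern, re.IGNORECASE)


def classify(line, conf):
    """Return the first event type whose pattern matches the line, or None."""
    for key in EVENT_KEYS:
        if compile_pattern(conf, key, capture=False).search(line):
            return key
    return None


def extract(line, conf, key):
    """Return the first captured group (whole match if the regex has no group)."""
    m = compile_pattern(conf, key, capture=True).search(line)
    if m is None:
        return None
    return m.group(1) if m.groups() else m.group(0)


def parse_event(line, conf):
    """Classify a line and extract its fields; None if it is not an auth event."""
    kind = classify(line, conf)
    if kind is None:
        return None
    event = {"event": kind}
    for key in FIELD_KEYS:
        event[key] = extract(line, conf, key)
    return event


def lint_pattern(pattern):
    """Flag the constructs step 4 says to avoid in custom (Java) regex patterns."""
    problems = []
    if re.search(r"\\[dwsDWS]", pattern):
        problems.append("predefined class; spell it out, e.g. \\d -> [0-9]")
    if re.search(r"\{[0-9]+(,[0-9]*)?\}", pattern):
        problems.append("numeric quantifier; use ?, * or + instead")
    return problems


if __name__ == "__main__":
    for name, text in (("tag mode", CONF_TAG_MODE), ("regex mode", CONF_REGEX_MODE)):
        conf = parse_conf(text)
        print(f"== {name} ==")
        for line in SAMPLE_LOGS:
            print(parse_event(line, conf))
    print(lint_pattern(r"port (\d{1,5})"))
```

Running it shows one caveat worth checking before deployment: the table's user_name_pattern=for fits the sshd lines (it yields "root"), but on the su "session closed for user genuser" line the same tag yields "user", because the token after "for" is not the user name there. Patterns that are shared across event types need to be written (or tested, as above) against every log format you forward.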

Syslog Log Source Parameters for generic authorization server

If JSA does not automatically detect the log source, add a non-vendor-specific generic authorization server log source on the JSA Console by using the Syslog protocol.

When you use the Syslog protocol, some parameters require specific values.

The following table describes the parameters that require specific values to collect Syslog events from a generic authorization server:

Table 1: Syslog Log Source Parameters for the generic authorization server DSM

    Parameter               Value
    Log Source Name         Type a name for your log source.
    Log Source Description  Type a description for the log source.
    Log Source Type         Configurable Authentication
    Protocol Configuration  Syslog
    Log Source Identifier   Type the IP address or host name for the log source as an identifier for events from your generic authorization appliance.