Siteminder analysis & reporting - how to? From the basics for a new user
We have added CA Siteminder r12 into our log collection and via Analysis Event Viewer/Message view, I am able to see the logs in enVision.
However I am having trouble figuring out if it's properly parsing them and how to create a simple report such as all authenticated users in past hour.
When I go to Analysis/Query & create a new query I don't know what table to query, thus don't know how to get started.
Any pointers or examples of existing Siteminder reports would be most welcome.
Thanks in advance
You can get an idea of where the messages parse by looking at the Manage Messages to Parse screen in enVision. Go to Overview >> System Configuration >> Messages >> Manage Messages to Parse, then find your Siteminder event source.
In there, you'll see a list of every table to which every defined message will parse. That will give you an idea of where you can start querying for data.
Additionally, there are two "Class Generic" reports in the Access Control area of the Ad Hoc report menu that should ideally return data from Siteminder:
- Overview of Failed Authentication Events
- Overview of Successful Authentication Events
I hope that helps!
It turns out the data collected from a UNIX machine running Siteminder isn't supported, thus my confusion with my first attempt. I worked with a very helpful RSA support engineer and they plan to make some updates in the next event source which should help. Once updated I will use your solution to guide me through the data.