Generic Authorization Server - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CONFIGURING DSMS REV 1 Manual


28 GENERIC AUTHORIZATION SERVER

A STRM generic authorization server DSM accepts events using syslog. STRM
records all relevant events. Before you configure STRM to integrate with generic
authorization server, you must:

Step 1 Forward all authentication server logs to your STRM system.
Note: For information on forwarding authentication server logs to STRM, see your
generic authorization server vendor documentation.

Step 2 Open the following file:
/opt/qradar/conf/genericAuthServer.conf
Note: Make sure you copy this file to systems hosting the Event Collector and the
Console.

Step 3 Restart the Tomcat server:
service tomcat restart
A message appears indicating that the Tomcat server has restarted.

Step 4 Enable or disable regular expressions in your patterns by setting the
regex_enabled property accordingly. By default, regular expressions are disabled.
For example:
regex_enabled=false
When you set the regex_enabled property to false, the system generates regular
expressions based on the tags you entered while attempting to retrieve
the corresponding data values from the logs.
When you set the regex_enabled property to true, you can define custom regular
expressions to control patterns. These regular expressions are applied directly
to the logs and the first captured group is returned. When defining custom regex
patterns, you must adhere to regex rules, as defined by the Java programming
language. For more information, see the following web site:
http://java.sun.com/docs/books/tutorial/extra/regex/
To integrate the generic authorization server with STRM, make sure you specify
the classes directly instead of using the predefined classes. For example, the digit
class (/\d/) becomes /[0-9]/. Also, instead of using numeric qualifiers,
rewrite the expression to use the primitive qualifiers (/?/, /*/ and /+/).
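The following Java sketch is an added example, not part of the Juniper manual or the STRM product. It flags a custom pattern that still uses predefined classes or numeric qualifiers, then applies the rewritten pattern to a log line and returns the first captured group, as described above. The class name, method names and the syslog line are hypothetical and constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AuthPatternCheck {
    // Constructs the guidance above says to avoid: predefined classes
    // (\d, \w, \s and their negations) and numeric qualifiers ({n}, {n,}, {n,m}).
    private static final Pattern PREDEFINED_CLASS = Pattern.compile("\\\\[dDwWsS]");
    private static final Pattern NUMERIC_QUALIFIER = Pattern.compile("\\{[0-9]+(,[0-9]*)?\\}");

    /** True if the pattern uses only explicit classes and the ?, * and + qualifiers. */
    static boolean followsGuidance(String regex) {
        return !PREDEFINED_CLASS.matcher(regex).find()
            && !NUMERIC_QUALIFIER.matcher(regex).find();
    }

    /** Applies the pattern to a log line; returns the first captured group, or null. */
    static String firstGroup(String regex, String logLine) {
        Matcher m = Pattern.compile(regex).matcher(logLine);
        return (m.find() && m.groupCount() >= 1) ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // Constructed sample syslog line, not taken from any real device.
        String line = "Jun 27 12:11:21 authsrv01 sshd[1234]: "
                    + "Accepted password for jdoe from 192.0.2.15 port 4022";

        // Shorthand form: uses \d and the numeric qualifier {1,3}.
        String shorthand = "from (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})";

        // Rewritten form: [0-9] replaces \d, and [0-9][0-9]?[0-9]? expresses
        // "one to three digits" with primitive qualifiers only. A plain [0-9]+
        // would also pass the check but accepts runs of any length.
        String octet = "[0-9][0-9]?[0-9]?";
        String rewritten = "from (" + octet + "\\." + octet + "\\." + octet + "\\." + octet + ")";

        System.out.println("shorthand follows guidance: " + followsGuidance(shorthand));
        System.out.println("rewritten follows guidance: " + followsGuidance(rewritten));
        System.out.println("source IP: " + firstGroup(rewritten, line));
        System.out.println("user name: " + firstGroup("for ([a-zA-Z0-9_.-]+) from", line));
    }
}
```

Only the text inside the first pair of parentheses is returned, so keep surrounding anchor text such as "from " outside the group.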
