In the previous post on Integrating Centrify Server Suite with SIEM tools, we covered that Centrify Server Suite (CSS) is an agent-based solution for unified identity management across Windows, Linux and UNIX systems. The CSS agent can track over 300 different types of events in real-time on 450+ flavors of Windows, Linux and UNIX machines.
In this post, we cover how to integrate the Centrify events into your existing Splunk deployment.
Getting Started
First, how do I get Centrify events into Splunk? Centrify events are available locally in standard logs either in *Nix syslogs or Windows event logs. Install Splunk Forwarder to centrally consolidate and index all Centrify events on machines with Centrify Agent running. To easily configure the location of the Centrify events use the Centrify Splunk Add-On, follow the installation guide for instructions on how to install the Centrify Add-on.
Check if events are forwarded, by clicking on Data Summary as shown below on the Splunk Web interface.
View Centrify events by searching for “Audit_Trail”, you should see all the Centrify events.
Normalizing events
Install the Centrify Splunk Add-on on the Splunk Server to normalize Centrify events, follow the instructions in the installation guide. Once the events are centrally collected and indexed within splunk, you can find the relevant events via the splunk search interface. To enable finding Centrify events and Centrify fields easily, we have created 18 event types within Splunk and custom parsed all the Centrify fields into Splunk.
Find below a list of all the categorized events, we’ve mapped all the event categories listed in the Centrify Server Suite events document here.
|
Centrify Event Category |
Splunk Event Type |
|
DirectAudit System Management |
centrify_directaudit_system_management |
|
Audit Manager |
centrify_audit_manager |
|
Audit Analyzer |
centrify_audit_analyzer |
|
DirectAuthorize - Windows |
centrify_directauthorize_windows |
|
DirectAudit Windows |
centrify_directaudit_windows |
|
Centrify Configuration |
centrify_configuration |
|
DirectControl UNIX Agent |
centrify_directcontrol_unix_agent |
|
DirectAudit UNIX Agent |
centrify_directaudit_unix_agent |
|
Centrify Commands |
centrify_commands |
|
Trusted Path |
centrify_trusted_path |
|
PAM |
centrify_pam |
|
dzdo |
centrify_dzdo |
|
dzsh |
centrify_dzsh |
|
dzinfo |
centrify_dzinfo |
|
command |
centrify_command |
|
Local Account Management |
centrify_local_account_management |
|
Centrify sshd |
centrify_sshd |
|
MFA |
centrify_mfa |
After Installing the Centrify Add-on, you would see “Centrify Add-on for Splunk” enabled in your Apps as shown below.
Leveraging Splunk’s Common Information Model
Splunk’s CIM enables tagging of common events from different vendors or source types, by enabling this Splunk unifies events from data domain of interest across the enterprise. Splunk has defined around 23 data models today and is rapidly growing. We’ve taken over a dozen events and mapped to Splunk’s Authentication data model.
Shown below, how to find events that are mapped into the authentication data model.
To summarize, CSS Standard edition captures all logon and privilege activity on any machines that have a CSS agent running – the event is stored in CEF format in Syslog on Linux/ UNIX machines and is stored in Event logs on Windows machines. You can now ingest Centrify events to Splunk and normalize the Centrify data leveraging our Splunk Add-on, easily.
In my next post I’ll demonstrate how one could leverage these events in your IBM QRadar Deployment. Meanwhile, you can try Splunk integration today with a free trial of Centrify Server Suite Standard Edition. If you are already a Centrify customer and want to learn more, please contact your Centrify account team.
Links
48676
