Extract Individual Fields from Audit Log

Strickland, David R dstrickland at austin.utexas.edu
Tue Mar 21 18:20:37 EDT 2017


Michael, Scott,

Thanks very much. I was able to get what I need by making changes to the
shibboleth.AuditFormattingMap in audit.xml.

I think I was looking at an old question and answer about v2 that made me
think the format was hard-coded. Nice to see that this was changed in v3.

Regarding the Splunk use-case, I think it has more to do with how we handle
field extraction in our environment. If I use the name=value syntax, I think
our Splunk instance will extract these fields as events are indexed, rather
than all at once at search time with a rex statement. There may be
workarounds in Splunk, but I'm going off of a request from our ISO. Anyway,
audit.xml gives me the knobs I need.

Thanks again!
-David

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Michael A Grady
Sent: Friday, March 17, 2017 12:17 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Extract Individual Fields from Audit Log


> On Mar 16, 2017, at 8:35 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> 
>> On 3/16/17, 9:21 PM, "users on behalf of Michael A Grady" <users-bounces at shibboleth.net on behalf of mgrady at unicon.net> wrote:
>> 
>> Perhaps I'm not understanding what David wants to do, but couldn't 
>> you do that for the audit log by modifying the AuditFormattingMap in conf/audit.xml?
> 
> Umm, or that. Cut me a break, I had 6 hours of meetings today.
> 
> -- Scott

I had the "unfair advantage" of needing to look at audit log config in the
last day or two, which is the key reason it was fresh in my mind.  