OneLogin logs

OneLogin is a cloud-based identity and access management (IAM) provider that offers unified access management for enterprise businesses. You can push OneLogin logs to Site24x7 AppLogs to monitor them comprehensively, track errors, and receive alerts and reports from a single console.

Prerequisite: you need a OneLogin Enterprise or Unlimited plan subscription.

Creating a log type in Site24x7 AppLogs

  1. Log in to your Site24x7 account > Admin > AppLogs > Add Log Type
  2. Enter a display name
  3. Select OneLogin Logs from the Log Type drop-down list
  4. Enter the retention period and the maximum upload limit
  5. By default, this is the log pattern that Site24x7 AppLogs recognizes for OneLogin logs.
    • Log pattern:
    json $event.imported_user_id as imported_user_id$ $event.privilege_id as privilege_id$ $event.notes as notes$ $event.note_title as note_title$ $event.proxy_agent_name as proxy_agent_name$ $event.directory_sync_run_id as directory_sync_run_id$ $event.authentication_factor_id as authentication_factor_id$ $event.solved as solved$ $event.mapping_name as mapping_name$ $event.uuid as uuid$ $event.resolution as resolution$ $event.client_id as client_id$ $event.proxy_agent_id as proxy_agent_id$ $event.otp_device_id as otp_device_id$ $event.event_type_id as event_type_id:number$ $event.resource_type_id as resource_type_id$ $event.role_id as role_id$ $event.actor_user_name as actor_user_name$ $event.error_description as error_description$ $event.create._id as create__id$ $event.directory_id as directory_id$ $event.ipaddr as ipaddr$ $event.app_id as app_id$ $event.assuming_acting_user_id as assuming_acting_user_id$ $event.authentication_factor_type as authentication_factor_type$ $event.login_id as login_id$ $event.imported_user_name as imported_user_name$ $event.group_name as group_name$ $event.certificate_name as certificate_name$ $event.otp_device_name as otp_device_name$ $event.directory_name as directory_name$ $event.object_id as object_id$ $event.adc_id as adc_id$ $event.trusted_idp_name as trusted_idp_name$ $event.role_name as role_name$ $event.policy_type as policy_type$ $event.resolved_by_user_id as resolved_by_user_id$ $event.custom_message as custom_message$ $event.user_id as user_id:number$ $event.resolved_at as resolved_at$ $event.actor_system as actor_system$ $event.privilege_name as privilege_name$ $event.task_name as task_name$ $event.radius_config_name as radius_config_name$ $event.service_directory_id as service_directory_id$ $event.policy_id as policy_id$ $event.user_name as user_name$ $event.event_timestamp as event_timestamp:date:yyyy-MM-dd HH:mm:ss$ $event.api_credential_name as api_credential_name$ $event.certificate_id as certificate_id$ 
$event.actor_user_id as actor_user_id:number$ $event.param as param$ $event.adc_name as adc_name$ $event.user_field_name as user_field_name$ $event.user_field_id as user_field_id$ $event.proxy_ip as proxy_ip$ $event.note_id as note_id$ $event.policy_name as policy_name$ $event.app_name as app_name$ $event.login_name as login_name$ $event.account_id as account_id:number$ $event.group_id as group_id$ $event.authentication_factor_description as authentication_factor_description$ $event.mapping_id as mapping_id$ $event.radius_config_id as radius_config_id$ $event.trusted_idp_id as trusted_idp_id$ $event.entity as entity$
    • Sample log:
      {"event":{"create":{"_id":"c451ec08-5e1a-4d7c-b4ff-0d61e7fa83a6"},"directory_name":null,"event_type_id":11,"role_id":null,"privilege_id":null,"group_name":null,"adc_id":null,"group_id":null,"service_directory_id":null,"radius_config_name":null,"policy_id":null,"privilege_name":null,"custom_message":null,"param":null,"client_id":null,"job_id":null,"app_id":null,"risk_cookie_id":null,"self_registration_profile_name":null,"report_id":null,"resource_type_id":null,"service_job_id":null,"login_name":null,"browser_fingerprint":null,"user_field_name":null,"uuid":"c451ec08-5e1a-4d7c-b4ff-0d61e7fa83a6","user_agent":"OneLogin Faraday Client v0.2.1","actor_system":"","ipaddr":"103.26.110.197","event_location_id":null,"directory_id":null,"authentication_factor_description":null,"proxy_agent_name":null,"directory_sync_run_id":null,"safe_to_unescape":null,"event_timestamp":"2021-08-18 05:18:29 UTC","user_name":"Dev User","role_name":null,"app_name":null,"policy_name":null,"mapping_name":null,"resolution":null,"entity":null,"authentication_factor_type":null,"authentication_factor_id":null,"service_job_name":null,"user_agent_id":null,"actor_user_id":146414317,"proxy_ip":null,"note_title":null,"certificate_id":null,"note_id":null,"account_id":195258,"actor_user_name":"Dev User","solved":null,"task_id":null,"otp_device_id":null,"resolved_by_user_id":null,"assumed_by_superadmin_or_reseller":null,"report_name":null,"user_field_id":null,"risk_score":null,"object_id":null,"self_registration_profile_id":null,"user_id":146414317,"imported_user_name":null,"mapping_id":null,"login_id":null,"radius_config_id":null,"otp_device_name":null,"adc_name":null,"task_name":null,"certificate_name":null,"proxy_agent_id":null,"notes":null,"api_credential_name":null,"assuming_acting_user_id":null,"risk_reasons":null,"policy_type":null,"job_name":null,"trusted_idp_name":null,"imported_user_id":null,"error_description":null,"resolved_at":null,"trusted_idp_id":null}}
  6. Copy the API endpoint URL given below, as shown in the screenshot.
  7. Click Save
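To show how the log pattern above maps the webhook's nested JSON onto named, typed fields (for example event.create._id becoming create__id, event_type_id becoming a number, and event_timestamp being parsed with the yyyy-MM-dd HH:mm:ss format), here is an added Python example. It is not Site24x7's or OneLogin's code; it assumes the pattern syntax shown on this page and uses a constructed subset of the pattern and of the sample event. Note that the sample event's timestamp carries a trailing " UTC" that the pattern's date format does not name, so the example strips that suffix and treats the time as UTC.

```python
import json
import re
from datetime import datetime, timezone

# Constructed subset of the page's log pattern (same syntax, fewer fields).
PATTERN = (
    "json $event.create._id as create__id$ "
    "$event.event_type_id as event_type_id:number$ "
    "$event.ipaddr as ipaddr$ "
    "$event.user_id as user_id:number$ "
    "$event.event_timestamp as event_timestamp:date:yyyy-MM-dd HH:mm:ss$ "
    "$event.actor_user_name as actor_user_name$ "
    "$event.error_description as error_description$"
)

# One pattern token: $<json.path> as <field>[:<type>[:<format>]]$
FIELD_RE = re.compile(r"\$([\w.]+) as (\w+)(?::(\w+)(?::([^$]+))?)?\$")

# Java-style date tokens used in the pattern, mapped to strptime directives.
# Upper/lower case distinguishes month (MM) from minute (mm), so plain
# replacement in this order is unambiguous.
_DATE_TOKENS = [("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
                ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]


def parse_pattern(pattern):
    """Return a list of (json_path, field_name, type, format) tuples."""
    if not pattern.startswith("json "):
        raise ValueError("only json patterns are handled in this example")
    return [(m.group(1).split("."), m.group(2), m.group(3) or "string", m.group(4))
            for m in FIELD_RE.finditer(pattern)]


def _lookup(obj, path):
    """Walk a dotted path through nested dicts; missing keys yield None."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _java_to_strptime(fmt):
    for java, py in _DATE_TOKENS:
        fmt = fmt.replace(java, py)
    return fmt


def coerce(value, ftype, fmt):
    """Apply the pattern's type annotation to a raw JSON value."""
    if value is None:
        return None
    if ftype == "number":
        return int(value) if float(value).is_integer() else float(value)
    if ftype == "date":
        text = str(value)
        # Assumption: the trailing " UTC" seen in the sample event is not part of
        # the pattern's format, so it is stripped and the time is labelled UTC.
        if text.endswith(" UTC"):
            text = text[:-4]
        return datetime.strptime(text, _java_to_strptime(fmt)).replace(tzinfo=timezone.utc)
    return value


def extract(line, pattern=PATTERN):
    """Parse one JSON log line into the named fields the pattern defines."""
    event = json.loads(line)
    return {name: coerce(_lookup(event, path), ftype, fmt)
            for path, name, ftype, fmt in parse_pattern(pattern)}


# Constructed log line: a trimmed copy of the page's sample event.
SAMPLE_LINE = json.dumps({"event": {
    "create": {"_id": "c451ec08-5e1a-4d7c-b4ff-0d61e7fa83a6"},
    "event_type_id": 11,
    "ipaddr": "103.26.110.197",
    "user_id": 146414317,
    "event_timestamp": "2021-08-18 05:18:29 UTC",
    "actor_user_name": "Dev User",
    "error_description": None,
}})

if __name__ == "__main__":
    for name, value in extract(SAMPLE_LINE).items():
        print(f"{name}: {value!r}")
```

Running the block prints each extracted field; fields that are null in the event (error_description here) stay None rather than being dropped, which matters when a downstream dashboard counts events by that field.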

Creating a webhook in OneLogin

  1. Log in to your OneLogin account as an administrator and navigate to Developers > Webhooks > New Webhook
  2. Select Event Webhook for log management
  3. Enter a name in the New Broadcaster pop-up. Select SIEM as the format.
  4. Paste the API endpoint URL copied from the Site24x7 console into the Listener URL field
  5. Provide custom headers, if any.
  6. Click Save

  7. You can also refer to this link to create the webhook.

Viewing data

  1. Log in to your Site24x7 account > AppLogs
  2. Enter OneLogin as the log type in the search bar and press Enter
  3. You can see the following metrics in the dashboard:

    • Unauthorized API calls
    • Login failures
    • App user limit reached
    • App authentication failures
    • Top 10 events
    • App events
    • Password changes
    • Events over time
    • Successful logins over time
    • Failed logins over time
    • Top active users
    • Logins by app
    • Users created in apps
    • Top 10 errors
    • Top 10 users by events