Skip to content

OpenAM

OpenAM

About

OpenAM provides an infrastructure for managing users, roles, and access to resources, and centralizes access control by handling both authentication and authorization.

Product Details

Vendor URL: OpenAM

Product Type: Identity/Access Management

Product Tier: Tier II

Integration Method: Syslog

Integration URL: n/a

Log Guide: n/a

Parser Details

Log Format: CSV and KV

Expected Normalization Rate: near 100%

Data Label: OPENAM

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
Statically Defined extensions.auth.type
eventName metadata.product_event_type
description metadata.description
ad.trackingIds metadata.product_log_id
Statically Defined metadata.product_name
Statically Defined metadata.vendor_name
shost principal.hostname
src_ip, client.ip, info.ipAddress principal.ip
client.port principal.port
nodeId principal.resource.id
treeName principal.resource.name
authLevel principal.resource.resource_subtype
nodeType principal.resource.type
am_user principal.user.email_addresses
am_group principal.user.group_identifiers
am_user principal.user.userid
dhost target.hostname
dst, serverip target.ip
serverport target.port
loginId, am_user target.user.email_addresses
am_group target.user.group_identifiers
am_user target.user.userid
Statically Defined network.application_protocol
requestMethod network.http.method
request network.http.referral_url
user-agent network.http.user_agent

Product Event Types

Product Event Description UDM Event
AM-LOGIN USER_LOGIN
AM-SESSION-CREATED USER_LOGIN
AM-TREE-LOGIN-COMPLETED USER_LOGIN
AM-NODE-LOGIN-COMPLETED USER_LOGIN
AM_LOGOUT USER_LOGOUT
AM-SESSION-DESTROYED USER_LOGOUT
AM-SESSION-IDLE_TIMED_OUT USER_LOGOUT
AM-SESSION-LOGGED_OUT USER_LOGOUT
AM-NODE USER_UNCATEGORIZED
AM-ACCESS-OUTCOME NETWORK_HTTP
Default src_ip not empty STATUS_UPDATE
Default All other events GENERIC_EVENT

Log Sample

Jul 25 15:50:13 10.10.10.10 CEF: 0|ForgeRock|OpenAM|||AM-TREE-LOGIN-COMPLETED|Unknown| eventId=eventid externalId=externalid art=1658778613794 rt=1658778613794 outcome=SUCCESSFUL shost=shost.com src=10.10.10.10 sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 sntdom=/associates suser=user destinationServiceName=Authentication cs2={"info":{"treeName":"Kerberos","ipAddress":"10.10.10.10","authLevel":"0"}} cs5=0 cs6=transactionId\=#transactionid# userId\=#id\=user, result\=#SUCCESSFUL# principal\=#["pr_user"]# context\=## entries\=#[{"info":{"treeName":"Kerberos","ipAddress":"10.10.10.10","authLevel":"0"}}]# component\=#Authentication# realm\=#/associates# cs1Label=Context cs2Label=Entries cs3Label=Auth Control Flag cs5Label=Auth Level flexString1Label=Node Outcome ahost=ahostname agt=10.10.10.10 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 amac=macAddress av=7.15.0.8295.0 atz=CST6CDT at=syslog ad.trackingIds=["trackingIds"] ad.TreeName=Kerberos ad.externalId=ad.externalid_value aid=aid_value

Sample Parsing

intermediary.ip = "10.10.10.10"
metadata.product_event_type = "AM-TREE-LOGIN-COMPLETED"
metadata.description = "Tree login completed"
metadata.event_timestamp = "1658764213"
metadata.vendor_name = "ForgeRock"
metadata.product_name = "OpenAM"
metadata.event_type = "USER_LOGIN"
metadata.product_log_id = "trackingIds"
principal.hostname = shost.com
target.user.userid = "user"
security_result.action = "ALLOW"
security_result.action_details = "#SUCCESSFUL#"
extensions.auth.type = "SSO"

Parser Alerting

This product currently does not have any Parser-based Alerting