Version: Next

Integration with IDP via Syslog

To enable this integration, configure the EDFN agent to receive and parse syslog messages containing Login / Logout events.

User Identity Agent Configuration

Open the NFO web interface, navigate to the External Data Feeder page or to the Network Conversations Monitor module’s page, and perform the following:

  1. Open the User Identity Monitor agent configuration window

  2. Change the schedule cron expression or leave the default. The agent runs every minute by default: security event logs are requested every minute and the user identity watch list is updated accordingly

  3. Select the UDP Syslog Input tab if you send Login events via UDP, and/or the TCP/TLS Syslog Input tab if you send Login events via TCP

  4. Click and provide the following fields

    • IDP: Identity Provider name
    • Port: Input listening port for syslogs sent to NFO by the identity provider
    • Host Name: (optional) Host name of the identity provider. If left blank, syslogs from any host will be received
    • Logon pattern: regular expression used to parse Logon events, for example
      ^.* Logon account=(?<account>\S+) address=(?<address>\S+)$
    • Logoff pattern: regular expression used to parse Logoff events, for example
      ^.* Logoff account=(?<account>\S+) address=(?<address>\S+)$
    • Session timeout: how long the mapping between user name and IP address is kept after the login event is received
    • (TCP only) TLS: check the checkbox if your identity provider sends syslog over TCP with TLS encryption
    • (TCP only) TLS client certificates file: path to TLS client certificates file

    When the agent’s parameters are saved, the configuration can be validated by pressing the green “Run Now” button in the agent configuration window. The User Identity monitoring agent is scheduled if the module is enabled.
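
The example Logon and Logoff patterns above can be checked against sample messages before they are saved in the agent. The JavaScript below is an added example, not NFO code: the syslog lines are constructed, `replay` is a hypothetical helper that models the session timeout as described above, and it assumes the agent applies each pattern to the whole message using the same named-group syntax.

```javascript
// Patterns copied verbatim from the field examples above.
const LOGON = /^.* Logon account=(?<account>\S+) address=(?<address>\S+)$/;
const LOGOFF = /^.* Logoff account=(?<account>\S+) address=(?<address>\S+)$/;

// Constructed sample messages (not real IDP output); t = receive time in seconds.
const SAMPLE = [
  { t: 0,   msg: "<134>Jan 10 09:00:00 idp01 auth: Logon account=alice address=10.0.0.5" },
  { t: 30,  msg: "<134>Jan 10 09:00:30 idp01 auth: Logon account=bob address=10.0.0.6" },
  { t: 60,  msg: "<134>Jan 10 09:01:00 idp01 auth: Logoff account=bob address=10.0.0.6" },
  // Account name containing a space: \S+ cannot span it, so the event is dropped.
  { t: 90,  msg: "<134>Jan 10 09:01:30 idp01 auth: Logon account=carol smith address=10.0.0.7" },
  // Trailing space after the address: the $ anchor fails, so the event is dropped.
  { t: 120, msg: "<134>Jan 10 09:02:00 idp01 auth: Logon account=dave address=10.0.0.8 " },
];

// Replays events in order and returns the address -> account mappings still
// valid at time `now`, plus every message that matched neither pattern.
function replay(events, sessionTimeout, now) {
  const byAddress = new Map(); // address -> { account, expires }
  const unmatched = [];
  for (const { t, msg } of events) {
    const on = LOGON.exec(msg);
    const off = on ? null : LOGOFF.exec(msg);
    if (on) {
      const { account, address } = on.groups;
      byAddress.set(address, { account, expires: t + sessionTimeout });
    } else if (off) {
      // Only clear the mapping if the logoff names the account currently mapped.
      const cur = byAddress.get(off.groups.address);
      if (cur && cur.account === off.groups.account) byAddress.delete(off.groups.address);
    } else {
      unmatched.push(msg);
    }
  }
  const active = {};
  for (const [address, s] of byAddress) {
    if (s.expires > now) active[address] = s.account; // skip expired sessions
  }
  return { active, unmatched };
}

console.log(replay(SAMPLE, 3600, 130));
```

Messages that land in `unmatched` are logins the watch list would never see, so run a capture of the identity provider's real output through the patterns and adjust them until that list is empty.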