Ca Site Minder¶
Product: Site Minder
Log type(s): auth
Theoretical injector performance¶
AssertionGenerate thsssosit06p [23/Feb/2017:12:19:33 +0100] " " " "    
ValidateAccept thsssosit06p [23/Feb/2017:12:19:27 +0100] "220.127.116.11 uid=T000000,ou=Internal,ou=People,o=group" "pghj-ws-dzefd.ezrd.dksjq GET /T2/Ts.ltc" [idletime=54000;maxtime=18000;authlevel=5;]   
AuthAttempt thsssosit06p [23/Feb/2017:12:24:12 +0100] "18.104.22.168 T0000000" "azd.dzaz.azddd GET /profile/yoloapplications.php?polReboot"    
At first glance, we could assume the log pattern is CSV [space] separated. The main format as following :
[[Event] [Hostname] [Date/Time] [ClientIP] [UserDN] [Agentname] [Action] [Resource] [TransactionID] [Reason] [Status Message] [Impersonator Name] [Impersonator Dir Name]]
BUT, [[Status Message]] is an error status looking like a sentence but without any wrapping double quote nor brackets. This leads to an unparsable CSV log using the [space] character. So we decided to use Grok patterns to solve this issue.
Conclusion : This parser only rely on Grok patterns located under .