Ca Site Minder¶
Product: Site Minder
Log type(s): auth
Theoretical injector performance¶
AssertionGenerate fakehost [23/Feb/2017:12:19:33 +0100] " " " "    
ValidateAccept fakehost [23/Feb/2017:12:19:27 +0100] "22.214.171.124 uid=T000000,ou=Internal,ou=People,o=group" "pghj-ws-dzefd.ezrd.dksjq GET /T2/Ts.ltc" [idletime=54000;maxtime=18000;authlevel=5;]   
AuthAttempt fakehost [23/Feb/2017:12:24:12 +0100] "126.96.36.199 T0000000" "azd.dzaz.azddd GET /profile/yoloapplications.php?polReboot"    
At first glance, we could assume the log pattern is CSV [space] separated. The main format as following :
[[Event] [Hostname] [Date/Time] [ClientIP] [UserDN] [Agentname] [Action] [Resource] [TransactionID] [Reason] [Status Message] [Impersonator Name] [Impersonator Dir Name]]
BUT, [[Status Message]] is an error status looking like a sentence but without any wrapping double quote nor brackets. This leads to an unparsable CSV log using the [space] character. So we decided to use Grok patterns to solve this issue.
Conclusion : This parser only rely on Grok patterns located under .