AlienVault® USM Anywhere™

IBM Tivoli Access Manager Web SEAL

When you configure IBM Tivoli Access Manager Web SEAL integration to send log data to USM Anywhere, you can use the IBM Tivoli Access Manager Web SEAL plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor IBM
Device type Proxy
Connection type Syslog
Vendor link https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.dsm.doc/t_DSM_guide_IBM_TivoliAccess_cfg.html#t_dsm_guide_ibm_tivoliaccess_cfg
and https://www.ibm.com/blogs/sweeden/introduction-to-qradar-log-management-for-webseal-administrators/

Integrating the Tivoli Access Manager WebSEAL Device

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor.

To configure Tivoli to send log data to USM Anywhere

  1. Log into Tivoli Access Manager's IBM Security Web Gateway.

  2. From the primary navigation menu, go to Secure Reverse Proxy Settings > Manage > Reverse Proxy.

  3. From the Instance column of the Reverse Proxy pane, select an instance.

  4. Click the Manage list and select Configuration > Advanced.

    The text of the WebSEAL configuration file appears.

  5. Locate the Authorization API Logging configuration, and configure event log forwarding to the USM Anywhere Sensor by adding the following directive on a new line:

    logcfg = audit.azn:rsyslog server=<USM Anywhere_IP_address>,port=514,log_id=<log_name>

  6. Edit the remote syslog configuration, for example:

    logcfg = audit.azn:rsyslog server=<USM Anywhere_IP_address>,port=514,log_id=<log_name>
    logcfg = audit.authn:rsyslog server=<USM Anywhere_IP_address>,port=514,log_id=<log_name>
    logcfg = http:rsyslog server=<USM Anywhere_IP_address>,port=514,log_id=<log_name>

    Where:

    <USM Anywhere_IP_address> is the IP address of the USM Anywhere Sensor.

    <log_name> is the name assigned to the log that you want to forward to USM Anywhere, for example, log_id=WebSEAL-log.

  7. Configure the log format, for example:

    request-log-format = %h %l %u %t "%r" %s %b "%{user-agent}i"

    Where:

    %h = Client host

    %l = Client logname (RFC 1413) (default -)

    %u = Remote user

    %t = Time in Common Log Format

    %r = First line of the request

    %s = Response status

    %b = Bytes in the response, excluding HTTP headers, in CLF format: '-' instead of 0 when no bytes are returned.

  8. Click Submit.

    The Deploy button appears in the navigation menu.

  9. Click Deploy.

  10. To continue, restart the reverse proxy instance:

    1. From the Instance column, select your instance configuration.

    2. From the Manage list, select Control > Restart.

      A status message appears after the restart completes.

For more information on configuring a syslog destination, see your IBM Tivoli Access Manager for e-business vendor documentation.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol=

  • bytes_out=

  • event_description=

  • event_name=

  • plugin_device=

  • plugin_device_type=

  • request_http_version=

  • request_method=

  • request_url=

  • request_user_agent=

  • response_code=

  • source_address=

  • source_hostname=

  • source_username=

  • time_zone=
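As an added example (not part of this AlienVault page and not IBM's or the plugin's own code), the following Python script parses one line written in the request-log-format configured in step 7 above and maps it onto the plugin field names listed in this section, then runs a small per-source count of 401/403 responses of the kind a correlation rule could use. The sample log lines are constructed, and the field mapping is this example's assumption rather than documented plugin behaviour: it derives application_protocol from the HTTP version token, treats a '-' in %b as bytes_out of 0 (as the page describes), and returns None for a line that does not match the format so that a misconfigured request-log-format is noticed instead of silently dropped.

```python
import re
from collections import Counter
from datetime import datetime

# Regular expression for the request-log-format shown in step 7 of this page:
#   %h %l %u %t "%r" %s %b "%{user-agent}i"
# Assumption: %t is rendered in Common Log Format, e.g. [10/Oct/2023:13:55:36 +0000]
LOG_LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<logname>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>-|\d+) '
    r'"(?P<user_agent>[^"]*)"$'
)

# Constructed sample lines (not real WebSEAL output); the last one is deliberately malformed.
SAMPLE_LINES = [
    '192.0.2.10 - alice [10/Oct/2023:13:55:36 +0000] "GET /secure/index.html HTTP/1.1" 200 2326 "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 - "curl/8.0"',
    '198.51.100.7 - bob [10/Oct/2023:13:56:01 -0500] "GET /app/data HTTP/1.1" 403 512 "Mozilla/5.0"',
    'garbled line that does not match the configured format',
]


def parse_webseal_request_log(line):
    """Map one request-log line onto the plugin field names listed on this page.

    Returns a dict of fields, or None when the line does not match the
    configured format (a mismatch usually means request-log-format and the
    parser disagree, which is worth alerting on rather than silently dropping).
    """
    m = LOG_LINE_RE.match(line.strip())
    if m is None:
        return None

    # %r is "METHOD URL VERSION"; a bare "-" (no request line) leaves all three unset.
    method = url = version = None
    parts = m.group("request").split(" ")
    if len(parts) == 3:
        method, url, version = parts
    elif len(parts) == 2:
        method, url = parts

    # %t in CLF carries the UTC offset; strptime validates the whole timestamp.
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")

    return {
        "source_address": m.group("host"),
        "source_username": None if m.group("user") == "-" else m.group("user"),
        "request_method": method,
        "request_url": url,
        "request_http_version": version,
        # Assumption: protocol name derived from the version token, e.g. "HTTP/1.1" -> "http".
        "application_protocol": version.split("/")[0].lower() if version else None,
        "response_code": int(m.group("status")),
        # The page notes %b is "-" instead of 0 when no bytes are returned.
        "bytes_out": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
        "request_user_agent": m.group("user_agent"),
        "time_zone": ts.strftime("%z"),
        "timestamp": ts.isoformat(),
    }


def count_auth_failures(lines):
    """Count 401/403 responses per source_address, skipping unparseable lines.

    A simple illustration of the kind of aggregation a correlation rule can
    run over the extracted fields.
    """
    failures = Counter()
    for line in lines:
        fields = parse_webseal_request_log(line)
        if fields and fields["response_code"] in (401, 403):
            failures[fields["source_address"]] += 1
    return dict(failures)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_webseal_request_log(line))
    print(count_auth_failures(SAMPLE_LINES))
```

If you change request-log-format on the WebSEAL instance (for example, adding or reordering tokens), the regular expression has to change with it; comparing the count of lines that return None against the total received is a quick way to confirm the two still agree after a deploy.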

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://www.ibm.com/support/knowledgecenter/en/SSPREK_8.0.0.2/com.ibm.amweb.doc_8.0.0.2/landing/trouble_landing.html