Quote Originally Posted by pellerano View Post
Can someone help us by pointing out which connectors to use and how to send access logs?
We need to analyze these logs and create correlations on them.

The format of access log files is of this type (extended format from Netiq Access Manger access gateway):
#Software:Multi Access Gateway
#Fields: date time c-ip cs-username s-ip s-sitename cs-method cs-uri cs-uri-stem c-version sc-status sc(Content-Length) sc-bytes cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer) sc(CACHE_STATUS) sc(BALANCER_WORKER_IP) cs(X-Forwarded-For) x-origin-ip rs-bytes
2018-12-20 14:43:46 <Client IP> public <server ip> <site name> GET <uri> "GET / HTTP/1.1" 302 164 5350 2016 629 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "_ga=GA1.3.xxxxxxx.xxxxxx; Jump.Localization.CultureName=it; _gid=GA1.3.yyyyyyyy.yyyyyyyy; .AspNet.ApplicationCookie=kkiCSN2M...." "<referrer url>" "-" "-" "-" 2016

Sentile 8.1 version.
Use Access Manager's built in configuration to point your audit server to Sentinel (don't try and modify syslog configuration directly on the MAG or IDP), then use the NetIQ Access Manager collector with the appropriate Syslog connector.