Symantec Access Management

  • 1.  SiteMinder (SSO) Log Analysis / Analytics tool

    Posted Feb 16, 2016 01:08 PM

    I'm looking for recommendations on a good log analysis tool to provide reports to Sr management on authentication activity within SiteMinder (SSO) -- reviewing the SMAccess or possibly the SMPS logs.

     

    Does anyone have any recommendations? I've looked at Sawmill and Splunk so far. I'm not interested in using the report server that comes with SM.

     

    The main things I'm looking for with the tool are:

     

    • Web based tool
    • Provide easy reporting tool for the creation of graphs showing logins per day, week, month, etc. per application, etc. going back in time
    • Dashboard creation showing whatever graphs I select from the search tool
    • Automated reports via PDF or HTML sent to a web server (SharePoint, etc.) or via email
    • In-depth reporting via login that's SM (native or via SAML) protected

     

     

    Any suggestions?



  • 2.  Re: SiteMinder (SSO) Log Analysis / Analytics tool

    Broadcom Employee
    Posted Feb 17, 2016 02:15 AM

    For some overall graphs, I would recommend getting "smpolicysrv -stats" run in a cron/scheduled task at a regular interval (say every 20 min or so).

     

    Then you can run the smps log analysis on the smps.log files for the last month or week, from the Policy trace analysis module:

     

    Siteminder Policy Trace Analysis

     

    You can then get a nice graph of the number of connections/number of active worker threads/throughput that occur over the week or month.

     

    It produces a .pdf report, and individual .png files if you need them, and the latest version does run from the cmd line.

     

    Cheers - Mark



  • 3.  Re: SiteMinder (SSO) Log Analysis / Analytics tool

    Posted Feb 17, 2016 07:39 AM

    Thanks Mark for the suggestion. I'm already getting the stats, what I'm really looking for is a web based reporting tool based on analysis of the SM Access / SMPS logs where I can see

     

    • how many authentications are happening now, vs 2 hours ago vs today vs last week vs last month, etc.
    • What is the most used protected application (based on agent name)
    • What are my peak vs non-peak times of the day / week
    • How many SAML based authentications are happening vs agent based

     

    The goal is to provide these reports via fancy graphs to Sr management on a scheduled and ad-hoc basis. I would like to automate the report generation to auto upload to a web server OR give people the ability to view a read only dashboard.



  • 4.  Re: SiteMinder (SSO) Log Analysis / Analytics tool

    Posted Feb 22, 2016 10:36 AM

    In this case, the CA Wily Introscope tool can be used. It's a web-based monitoring tool and satisfies almost all your needs.



  • 5.  Re: SiteMinder (SSO) Log Analysis / Analytics tool

    Posted Jun 15, 2016 10:34 PM

    I'm not looking for application performance, only a log analytic tool that can produce reports and graphs. We're looking outside CA now at Splunk to solve this need. Thank you all for the suggestions.



  • 6.  Re: SiteMinder (SSO) Log Analysis / Analytics tool

    Posted Nov 15, 2016 05:25 PM

    Take a look at SpyLogix; it's a monitoring/reporting tool specialized for CA SSO. On a high level, IdentityLogix is a CA technology partner whose product SpyLogix for CA SSO is a CA validated software solution, which provides the ability to quickly analyze policy, performance and activity data in real-time for operational visibility. Our security messaging middleware is designed to handle "Big Data" issues that are associated with IAM and web infrastructures. It natively accesses CA SSO event and audit data continuously from CA SSO’s API without the need to have logs turned on, eliminating a performance impact that a trace log would typically create on a policy server. SpyLogix allows you to easily analyze streaming data within minutes, employ forensic data drill-down capabilities, sort complex data and apply new visualization to address audit, security and reporting challenges, and maximize and efficiently leverage SiteMinder’s rich data capabilities for improving key performance indicators (KPIs), such as lowering mean time to recover (MTTR) or mean time between system incidents (MTBSI).

     

    http://www.identitylogix.com/phocadownload/Modules/spylogix%20for%20ca%20single%20sign-on.pdf 

     



  • 7.  Re: SiteMinder (SSO) Log Analysis / Analytics tool

    Posted Jan 24, 2017 10:31 AM

    We use Splunk to monitor login activities.

     

    You can achieve some reports like:

    • Unique user logins
    • Active users or high-login outliers
    • Successful logins vs failed logins
    • Threat analytics, like seeing more hits, which is unusual, such as trying to log in with invalid creds more than usual (> usual count)
    • Logins from different IPs at the same time using the same user account

     

    Thanks!
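
Added example, not part of the original thread or any poster's code: a sketch of three of the reports listed in the last post (successful vs failed logins, failed-login outliers, and one account logging in from different IPs at about the same time). It assumes the access log has already been parsed into (timestamp, user, client IP, outcome) records; the sample records, field layout and function names are constructed for illustration and are not the SiteMinder log format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, user, client IP, outcome). These are
# NOT raw smaccess lines; parsing the real log into these fields is assumed.
EVENTS = [
    ("2017-01-24 10:00:05", "alice", "10.0.0.5", "success"),
    ("2017-01-24 10:01:10", "bob", "10.0.0.9", "failure"),
    ("2017-01-24 10:01:12", "bob", "10.0.0.9", "failure"),
    ("2017-01-24 10:01:15", "bob", "10.0.0.9", "failure"),
    ("2017-01-24 10:01:19", "bob", "10.0.0.9", "failure"),
    ("2017-01-24 10:02:30", "alice", "192.0.2.44", "success"),
    ("2017-01-24 10:03:00", "carol", "10.0.0.7", "success"),
    ("2017-01-24 14:30:00", "carol", "10.0.0.8", "success"),
    ("2017-01-24 14:31:00", "dave", "10.0.0.3", "failure"),
]

def load(events):
    """Convert timestamp strings to datetime and sort chronologically."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, ip, o)
            for ts, u, ip, o in events]
    return sorted(rows)

def outcome_counts(rows):
    """Successful vs failed logins."""
    return Counter(o for _, _, _, o in rows)

def failed_login_outliers(rows, usual_count):
    """Users with more failed logins than the usual count."""
    fails = Counter(u for _, u, _, o in rows if o == "failure")
    return {u: n for u, n in fails.items() if n > usual_count}

def multi_ip_logins(rows, window=timedelta(minutes=5)):
    """Users with successful logins from different IPs within `window`."""
    flagged = defaultdict(set)
    recent = defaultdict(list)  # user -> [(time, ip)] still inside the window
    for ts, user, ip, outcome in rows:
        if outcome != "success":
            continue
        recent[user] = [(t, i) for t, i in recent[user] if ts - t <= window]
        for _, other_ip in recent[user]:
            if other_ip != ip:
                flagged[user].update({ip, other_ip})
        recent[user].append((ts, ip))
    return dict(flagged)

if __name__ == "__main__":
    rows = load(EVENTS)
    print(outcome_counts(rows), failed_login_outliers(rows, 3), multi_ip_logins(rows))
```

The usual count and the five-minute window are placeholders; in practice both come from a baseline of normal activity for the environment.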