System Monitoring, notifications, and OS traps

OneSpan Authentication Server Appliance supports application-level system monitoring with SNMP. This allows you to monitor OneSpan Authentication Server Appliance processing to provide notifications when specific events occur.

System monitoring is performed based on OneSpan Authentication Server and OneSpan Authentication Server Appliance audit messages and their content, and creates an alert when specified messages appear. These alerts or targets are sent via text messages, emails, or SNMP traps.

Use the OneSpan Authentication Server Appliance configuration interfaces to enable and configure system monitoring:

• To enable system monitoring, switch to the  Authentication Server > System Monitoring Alerts tab in the OneSpan Authentication Server Appliance Configuration Tool and select Enabled.

Event filters help you to monitor critical events as they occur, rather than search through an extensive list of audit logs to locate potentially critical system events.

Event filters

System monitoring requires filters to specify which OneSpan Authentication Server Appliance events and audit messages should be monitored.

Filter details must include the following:

• Name
• Target, specifying which notification method is to be used
• Audit message type to monitor
• Specific field
• Condition
• Value for the specified field

A filter defines a match criteria that must be met to trigger a notification. To define a filter, specify which level of audit message to monitor and assign a target. Messages may be further filtered by specifying a field of the audit message and a value. System monitoring will notify you when that field of an audit message contains the specified value.

It is possible to assign multiple filters to a target. In that case, the target notification will only be triggered if the match criteria of all assigned filters are met.

Notification targets

System monitoring requires one or more targets to be defined to specify the output format.

The available target formats are:

• SMS
• Emails
• SNMP traps

Table: Target requirements lists the different required information for each target.

When you configure SNMP targets, make sure to set both the authentication type AND the privacy type for a complete trap configuration in the OneSpan Authentication Server Appliance Configuration Tool. You cannot set a privacy type without setting an authentication type.

Only the following combinations for SNMP communication are valid:

• Without authentication type and privacy type (both set to None).
• With authentication type, but without privacy type.
• With authentication type and privacy type.

Best practices: System monitoring with SNMP/SMS/email targets

If you are using OneSpan Authentication Server Appliance system monitoring, we recommend to define targets for the following OneSpan Authentication Server Appliance events:

• OneSpan Authentication Server errors. For these type of events, you should define an audit filter that extracts all error audit messages.
• Locked authenticator users. For these type of events, you should define a filter that extracts all audit messages with the audit code 'W-011003'.
• Failed administrative logons. For these type of events, you should define a filter that extracts all audit messages with the audit code 'F-004001'.
• Replication failures. For these type of events, you should define a filter that extracts all audit messages with the audit codes 'F-003001' or 'F-003002'.

Generally, when SNMP notifications are defined, a VASCO-AXSGUARD-IDENTIFIER-MIB::vdsIaAuditNotification trap is sent. The MIB file contains the information about the notification and the variables. For more information, refer to the VASCO-AXSGUARD-IDENTIFIER-MIB file. You can download this file in OneSpan Authentication Server Appliance via Settings > SNMP.