- 07 Jan 2025
Typical Usage of OneSpan Authentication Server System Monitoring
- Updated on 07 Jan 2025
OneSpan Authentication Server system monitoring is typically used to receive notifications via an SNMP trap, to retrieve security alert details, and to retrieve details of the audit message.
Receiving notifications via an SNMP trap
You receive an SNMP trap issued by OneSpan Authentication Server. A typical SNMP trap looks like the following example.
Typical SNMP trap
2014-05-07 11:40:58 DEVTESTDC.DEVTEST.local [UDP: [10.143.225.21]:52911->[0.0.0.0]:0]:
SNMP-FRAMEWORK-MIB::snmpEngineTime.0 = INTEGER: 816 seconds
SNMP-FRAMEWORK-MIB::snmpEngineBoots.0 = INTEGER: 4
SNMPv2-MIB::snmpTrapOID.0 = OID: VASCO-IDENTIKEY-MIB::vdsIkSecAlertEvent
Retrieving security alert details
You can retrieve detailed information on the security alert raised in the notification step. This retrieval can be performed by issuing an SNMPGet command. For this operation, you will need to specify the security alert index as specified in the SNMP trap.
When requesting SNMP details for the object name vdsIkSecAlertContent.1, the following information will be provided by the SNMPGet command:
VASCO-IDENTIKEY-MIB::vdsIkSecAlertContent.1 = STRING:
"Time=\"2013/11/29 04:21:47\";
Code=\"S-002001\"; AMID=\"0xAF42C18AED1D6A3ED2ADA1AD0AB8BF68\";
Desc=\"User authentication was successful.\";"
Alternatively, you can retrieve the complete security alert table using an SNMP table command. This SNMP table operation should be performed using the object name vdsIkSecurityAlertTable. As a result of this operation the complete security alert data list is returned.
Typical output of an SNMP table operation using vdsIkSecurityAlertTable
vdsIkSecAlertTime | vdsIkSecAlertType | vdsIkSecAlertContent
2013-11-29,4:21:47.9,-8:0 | Success | "Time=\"2013/11/29 04:21:47\"; Code=\"S-002001\"; AMID=\"0xAF42C18AED1D6A3ED2ADA1AD0AB8BF68\"; Desc=\"User authentication was successful.\";"
2013-11-29,4:23:24.6,-8:0 | Success | "Time=\"2013/11/29 04:23:24\"; Code=\"S-002001\"; AMID=\"0xC7AD24E99930D0B9B7C2F8249B1B39C4\"; Desc=\"User authentication was successful.\";"
2013-11-29,4:26:28.7,-8:0 | Success | "Time=\"2013/11/29 04:26:28\"; Code=\"S-002001\"; AMID=\"0xE20227F63CFD25D21E96079398DF5EF7\"; Desc=\"User authentication was successful.\";"
2013-11-29,8:13:26.9,-8:0 | Success | "Time=\"2013/11/29 08:13:26\"; Code=\"S-002001\"; AMID=\"0xEC42ADA0419071A9107DB4441B4FECD3\"; Desc=\"User authentication was successful.\";"
Retrieving audit message details
If you want to obtain more details about a security alert, you can consult the corresponding audit message. It suffices to use the audit message identifier (AMID) to start searching in the OneSpan Authentication Server auditing data. The relevant AMID is specified in the content field of the entry in the security alert table. This operation can be performed using the OneSpan Authentication Server Audit Viewer or the Administration Web Interface.
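The following added example (not OneSpan code) parses vdsIkSecAlertContent values from the text output of the SNMP get and table operations described above and collects the AMIDs to search for in the auditing data. The function names are hypothetical, the input is constructed from the samples on this page, and the AMID check (0x followed by 32 hex digits) is an assumption drawn from those samples.

```python
import re
from datetime import datetime

# Constructed input: the SNMPGet output and one table row copied from this page.
SAMPLE = r'''VASCO-IDENTIKEY-MIB::vdsIkSecAlertContent.1 = STRING:
"Time=\"2013/11/29 04:21:47\";
Code=\"S-002001\"; AMID=\"0xAF42C18AED1D6A3ED2ADA1AD0AB8BF68\";
Desc=\"User authentication was successful.\";"
2013-11-29,4:23:24.6,-8:0 Success
"Time=\"2013/11/29 04:23:24\"; Code=\"S-002001\"; AMID=\"0xC7AD24E99930D0B9B7C2F8249B1B39C4\"; Desc=\"User authentication was successful.\";"
'''

# One outer STRING value: a double-quoted run whose inner quotes are backslash-escaped.
OUTER_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# One key=\"value\"; pair inside that value (the value may wrap across lines).
FIELD_RE = re.compile(r'(\w+)=\\"(.*?)\\";', re.S)
# Assumption drawn from the samples on this page: 0x followed by 32 hex digits.
AMID_RE = re.compile(r'0x[0-9A-Fa-f]{32}')
REQUIRED = ("Time", "Code", "AMID", "Desc")


def parse_alerts(snmp_output):
    """Return (alerts, rejected) parsed from SNMP get or table text output."""
    alerts, rejected = [], []
    for outer in OUTER_RE.finditer(snmp_output):
        fields = dict(FIELD_RE.findall(outer.group(1)))
        try:
            if any(k not in fields for k in REQUIRED):
                raise ValueError("missing field")
            if not AMID_RE.fullmatch(fields["AMID"]):
                raise ValueError("malformed AMID")
            fields["Time"] = datetime.strptime(fields["Time"], "%Y/%m/%d %H:%M:%S")
        except ValueError as exc:
            rejected.append((outer.group(1), str(exc)))  # keep for manual review
            continue
        alerts.append(fields)
    return alerts, rejected


def amids_to_look_up(alerts):
    """AMIDs in first-seen order, de-duplicated, ready for an audit search."""
    return list(dict.fromkeys(a["AMID"] for a in alerts))


if __name__ == "__main__":
    parsed, bad = parse_alerts(SAMPLE)
    for a in parsed:
        print(a["Time"].isoformat(), a["Code"], a["AMID"], a["Desc"])
    print("AMIDs to search in the audit data:", amids_to_look_up(parsed))
```

Entries that fail validation are returned in the second list rather than dropped, so a truncated or unexpected alert string is still visible to whoever reviews the alerts.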