topic Re: proxy log name resolution in Security

proxy log name resolution

jonathanfalconi — Tue, 24 Jul 2012 06:31:11 GMT

In the context of proxy logs - could Splunk (via APIs or what not) enable the resolution of IP addresses to the logged in username for a particular log from a proxy?

Re: proxy log name resolution

MarioM — Tue, 24 Jul 2012 15:50:55 GMT

what kind of IP? Public?internal? internal from dhcp?
Here an example of dns lookup dns lookup external script

Re: proxy log name resolution

dwaddle — Tue, 24 Jul 2012 15:58:48 GMT

Assuming the information is actually available, sure. But you need to drop a little more detail on us. The assumption would have to be that there is something that can tie the IP address in the proxy server logs to a logged-in user at the machine that is assigned the IP in the proxy logs themselves.

The clearest solution is to have the proxy require authentication. If you can't do that, then you need to be able to know who is logged into a given machine at a given time. With a multi-user system, like a Windows Terminal Server or any Unix machine this is far more difficult.

I think you need to figure out what data you have available to you before you can begin to try to piece together a solution.