We are not using the Shib Splunkbase app.
I'm not sure why not.
Here are the props.conf and transforms.conf.
Props.conf:
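# Sourcetype for the Shibboleth IdP audit log (pipe-delimited; column names come from
# [REPORT-idp-audit] in transforms.conf). This is the authentication record detections key on.
[idp-audit]
CHARSET=UTF-8
# Characters scanned for the timestamp after TIME_PREFIX matches; %Y%m%dT%H%M%SZ is 16 wide.
MAX_TIMESTAMP_LOOKAHEAD=18
# Stale: superseded by REPORT-idp-audit below (the transforms stanza is [REPORT-idp-audit]).
#REPORT-idp_audit=REPORT-idp_audit
SHOULD_LINEMERGE=false
disabled=false
TIME_FORMAT=%Y%m%dT%H%M%SZ
# TIME_PREFIX is a regex. A bare "|" is an empty alternation and matches the empty string, so
# the timestamp search started at column 0 where SSOclientIP sits, not at SSOauditEventTime.
# Escaped so it anchors on the literal pipe before the second column (same as local/props.conf).
TIME_PREFIX=\|
# The trailing Z in TIME_FORMAT is matched literally, not parsed as a zone, so TZ decides the
# offset; the Z suffix marks the audit time as UTC.
TZ=UTC
REPORT-idp-audit = REPORT-idp-audit
## Per the Shibboleth docs the audit field name is 'a' (client address)
FIELDALIAS-src_ip = SSOclientIP AS src_ip
FIELDALIAS-src = SSOclientIP AS src
## audit field name is 'u' (principal)
FIELDALIAS-user = SSOprincipalName AS user
FIELDALIAS-url = SSOrelyingPartyID AS url
# Aliases the correctly spelled column to the misspelled name that [REPORT-idp-process-fields]
# and FIELDALIAS-dest in [idp-process] use, so one field name works across both sourcetypes.
FIELDALIAS-SSOrelayingPartyID = SSOrelyingPartyID AS SSOrelayingPartyID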
# Sourcetype for the Shibboleth IdP process log. The search-time fields below map login
# outcomes onto CIM Authentication-style names (app, action, user, src_ip, dest).
[idp-process]
EVAL-app = "shibboleth"
# Normalises the vendor outcome words to success/failure. case() has no catch-all branch, so any
# other vendor_action value (e.g. the UsernamePasswordContext value set further down) leaves
# action null and the event drops out of action-keyed searches.
EVAL-action = case(vendor_action="succeeded" OR vendor_action="true","success", vendor_action="failed" OR vendor_action="false","failure")
# Reads the misspelled column name produced by [REPORT-idp-process-fields] in transforms.conf.
FIELDALIAS-dest = SSOrelayingPartyID AS dest
# Skips the first three space-delimited tokens, then takes the level and "[logger:pid]".
# Assumes those tokens are date, time and one more fixed token -- confirm against the log pattern.
EXTRACT-log_level,process,pid = ^(?:[^ \n]* ){3}(?P<log_level>\w+)\s+\[(?P<process>[^\]:]+)\:(?<pid>\d+)\]
# Dotted-quad only: octets are not range-checked and IPv6 client addresses yield no src_ip at all,
# so logins from IPv6 clients are invisible to src_ip-based detections.
EXTRACT-src_ip = \] \- (?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
# "Login by '<user>' <outcome>" lines; the outcome text becomes vendor_action.
EXTRACT-user,vendor_action = Login by '(?P<user>\S+)'\s+(?P<vendor_action>.+)
# NOTE(review): this and the two EXTRACTs below all write signature (and user/vendor_action);
# if one event satisfies more than one regex the field ends up multivalued -- confirm intended.
EXTRACT-signature,vendor_action,user = net\.shibboleth\.idp\.authn\..*\] \- (?<signature>.*?)\:.*?\s+(?P<vendor_action>\S+) for '(?P<user>\S+)'
EXTRACT-signature = \.\d{1,3}\s\-\s(?P<signature>[^:]+)\:
# Authn-flow lines with no username: user is set to the literal "No username" and vendor_action
# to the literal "UsernamePasswordContext", which EVAL-action above does not map to failure.
EXTRACT-signature,user,vendor_action = net\.shibboleth\.idp\.authn\..*\] \- (?<signature>.*?)\:.*(?<user>No username)\s.*(?<vendor_action>UsernamePasswordContext)
# Pipe-delimited column names come from [REPORT-idp-process-fields] in transforms.conf.
REPORT-idp-process-fields = REPORT-idp-process-fields
## Per the Shibboleth docs the audit field name is 'a' (client address)
FIELDALIAS-src_ip = SSOclientIP AS src_ip
FIELDALIAS-src = SSOclientIP AS src
## audit field name is 'u' (principal)
FIELDALIAS-user = SSOprincipalName AS user
FIELDALIAS-url = SSOrelyingPartyID AS url
# NOTE(review): [REPORT-idp-process-fields] emits SSOrelayingPartyID directly and never the
# correctly spelled SSOrelyingPartyID, so this alias and FIELDALIAS-url above have no source
# field in this sourcetype -- looks copied from [idp-audit].
FIELDALIAS-SSOrelayingPartyID = SSOrelyingPartyID AS SSOrelayingPartyID
# Sourcetype for the IdP warning log. Shares the line-layout extractions with [idp-process]
# but has no EVAL-app/EVAL-action/REPORT, so these events carry no app or action field.
[idp-warning]
# Skips three space-delimited tokens, then level and "[logger:pid]" (see [idp-process]).
EXTRACT-log_level,process,pid = ^(?:[^ \n]* ){3}(?P<log_level>\w+)\s+\[(?P<process>[^\]:]+)\:(?<pid>\d+)\]
# IPv4 dotted-quad only, octets not range-checked; IPv6 clients get no src_ip.
EXTRACT-src_ip = \] \- (?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
EXTRACT-user,vendor_action = Login by '(?P<user>\S+)'\s+(?P<vendor_action>.+)
EXTRACT-signature = \.\d{1,3}\s\-\s(?P<signature>[^:]+)\:
Transforms.conf:
# Column names for the pipe-delimited audit log, referenced by REPORT-idp-audit in [idp-audit].
# Positional: 14 names, assigned left to right; order must match the IdP's audit layout exactly
# or every downstream alias (src_ip, user, url) silently reads the wrong column -- verify on a sample line.
[REPORT-idp-audit]
DELIMS = "|"
FIELDS = "SSOclientIP","SSOauditEventTime","SSOrequestBinding","SSOrequestId","SSOrelyingPartyID","SSOmessageProfileId","SSOassertingPartyId","SSOresponseBinding","SSOresponseId","SSOprincipalName","SSOauthNMethod","SSOreleasedAttributeID","SSOnameIdentifier","SSOassertionID"
# Column names for pipe-delimited lines in the process log, referenced from [idp-process].
# 13 positional names. Note the misspelling SSOrelayingPartyID: FIELDALIAS-dest in props.conf
# depends on this exact spelling, so renaming it here breaks dest.
[REPORT-idp-process-fields]
DELIMS = "|"
FIELDS = "event_headers","SSOrequestBinding","SSOrequestId","SSOrelayingPartyID","SSOmessageProfileId","SSOassertingPartyId","SSOresponseBinding","SSOresponseId","SSOprincipalName","SSOauthNMethod","SSOreleasedAttributeID","SSOnameIdentifier","SSOassertionID"
And, apparently, /local/props.conf:
# local/ override of [idp-audit]. Splunk merges per key: keys here replace the same keys in the
# default stanza; keys absent here (CHARSET, REPORT-idp-audit, FIELDALIAS-url,
# FIELDALIAS-SSOrelayingPartyID) still come from default props.conf.
[idp-audit]
MAX_TIMESTAMP_LOOKAHEAD=28
SHOULD_LINEMERGE=false
disabled=false
# NOTE(review): the literal Z is matched, not parsed as a zone, so TZ below sets the offset.
# If the IdP stamps UTC (as the Z suffix implies), America/New_York shifts every audit event by
# 4-5 h and breaks correlation with other sources -- confirm against a known login time.
TIME_FORMAT=%Y%m%dT%H%M%SZ
# Regex-escaped literal pipe: the timestamp is expected after the first delimiter.
# NOTE(review): local [REPORT-idp-audit] lists Timestamp as the FIRST column, before any pipe --
# one of the two is wrong; check which matches the actual log line.
TIME_PREFIX=\|
TZ=America/New_York
TRUNCATE=99999
# Aliases use the renamed columns from local [REPORT-idp-audit] (Client_IP, Username). The
# default FIELDALIAS-url / -SSOrelayingPartyID still load but their source column no longer exists.
FIELDALIAS-src_ip = Client_IP AS src_ip
FIELDALIAS-src = Client_IP AS src
FIELDALIAS-user = Username AS user
# local/ override of [idp-process]. Adds event breaking and timestamp rules and replaces
# EXTRACT-src_ip (same class name wins); the default EVAL-app, EVAL-action and signature
# extractions are merged in unchanged.
[idp-process]
# One event per line that starts with "YYYY-MM-DD HH:MM:SS".
LINE_BREAKER = ([\n\r]+)\d{4}-\d{1,2}-\d{1,2}\s\d+:\d+:\d+
# %3Q = milliseconds after the comma. No zone in the line, so TZ applies.
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3Q
TZ=America/New_York
MAX_TIMESTAMP_LOOKAHEAD=28
SHOULD_LINEMERGE=false
disabled=false
TRUNCATE=99999
# Pipe-delimited form "|<ip>|"; overrides the default "] - <ip>" form. Still IPv4-only and
# not range-checked, so IPv6 clients produce no src_ip.
EXTRACT-src_ip = \|(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\|
# Text after "] - " up to the first character outside the class: quotes, commas, hyphens and
# semicolons end the capture, so message is truncated for such lines -- check before keying alerts on it.
EXTRACT-message = (\]\s-\s)(?P<message>[a-zA-Z0-9:?\s.\(\):\/=%&]+)([\n\r]+)
# Extraction class is "reason" but the field produced is potential_reason.
EXTRACT-reason= --(?P<potential_reason>[a-zA-Z0-9:?\s\(\):\/=%&]+\S)\s+at
# NOTE(review): field name has two underscores (example_of__reason); the otherwise identical
# [idp-warning] stanza produces example_of_reason -- searches spanning both sourcetypes miss one.
EXTRACT-examples = \s+at\s+(?P<example_of__reason>[a-zA-Z0-9:?\s\(\):\/=%&.]+)\s
# local/ override of [idp-warning]: same breaking, timestamp and extraction rules as the
# local [idp-process] stanza; replaces the default EXTRACT-src_ip.
[idp-warning]
# One event per line that starts with "YYYY-MM-DD HH:MM:SS".
LINE_BREAKER = ([\n\r]+)\d{4}-\d{1,2}-\d{1,2}\s\d+:\d+:\d+
# %3Q = milliseconds after the comma. No zone in the line, so TZ applies.
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3Q
TZ=America/New_York
MAX_TIMESTAMP_LOOKAHEAD=28
SHOULD_LINEMERGE=false
disabled=false
TRUNCATE=99999
# IPv4 dotted-quad only, not range-checked; IPv6 clients produce no src_ip.
EXTRACT-src_ip = \|(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\|
# Capture stops at the first character outside the class (quotes, commas, hyphens), so message
# may be truncated.
EXTRACT-message = (\]\s-\s)(?P<message>[a-zA-Z0-9:?\s.\(\):\/=%&]+)([\n\r]+)
# Class is "reason", field is potential_reason.
EXTRACT-reason= --(?P<potential_reason>[a-zA-Z0-9:?\s\(\):\/=%&]+\S)\s+at
# Field is example_of_reason here; local [idp-process] spells it example_of__reason.
EXTRACT-examples = \s+at\s+(?P<example_of_reason>[a-zA-Z0-9:?\s\(\):\/=%&.]+)\s
And local/transforms.conf:
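# local/ override of [REPORT-idp-audit]: replaces the SSO*-named columns with the 13 names
# below, so the local [idp-audit] aliases read Client_IP and Username.
# The commented line is the older 15-column SSO* layout, kept for reference only.
[REPORT-idp-audit]
DELIMS = "|"
# NOTE(review): Timestamp is the first column here, but local [idp-audit] sets TIME_PREFIX=\|
# (timestamp after a pipe) -- confirm which one matches the real log line.
FIELDS = "Timestamp","Client_IP","Inbound_binding","Inbound_message_ID","Service_provider_name","Profile_ID","Identity_provider_name","Outbound_binding","Outbound_message_ID","Username","AuthenticationContext","Attributes","NameID_value"
#FIELDS = "timestamp","SSOclientIP","SSOauditEventTime","SSOrequestBinding","SSOrequestId","SSOrelyingPartyID","SSOmessageProfileId","SSOassertingPartyId","SSOresponseBinding","SSOresponseId","SSOprincipalName","SSOauthNMethod","SSOreleasedAttributeID","SSOnameIdentifier","SSOassertionID"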
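# local/ override of [REPORT-idp-process-fields]: 23 positional columns (the default has 13).
# The FIELDS value was split across two lines mid-token (SSOasser / tionID); a conf value
# cannot wrap, so it is rejoined here and quoted like every other FIELDS list on this page.
# field15, field16, field19 and field23 are unnamed placeholders at those positions.
# vendor_action is also written by the EXTRACTs in [idp-process]; two sources for one field.
[REPORT-idp-process-fields]
DELIMS = "|"
FIELDS = "event_headers","SSOclientIP","SSOrequestBinding","SSOrequestId","SSOrelayingPartyID","SSOmessageProfileId","SSOassertingPartyId","SSOresponseBinding","SSOresponseId","SSOprincipalName","SSOauthNMethod","SSOreleasedAttributeID","SSOnameIdentifier","SSOassertionID","field15","field16","url","uri_path","field19","signature","vendor_action","http_user_agent","field23"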