Transcription

How to work with EZproxy logs in Splunk – a live demonstration
Linda Farrell

Anonymised dashboard
Access from more than one country in the last 7 days
Total downloads by users in the last 24 hours
Suspicious referrers in the last 7 days
Alerts
Extra reports

1. Introduction

At Monash University all access, on campus and off campus, is through EZproxy. Monash uses EZproxy logs to gather access statistics and to identify compromised accounts.

The process after detection of a compromised account:
o Identify.
o Block account in EZproxy user.txt.
o Inform IT security.
o IT security communicates with user (education).
o Account password is reset.
o Unblock when completed by IT security.

The procedure for excessive downloads:
o Block account in EZproxy user.txt.
o Email user (phone staff member where possible).
o Unblock when satisfactory reply is received via email.
o If email response raises a concern of a compromised account, compromised account procedure is followed.

Monash library started using Splunk in August 2017. This document contains a few of Monash’s reports and dashboard panels.

Success with Splunk
o In 2016 and 2017 each: 25 days of loss of access due to compromised accounts and excessive downloads. In 2018: 0 days of loss of access due to compromised accounts and excessive downloads.
o IEEE has detected 17 incidents of Sci-Hub activity through Monash in 2017, only 4 so far in 2018. IEEE reports that they have seen an increase at other institutions worldwide.

2. Anonymised dashboard

3. Access from more than one country in the last 7 days

4. Total downloads for the last 24 hours

5. Suspicious referrers in the last 7 days

This query uses the referrers as recorded by Paul Butler:
https://github.com/prbutler/EZProxy IP Blacklist

6. Alerts

Alerts can be set up by using any Splunk query or report. At Monash one such alert is set up to send an email when IEEE’s activity tracker is detected in the logs. The alert will soon be enhanced to call a script which will add the line of code to the user.txt to automatically block the account. Other alerts in use at Monash are available on request.

7. Other reports

Other reports used by the team to further investigate issues arising from the dashboard:
o URLs accessed by a specific user
o Top downloads from more than one country
o Number of sessions by user
o Number of events by session id
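The dashboard panels in sections 3 to 5 and the reports in section 7 are Splunk searches whose SPL is not reproduced in this transcription. The script below is an added example, not part of the presentation and not Monash's own code, that implements the same checks in Python over a few constructed EZproxy log lines: users seen from more than one country in a window, downloads per user in a window, requests whose referrer is on a blacklist, and sessions per user. The log layout (Apache combined style with the EZproxy session id as the second field), the prefix-to-country table, the referrer blacklist and the "successful PDF request counts as a download" rule are all assumptions made for the example; in production the country would come from Splunk's iplocation command or a GeoIP database, and the blacklist from Paul Butler's list.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (assumed layout: client ip, EZproxy session id, user, time,
# request, status, bytes, referrer, user agent). Adjust LINE_RE to your own LogFormat.
SAMPLE_LOG = """\
203.0.113.10 sess1 alice [05/Jun/2018:09:14:02 +1000] "GET http://journal.example.com:80/article/1.pdf HTTP/1.1" 200 512000 "http://journal.example.com/toc" "Mozilla/5.0"
198.51.100.7 sess2 alice [05/Jun/2018:10:02:11 +1000] "GET http://journal.example.com:80/article/2.pdf HTTP/1.1" 200 498000 "-" "Mozilla/5.0"
203.0.113.11 sess3 bob [05/Jun/2018:11:30:45 +1000] "GET http://journal.example.com:80/article/3.pdf HTTP/1.1" 200 480000 "http://sci-hub.example/" "Mozilla/5.0"
203.0.113.12 sess4 carol [05/Jun/2018:12:05:00 +1000] "GET http://journal.example.com:80/toc HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<session>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed prefix-to-country table standing in for a GeoIP lookup (assumption).
COUNTRY_BY_NET = {
    ipaddress.ip_network("203.0.113.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

# Constructed referrer blacklist; the Monash report uses Paul Butler's list instead.
SUSPICIOUS_REFERRERS = ("sci-hub.example",)


def parse_line(line):
    """Return one event dict, or None if the line does not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY_BY_NET.items():
        if addr in net:
            return cc
    return "??"


def reference_now():
    """Fixed 'now' so the windows below line up with the constructed sample (assumption)."""
    return datetime(2018, 6, 5, 13, 0, tzinfo=timezone(timedelta(hours=10)))


def events_since(events, now, **delta):
    """Keep events inside a trailing window, e.g. events_since(evs, now, days=7)."""
    cutoff = now - timedelta(**delta)
    return [ev for ev in events if ev["time"] >= cutoff]


def users_in_multiple_countries(events):
    """Users seen from more than one country: the first dashboard panel."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["user"]].add(country_of(ev["ip"]))
    return {u: sorted(c) for u, c in seen.items() if len(c) > 1}


def is_download(ev):
    # Assumption for the example: a successful request for a PDF counts as a download.
    return ev["status"] == 200 and ev["url"].lower().endswith(".pdf")


def downloads_per_user(events):
    counts = defaultdict(int)
    for ev in events:
        if is_download(ev):
            counts[ev["user"]] += 1
    return dict(counts)


def suspicious_referrer_hits(events):
    """(user, referrer) pairs whose referrer matches the blacklist."""
    return [(ev["user"], ev["referer"]) for ev in events
            if any(bad in ev["referer"] for bad in SUSPICIOUS_REFERRERS)]


def sessions_per_user(events):
    sessions = defaultdict(set)
    for ev in events:
        sessions[ev["user"]].add(ev["session"])
    return {u: len(s) for u, s in sessions.items()}


if __name__ == "__main__":
    now, evs = reference_now(), parse_log(SAMPLE_LOG)
    print("multi-country (7d):", users_in_multiple_countries(events_since(evs, now, days=7)))
    print("downloads (24h):", downloads_per_user(events_since(evs, now, hours=24)))
    print("suspicious referrers (7d):", suspicious_referrer_hits(events_since(evs, now, days=7)))
    print("sessions by user:", sessions_per_user(evs))
```

Each function mirrors one panel or report: the 7-day and 24-hour windows are applied by `events_since` before counting, the way the time picker scopes a Splunk search, and the results are returned as plain dicts and lists so they can feed an alert or a block list rather than only a printout.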