How to work with EZproxy logs in Splunk. Why; how; who
Linda Farrall, Monash University
Monash uses EZproxy for all access, both on and off campus, and manages EZproxy itself. The logs are used for resource statistics and for preventing unauthorised access. Splunk is a log-ingestion tool; any equivalent tool could be used.
Notes that you can't rely just on country changes, though this is important, as people use VPNs a lot. E.g. people in China especially appear to be elsewhere, and people often use a US VPN to watch Netflix and then forget to turn it off. Similarly, total download volume isn't very important, as illegal downloading often happens bit by bit.
Number of events per session ID can be an indicator, as can number of sessions per user. And then there are suspicious referrers, e.g. Sci-Hub! But some users do a search on Sci-Hub because it's more user-friendly and then come to get the article legally through their EZproxy.
https://github.com/prbutler/EZProxy_IP_Blacklist – Monash doesn't use this directly, as it doesn't want to encourage the people involved to just move to another IP.
Also a report of users who seem to be testing accounts against different databases.
Splunk can send alerts based on queries. Monash is also doing work with machine learning, so could theoretically identify 'normal' behaviour and alert on abnormal behaviour.
But currently Monash does no automated blocking; it investigates anything that looks unusual first.
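The indicators listed above (events per session, sessions per user, one account touching many databases, suspicious referrers) as a small offline script, added here to illustrate the notes; it is not Monash's Splunk configuration and uses Python rather than Splunk queries. It assumes a custom EZproxy LogFormat of the form `%h %{ezproxy-session}i %u %t "%r" %s %b "%{Referer}i"` (session ID in the second field), the sample log lines are constructed, the thresholds are illustrative assumptions rather than values from the talk, and `sci-hub.example` is a placeholder for a locally maintained referrer list. Following the talk, the output is a review queue for a person, not a block list.

```python
"""Score EZproxy log lines for the indicators described in the notes.

Added example (not Monash's or Splunk's code). Assumed LogFormat:
    %h %{ezproxy-session}i %u %t "%r" %s %b "%{Referer}i"
All sample data below is constructed.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<session>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)"$'
)

# Illustrative thresholds (assumptions, not values from the talk).
MAX_EVENTS_PER_SESSION = 50   # many hits inside one session
MAX_SESSIONS_PER_USER = 3     # many distinct sessions for one account
MAX_HOSTS_PER_USER = 5        # one account probing many databases
# Constructed placeholder host; a real list would be maintained locally.
SUSPICIOUS_REFERRER_HOSTS = {"sci-hub.example"}

# Constructed sample: alice arrives via a Sci-Hub-style referrer, bob hops
# across sessions and databases. carol's busy session is generated below.
SAMPLE_LOG = """\
203.0.113.5 sAbCd1 alice [12/Mar/2019:10:01:02 +1100] "GET http://journals.example.com:80/article/1 HTTP/1.1" 200 5120 "https://sci-hub.example/10.1000/xyz"
203.0.113.5 sAbCd1 alice [12/Mar/2019:10:01:09 +1100] "GET http://journals.example.com:80/article/1.pdf HTTP/1.1" 200 812000 "-"
198.51.100.7 sEf2 bob [12/Mar/2019:10:02:00 +1100] "GET http://dbone.example.org:80/ HTTP/1.1" 200 300 "-"
198.51.100.7 sEf2 bob [12/Mar/2019:10:02:03 +1100] "GET http://dbtwo.example.org:80/ HTTP/1.1" 200 300 "-"
198.51.100.7 sEf2 bob [12/Mar/2019:10:02:05 +1100] "GET http://dbthree.example.org:80/ HTTP/1.1" 200 300 "-"
198.51.100.7 sEf2 bob [12/Mar/2019:10:02:07 +1100] "GET http://dbfour.example.org:80/ HTTP/1.1" 200 300 "-"
192.0.2.9 sGh3 bob [12/Mar/2019:10:05:00 +1100] "GET http://dbfive.example.org:80/ HTTP/1.1" 200 300 "-"
192.0.2.10 sIj4 bob [12/Mar/2019:10:06:00 +1100] "GET http://dbsix.example.org:80/ HTTP/1.1" 200 300 "-"
"""


def build_sample():
    """Constructed log text: SAMPLE_LOG plus 60 hits in a single session for carol."""
    carol = [
        f'192.0.2.20 sKl5 carol [12/Mar/2019:11:00:{i % 60:02d} +1100] '
        f'"GET http://journals.example.com:80/issue/{i} HTTP/1.1" 200 4096 "-"'
        for i in range(60)
    ]
    return SAMPLE_LOG + "\n".join(carol) + "\n"


def parse_line(raw):
    """Parse one log line into a dict; return None if it does not match the format."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname          # proxied database host
    ref = rec["referer"]
    rec["referer_host"] = urlparse(ref).hostname if ref != "-" else None
    return rec


def analyse(log_text):
    """Aggregate the four indicators from the notes over a block of log text."""
    events_per_session = Counter()
    session_user = {}
    sessions_per_user = defaultdict(set)
    hosts_per_user = defaultdict(set)
    referrers_per_user = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                                      # skip malformed lines
        events_per_session[rec["session"]] += 1
        session_user[rec["session"]] = rec["user"]
        sessions_per_user[rec["user"]].add(rec["session"])
        if rec["host"]:
            hosts_per_user[rec["user"]].add(rec["host"])
        if rec["referer_host"] in SUSPICIOUS_REFERRER_HOSTS:
            referrers_per_user[rec["user"]].add(rec["referer_host"])
    return {
        # session -> (user, event count) for sessions over the threshold
        "busy_session": {s: (session_user[s], n) for s, n in events_per_session.items()
                         if n >= MAX_EVENTS_PER_SESSION},
        "many_sessions": {u: len(s) for u, s in sessions_per_user.items()
                          if len(s) >= MAX_SESSIONS_PER_USER},
        "many_hosts": {u: len(h) for u, h in hosts_per_user.items()
                       if len(h) >= MAX_HOSTS_PER_USER},
        "suspicious_referrer": {u: sorted(r) for u, r in referrers_per_user.items()},
    }


def review_queue(findings):
    """Users ordered by how many indicators fired: a queue for a person to check, not a block list."""
    hits = defaultdict(set)
    for user, _count in findings["busy_session"].values():
        hits[user].add("busy_session")
    for name in ("many_sessions", "many_hosts", "suspicious_referrer"):
        for user in findings[name]:
            hits[user].add(name)
    return sorted(((u, sorted(i)) for u, i in hits.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for user, indicators in review_queue(analyse(build_sample())):
        print(f"{user}: {', '.join(indicators)}")
```

A single indicator (alice's referrer, carol's one busy session) lands a user at the bottom of the queue, matching the point in the notes that a Sci-Hub referrer by itself often precedes a legitimate download; bob, who trips two indicators, is listed first.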
Working with Tableau, Alma, Primo and Leganto
Sabrina Alvaro, UNSW; Megan Lee, Monash University
Tableau Server: self-hosted or Tableau-hosted (these two give you more security options to make reports private), plus a public (free) version.
Tableau Desktop: similarly, enterprise vs public.
UNSW is using the self-hosted server and enterprise desktop, with 9 dashboards (or 'projects').
For Alma/Primo they can't use the Ex Libris web data connector, so they extract Analytics data manually; it may be a server version issue.
Easy interface to create a report and then share it via a link or embed code.
UNSW is still learning. They want to join sources together, identify correlations, and capture user stories.