{
  "id": 636,
  "date": "2018-06-05T16:58:30",
  "date_gmt": "2018-06-05T04:58:30",
  "guid": {"rendered": "http:\/\/deborahfitchett.com\/blog\/?p=636"},
  "modified": "2018-06-05T16:58:30",
  "modified_gmt": "2018-06-05T04:58:30",
  "slug": "analysing-logs-anzreg2018",
  "status": "publish",
  "type": "post",
  "link": "https:\/\/deborahfitchett.com\/blog\/2018\/06\/analysing-logs-anzreg2018\/",
  "title": {"rendered": "Analysing logs #anzreg2018"},
  "content": {
    "rendered": "<p><strong>How to work with EZproxy logs in Splunk. Why; how; who<\/strong><br \/>\nLinda Farrall, Monash University<\/p>\n<p>Monash uses EZproxy for all access, both on and off campus, and manages EZproxy themselves. They use the logs for resource statistics and for preventing unauthorised access. Splunk is a log-ingestion tool \u2013 any equivalent tool could be used.<\/p>\n<p>Notes: you can\u2019t rely just on country changes, though this is important, as people use VPNs a lot. E.g. people in China especially appear elsewhere, and people often use a US VPN to watch Netflix and then forget to turn it off. Similarly total downloads isn\u2019t a very useful signal, as illegal downloading often happens bit by bit.<\/p>\n<p>Number of events per sessionid can be an indicator, as can number of sessions per user. And then there are suspicious referrers, e.g. SciHub! But some users do a search on SciHub because it\u2019s more user-friendly and then come to get the article legally through their EZproxy.<\/p>\n<p><a href=\"https:\/\/github.com\/prbutler\/EZProxy_IP_Blacklist\">https:\/\/github.com\/prbutler\/EZProxy_IP_Blacklist<\/a> \u2013 Monash doesn\u2019t use this directly, as they don\u2019t want to encourage offenders to just move to another IP.<\/p>\n<p>They also run a report of users who seem to be testing accounts against different databases.<\/p>\n<p>Splunk can send alerts based on queries. Monash is also doing work with machine learning, so could theoretically identify \u2018normal\u2019 behaviour and alert on abnormal behaviour.<\/p>\n<p>But currently Monash does no automated blocking \u2013 they investigate anything that looks unusual first.<\/p>\n<p><strong>Working with Tableau, Alma, Primo and Leganto<\/strong><br \/>\nSabrina Alvaro, UNSW; Megan Lee, Monash University<\/p>\n<p>Tableau server: self-hosted or Tableau-hosted (these two give you more security options to make reports private), and a public (free) version.<\/p>\n<p>Tableau desktop: similarly, enterprise vs public.<\/p>\n<p>UNSW is using the self-hosted server and enterprise desktop, with 9 dashboards (or \u2018projects\u2019).<\/p>\n<p>For Alma\/Primo they can\u2019t use the Ex Libris web data connector, so they extract Analytics data manually; this may be a server version issue.<\/p>\n<p>Easy interface to create a report and then share it with a link or embed code.<\/p>\n<p>UNSW still learning. Want to join sources together, identify correlations, capture user stories.<\/p>\n",
    "protected": false
  },
  "excerpt": {
    "rendered": "<p>How to work with EZproxy logs in Splunk. Why; how; who Linda Farrall, Monash University Monash uses EZproxy for all access, both on and off campus, and manages EZproxy themselves. They use the logs for resource statistics and for preventing unauthorised access. Splunk is a log-ingestion tool \u2013 any equivalent tool could be used. Notes: you can\u2019t rely just on country changes, though this is [&hellip;]<\/p>\n",
    "protected": false
  },
  "author": 1,
  "featured_media": 0,
  "comment_status": "open",
  "ping_status": "open",
  "sticky": false,
  "template": "",
  "format": "standard",
  "meta": [],
  "categories": [1],
  "tags": [290, 294, 18, 304, 292],
  "_links": {
    "self": [{"href": "https:\/\/deborahfitchett.com\/blog\/wp-json\/wp\/v2\/posts\/636"}],
    "collection": [{"href": "https:\/\/deborahfitchett.com\/blog\/wp-json\/wp\/v2\/posts"}],
    "about": [{"href": "https:\/\/deborahfitchett.com\/blog\/wp-json\/wp\/v2\/types\/post"}],
    "author": [{"embeddable": true, "href": "https:\/\/deborahfitchett.com\/blog\/wp-json\/wp\/v2\/users\/1"}],
    "replies": [{"embeddable": true, "href": "https:\/\/deborahfitchett.com\/blog\/wp-json\/wp\/v2\/comments?post=636"}],
    "version-history": [{"count": 1, "href": "https:\/\/deborahfitchett.com\/blog\/wp-json\/wp\/v2\/posts\/636\/revisions"}],
    "predecessor-version": [{"id": 637, "href": "https:\/\/deborahfitchett.com\/blog\/wp-json\/wp\/v2\/posts\/636\/revisions\/637"}],
    "wp:attachment": [{"href": "https:\/\/deborahfitchett.com\/blog\/wp-json\/wp\/v2\/media?parent=636"}],
    "wp:term": [
      {"taxonomy": "category", "embeddable": true, "href": "https:\/\/deborahfitchett.com\/blog\/wp-json\/wp\/v2\/categories?post=636"},
      {"taxonomy": "post_tag", "embeddable": true, "href": "https:\/\/deborahfitchett.com\/blog\/wp-json\/wp\/v2\/tags?post=636"}
    ],
    "curies": [{"name": "wp", "href": "https:\/\/api.w.org\/{rel}", "templated": true}]
  }
}