Forgerock/Splunk Alerts


Rife, Brandon
Hi All,

I want to be able to detect when a given IP/UserID fails to authenticate N times within a given time period, T. We currently use a Splunk alert for this with a vendor other than Forgerock, but we are deprecating that vendor in favor of Forgerock, so I need comparable functionality. This doesn’t have anything to do with account locking; it is more of an early warning that someone may be trying to hack their way into our application.

With the Forgerock logs as currently configured, I am unable to find the information needed in a single place. As an FYI, we authenticate via the OpenAM REST endpoint, not the OpenAM login page. Any guidance or help is much appreciated regarding any intrinsic Forgerock functionality to fire such an alert or the possibility of configuring the OpenAM logs so that they could drive a Splunk query.


Brandon Rife
Developer | CLS - Alliance
Phone: 1 636 5400 x 63124

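The check described in the post above, sketched as an added example (not part of the original message, and not ForgeRock or Splunk code): a sliding-window count of failed authentications, keyed separately by client IP and by user ID. The event tuple layout, the `detect_bursts` function and the sample events are assumptions constructed for illustration; real OpenAM audit fields would have to be mapped onto them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, client IP, user ID, outcome).
# This layout is an assumption, not the OpenAM log format.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "alice", "FAILED"),
    ("2024-01-01T10:00:10", "203.0.113.7", "carol", "FAILED"),
    ("2024-01-01T10:00:20", "198.51.100.4", "dave", "SUCCESS"),
    ("2024-01-01T10:00:25", "203.0.113.7", "erin", "FAILED"),
    ("2024-01-01T10:05:00", "198.51.100.10", "bob", "FAILED"),
    ("2024-01-01T10:05:20", "198.51.100.11", "bob", "FAILED"),
    ("2024-01-01T10:05:40", "198.51.100.12", "bob", "FAILED"),
    ("2024-01-01T10:10:00", "192.0.2.9", "frank", "FAILED"),
    ("2024-01-01T10:12:00", "192.0.2.9", "frank", "FAILED"),
    ("2024-01-01T10:14:00", "192.0.2.9", "frank", "FAILED"),
]


def detect_bursts(events, n, t_seconds):
    """Return (key_type, key, first_failure, last_failure) for every burst
    of n failures from one IP, or against one user ID, within t_seconds."""
    window = timedelta(seconds=t_seconds)
    recent = defaultdict(deque)  # ("ip"|"user", value) -> failure timestamps
    alerts = []
    for ts, ip, user, outcome in sorted(events):  # ISO strings sort by time
        if outcome != "FAILED":
            continue  # successes do not reset the count: this is not lockout
        when = datetime.fromisoformat(ts)
        for key in (("ip", ip), ("user", user)):
            q = recent[key]
            q.append(when)
            # Drop failures that have aged out of the T-second window.
            while when - q[0] > window:
                q.popleft()
            if len(q) >= n:
                alerts.append((key[0], key[1], q[0].isoformat(), when.isoformat()))
                q.clear()  # re-arm so one burst raises one alert
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS, n=3, t_seconds=60):
        print(alert)
```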