I blogged about how we use ELK to monitor trends, especially abnormal ones, on the ForgeRock Identity Stack.
"Login Failed Server Trend Live" - this tracks the user login failure events.
Just a few days ago, we observed that the number of Login Failed events had increased.
So, we zoomed in and found many lines of the following error:
"2016-05-17 00:09:00" "Login Failed|module_instance|Application" "Not Available" golfdigest 202.xx.xx.xx INFO o=xxx.sg AUTHENTICATION-268 "cn=dsameuser,ou=DSAME Users,o=xxx.sg" "Not Available" Application 202.xx.xx.xx
I know that if module_instance is Application, this is not a user authentication. Most likely, it is a Policy Agent in action. By the way, every Policy Agent needs to authenticate with OpenAM in order to pull its policies.
So based on the IP address (202.xx.xx.xx), we found out the owner of the application. Ah! This is a defunct site. The SSO administrator has already removed the Policy Agent "golfdigest" from OpenAM as part of the sunsetting process, but the network team has not disabled/removed the Policy Agent on the Apache web server yet.