System monitoring

OneSpan Authentication Server supports application-level system monitoring with SNMP. This allows you to monitor OneSpan Authentication Server processing to provide notifications when specific events occur.

System monitoring is based on OneSpan Authentication Server audit messages and their content, and creates an alert when specified messages appear. These alerts are sent to the configured targets as text messages, emails, or SNMP traps.

Use the OneSpan Authentication Server configuration interfaces to enable and configure system monitoring:

  • To enable and configure system monitoring in the OneSpan Authentication Server Configuration Utility, use the Monitoring tab.

    Switch to the Audit tab of the Configuration Utility and make sure Audit Alerts is selected. System monitoring will not work unless audit alerts are enabled.

  • To enable and configure system monitoring in the Administration Web Interface, use the SYSTEM > Server Configuration > System Monitoring tab.

If you enable system monitoring via the Configuration Utility, OneSpan Authentication Server needs to be restarted—the system automatically enforces this operation. If you enable system monitoring via the Administration Web Interface, OneSpan Authentication Server does not need to be restarted.

Event filters help you to monitor critical events as they occur, rather than search through an extensive list of audit logs to locate potentially critical system events.

Event filters

System monitoring requires filters to specify which OneSpan Authentication Server events and audit messages should be monitored.

Filter details must include the following:

  • Name
  • Target, specifying which notification method is to be used
  • Audit message type to monitor
  • Specific field
  • Condition
  • Value for the specified field

A filter defines the match criteria that must be met to trigger a notification. To define a filter, specify which level of audit message to monitor and assign a target. Messages may be further filtered by specifying a field of the audit message and a value. System monitoring will notify you when that field of an audit message contains the specified value.

The fields listed in the filter are monitored from the vdsAuditMsg table, which stores audit messages.

It is possible to assign multiple filters to a target. In that case, the target notification will only be triggered if the match criteria of all assigned filters are met.

Notification targets

System monitoring requires one or more targets to be defined to specify the output format.

The available target formats are:

  • SMS
  • Emails
  • SNMP traps

Table: Target requirements lists the different required information for each target.

Table: Target requirements

Target: SNMP
Required information:
  • Target name
  • SNMP type – Inform, TRAP, TRAPv2c
  • Host IP address
  • Security name for SNMPv3
  • Authentication protocol type
  • Authentication secret
  • Privacy type
  • Privacy secret

Target: SMS
Required information:
  • Target name
  • Mobile phone number

Target: Email
Required information:
  • Target name
  • Source email address
  • Target email address
  • Subject line

When you configure SNMP targets, make sure to set both the authentication type AND the privacy type for a complete trap configuration in the OneSpan Authentication Server Configuration Utility. You cannot set a privacy type without setting an authentication type.

Only the following combinations for SNMP communication are valid:

  • Without authentication type and privacy type (both set to None).
  • With authentication type, but without privacy type.
  • With authentication type and privacy type.

Best practices: System monitoring with SNMP/SMS/email targets

If you are using OneSpan Authentication Server system monitoring, we recommend defining targets for the following OneSpan Authentication Server events:

  • OneSpan Authentication Server errors. For this type of event, you should define an audit filter that extracts all error audit messages.
  • Locked authenticator users. For this type of event, you should define a filter that extracts all audit messages with the audit code 'W-011003'.
  • Failed administrative logons. For this type of event, you should define a filter that extracts all audit messages with the audit code 'F-004001'.
  • Replication failures. For this type of event, you should define a filter that extracts all audit messages with the audit codes 'F-003001' or 'F-003002'.
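
The matching rule from the Event filters section (a target is notified only if all filters assigned to it match) applied to the audit codes above, as an added example that is not OneSpan code. The field names ("type", "code"), the type values, the condition names, the target names and the E-000000 code are assumptions made for this model; they are not taken from the vdsAuditMsg schema.

```python
# Added model of the filter/target rule described on this page (not product code).
# Field names, type values, condition names and target names are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Optional

CONDITIONS = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
}

@dataclass(frozen=True)
class Filter:
    name: str
    msg_type: str                    # audit message type to monitor
    field: Optional[str] = None      # optional field of the audit message
    condition: str = "equals"
    value: str = ""

    def matches(self, msg: Dict[str, str]) -> bool:
        if msg.get("type") != self.msg_type:
            return False
        if self.field is None:       # type-only filter, e.g. "all errors"
            return True
        return CONDITIONS[self.condition](msg.get(self.field, ""), self.value)

def fired_targets(targets: Dict[str, List[Filter]], msg: Dict[str, str]) -> List[str]:
    """A target fires only if ALL filters assigned to it match the message."""
    return sorted(name for name, filters in targets.items()
                  if filters and all(f.matches(msg) for f in filters))

TARGETS = {
    "snmp-errors": [Filter("all-errors", "Error")],
    "sms-lockouts": [Filter("locked", "Warning", "code", "equals", "W-011003")],
    # Two equality filters on ONE target can never both match the same message,
    # so under the all-filters rule this target stays silent.
    "mail-repl-both": [Filter("repl-1", "Failure", "code", "equals", "F-003001"),
                       Filter("repl-2", "Failure", "code", "equals", "F-003002")],
    # In this model, one target per code gives the "either code" behaviour.
    "mail-repl-1": [Filter("repl-1", "Failure", "code", "equals", "F-003001")],
    "mail-repl-2": [Filter("repl-2", "Failure", "code", "equals", "F-003002")],
}

SAMPLES = [  # constructed audit messages, not real server output
    {"type": "Failure", "code": "F-003001"},
    {"type": "Failure", "code": "F-003002"},
    {"type": "Warning", "code": "W-011003"},
    {"type": "Error", "code": "E-000000"},   # placeholder code
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["code"], "->", fired_targets(TARGETS, sample))
```

After changing filters or targets, trigger one event per filter in a test environment and confirm that each expected notification arrives, since a target whose filters cannot all match fails silently.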