<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Integrate Splunk with RSA in Deployment Architecture</title>
    <link>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81948#M22551</link>
    <description>&lt;P&gt;Santisookgable, if I understand correctly, you have a network environment being monitored, and various logs are being sent through syslog and RSA agents to the RSA collector before they are then sent on to EnVision, and you are wanting to intercept the logs on the collectors to have them forwarded on to Splunk? &lt;/P&gt;

&lt;P&gt;If so I am also looking for the same information. Please share whatever you might find out on this. Thanks. &lt;/P&gt;</description>
    <pubDate>Sat, 01 Dec 2012 07:37:12 GMT</pubDate>
    <dc:creator>Jjza</dc:creator>
    <dc:date>2012-12-01T07:37:12Z</dc:date>
    <item>
      <title>Integrate Splunk with RSA</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81943#M22546</link>
      <description>&lt;P&gt;The customer has already deployed RSA, using syslog, SNMP traps, WMI, and the proprietary RSA agent to send logs to the RSA logger. How can we get those logs from RSA, or can we tap them before they are injected into RSA?&lt;/P&gt;</description>
      <pubDate>Tue, 27 Sep 2011 01:15:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81943#M22546</guid>
      <dc:creator>santisookgable</dc:creator>
      <dc:date>2011-09-27T01:15:51Z</dc:date>
    </item>
    <item>
      <title>Re: Integrate Splunk with RSA</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81944#M22547</link>
      <description>&lt;P&gt;What I've been doing is just getting the RSA to send snmptraps to my Splunk server, then having Splunk monitor and index those events from the file; this will get you all the login/logout events, etc. I also incorporate a scripted input to snmpget specific values from the RSA. From there it's not too hard to write a regex or do field extractions to get the relevant data you need.&lt;/P&gt;

&lt;P&gt;Here's a sample snmptrap from the RSA:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;2011-09-27 11:42:36 rsa.local [UDP: [1.1.1.1]:18631]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (258755894) 29 days, 22:45:58.94       SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.2197.20.17     SNMPv2-SMI::enterprises.2197.20.16.5.0 = STRING: "INFO" SNMPv2-SMI::enterprises.2197.20.16.7.0 = STRING: "13002"        SNMPv2-SMI::enterprises.2197.20.16.6.0 = STRING: "Runtime event {ID: ab8d4ba064010a0a028e5a0170b5331e, time: Tue Sep 27 11:42:36 EDT 2011, client: 1.1.1.10, user: User [ID: 30842478345210b0a033433a28853f555, session ID: ab8d4c9c64345a0a028cb2e9fba30e5f-/bpgaUNcPy79, login name: John_Doe, first name: John, last name: Doe, security domain ID: 5c27c74364010a0a03763757bf63fd18, identity source ID: 307de6a864010a0a0342aca89e488d7e], action: AUTHN_LOGIN_EVENT, action id: 13002, result: SUCCESS, reason: AUTHN_METHOD_SUCCESS, agent: Agent [ID: 2c2e979b64010a0a02916426272037ec, name: server1.local, address: 1.1.1.10, type: 7, security domain ID: 000000000000000000001000e0011000], policy: Policy [method ID: 000000000000000000002000f1022000, policy ID: null, method name: SecurID_Native, policy expression: null], arguments: [AUTHN_LOGIN_EVENT, 5, 1, null, null, null, null, 3084c90864010a0a0286b13a3dc6c61f, 000111656726, null]}"      SNMPv2-SMI::enterprises.2197.20.16.8.0 = STRING: "AUTHN_METHOD_SUCCESS"
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 27 Sep 2011 18:37:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81944#M22547</guid>
      <dc:creator>joshd</dc:creator>
      <dc:date>2011-09-27T18:37:04Z</dc:date>
    </item>
    <item>
      <title>Re: Integrate Splunk with RSA</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81945#M22548</link>
      <description>&lt;P&gt;I just made my Splunk for RSA SecurID app available on Splunkbase. It may be of some use to you:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://splunk-base.splunk.com/apps/33495/splunk-for-rsa-securid-appliances"&gt;http://splunk-base.splunk.com/apps/33495/splunk-for-rsa-securid-appliances&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 02 Nov 2011 23:02:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81945#M22548</guid>
      <dc:creator>joshd</dc:creator>
      <dc:date>2011-11-02T23:02:25Z</dc:date>
    </item>
    <item>
      <title>Re: Integrate Splunk with RSA</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81946#M22549</link>
      <description>&lt;P&gt;Thank you for the comment and the Splunk App. Let me discuss RSA Logger integration with Splunk. SNMP traps from RSA are usually system events or correlation logs, but I want to integrate Splunk to get raw logs from RSA. &lt;BR /&gt;
Can we export raw logs from the RSA Log receiver to Splunk, or can the RSA log forwarder send to Splunk and Splunk forward to the RSA Log receiver?&lt;/P&gt;</description>
      <pubDate>Wed, 09 Nov 2011 01:03:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81946#M22549</guid>
      <dc:creator>santisookgable</dc:creator>
      <dc:date>2011-11-09T01:03:06Z</dc:date>
    </item>
    <item>
      <title>Re: Integrate Splunk with RSA</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81947#M22550</link>
      <description>&lt;P&gt;The SNMP traps capture whatever you set the "Administrative/Runtime/System Audit Log Trap Level" to.  If you set them all to Success then it will capture all actions initiated by all users, administrators and the device itself.&lt;/P&gt;

&lt;P&gt;Is there more data you are looking for?&lt;/P&gt;

&lt;P&gt;Depending on if you are running the appliance or AM is installed on your own standalone machine, you can configure a public key for the emcsrv account and use rsync to remotely grab data from the machine to pull down to Splunk for indexing and parsing.  I never covered this approach in my app since it's bad security practice.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Nov 2011 15:46:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81947#M22550</guid>
      <dc:creator>joshd</dc:creator>
      <dc:date>2011-11-09T15:46:21Z</dc:date>
    </item>
    <item>
      <title>Re: Integrate Splunk with RSA</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81948#M22551</link>
      <description>&lt;P&gt;Santisookgable, if I understand correctly, you have a network environment being monitored, and various logs are being sent through syslog and RSA agents to the RSA collector before they are then sent on to EnVision, and you are wanting to intercept the logs on the collectors to have them forwarded on to Splunk? &lt;/P&gt;

&lt;P&gt;If so I am also looking for the same information. Please share whatever you might find out on this. Thanks. &lt;/P&gt;</description>
      <pubDate>Sat, 01 Dec 2012 07:37:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81948#M22551</guid>
      <dc:creator>Jjza</dc:creator>
      <dc:date>2012-12-01T07:37:12Z</dc:date>
    </item>
    <item>
      <title>Re: Integrate Splunk with RSA</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81949#M22552</link>
      <description>&lt;P&gt;So how can the RSA collector send logs to Splunk? I have configured Splunk as a receiver on a specific port, but any idea how to configure RSA as a forwarder? Any help will be greatly appreciated.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2013 10:03:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81949#M22552</guid>
      <dc:creator>topan</dc:creator>
      <dc:date>2013-07-10T10:03:15Z</dc:date>
    </item>
    <item>
      <title>Re: Integrate Splunk with RSA</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81950#M22553</link>
      <description>&lt;P&gt;lsdata is your friend. I managed to use it successfully to export Cisco ASA logs (intact), save them to a local file on the enVision appliance, and then pull them from the Splunk server side via an SMB file share. This involves batch jobs on both sides.&lt;/P&gt;

&lt;P&gt;&lt;A href="https://community.emc.com/thread/153234"&gt;https://community.emc.com/thread/153234&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 24 Aug 2014 10:51:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Integrate-Splunk-with-RSA/m-p/81950#M22553</guid>
      <dc:creator>yhamza</dc:creator>
      <dc:date>2014-08-24T10:51:35Z</dc:date>
    </item>
  </channel>
</rss>

