Thanks for your quick reply.

I did a bit of testing myself. What I did was the following:

• Enable syslog from the RSA server - Not sure why you didn't use syslog in the first place? Perhaps it wasn't available as a feature at the time or because the severity selection seems a bit weird since you can only specify one level of severity, not all?
• Apply the transforms to the syslog sourcetype instead of SNMP since the regex did not match the SNMP data
• Change the SNMP script to use SNMPv3 authPriv because SNMPv3 is the only option on this RSA server.
  
• Had to unset LD_LIBRARY_PATH in the script too because it complained about missing libcrypto libraries on the Splunk Universal Forwardee

Does this sound like your findings?

I'll be waiting for the app on Splunkbase. Are you breaking it up into an App and Add-on for distributed environments?

Hi Mikael,

1. Syslog logging was not an option for output at the time this application was built, so snmptrap's were the only good way short of putting a lightweight forwarder (UF didnt exist yet) directly on the appliance.
2. Most likely the snmptrap format changed, but again, it was an older appliance therefore I have no method of testing against new ones.
3. Again, old appliance, no snmpv3 at the time.
4. UF wasnt a deployment option at the time, so cant speak for that.

So as you can tell, this was developed long before there were many options to make life easier 🙂

Since I do not have regular access to an appliance anymore, any changes you've made I would be most interested in reviewing for possible incorporation to an application update. The TA I wrote was only when I had short-term access to an appliance in the field but it did work off of syslog data.

Thanks,
Josh

Hi Josh,

I won't have access to the RSA server before Sep 2, but I'll report back then 🙂

Regards,
Mikael

Ok great, feel free to contact me directly -- josh _ discoveredintelligence % ca

_ = @
% = .

🙂

Thanks! Sent you an e-mail 🙂 I'd be glad if you could have a look at it when you have time.