
[RSA SecurID Application for Splunk] - CIM compliance?

mikaelbje
Motivator

Hi,

I stumbled upon the RSA SecurID app after a client requested getting logs from their RSA SecurID appliance and have a few questions:

  • is the RSA SecurID app still actively developed? I haven't seen any updates since July 6 2012 except for Splunk version compliance changes.
  • CIM compliance for this app - anyone working on this?

Regards,
Mikael

joshd
Builder

Hi Mikael,

I have not been able to put time into the app unfortunately but do hope to do so soon as I have recently retained access to newer RSA SecurID logs. However what I have done recently is build a TA for the RSA SecurID that is CIM compliant (the app is not). I'll post it on splunkbase shortly, feel free to contact me direct if you need it sooner.

Thanks,
Josh

mikaelbje
Motivator

Thanks for your quick reply.

I did a bit of testing myself. What I did was the following:

  • Enable syslog from the RSA server - Not sure why you didn't use syslog in the first place? Perhaps it wasn't available as a feature at the time or because the severity selection seems a bit weird since you can only specify one level of severity, not all?
  • Apply the transforms to the syslog sourcetype instead of SNMP since the regex did not match the SNMP data
  • Change the SNMP script to use SNMPv3 authPriv because SNMPv3 is the only option on this RSA server.
  • Had to unset LD_LIBRARY_PATH in the script too because it complained about missing libcrypto libraries on the Splunk Universal Forwarder

Does this sound like your findings?

I'll be waiting for the app on Splunkbase. Are you breaking it up into an App and Add-on for distributed environments?

0 Karma
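The two forwarder-side steps above (SNMPv3 authPriv instead of v2c, and clearing LD_LIBRARY_PATH before calling the OS SNMP tools) as an added example; this is not code from the original post or from the RSA SecurID app, and the host, OID, user and passphrases are placeholders I have assumed. The wrapper runs the net-snmp binary in a subshell with LD_LIBRARY_PATH unset, which is what stops it from loading Splunk's own libcrypto from $SPLUNK_HOME/lib:

```shell
#!/bin/sh
# rsa_snmp_poll.sh: wrapper for a Splunk scripted input that polls an RSA
# appliance over SNMPv3 authPriv. Host, OID, user and passphrases are
# placeholders (assumptions for this example), not values from the post.
RSA_HOST="rsa-am.example.internal"
RSA_OID="1.3.6.1.2.1.1"            # system MIB subtree; replace with the OIDs you need
RSA_USER="splunkpoll"
RSA_AUTH_PASS="change-me-auth"
RSA_PRIV_PASS="change-me-priv"

# splunkd exports LD_LIBRARY_PATH=$SPLUNK_HOME/lib to scripted inputs, so OS
# binaries such as snmpwalk pick up Splunk's libcrypto instead of the system
# one and fail to start. Run the command in a subshell with the variable unset.
run_outside_splunk_libs() {
  (unset LD_LIBRARY_PATH; exec "$@")
}

# What a child process sees for LD_LIBRARY_PATH without the wrapper
# (prints "unset" if the variable is absent).
child_ld_path_raw() {
  sh -c 'printf "%s" "${LD_LIBRARY_PATH-unset}"'
}

# The same check, run through the wrapper.
child_ld_path_clean() {
  run_outside_splunk_libs sh -c 'printf "%s" "${LD_LIBRARY_PATH-unset}"'
}

# SNMPv3 authPriv poll: SHA for authentication, AES for privacy (net-snmp flags).
poll_rsa() {
  run_outside_splunk_libs snmpwalk -v3 -l authPriv \
    -u "$RSA_USER" -a SHA -A "$RSA_AUTH_PASS" -x AES -X "$RSA_PRIV_PASS" \
    "$RSA_HOST" "$RSA_OID"
}

# Only poll when asked to, so the file can also be sourced for its helpers.
if [ "${1-}" = "--poll" ]; then
  poll_rsa
fi
```

Invoke it with `--poll` from the scripted-input stanza on the forwarder. The passphrases are in the script only to keep the example self-contained; on a real forwarder keep them out of the app directory and readable only by the splunk user.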

joshd
Builder

Hi Mikael,

  1. Syslog logging was not an option for output at the time this application was built, so snmptraps were the only good way short of putting a lightweight forwarder (UF didn't exist yet) directly on the appliance.
  2. Most likely the snmptrap format changed, but again, it was an older appliance therefore I have no method of testing against new ones.
  3. Again, old appliance, no SNMPv3 at the time.
  4. UF wasn't a deployment option at the time, so can't speak for that.

So as you can tell, this was developed long before there were many options to make life easier 🙂

Since I do not have regular access to an appliance anymore, any changes you've made I would be most interested in reviewing for possible incorporation to an application update. The TA I wrote was only when I had short-term access to an appliance in the field but it did work off of syslog data.

Thanks,
Josh

0 Karma

mikaelbje
Motivator

Hi Josh,

I won't have access to the RSA server before Sep 2, but I'll report back then 🙂

Regards,
Mikael

0 Karma

joshd
Builder

Ok great, feel free to contact me directly -- josh _ discoveredintelligence % ca

_ = @
% = .

🙂

0 Karma

mikaelbje
Motivator

Thanks! Sent you an e-mail 🙂 I'd be glad if you could have a look at it when you have time.

0 Karma