
[RSA SecurID Application for Splunk] - CIM compliance?

Motivator

Hi,

I stumbled upon the RSA SecurID app after a client requested getting logs from their RSA SecurID appliance and have a few questions:

  • is the RSA SecurID app still actively developed? I haven't seen any updates since July 6 2012 except for Splunk version compliance changes.
  • CIM compliance for this app - anyone working on this?

Regards,
Mikael

SplunkTrust

Hi Mikael,

I have not been able to put time into the app unfortunately but do hope to do so soon as I have recently retained access to newer RSA SecurID logs. However what I have done recently is build a TA for the RSA SecurID that is CIM compliant (the app is not). I'll post it on splunkbase shortly, feel free to contact me direct if you need it sooner.

Thanks,
Josh

Motivator

Thanks for your quick reply.

I did a bit of testing myself. What I did was the following:

  • Enable syslog from the RSA server - Not sure why you didn't use syslog in the first place? Perhaps it wasn't available as a feature at the time or because the severity selection seems a bit weird since you can only specify one level of severity, not all?
  • Apply the transforms to the syslog sourcetype instead of SNMP since the regex did not match the SNMP data
  • Change the SNMP script to use SNMPv3 authPriv because SNMPv3 is the only option on this RSA server.
  • Had to unset LD_LIBRARY_PATH in the script too because it complained about missing libcrypto libraries on the Splunk Universal Forwarder

Does this sound like your findings?

I'll be waiting for the app on Splunkbase. Are you breaking it up into an App and Add-on for distributed environments?

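The two script changes Mikael describes (switching the SNMP call to SNMPv3 authPriv and unsetting LD_LIBRARY_PATH so the forwarder's bundled libcrypto stops shadowing the system one) fit in a small scripted-input wrapper. The script below is an added example written for this thread, not the RSA SecurID app's own script or Josh's TA; the hostname, SNMPv3 user, passphrases, the polled OID and the script name `rsa_snmp.sh` are placeholders, since the page gives none of them.

```shell
#!/bin/sh
# Splunk scripted-input wrapper that polls an RSA appliance over SNMPv3 authPriv.
# Added example for this thread, not the RSA SecurID app's own script.
# Host, user, passphrases and OID are placeholders; the real values come from
# the appliance and from the forwarder's environment, never from the script body.

RSA_HOST="${RSA_HOST:-rsa-am.example.internal}"   # placeholder appliance hostname
SNMP_USER="${SNMP_USER:-splunk-ro}"               # placeholder SNMPv3 user
SNMP_AUTHPASS="${SNMP_AUTHPASS:-change-me}"       # placeholder auth passphrase
SNMP_PRIVPASS="${SNMP_PRIVPASS:-change-me}"       # placeholder priv passphrase
SNMP_OID="${SNMP_OID:-SNMPv2-MIB::sysDescr.0}"    # placeholder; use the appliance MIB's OIDs

# Splunk starts scripted inputs with LD_LIBRARY_PATH pointing at $SPLUNK_HOME/lib,
# whose libcrypto is not the build the OS net-snmp binaries were linked against,
# which is the "missing libcrypto" failure seen on the Universal Forwarder.
# Clearing the variable lets /usr/bin/snmpget load the system libraries again.
clean_env() {
    unset LD_LIBRARY_PATH
}

# Print the net-snmp argument list for an SNMPv3 authPriv session (SHA auth, AES priv).
# Any other security level is refused: authPriv is the only level the appliance in
# the thread offers, and the only one that both authenticates and encrypts on the wire.
# The list is consumed with word splitting, so passphrases must not contain whitespace.
snmp_args() {
    level="${1:-authPriv}"
    if [ "$level" != "authPriv" ]; then
        echo "refusing SNMPv3 security level '$level'; authPriv is required" >&2
        return 1
    fi
    printf '%s ' -v3 -l authPriv -u "$SNMP_USER" \
        -a SHA -A "$SNMP_AUTHPASS" -x AES -X "$SNMP_PRIVPASS" \
        -t 2 -r 1
}

# Run one poll and return snmpget's exit status, or 127 if net-snmp is not installed.
poll_rsa() {
    clean_env
    command -v snmpget >/dev/null 2>&1 || { echo "snmpget not found in PATH" >&2; return 127; }
    # shellcheck disable=SC2046  # splitting the argument list into words is intended
    snmpget $(snmp_args authPriv) "$RSA_HOST" "$SNMP_OID"
}

# Splunk invokes the script with "poll" as its argument; with no argument the
# functions are only defined, so the file can also be sourced for testing.
if [ "${1:-}" = "poll" ]; then
    poll_rsa
fi
```

The matching inputs.conf stanza would be `[script://./bin/rsa_snmp.sh poll]` with an `interval`, and the passphrases exported into the forwarder's environment rather than written into the script; a `sourcetype` of the editor's choosing goes on the same stanza so the transforms can be scoped to it.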

SplunkTrust

Hi Mikael,

  1. Syslog logging was not an option for output at the time this application was built, so snmptraps were the only good way short of putting a lightweight forwarder (UF didn't exist yet) directly on the appliance.
  2. Most likely the snmptrap format changed, but again, it was an older appliance, therefore I have no method of testing against new ones.
  3. Again, old appliance, no SNMPv3 at the time.
  4. UF wasn't a deployment option at the time, so I can't speak for that.

So as you can tell, this was developed long before there were many options to make life easier 🙂

Since I do not have regular access to an appliance anymore, any changes you've made I would be most interested in reviewing for possible incorporation to an application update. The TA I wrote was only when I had short-term access to an appliance in the field but it did work off of syslog data.

Thanks,
Josh


Motivator

Hi Josh,

I won't have access to the RSA server before Sep 2, but I'll report back then 🙂

Regards,
Mikael


SplunkTrust

Ok great, feel free to contact me directly -- josh _ discoveredintelligence % ca

_ = @
% = .

🙂


Motivator

Thanks! Sent you an e-mail 🙂 I'd be glad if you could have a look at it when you have time.
