
Splunk Add-on for RSA SecurID App: sourcetype settings

mooree
Path Finder

We've installed the Splunk Add-on for RSA SecurID App on our Cloud instance, and we're feeding the events in from our RSA servers using a syslog aggregator running on a heavy forwarder.

The forwarder has the following in inputs.conf:

[monitor://D:\Syslog-logs\rsa]
disabled = false
host_segment = 3
index = hays_active_directory
sourcetype = rsa:securid:syslog

We see the events arrive in the cloud with this sourcetype, but none of the forms / fields / transforms in the cloud app seem to be working.

The App docs hint at setting the sourcetype based on the event type to one of three types:

"The add-on converts the rsa:securid:syslog source type to rsa:securid:runtime:syslog, rsa:securid:admin:syslog, or rsa:securid:system:syslog according to the log file source."

I don't see this happening. Do we have to configure how RSA sends its syslog to make this happen, or capture the syslog messages differently?

0 Karma
1 Solution

mooree
Path Finder

Sorry for taking so long - I've only just got around to installing on the HF. It seems to have done the trick... the records are getting the right sourcetype, and hence the log entries are now getting properly parsed up.
Thanks!


0 Karma

mooree
Path Finder

Yes - that was exactly what we ended up doing.

0 Karma

rajanala
Path Finder

So to clarify, was the Add-On installed on both the HF and the Search Heads ?

0 Karma


alemarzu
Motivator

Hi there @moore

Syslog format might be a possible problem; for me the Add-on was actually working fine. Check transforms.conf to see whether one of the regexes from the rsa_securid_brach_* stanzas matches any of your logs.

0 Karma

mooree
Path Finder

syslog looks OK - type_1 and type_2 match in regex101.com

Here's a sample (I've masked IPs, user IDs and server names):

2017-09-08 14:57:47 User.Info 99.220.1.240 2017-09-08 14:57:47,701, , audit.admin.com.rsa.authmgr.internal.admin.principalmgt.impl.AMPrincipalAdministrationImpl, INFO, 19403756f001dc0a7cf063a0dc2891a9,94924becf001dc0a001b7418f802c658,99.104.16.235,99.221.1.240,UPDATE_AM_PRINCIPAL,20002,SUCCESS,,,,,,,,,,PRINCIPAL,511b7c049517be0a5d89ee28e32e5c69,f5fe44869517be0a078e4dc7f37ec085,000000000000000000001000e0011000,adm-xxxx,,,,,,

2017-09-08 14:57:48 User.Info 99.221.1.240 2017-09-08 14:57:48,064, , audit.runtime.com.rsa.authmgr.internal.oa.engine.OAProcessor, INFO, 2ee13f38f001dc0a05ccc2ed4a81ff1e,94924becf001dc0a001b7418f802c658,99.104.16.235,99.221.1.240,OA_DATA_DOWNLOAD,23016,SUCCESS,,,511b7c049517be0a5d89ee28e32e5c69,f5fe44869517be0a078e4dc7f37ec085,000000000000000000001000e0011000,adm-xxxx,masked,xxx,c25cc2579517be0a19f64e7a9a53db1c,000000000000000000001000e0011000,99.221.16.235,maskedxxxx1.emea.xxxx.loc,100,,,,,000249852704,,,,,,,,,,

and that matches what's in the raw data on splunk.
So how do I get the app to spot and transform the data?

0 Karma
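The two posts above (alemarzu's suggestion to check which transforms.conf branch regex matches, and the sample lines mooree posted) describe the same mechanism: an index-time rewrite that inspects each raw event and changes its sourcetype from rsa:securid:syslog to one of the admin, runtime or system variants. The script below is an added example, not the add-on's own transforms.conf and not code from anyone in this thread. It simulates that first-match-wins rewrite over the two masked sample events copied from the post above plus two constructed lines. The rule names (example_branch_*) and the regexes, keyed on the RSA logger-name prefix (audit.admin., audit.runtime., system.) visible in the samples, are assumptions made for illustration.

```python
import re

# Events to classify. The first two are the masked sample lines from the thread;
# the last two are constructed for this example (hypothetical values).
SAMPLE_EVENTS = [
    "2017-09-08 14:57:47 User.Info 99.220.1.240 2017-09-08 14:57:47,701, , audit.admin.com.rsa.authmgr.internal.admin.principalmgt.impl.AMPrincipalAdministrationImpl, INFO, 19403756f001dc0a7cf063a0dc2891a9,94924becf001dc0a001b7418f802c658,99.104.16.235,99.221.1.240,UPDATE_AM_PRINCIPAL,20002,SUCCESS,,,,,,,,,,PRINCIPAL,511b7c049517be0a5d89ee28e32e5c69,f5fe44869517be0a078e4dc7f37ec085,000000000000000000001000e0011000,adm-xxxx,,,,,,",
    "2017-09-08 14:57:48 User.Info 99.221.1.240 2017-09-08 14:57:48,064, , audit.runtime.com.rsa.authmgr.internal.oa.engine.OAProcessor, INFO, 2ee13f38f001dc0a05ccc2ed4a81ff1e,94924becf001dc0a001b7418f802c658,99.104.16.235,99.221.1.240,OA_DATA_DOWNLOAD,23016,SUCCESS,,,511b7c049517be0a5d89ee28e32e5c69,f5fe44869517be0a078e4dc7f37ec085,000000000000000000001000e0011000,adm-xxxx,masked,xxx,c25cc2579517be0a19f64e7a9a53db1c,000000000000000000001000e0011000,99.221.16.235,maskedxxxx1.emea.xxxx.loc,100,,,,,000249852704,,,,,,,,,,",
    # Constructed: shape of a system-log line, logger prefix "system."
    "2017-09-08 14:58:01 User.Info 99.221.1.240 2017-09-08 14:58:01,113, , system.com.rsa.authmgr.internal.example.Service, WARN, example system message",
    # Constructed: a line no branch rule recognises (sourcetype must stay unchanged)
    "2017-09-08 14:58:02 User.Info 99.221.1.240 some line the add-on does not recognise",
]

# Sourcetype assigned by inputs.conf on the heavy forwarder (from the thread).
INPUT_SOURCETYPE = "rsa:securid:syslog"

# Ordered rewrite rules: (rule name, compiled regex, target sourcetype).
# First matching rule wins, mirroring how a TRANSFORMS- list is evaluated.
# ASSUMPTION: these patterns are illustrative, keyed on the logger-name prefix
# that follows ", , " in the samples; they are NOT the add-on's real regexes.
BRANCH_RULES = [
    ("example_branch_admin",   re.compile(r",\s*audit\.admin\."),   "rsa:securid:admin:syslog"),
    ("example_branch_runtime", re.compile(r",\s*audit\.runtime\."), "rsa:securid:runtime:syslog"),
    ("example_branch_system",  re.compile(r",\s*system\."),         "rsa:securid:system:syslog"),
]


def rewrite_sourcetype(raw, input_sourcetype=INPUT_SOURCETYPE):
    """Return (sourcetype, rule_name) for one raw event.

    Walks the ordered rules; the first regex that matches sets the new
    sourcetype. If nothing matches, the event keeps the input sourcetype and
    rule_name is None, which is the symptom seen in the thread: events stay
    rsa:securid:syslog and the search-time extractions never apply.
    """
    for name, pattern, target in BRANCH_RULES:
        if pattern.search(raw):
            return target, name
    return input_sourcetype, None


def classify_all(events):
    """Classify a list of raw events; returns a list of (sourcetype, rule_name)."""
    return [rewrite_sourcetype(e) for e in events]


def unmatched(events):
    """Events that would fall through every branch rule (useful for a quick audit)."""
    return [e for e in events if rewrite_sourcetype(e)[1] is None]


if __name__ == "__main__":
    for raw, (sourcetype, rule) in zip(SAMPLE_EVENTS, classify_all(SAMPLE_EVENTS)):
        why = rule or "(no match: sourcetype unchanged)"
        print(f"{sourcetype:28} via {why:36} <- {raw[:55]}...")
    print(f"{len(unmatched(SAMPLE_EVENTS))} event(s) would keep sourcetype {INPUT_SOURCETYPE}")
```

In Splunk this rewrite is driven by a props.conf TRANSFORMS- entry whose transforms.conf stanzas set DEST_KEY = MetaData:Sourcetype, and it runs on the first full Splunk instance that parses the data. With a heavy forwarder in front of Splunk Cloud, that instance is the HF, which is why installing the add-on only on the cloud search tier leaves every event at rsa:securid:syslog, exactly as the thread concludes. Running the real stanza regexes from the installed add-on through this script against a few raw lines is a quick way to confirm which branch, if any, the syslog aggregator's output will hit.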

alemarzu
Motivator

Have you installed this add-on on your Indexer/Heavy Forwarder?

0 Karma

mooree
Path Finder

Thanks for your help:

The app is installed on the Splunk Cloud platform. It's not installed on the HF. If I did, would it still forward the stuff to the cloud? Would they fight?

0 Karma

alemarzu
Motivator

They shouldn't. How did you set up your input into your HF?

0 Karma

mooree
Path Finder

That's the inputs.conf in the OP. Sorry - I didn't make that clear.

[monitor://D:\Syslog-logs\rsa]
disabled = false
host_segment = 3
index = hays_active_directory
sourcetype = rsa:securid:syslog

0 Karma

alemarzu
Motivator

It seems okay to me. Try installing the add-on onto the HF and see what happens.

0 Karma