Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk Add-on for RSA SecurID App: sourcetype ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We've installed the Splunk Add-on for RSA SecurID App to our Cloud instance, ans we're feeding he events in from our RSA servers using a SYSlog aggregator running on a heavy forwarder.
the forwarder has the following in inputs.conf
[monitor://D:\Syslog-logs\rsa]
disabled = false
host_segment = 3
index = hays_active_directory
sourcetype = rsa:securid:syslog
we see the events into the cloud with this sourcetype, but none of the forms / fields / transforms on the cloud app seem to be working.
the App docs hint at setting the sourcetype based on the event type to one of three type s
"The add-on converts the rsa:securid:syslog source type to rsa:securid:runtime:syslog, rsa:securid:admin:syslog, or rsa:securid:system:syslog according to the log file source."
I don't see this happening. Do we have to configure how the RSA syslogs to help this happen, or capture the syslog messages differently?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry for taking so long - I've only just got around to installing on the HF. It seems to have done the trick... the records are getting the right source type, and hence the log entries are now getting properly parsed up.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes - that was exactly what we ended up doing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So to clarify, was the Add-On installed on both the HF and the Search Heads ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry for taking so long - I've only just got around to installing on the HF. It seems to have done the trick... the records are getting the right source type, and hence the log entries are now getting properly parsed up.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there @moore
Syslog format might be a possible problem, for me actually the Add-on was working fine. Check the transforms.conf to see if one of the regex from the rsa_securid_brach_* stanzas match any of your logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
syslog looks OK - type_1 and type_2 match in regex101.com
here's a sample (i've masked IP, userids and servernames)
2017-09-08 14:57:47 User.Info 99.220.1.240 2017-09-08 14:57:47,701, , audit.admin.com.rsa.authmgr.internal.admin.principalmgt.impl.AMPrincipalAdministrationImpl, INFO, 19403756f001dc0a7cf063a0dc2891a9,94924becf001dc0a001b7418f802c658,99.104.16.235,99.221.1.240,UPDATE_AM_PRINCIPAL,20002,SUCCESS,,,,,,,,,,PRINCIPAL,511b7c049517be0a5d89ee28e32e5c69,f5fe44869517be0a078e4dc7f37ec085,000000000000000000001000e0011000,adm-xxxx,,,,,,
2017-09-08 14:57:48 User.Info 99.221.1.240 2017-09-08 14:57:48,064, , audit.runtime.com.rsa.authmgr.internal.oa.engine.OAProcessor, INFO, 2ee13f38f001dc0a05ccc2ed4a81ff1e,94924becf001dc0a001b7418f802c658,99.104.16.235,99.221.1.240,OA_DATA_DOWNLOAD,23016,SUCCESS,,,511b7c049517be0a5d89ee28e32e5c69,f5fe44869517be0a078e4dc7f37ec085,000000000000000000001000e0011000,adm-xxxx,masked,xxx,c25cc2579517be0a19f64e7a9a53db1c,000000000000000000001000e0011000,99.221.16.235,maskedxxxx1.emea.xxxx.loc,100,,,,,000249852704,,,,,,,,,,
and that matches what's in the raw data on splunk.
So how do I get the app to spot and transform the data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you install this add-on on your Indexer/Heavy Forwarder ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help:
The app is installed on the Splunk Cloud platform. It's not installed on the HF. if i did, would it still forward the stuff to the cloud? Would they fight?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
They shouldnt. How did you set up your input into your HF ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's the inputs.conf in the OP. Sorry - I didn't make that clear.
[monitor://D:\Syslog-logs\rsa]
disabled = false
host_segment = 3
index = hays_active_directory
sourcetype = rsa:securid:syslog
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems okey to me. Try installing the add-on onto the HF and see what happens
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
