
Technology Add-on for RSA SecurID: Why are some field names inconsistent with the data coming from syslog?

tmerry
Explorer

To start - thanks for posting the RSA TA! I was about to create my own this weekend based on components of the neglected RSA App, but you did the bulk of the work for me. The installation was easy enough after making a few tweaks on the props.conf for our environment.

However, after looking at the field extractions, I'm noticing some field names that are inconsistent with the data that is coming from syslog. For instance, in transforms.conf under rsa_runtime_2, the agent_src_ip field is actually the hostname of the RSA agent and the agent_dest_ip is the IP address of the same agent. When I look at the transforms.conf for the RSA app, their naming seems more consistent with the data I'm seeing out of syslog. This is all on RSA Authentication Manager 8.1.

There are a few more examples of this, but before I dig too deep and make these adjustments in my copy of the TA, I wanted to see if others are noticing the same thing.

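The mismatch described in the post (a capture named agent_src_ip that actually holds a hostname, and agent_dest_ip that holds the IP) is easy to catch mechanically: run the extraction over a sample of events and flag every field whose name promises an IP address but whose value does not parse as one. The following is an added example, not code from the RSA TA, the RSA App or the original poster. The sample events and both regexes are constructed for illustration and do not reproduce the real RSA Authentication Manager 8.1 syslog format or the TA's actual transforms.conf stanzas; the field names agent_host and agent_ip are a hypothetical corrected naming.

```python
import ipaddress
import re

# Constructed sample events. They imitate a comma-delimited authentication
# record only so the checks below have something to run against; they are
# NOT real RSA Authentication Manager 8.1 output.
SAMPLE_EVENTS = [
    "Dec 10 12:34:56 am01 AUTHN_SUCCESS, vpn-gw01.example.com, 10.0.0.5, jdoe",
    "Dec 10 12:35:01 am01 AUTHN_FAILED, citrix-ng02.example.com, 10.0.1.17, asmith",
]
SAMPLE_EVENT = SAMPLE_EVENTS[0]

# Hypothetical extraction with the defect the post describes: the capture
# named agent_src_ip holds the agent hostname and agent_dest_ip holds the
# agent's IP address.
MISLABELLED = re.compile(
    r"(?P<event>\w+),\s*(?P<agent_src_ip>[^,]+),\s*(?P<agent_dest_ip>[^,]+),\s*(?P<user>\S+)"
)

# Same captures, renamed to say what they actually contain (hypothetical names).
CORRECTED = re.compile(
    r"(?P<event>\w+),\s*(?P<agent_host>[^,]+),\s*(?P<agent_ip>[^,]+),\s*(?P<user>\S+)"
)


def extract(pattern, event):
    """Return the named captures for one event as a dict, or {} if no match."""
    m = pattern.search(event)
    return m.groupdict() if m else {}


def is_ip(value):
    """True if value is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def misnamed_ip_fields(fields):
    """Names of *_ip fields whose value is not an IP address (sorted)."""
    return sorted(
        name for name, value in fields.items()
        if name.endswith("_ip") and not is_ip(value)
    )


def audit(pattern, events):
    """Run the extraction over many events; count mismatches per field name.

    A field that shows up here consistently is misnamed in the extraction,
    not just absent from the odd malformed event.
    """
    counts = {}
    for event in events:
        for name in misnamed_ip_fields(extract(pattern, event)):
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print("mislabelled:", audit(MISLABELLED, SAMPLE_EVENTS))
    print("corrected:  ", audit(CORRECTED, SAMPLE_EVENTS))
```

Point the same audit at a larger, sanitized export of your own events and at the TA's real regexes before renaming anything: a field that fails the check on every event is misnamed in the transform, while one that fails only occasionally is more likely a format variation worth its own stanza.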

joshd
Builder

Yes the RSA app is in dire need of an update, but unfortunately time has not permitted this activity to commence. Christmas "holidays" may provide such a time though 🙂

Are you able to provide me with a sample of your syslog data (just replace any sensitive data with fictitious data)? It would be beneficial to compare the samples we have built the TA on against that which you have.


tmerry
Explorer

I'd been trying to get around to sanitizing some logs, opening a case with RSA to get syslog field descriptions and sending along some of the tweaks I had made to the TA, but just noticed that Splunk released an add-on for RSA SecurID a few days ago. Going to give that a try and go from there.
