
Technology Add-on for RSA SecurID: Why are some field names inconsistent with the data coming from syslog?

tmerry
Explorer

To start - thanks for posting the RSA TA! I was about to create my own this weekend based on components of the neglected RSA App, but you did the bulk of the work for me. The installation was easy enough after making a few tweaks on the props.conf for our environment.

However, after looking at the field extractions, I'm noticing some field names that are inconsistent with the data that is coming from syslog. For instance, in transforms.conf under rsa_runtime_2, the agent_src_ip field is actually the hostname of the RSA agent and the agent_dest_ip is the IP address of the same agent. When I look at the transforms.conf for the RSA app, their naming seems more consistent with the data I'm seeing out of syslog. This is all on RSA Authentication Manager 8.1.

There are a few more examples of this, but before I dig too deep and make these adjustments in my copy of the TA, I wanted to see if others are noticing the same thing.

0 Karma
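The mismatch described in the question (a field named `agent_src_ip` holding a hostname) can be checked mechanically before editing transforms.conf. The following is an added example, not code from the TA or from either poster: it takes extracted field/value pairs, classifies each value, and reports fields whose `_ip` suffix disagrees with what they mostly contain. The sample events, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample: extracted fields per event, e.g. exported from a search.
SAMPLE_EVENTS = [
    {"agent_src_ip": "rsa-agent01.example.com", "agent_dest_ip": "192.0.2.10"},
    {"agent_src_ip": "rsa-agent02.example.com", "agent_dest_ip": "192.0.2.11"},
    {"agent_src_ip": "rsa-agent01.example.com", "agent_dest_ip": "2001:db8::5"},
]


def classify(value):
    """Return 'ip', 'hostname' or 'other' for one extracted value."""
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    looks_like_name = all(
        label
        and len(label) <= 63
        and label.replace("-", "").isalnum()
        and not label.startswith("-")
        and not label.endswith("-")
        for label in labels
    )
    # Require a letter so a truncated address such as "192.0.2" is not a name.
    if looks_like_name and any(c.isalpha() for c in value):
        return "hostname"
    return "other"


def audit_field_names(events, threshold=0.9):
    """Map each *_ip field to its dominant value kind when that kind is not 'ip'."""
    seen = {}
    for event in events:
        for name, value in event.items():
            seen.setdefault(name, Counter())[classify(str(value))] += 1
    findings = {}
    for name, kinds in seen.items():
        dominant, count = kinds.most_common(1)[0]
        share = count / sum(kinds.values())
        if name.endswith("_ip") and dominant != "ip" and share >= threshold:
            findings[name] = dominant
    return findings


if __name__ == "__main__":
    for field, kind in audit_field_names(SAMPLE_EVENTS).items():
        print(f"{field}: values are mostly {kind}, not IP addresses")
```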

joshd
Builder

Yes, the RSA app is in dire need of an update, but unfortunately time has not permitted this activity to commence. Christmas "holidays" may provide such a time though 🙂

Are you able to provide me with a sample of your syslog data (just replace any sensitive data with fictitious data)? It would be beneficial to compare the samples we have built the TA on against that which you have.

0 Karma

tmerry
Explorer

I'd been trying to get around to sanitizing some logs, opening a case with RSA to get syslog field descriptions and sending along some of the tweaks I had made to the TA, but just noticed that Splunk released an add-on for RSA SecurID a few days ago. Going to give that a try and go from there.

0 Karma