Integrate Splunk with RSA
The customer has already deployed RSA, with syslog, SNMP traps, WMI, and the proprietary RSA agent sending logs to the RSA logger. How can we get those logs from RSA, or can we tap them before the logs are injected into RSA?
lsdata is your friend. I managed to use it successfully to export Cisco ASA logs (intact), save them to a local file on the enVision appliance and then pull them from the Splunk server side via an SMB file share. This involves batch jobs on both sides.
So how can the RSA collector send logs to Splunk? I have configured Splunk as a receiver on a specific port, but any idea how to configure RSA as a forwarder? Any help will be greatly appreciated.
Santisookgable, if I understand correctly, you have a network environment being monitored, various logs are being sent through syslog and RSA agents to the RSA collector before they are then sent on to enVision, and you want to intercept the logs on the collectors to have them forwarded on to Splunk?
If so I am also looking for the same information. Please share whatever you might find out on this. Thanks.
Thank you for the comment and the Splunk app. Let me discuss RSA Logger integration with Splunk. SNMP traps from RSA are usually system events or correlation logs, but I want to integrate Splunk to get the raw logs from RSA.
Can we export raw logs from the RSA log receiver to Splunk, or can the RSA log forwarder send to Splunk and have Splunk forward on to the RSA log receiver?
The SNMP traps capture whatever you set the "Administrative/Runtime/System Audit Log Trap Level" to. If you set them all to Success then it will capture all actions initiated by all users, administrators and the device itself.
Is there more data you are looking for?
Depending on whether you are running the appliance or AM is installed on your own standalone machine, you can configure a public key for the emcsrv account and use rsync to remotely grab data from the machine and pull it down to Splunk for indexing and parsing. I never covered this approach in my app since it's bad security practice.
I just made my Splunk for RSA SecurID app available on Splunkbase. It may be of some use to you:
http://splunk-base.splunk.com/apps/33495/splunk-for-rsa-securid-appliances
What I've been doing is just getting the RSA to send SNMP traps to my Splunk server, then having Splunk monitor and index those events from the file. This will get you all the login/logout events, etc. I also incorporate a scripted input to snmpget specific values from the RSA. From there it's not too hard to write a regex or do field extractions to get the relevant data you need.
Here's a sample SNMP trap from the RSA:
2011-09-27 11:42:36 rsa.local [UDP: [1.1.1.1]:18631]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (258755894) 29 days, 22:45:58.94 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.2197.20.17 SNMPv2-SMI::enterprises.2197.20.16.5.0 = STRING: "INFO" SNMPv2-SMI::enterprises.2197.20.16.7.0 = STRING: "13002" SNMPv2-SMI::enterprises.2197.20.16.6.0 = STRING: "Runtime event {ID: ab8d4ba064010a0a028e5a0170b5331e, time: Tue Sep 27 11:42:36 EDT 2011, client: 1.1.1.10, user: User [ID: 30842478345210b0a033433a28853f555, session ID: ab8d4c9c64345a0a028cb2e9fba30e5f-/bpgaUNcPy79, login name: John_Doe, first name: John, last name: Doe, security domain ID: 5c27c74364010a0a03763757bf63fd18, identity source ID: 307de6a864010a0a0342aca89e488d7e], action: AUTHN_LOGIN_EVENT, action id: 13002, result: SUCCESS, reason: AUTHN_METHOD_SUCCESS, agent: Agent [ID: 2c2e979b64010a0a02916426272037ec, name: server1.local, address: 1.1.1.10, type: 7, security domain ID: 000000000000000000001000e0011000], policy: Policy [method ID: 000000000000000000002000f1022000, policy ID: null, method name: SecurID_Native, policy expression: null], arguments: [AUTHN_LOGIN_EVENT, 5, 1, null, null, null, null, 3084c90864010a0a0286b13a3dc6c61f, 000111656726, null]}" SNMPv2-SMI::enterprises.2197.20.16.8.0 = STRING: "AUTHN_METHOD_SUCCESS"
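As an added example (not code from this thread, from Splunk or from RSA), here is a small Python parser for the trap format shown above, with a detection helper that goes one step further than the post and flags login events that did not succeed. The mapping of the enterprises.2197.20.16.N.0 varbinds to field names is an assumption read off the sample, and the sample traps, including the failed-login one, are constructed with shortened IDs.

```python
import re

# Constructed sample traps shaped like the one posted in the thread (IDs shortened).
# The second, failed login, and its "WARN"/"FAILED" values, are invented for the example.
TRAPS = [
    'SNMPv2-SMI::enterprises.2197.20.16.5.0 = STRING: "INFO" '
    'SNMPv2-SMI::enterprises.2197.20.16.7.0 = STRING: "13002" '
    'SNMPv2-SMI::enterprises.2197.20.16.6.0 = STRING: "Runtime event {ID: ab8d4ba0, '
    'time: Tue Sep 27 11:42:36 EDT 2011, client: 1.1.1.10, user: User [ID: 30842478, '
    'login name: John_Doe, first name: John, last name: Doe], action: AUTHN_LOGIN_EVENT, '
    'action id: 13002, result: SUCCESS, reason: AUTHN_METHOD_SUCCESS, agent: Agent [ID: '
    '2c2e979b, name: server1.local, address: 1.1.1.10, type: 7]}" '
    'SNMPv2-SMI::enterprises.2197.20.16.8.0 = STRING: "AUTHN_METHOD_SUCCESS"',
    'SNMPv2-SMI::enterprises.2197.20.16.5.0 = STRING: "WARN" '
    'SNMPv2-SMI::enterprises.2197.20.16.7.0 = STRING: "13002" '
    'SNMPv2-SMI::enterprises.2197.20.16.6.0 = STRING: "Runtime event {ID: ab8d4c9c, '
    'time: Tue Sep 27 11:50:02 EDT 2011, client: 1.1.1.20, user: User [ID: 30842478, '
    'login name: John_Doe], action: AUTHN_LOGIN_EVENT, action id: 13002, result: FAILED, '
    'reason: AUTHN_METHOD_FAILED, agent: Agent [ID: 2c2e979b, name: server1.local, '
    'address: 1.1.1.20, type: 7]}" '
    'SNMPv2-SMI::enterprises.2197.20.16.8.0 = STRING: "AUTHN_METHOD_FAILED"',
]

# Assumed varbind meanings, read off the sample (not taken from an RSA MIB).
VARBINDS = {"5": "severity", "7": "action_id", "6": "message", "8": "reason"}
VARBIND_RE = re.compile(r'enterprises\.2197\.20\.16\.(\d+)\.0 = STRING: "([^"]*)"')

EVENT_FIELDS = {  # fields pulled out of the "Runtime event {...}" text
    "client": re.compile(r"\bclient: ([^,\]}]+)"),
    "login_name": re.compile(r"\blogin name: ([^,\]]+)"),
    "action": re.compile(r"\baction: (\w+)"),  # "action id:" is skipped on purpose
    "result": re.compile(r"\bresult: (\w+)"),
    "agent_name": re.compile(r"agent: Agent \[[^\]]*?\bname: ([^,\]]+)"),
}

def parse_trap(line):
    """Flatten one trap line into a dict; None if it carries no runtime event text."""
    fields = {VARBINDS.get(n, n): v for n, v in VARBIND_RE.findall(line)}
    if "message" not in fields:
        return None
    for name, rx in EVENT_FIELDS.items():
        m = rx.search(fields["message"])
        fields[name] = m.group(1).strip() if m else None
    return fields

def failed_logins(lines):
    """Detection helper: (login_name, client, reason) for each login that did not succeed."""
    events = [ev for ev in map(parse_trap, lines) if ev]
    return [(ev["login_name"], ev["client"], ev["reason"]) for ev in events
            if ev["action"] == "AUTHN_LOGIN_EVENT" and ev["result"] != "SUCCESS"]
```

The same regexes carry over to a Splunk field extraction, since the trap text reaches the index unchanged once the snmptrapd output file is monitored.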
