I'm using RSA's Authentication Manager for VPN access to our network. What's the best way to monitor the activity of my RSA server with Splunk? As for activity, I'm talking about VPN activity: logins, logouts, failures, etc. Anyone know of an RSA app for Splunk, or someone working to build one?
Thanks
joshd,
I'm in the same situation as dlynum, and I wonder if you can help me with the "Pre-deployment Assumptions". I have a box with AM 7.1 and I've configured the SNMP approach in the OS (CentOS 5). The AM has the default SNMP configuration (SNMP Adaptor Port: 8002; SNMP Community String: public; SNMP Trap Receivers: SplunkServerIP:161).
I need some tips on sending the SNMP traps to the Splunk Server first of all, and then, I guess, on configuring the Splunk Server to log the SNMP traps in /var/log/snmptraps.log.
Anyway, I'd be glad of any information you can send me back.
Thanks
Josh,
Thanks for letting me know about your app. But I'm not using an appliance; I'm running RSA AM on a Linux box. Can your app be tweaked to work in my situation?
Thanks again
Great! If you need any more clarification or help with those "Pre-Deployment Assumptions" just let me know.
Thanks Josh. I'll try out your app and let you know if I have any issues with it.
No worries, it should work with your configuration as well. You would just need to make sure the "Pre-deployment Assumptions" mentioned in the app description are followed. Enable SNMP traps through AM and configure SNMP on the box if you want the "Network Activity" view to work properly. I just stated it's for the appliances because that's all I have to test against, but in theory it's a very vanilla app and there's nothing too specific about the host config, since most of the configuration is done through the RSA software and not on the appliance. Let me know if you have any questions.
I've made my RSA SecurID app available on splunkbase now that should encompass most of what you are looking for... let me know if you have any questions.
http://splunk-base.splunk.com/apps/33495/splunk-for-rsa-securid-appliances
You do not necessarily need an "app" to square this away for you. All you need is a couple of scheduled searches configured to report.
Ensure the RSA Auth Manager logs are a separate source type (it makes life easier).
Create a couple of saved searches. A quick and dirty example I use is:
sourcetype="RSA_AUTH_MGR" AND fail* | stats count by user,reason | where count >3
Make it a saved search running every 24 hours, email the results (condition if not null) daily.
This will output failed logins and reason if greater than 3 in a table, in the body of an email message.
You could also do a real time search if you want an immediate alert on failed logins.
Same stuff for the logins, etc. Search for Authenticated | stats count by user, save the search to create a report every 24 hours, week, whatever.
Hope this helps.
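As an added example (not vlapeintuit's own configuration, and not part of the original thread), here is how the advice above maps onto Splunk's .conf files: the trap log file is monitored under its own sourcetype, and the failed-login search is scheduled as a daily alert that emails its result table only when it is non-empty. The file path, sourcetype name and search string come from the thread; the index name, the stanza name, the cron schedule and the recipient address are assumptions to adjust. It also assumes snmptrapd on the Splunk host already writes received traps to /var/log/snmptraps.log and is listening on the port the AM trap receiver actually sends to (snmptrapd's default is UDP 162, so the receiver port configured on the AM side should match it).

```ini
# inputs.conf -- on the Splunk server that receives the traps.
# Assumed: snmptrapd writes the traps to this file (path taken from the thread).
[monitor:///var/log/snmptraps.log]
sourcetype = RSA_AUTH_MGR
index = main            ; assumed index, use your own

# props.conf -- one trap per event; prevents multi-line merging of unrelated traps.
[RSA_AUTH_MGR]
SHOULD_LINEMERGE = false

# savedsearches.conf -- the daily failed-login report from the answer above.
[RSA failed logins - daily]   ; assumed stanza name
search = sourcetype="RSA_AUTH_MGR" AND fail* | stats count by user,reason | where count > 3
enableSched = 1
cron_schedule = 0 6 * * *     ; assumed: runs once a day at 06:00
dispatch.earliest_time = -24h
dispatch.latest_time = now
# Fire only when the result table is not empty ("condition if not null").
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = secops@example.com   ; assumed recipient
action.email.sendresults = 1
action.email.inline = 1                ; results table in the message body
action.email.subject = RSA AM: users with more than 3 failed logins in 24h
```

Placing these stanzas in $SPLUNK_HOME/etc/system/local (or in an app's local directory) and restarting Splunk answers the "separate source type" question as well: every event read from the trap log arrives tagged RSA_AUTH_MGR, so the search can select on sourcetype alone rather than on a file path.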
Vlapeintuit,
Being new to Splunk, how do I configure the RSA AM logs to be a separate source type?
Thanks
Thanks vlapeintuit. I'll give your recommendations a try.