
Monitoring RSA/VPN

dlynum
Explorer

I'm using RSA's Authentication Manager for VPN access to our network. What's the best way to monitor the activity of my RSA server with Splunk? As for activity, I'm talking about VPN activity: logins, logouts, failures, etc. Anyone know of an RSA app for Splunk, or someone working to build one?

Thanks


rogaz
New Member

joshd,

I'm in the same situation as dlynum and I wonder if you can help me with the "Pre-deployment Assumptions". I have a box with AM 7.1 and I've configured the SNMP approach in the OS (CentOS 5). The AM has the default SNMP configuration (SNMP Adaptor Port: 8002; SNMP Community String: public; SNMP Trap Receivers: SplunkServerIP:161).

I need some tips on sending the SNMP traps to the Splunk server first of all, and then I guess on configuring the Splunk server to log the SNMP traps in /var/log/snmptraps.log.

Anyway, I'd be glad of any kind of information you can send me back.

Thanks


dlynum
Explorer

Josh,

Thanks for letting me know about your app. But I'm not using an appliance; I'm running RSA AM on a Linux box. Can your app be tweaked to work in my situation?

Thanks again


joshd
Builder

Great! If you need any more clarification or help with those "Pre-Deployment Assumptions" just let me know.


dlynum
Explorer

Thanks Josh. I'll try out your app and let you know if I have any issues with it.


joshd
Builder

No worries, it should work with your configuration as well. You would just need to make sure the "Pre-deployment Assumptions" mentioned in the app description are followed. Enable SNMP traps through AM and configure SNMP on the box if you want the "Network Activity" view to work properly. I just stated it's for the appliances because that's all I have to test against, but in theory it's a very vanilla app and there's nothing too specific about the host config, since most of the configuration is done through the RSA software and not on the appliance. Let me know if you have any questions.


joshd
Builder

I've made my RSA SecurID app available on Splunkbase now; it should encompass most of what you are looking for. Let me know if you have any questions.

http://splunk-base.splunk.com/apps/33495/splunk-for-rsa-securid-appliances


vlapeintuit
Explorer

You do not necessarily need an "app" to square this away for you. All you need is a couple of scheduled searches configured to report.

Ensure the RSA Auth Manager logs are a separate source type (it makes life easier).
Create a couple of saved searches. A quick and dirty example I use is:
    sourcetype="RSA_AUTH_MGR" AND fail* | stats count by user,reason | where count >3
Make it a saved search running every 24 hours, and email the results (condition: if not null) daily.
This will output failed logins and the reason, if greater than 3, in a table in the body of an email message.
You could also do a real-time search if you want an immediate alert on failed logins.

Same stuff for the logins, etc.: search for Authenticated | stats count by user, then save the search to create a report every 24 hours, week, whatever.

Hope this helps.

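To make the logic of the two saved searches above concrete, here is an added example (not part of vlapeintuit's post, and not RSA's or Splunk's code) that runs the same aggregation in plain Python over a handful of constructed log lines: count failures by user and reason, keep only pairs above the threshold of 3, and separately count Authenticated events per user. The key=value line layout, the field names `user`, `result` and `reason`, and the sample users are all assumptions made for this example; the real RSA Authentication Manager format should be checked against the actual sourcetype before the regex is reused.

```python
import re
from collections import Counter

# Constructed sample events in an ASSUMED key=value layout. The real RSA
# Authentication Manager log format differs; adjust LINE_RE to match it.
# The last line is deliberately malformed to show that non-matching lines
# are skipped rather than crashing the report.
SAMPLE_LOG = """\
2011-03-02 08:01:10 AUTHN user=alice result=Authenticated reason=
2011-03-02 08:02:15 AUTHN user=bob result=Failed reason=PASSCODE_INCORRECT
2011-03-02 08:02:40 AUTHN user=bob result=Failed reason=PASSCODE_INCORRECT
2011-03-02 08:03:05 AUTHN user=carol result=Failed reason=TOKEN_DISABLED
2011-03-02 08:03:30 AUTHN user=bob result=Failed reason=PASSCODE_INCORRECT
2011-03-02 08:04:00 AUTHN user=alice result=Authenticated reason=
2011-03-02 08:04:20 AUTHN user=bob result=Failed reason=PASSCODE_INCORRECT
2011-03-02 08:05:00 AUTHN user=carol result=Failed reason=TOKEN_DISABLED
2011-03-02 08:06:00 AUTHN user=bob result=Authenticated reason=
garbage line that does not match the expected layout
"""

# Hypothetical field layout; only the four named groups are used below.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) AUTHN user=(?P<user>\S+) "
    r"result=(?P<result>\S+) reason=(?P<reason>\S*)$"
)


def parse_events(text):
    """Yield one dict per line that matches LINE_RE; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def failures_by_user_reason(text):
    """Mirror of `fail* | stats count by user,reason`.

    The SPL `fail*` matches any token starting with "fail" anywhere in the
    event; here the match is narrowed to the result field, which is the
    field that carries the outcome in this constructed layout.
    """
    counts = Counter()
    for ev in parse_events(text):
        if ev["result"].lower().startswith("fail"):
            counts[(ev["user"], ev["reason"])] += 1
    return counts


def failures_over_threshold(text, threshold=3):
    """Mirror of `| where count >3`; returns sorted (user, reason, count) rows."""
    return sorted(
        (user, reason, count)
        for (user, reason), count in failures_by_user_reason(text).items()
        if count > threshold
    )


def authenticated_by_user(text):
    """Mirror of `Authenticated | stats count by user`."""
    counts = Counter()
    for ev in parse_events(text):
        if ev["result"] == "Authenticated":
            counts[ev["user"]] += 1
    return dict(counts)


def format_report(rows):
    """Render the threshold rows as the plain-text table an alert email would carry."""
    if not rows:
        return "no users over threshold"
    lines = [f"{'user':<10} {'reason':<22} count"]
    lines += [f"{u:<10} {r:<22} {c}" for u, r, c in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(failures_over_threshold(SAMPLE_LOG)))
    print(authenticated_by_user(SAMPLE_LOG))
```

The "condition: if not null" in the post corresponds to `format_report` returning a table only when `failures_over_threshold` yields rows; an empty result is the case where the daily email would be suppressed.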

dlynum
Explorer

Vlapeintuit,

Being new to Splunk, how do I configure the RSA AM logs to be a separate source type?

Thanks


dlynum
Explorer

Thanks vlapeintuit. I'll give your recommendations a try.
