I'm using RSA's Authentication Manager for VPN access to our network. What's the best way to monitor the activity of my RSA server with Splunk? As for activity, I'm talking about VPN activity: logins, logouts, failures, etc. Does anyone know of an RSA app for Splunk, or of someone working to build one?
You do not necessarily need an "app" to square this away for you. All you need is a couple of scheduled searches configured to report.
Ensure the RSA Auth Manager logs are a separate sourcetype (it makes life easier).
Create a couple of saved searches. A quick and dirty example I use is:
sourcetype="RSAAUTHMGR" AND fail* | stats count by user,reason | where count >3
Make it a saved search running every 24 hours, and email the results (condition: if not null) daily.
This will output failed logins and the reason, if greater than 3, in a table in the body of an email message.
You could also do a real-time search if you want an immediate alert on failed logins.
Same stuff for the logins, etc.: search for Authenticated | stats count by user, and save the search to create a report every 24 hours, week, whatever.
Hope this helps.
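The two searches in the answer above (failed logins grouped by user and reason with a count threshold, and successful authentications counted by user), re-implemented in plain Python over a handful of constructed sample events so the logic can be run offline. This is an added example, not code from the original post or from RSA; the key=value event layout, the field names `user`, `result` and `reason`, and every username in it are assumptions made for the example and are not the real Authentication Manager log format. It also counts how many events a free-text `fail*` term would touch, to show why filtering on an extracted result field is more precise than a raw wildcard, which matches any word beginning with "fail" wherever it appears in the event.

```python
import re
from collections import Counter

# Constructed sample events (NOT real RSA Authentication Manager output).
# The key=value layout and field names are assumptions for this example.
SAMPLE_EVENTS = """\
2013-02-11 08:01:12 host=am01 user=jsmith result=Authenticated reason=-
2013-02-11 08:01:40 host=am01 user=bgates result=Failed reason=Passcode_Incorrect
2013-02-11 08:02:03 host=am01 user=bgates result=Failed reason=Passcode_Incorrect
2013-02-11 08:02:31 host=am01 user=bgates result=Failed reason=Passcode_Incorrect
2013-02-11 08:03:05 host=am01 user=bgates result=Failed reason=Passcode_Incorrect
2013-02-11 08:04:00 host=am01 user=mjones result=Failed reason=Token_Not_Found
2013-02-11 08:05:17 host=am02-failover user=jsmith result=Authenticated reason=-
2013-02-11 08:06:44 host=am01 user=rroe result=Failed reason=Passcode_Incorrect
2013-02-11 08:07:02 host=am01 user=rroe result=Failed reason=Token_Disabled
2013-02-11 08:08:10 host=am01 user=rroe result=Failed reason=Passcode_Incorrect
2013-02-11 08:08:55 host=am01 user=rroe result=Failed reason=Passcode_Incorrect
2013-02-11 08:09:20 host=am01 user=rroe result=Failed reason=Passcode_Incorrect
"""

# key=value pairs; the value runs to the next whitespace.
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Approximation of a raw-text "fail*" term: any word that starts with "fail".
RAW_FAIL_RE = re.compile(r"\bfail\w*", re.IGNORECASE)


def parse_event(line):
    """Extract the key=value fields of one event into a dict."""
    return dict(FIELD_RE.findall(line))


def parse_events(text):
    """Parse every non-empty line of a log excerpt."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def failed_logins_over_threshold(events, threshold=3):
    """Equivalent of: result=Failed | stats count by user, reason | where count > threshold.

    Returns {(user, reason): count} for every pair above the threshold.
    """
    counts = Counter(
        (e["user"], e["reason"]) for e in events if e.get("result") == "Failed"
    )
    return {key: n for key, n in counts.items() if n > threshold}


def authenticated_by_user(events):
    """Equivalent of: Authenticated | stats count by user."""
    return dict(Counter(e["user"] for e in events if e.get("result") == "Authenticated"))


def count_raw_wildcard_matches(text):
    """How many events a free-text fail* term would match.

    This also counts events whose only 'fail' is elsewhere in the line
    (here the host name am02-failover), which the field filter excludes.
    """
    return sum(1 for line in text.splitlines() if line.strip() and RAW_FAIL_RE.search(line))


def render_table(rows):
    """Lay the threshold results out as the table an alert email body would carry."""
    lines = ["%-12s %-20s %s" % ("user", "reason", "count")]
    for (user, reason), n in sorted(rows.items()):
        lines.append("%-12s %-20s %d" % (user, reason, n))
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print(render_table(failed_logins_over_threshold(events)))
    print("successful logins by user:", authenticated_by_user(events))
    print("field filter result=Failed:", sum(e["result"] == "Failed" for e in events))
    print("raw fail* term:", count_raw_wildcard_matches(SAMPLE_EVENTS))
```

With the sample data, only bgates and rroe exceed three Passcode_Incorrect failures; rroe's single Token_Disabled failure stays under the threshold because the count is grouped by user and reason together, exactly as `stats count by user,reason` groups it. The raw `fail*` approximation touches one event more than the field filter does, which is the kind of false positive that an extracted result field avoids.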
I've made my RSA SecurID app available on Splunkbase now, which should encompass most of what you are looking for... let me know if you have any questions.
Thanks for letting me know about your app. But I'm not using an appliance; I'm running RSA AM on a Linux box. Can your app be tweaked to work in my situation?
No worries, it should work with your configuration as well. You would just need to make sure the "Pre-deployment Assumptions" mentioned in the app description are followed. Enable SNMP traps through AM and configure SNMP on the box if you want the "Network Activity" view to work properly. I just stated it's for the appliances because that's all I have to test against, but in theory it's a very vanilla app and there's nothing too specific about the host config, since most of the configuration is done through the RSA software and not on the appliance. Let me know if you have any questions.
I'm in the same situation as dlynum and I wonder if you can help me with the "Pre-deployment Assumptions". I have a box with AM 7.1 and I've configured the SNMP approach in the OS (CentOS 5). The AM has the default SNMP configuration (SNMP Adaptor Port: 8002; SNMP Community String: public; SNMP Trap Receivers: SplunkServerIP:161).
First of all, I need some tips on sending the SNMP traps to the Splunk server, and then, I guess, on configuring the Splunk server to log the SNMP traps in /var/log/snmptraps.log.
Anyway, I'd be glad of any information you can send me back.