I'm using RSA's Authentication Manager for VPN access to our network. What's the best way to monitor the activity of my RSA server with Splunk? As for activity, I'm talking about VPN activity: logins, logouts, failures, etc. Anyone know of an RSA app for Splunk, or someone working to build one?

Thanks

asked 14 Oct '11, 15:39

dlynum
3233
accept rate: 0%


4 Answers:

You do not necessarily need an "app" to square this away for you. All you need is a couple of scheduled searches configured to report.

Ensure the RSA Auth Manager logs are a separate source type (it makes life easier). Create a couple of saved searches. A quick and dirty example I use is:

sourcetype="RSA_AUTH_MGR" AND fail* | stats count by user,reason | where count >3

Make it a saved search running every 24 hours, and email the results (condition: if not null) daily. This will output failed logins and reason, if greater than 3, in a table in the body of an email message. You could also do a real-time search if you want an immediate alert on failed logins.

Same stuff for the logins, etc. Search for Authenticated | stats count by user, and save the search to create a report every 24 hours, week, whatever.

Hope this helps.

answered 14 Oct '11, 16:26

vlapeintuit
714
accept rate: 14%
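The two searches in the answer above, as an added worked example that is not from the original post, from RSA or from Splunk: a small Python script that reproduces what "stats count by user,reason | where count > 3" and "stats count by user" compute, run over a handful of constructed key=value events. The event layout, the field names user, reason and result, and the sourcetype value are all assumptions made for the demo and are not the real RSA Authentication Manager log format. The one event tagged with a different sourcetype shows why the answer recommends a separate source type: without that filter, unrelated failures from the same host would be counted into the RSA report.

```python
import re
from collections import Counter

# Constructed sample events for the demo. This key=value layout is invented here and is
# NOT the real RSA Authentication Manager log format; the field names are assumptions.
SAMPLE_EVENTS = [
    "2011-10-14T15:01:02 sourcetype=RSA_AUTH_MGR result=Failed user=alice reason=PASSCODE_INCORRECT",
    "2011-10-14T15:01:40 sourcetype=RSA_AUTH_MGR result=Failed user=alice reason=PASSCODE_INCORRECT",
    "2011-10-14T15:02:11 sourcetype=RSA_AUTH_MGR result=Failed user=alice reason=PASSCODE_INCORRECT",
    "2011-10-14T15:02:55 sourcetype=RSA_AUTH_MGR result=Failed user=alice reason=PASSCODE_INCORRECT",
    "2011-10-14T15:03:30 sourcetype=RSA_AUTH_MGR result=Authenticated user=alice reason=-",
    "2011-10-14T15:10:00 sourcetype=RSA_AUTH_MGR result=Failed user=bob reason=TOKEN_DISABLED",
    "2011-10-14T15:10:20 sourcetype=RSA_AUTH_MGR result=Failed user=bob reason=TOKEN_DISABLED",
    "2011-10-14T15:11:00 sourcetype=RSA_AUTH_MGR result=Authenticated user=bob reason=-",
    "2011-10-14T15:20:00 sourcetype=RSA_AUTH_MGR result=Authenticated user=bob reason=-",
    "2011-10-14T15:30:00 sourcetype=RSA_AUTH_MGR result=Failed user=carol reason=PASSCODE_INCORRECT",
    "2011-10-14T15:30:30 sourcetype=RSA_AUTH_MGR result=Failed user=carol reason=PASSCODE_INCORRECT",
    "2011-10-14T15:31:00 sourcetype=RSA_AUTH_MGR result=Failed user=carol reason=NEXT_TOKENCODE_REQUIRED",
    "2011-10-14T15:31:30 sourcetype=RSA_AUTH_MGR result=Failed user=carol reason=NEXT_TOKENCODE_REQUIRED",
    "2011-10-14T15:40:00 sourcetype=RSA_AUTH_MGR result=Authenticated user=dave reason=-",
    # Same host, different source type: must NOT land in the RSA report.
    "2011-10-14T15:41:00 sourcetype=linux_secure result=Failed user=alice reason=bad_password",
]

# Splunk-style term matches: "fail*" is a case-insensitive prefix term, "Authenticated" a whole term.
FAIL_TERM = re.compile(r"\bfail\w*", re.IGNORECASE)
AUTHENTICATED_TERM = re.compile(r"\bauthenticated\b", re.IGNORECASE)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Extract key=value fields from one event line (assumed layout)."""
    return dict(KV_RE.findall(line))


def failed_logins_over_threshold(events, threshold=3, sourcetype="RSA_AUTH_MGR"):
    """Equivalent of: sourcetype="RSA_AUTH_MGR" AND fail* | stats count by user,reason | where count > threshold.

    Returns {(user, reason): count} for pairs strictly above the threshold. An empty dict is the
    "null" result, i.e. the scheduled alert's "if not null" condition is not met and no email goes out.
    """
    counts = Counter()
    for line in events:
        fields = parse_event(line)
        if fields.get("sourcetype") != sourcetype or not FAIL_TERM.search(line):
            continue
        counts[(fields.get("user", "unknown"), fields.get("reason", "unknown"))] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def authenticated_by_user(events, sourcetype="RSA_AUTH_MGR"):
    """Equivalent of: sourcetype="RSA_AUTH_MGR" Authenticated | stats count by user (sourcetype filter assumed)."""
    counts = Counter()
    for line in events:
        fields = parse_event(line)
        if fields.get("sourcetype") != sourcetype or not AUTHENTICATED_TERM.search(line):
            continue
        counts[fields.get("user", "unknown")] += 1
    return dict(counts)


def render_table(rows, headers):
    """Render result rows as a plain-text table, the shape the alert email body carries."""
    lines = ["\t".join(headers)]
    for row in rows:
        lines.append("\t".join(str(cell) for cell in row))
    return "\n".join(lines)


if __name__ == "__main__":
    failures = failed_logins_over_threshold(SAMPLE_EVENTS)
    if failures:  # "condition if not null": only report when there is something to report
        rows = [(user, reason, n) for (user, reason), n in sorted(failures.items())]
        print("Failed logins over threshold:\n" + render_table(rows, ("user", "reason", "count")))
    logins = authenticated_by_user(SAMPLE_EVENTS)
    print("\nSuccessful logins:\n" + render_table(sorted(logins.items()), ("user", "count")))
```

Note that grouping by user and reason, as the original search does, means a user whose failures are spread across several reasons (carol above: two of one kind, two of another) stays under the threshold even though her total is four; group by user alone if the total per user is what you want to alert on.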

Thanks vlapeintuit. I'll give your recommendations a try.

(14 Oct '11, 17:10) dlynum

Vlapeintuit,

Being new to Splunk, how do I configure the RSA AM logs to be a separate source type?

Thanks

(19 Oct '11, 14:01) dlynum

I've made my RSA SecurID app available on Splunkbase now; it should encompass most of what you are looking for. Let me know if you have any questions.

Splunk for RSA SecurID Appliances on Splunkbase

answered 02 Nov '11, 16:04

joshd
8642212
accept rate: 26%

Josh,

Thanks for letting me know about your app. But I'm not using an appliance; I'm running RSA AM on a Linux box. Can your app be tweaked to work in my situation?

Thanks again

answered 03 Nov '11, 09:52

dlynum
3233
accept rate: 0%

No worries, it should work with your configuration as well. You would just need to make sure the "Pre-deployment Assumptions" mentioned in the app description are followed. Enable SNMP traps through AM and configure SNMP on the box if you want the "Network Activity" view to work properly. I just stated it's for the appliances because that's all I have to test against, but in theory it's a very vanilla app, and there's nothing too specific about the host config since most of the configuration is done through the RSA software and not on the appliance. Let me know if you have any questions.

(03 Nov '11, 12:06) joshd

Thanks Josh. I'll try out your app and let you know if I have any issues with it.

(03 Nov '11, 12:15) dlynum

Great! If you need any more clarification or help with those "Pre-Deployment Assumptions" just let me know.

(03 Nov '11, 12:16) joshd

joshd,

I'm in the same situation as dlynum, and I wonder if you can help me with the "Pre-deployment Assumptions". I have a box with AM 7.1 and I've configured the SNMP approach in the OS (CentOS 5). The AM has the default SNMP configuration (SNMP Adaptor Port: 8002; SNMP Community String: public; SNMP Trap Receivers: SplunkServerIP:161).

First of all, I need some tips on sending the SNMP traps to the Splunk server; then, I guess, on configuring the Splunk server to log the SNMP traps in /var/log/snmptraps.log.

Anyway, I'd be glad of any kind of information you can send me back.

Thanks

answered 25 Mar '13, 07:10

rogaz
111
accept rate: 0%

edited 26 Mar '13, 10:19

Asked: 14 Oct '11, 15:39

Seen: 2,357 times

Last updated: 26 Mar '13, 10:19
