Deployment Architecture

Integrate Splunk with RSA

santisookgable
New Member

The customer has already deployed RSA, sending syslog, SNMP traps, WMI, and proprietary RSA agent logs to the RSA logger. How can we get those logs from RSA, or can we tap them before the logs are injected into RSA?

0 Karma

yhamza
New Member

lsdata is your friend, I managed to use it successfully to export Cisco ASA logs (intact), save them to a local file on the enVision appliance and then pull them from the Splunk server side via SMB file share. This involves batch jobs on both sides.

https://community.emc.com/thread/153234

0 Karma

topan
New Member

So how can the RSA collector send logs to Splunk? I have configured Splunk as a receiver on a specific port, but any idea how to configure RSA as a forwarder? Any help will be greatly appreciated.

0 Karma

Jjza
New Member

Santisookgable, if I understand correctly, you have a network environment being monitored and various logs are being sent through syslog and RSA agents to the RSA collector before they are then sent on to enVision, and you want to intercept the logs on the collectors to have them forwarded on to Splunk?

If so I am also looking for the same information. Please share whatever you might find out on this. Thanks.

0 Karma

santisookgable
New Member

Thank you for the comment and the Splunk app. Let me discuss RSA Logger integration with Splunk. SNMP traps from RSA are usually system events or correlation logs, but I want to integrate Splunk to get the raw logs from RSA.
Can we export raw logs from the RSA log receiver to Splunk, or can the RSA log forwarder send to Splunk and Splunk forward on to the RSA log receiver?

0 Karma

joshd
Builder

The SNMP traps capture whatever you set the "Administrative/Runtime/System Audit Log Trap Level" to. If you set them all to Success then it will capture all actions initiated by all users, administrators and the device itself.

Is there more data you are looking for?

Depending on whether you are running the appliance or AM is installed on your own standalone machine, you can configure a public key for the emcsrv account and use rsync to remotely grab data from the machine and pull it down to Splunk for indexing and parsing. I never covered this approach in my app since it's bad security practice.

0 Karma

joshd
Builder

I just made my Splunk for RSA SecurID app available on Splunkbase; it may be of some use to you:

http://splunk-base.splunk.com/apps/33495/splunk-for-rsa-securid-appliances

0 Karma

joshd
Builder

What I've been doing is just getting the RSA to send SNMP traps to my Splunk server, then having Splunk monitor and index those events from the file. This will get you all the login/logout events, etc. I also incorporate a scripted input to snmpget specific values from the RSA. From there it's not too hard to write a regex or do field extractions to get the relevant data you need.

Here's a sample snmptrap from the RSA:

2011-09-27 11:42:36 rsa.local [UDP: [1.1.1.1]:18631]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (258755894) 29 days, 22:45:58.94       SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.2197.20.17     SNMPv2-SMI::enterprises.2197.20.16.5.0 = STRING: "INFO" SNMPv2-SMI::enterprises.2197.20.16.7.0 = STRING: "13002"        SNMPv2-SMI::enterprises.2197.20.16.6.0 = STRING: "Runtime event {ID: ab8d4ba064010a0a028e5a0170b5331e, time: Tue Sep 27 11:42:36 EDT 2011, client: 1.1.1.10, user: User [ID: 30842478345210b0a033433a28853f555, session ID: ab8d4c9c64345a0a028cb2e9fba30e5f-/bpgaUNcPy79, login name: John_Doe, first name: John, last name: Doe, security domain ID: 5c27c74364010a0a03763757bf63fd18, identity source ID: 307de6a864010a0a0342aca89e488d7e], action: AUTHN_LOGIN_EVENT, action id: 13002, result: SUCCESS, reason: AUTHN_METHOD_SUCCESS, agent: Agent [ID: 2c2e979b64010a0a02916426272037ec, name: server1.local, address: 1.1.1.10, type: 7, security domain ID: 000000000000000000001000e0011000], policy: Policy [method ID: 000000000000000000002000f1022000, policy ID: null, method name: SecurID_Native, policy expression: null], arguments: [AUTHN_LOGIN_EVENT, 5, 1, null, null, null, null, 3084c90864010a0a0286b13a3dc6c61f, 000111656726, null]}"      SNMPv2-SMI::enterprises.2197.20.16.8.0 = STRING: "AUTHN_METHOD_SUCCESS"
0 Karma
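As an added example (not code from this thread or from joshd's app), a small Python parser for the snmptrapd record format shown in the post above: it flattens the RSA varbinds into fields and pulls action, result, login name, client and agent name out of the "Runtime event" text, which is the field extraction the post describes. The sample record is constructed from the posted trap, with IDs, hosts and addresses shortened to placeholders.

```python
import re
from typing import Dict, Optional

# Constructed sample record, modelled on the snmptrapd line posted in this thread
# (IDs, hosts and addresses are placeholders, not real values).
SAMPLE_TRAP = (
    '2011-09-27 11:42:36 rsa.local [UDP: [1.1.1.1]:18631]:\n'
    'DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (258755894) 29 days, 22:45:58.94\t'
    'SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.2197.20.17\t'
    'SNMPv2-SMI::enterprises.2197.20.16.5.0 = STRING: "INFO" SNMPv2-SMI::enterprises.2197.20.16.7.0 = STRING: "13002"\t'
    'SNMPv2-SMI::enterprises.2197.20.16.6.0 = STRING: "Runtime event {ID: ab8d4ba0, '
    'time: Tue Sep 27 11:42:36 EDT 2011, client: 1.1.1.10, user: User [ID: 30842478, '
    'session ID: ab8d4c9c, login name: John_Doe, first name: John, last name: Doe], '
    'action: AUTHN_LOGIN_EVENT, action id: 13002, result: SUCCESS, reason: AUTHN_METHOD_SUCCESS, '
    'agent: Agent [ID: 2c2e979b, name: server1.local, address: 1.1.1.10, type: 7], policy: Policy [method name: SecurID_Native]}"\t'
    'SNMPv2-SMI::enterprises.2197.20.16.8.0 = STRING: "AUTHN_METHOD_SUCCESS"'
)

# Each RSA varbind is enterprises.2197.20.16.<n>.0 = STRING: "..."; in the posted
# trap .5 is the severity, .6 the "Runtime event" text, .7 the action id, .8 the reason.
VARBIND_RE = re.compile(r'enterprises\.2197\.20\.16\.(\d+)\.0 = STRING: "((?:[^"\\]|\\.)*)"')
RSA_FIELDS = {"5": "severity", "6": "message", "7": "action_id", "8": "reason"}

# Key/value pairs inside the Runtime event text; "login name:" and the agent's "name:"
# are anchored so that "first name:" / "last name:" / "method name:" do not match.
MESSAGE_RES = {
    "action": re.compile(r"\baction: (\w+)"),
    "result": re.compile(r"\bresult: (\w+)"),
    "client": re.compile(r"\bclient: ([\d.]+)"),
    "login_name": re.compile(r"\blogin name: ([^,\]]+)"),
    "agent_name": re.compile(r"agent: Agent \[[^\]]*?\bname: ([^,\]]+)"),
}

def parse_rsa_trap(record: str) -> Optional[Dict[str, str]]:
    """Flatten one snmptrapd record into fields; None if it has no Runtime event varbind."""
    event: Dict[str, str] = {}
    for idx, value in VARBIND_RE.findall(record):
        if idx in RSA_FIELDS:
            event[RSA_FIELDS[idx]] = value
    if "message" not in event:
        return None
    for name, pattern in MESSAGE_RES.items():
        m = pattern.search(event["message"])
        if m:
            event[name] = m.group(1).strip()
    return event

def is_failed_login(event: Dict[str, str]) -> bool:
    # Detection helper: a login event whose result is anything other than SUCCESS.
    return event.get("action") == "AUTHN_LOGIN_EVENT" and event.get("result") != "SUCCESS"
```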