Event Source Log Configuration Guide
RSA Authentication Manager and User Credential Manager
Last Modified: Friday, March 13, 2015
Event Source Product Information:
Vendor: RSA, The Security Division of EMC
Event Source: Authentication Manager, User Credential Manager
Versions: 5.2, 6.0, 6.1, 7.1 SP2, 7.1 SP4 Patch 3, Patch 6, 8.0, 8.1
RSA Product Information:
Supported On: Security Analytics 10.0 and later
Event Source Log Parser: rsaacesrv
Collection Method: Syslog
Perform the following tasks:
I. Depending on your version of RSA Authentication Manager, perform one of the following tasks:
   • Configure RSA Auth Manager 7.1 to Send Syslog, or
   • Configure RSA Auth Manager 8.x to Send Syslog
II. Configure Security Analytics for Syslog Collection
Configure RSA Authentication Manager 7.1 to Send Syslog Formatted Messages
You can send Syslog formatted messages to the SA platform from RSA Authentication Manager 7.1 SP2 and later.
To configure RSA Authentication Manager to send Syslog:
1. Install RSA Authentication Manager 7.1 SP2 or newer.
Note: The patch contains a fix that is needed to send syslog format messages to the Security Analytics platform.
2. On each Authentication Manager server instance, edit the following lines in the RSA_home\utils\resources\ims.properties file so that they appear as follows:
   • To send Admin audit events to the Security Analytics platform:
     ims.logging.audit.admin.syslog_host = SA_LogDecoder_or_RemoteLogCollector_host
     ims.logging.audit.admin.use_os_logger = true
   • To send Runtime audit events to the Security Analytics platform:
     ims.logging.audit.runtime.syslog_host = SA_LogDecoder_or_RemoteLogCollector_host
     ims.logging.audit.runtime.use_os_logger = true
   • To send System audit events to the Security Analytics platform:
     ims.logging.audit.system.syslog_host = SA_LogDecoder_or_RemoteLogCollector_host
     ims.logging.audit.system.use_os_logger = true
3. To restart Authentication Manager 7.1, follow these steps:
   a. Click Start > Administrator Tools > Computer Management > Services and Applications > Services.
   b. Select RSA Authentication Manager.
   c. Click Restart.
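The following check is an added example, not part of the original RSA guide. It reads the contents of ims.properties and reports any of the three audit categories from step 2 that would not be forwarded. The function names, the expected_host parameter and the sample address 192.0.2.10 are assumptions made for illustration.

```python
import re

CATEGORIES = ("admin", "runtime", "system")
PLACEHOLDER = "SA_LogDecoder_or_RemoteLogCollector_host"

def parse_properties(text):
    """Parse simple key = value lines; comments are skipped, later duplicates win."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_syslog_forwarding(text, expected_host=None):
    """Return a list of findings; an empty list means all three categories forward."""
    props = parse_properties(text)
    findings = []
    for cat in CATEGORIES:
        prefix = "ims.logging.audit.%s." % cat
        host = props.get(prefix + "syslog_host", "")
        use_os = props.get(prefix + "use_os_logger", "")
        if not host:
            findings.append("%s: syslog_host is not set" % cat)
        elif host == PLACEHOLDER:
            findings.append("%s: syslog_host still holds the guide's placeholder" % cat)
        elif expected_host and host != expected_host:
            findings.append("%s: syslog_host is %s, expected %s" % (cat, host, expected_host))
        if use_os.lower() != "true":
            findings.append("%s: use_os_logger is not true" % cat)
    return findings

# Constructed sample: runtime left at the placeholder, system logger disabled.
SAMPLE = """\
ims.logging.audit.admin.syslog_host = 192.0.2.10
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = SA_LogDecoder_or_RemoteLogCollector_host
ims.logging.audit.runtime.use_os_logger = true
ims.logging.audit.system.syslog_host = 192.0.2.10
ims.logging.audit.system.use_os_logger = false
"""

if __name__ == "__main__":
    for finding in check_syslog_forwarding(SAMPLE, expected_host="192.0.2.10"):
        print(finding)
```

Run it against the file on each Authentication Manager server instance before the restart in step 3, so that a category left unconfigured is caught before it becomes a gap in collected audit events.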
Configure RSA Authentication Manager 8.x to Send Syslog Formatted Messages
To configure RSA Authentication Manager 8.0 to send Syslog:
1. Log on to the RSA Authentication Manager Security Console, and navigate to Setup > System Settings.
2. In the Basic Settings section, select Logging.
3. Select the instance from which you want to collect logs, and click Next.
4. In the Log Levels section, complete the fields as follows:
   Field                       Action
   Administrative Audit Log    Select Success.
   Runtime Audit Log           Select Success.
   System Log                  Select Warning.
5. In the Log Data Destination section, complete the fields as follows:
   Field                            Action
   Administrative Audit Log Data    Select Save to remote database and internal Syslog at the following hostname or IP address, and enter the IP address for the Security Analytics Log Decoder or RSA Security Analytics Remote Log Collector.
   Runtime Audit Log Data           Select Save to remote database and internal Syslog at the following hostname or IP address, and enter the IP address for the Security Analytics Log Decoder or RSA Security Analytics Remote Log Collector.
   System Log Data                  Select Save to remote database and internal Syslog at the following hostname or IP address, and enter the IP address for the Security Analytics Log Decoder or RSA Security Analytics Remote Log Collector.
6. Click Save to save changes.
Configure Security Analytics for Syslog Collection
Note: You only need to configure Syslog collection the first time that you set up an event source that uses Syslog to send its output to Security Analytics.
You should configure either the Log Decoder or the Remote Log Collector for Syslog. You do not need to configure both.
To configure the Log Decoder for Syslog collection:
1. In the Security Analytics menu, select Administration > Services.
2. In the Services grid, select a Log Decoder, and from the Actions menu, choose View > System.
3. Depending on the icon you see, do one of the following:
   • If you see , click the icon to start capturing Syslog.
   • If you see , you do not need to do anything; this Log Decoder is already capturing Syslog.
4. Ensure that the parser for your event source is enabled.
   a. From the System pull-down menu, select Config.
   b. In the Service Parsers Configuration panel, search for your event source.
   c. Ensure that the Config Value field for your event source is selected.
To configure the Remote Log Collector for Syslog collection:
1. In the Security Analytics menu, select Administration > Services.
2. In the Services grid, select a Remote Log Collector, and from the Actions menu, choose View > Config > Event Sources.
3. Select Syslog/Config from the drop-down menu.
The Event Categories panel displays the Syslog event sources that are configured, if any.
4. In the Event Categories panel toolbar, click +. The Available Event Source Types dialog is displayed.
Advanced parameters as necessary.
Click OK to accept your changes and close the dialog box.
Once you configure one or both syslog types, the Remote Log Collector collects those types of messages from all available event sources. So, you can continue to add Syslog event sources to your system without needing to do any further configuration in Security Analytics.
Copyright © 2015 EMC Corporation. All Rights Reserved.