Collect RSA Authentication Manager logs
This document describes how you can collect RSA Authentication Manager logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the RSA_AUTH_MANAGER ingestion label.
Configure RSA Authentication Manager
- Sign in to the RSA Authentication Manager Security console using administrator credentials.
- In the Setup menu, click System settings.
- In the System settings window, in the Basic settings section, select Logging.
- In the Select instance section, select the Primary instance type configured in your environment, and then click Next to continue.
- In the Configure settings section, configure the logs in each of the following subsections:
  - Log levels
  - Log data destination
  - Log data masking
- In the Log levels section, set the following levels:
  - Trace log: Fatal
  - Administrative audit log: Success
  - Runtime audit log: Success
  - System log: Warning
- In the Log data destination section, for each of the following log types, select Save to internal database and remote syslog for the following hostname or IP address, and then enter the IP address or hostname of the host that runs the Google Security Operations forwarder (the forwarder, not Google Security Operations itself, receives the syslog stream):
  - Administrative audit log data
  - Runtime audit log data
  - System log data
  Syslog messages are sent over UDP, typically to a high-numbered port. The syslog collector you configure on the forwarder must listen on the same protocol and port.
- In the Log data masking section, in the Mask token serial number: number of digits of the token serial number to display field, enter the maximum value, which equals the number of digits in your tokens' serial numbers (for example, 12). The maximum value displays the whole serial number, so serial numbers are not masked in the logs sent to Google Security Operations; enter a smaller value if they must be masked.
  For more information, see Log data masking.
- Click Save.
Configure Google Security Operations forwarder and syslog to ingest RSA Authentication Manager logs
- Select SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder name field, enter a unique name for the forwarder.
- Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a unique name for the collector.
- Select RSA Authentication Manager (ingestion label RSA_AUTH_MANAGER) as the Log type.
- Select Syslog as the Collector type.
- Configure the following mandatory input parameters:
- Protocol: specify the connection protocol the collector will use to listen for syslog data.
- Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
- Click Submit.
For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser extracts fields from RSA Authentication Manager CSV logs, handling variations in the log format. It uses grok to initially parse the log lines, then leverages CSV filtering to extract individual fields, mapping them to standardized names like username, clientip, and operation_status for UDM compatibility.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| clientip | principal.asset.ip | The value of column8 from the raw log. |
| clientip | principal.ip | The value of column8 from the raw log. |
| column1 | metadata.event_timestamp.seconds | Parsed from the time field (column1) in the raw log, using formats "yyyy-MM-dd HH:mm:ss" and "yyyy-MM-dd HH: mm:ss". |
| column12 | security_result.action | Mapped based on the operation_status field (column12). Values "SUCCESS" and "ACCEPT" map to ALLOW; "FAIL", "REJECT", "DROP", "DENY", "NOT_ALLOWED" map to BLOCK; other values map to UNKNOWN_ACTION. |
| column18 | principal.user.userid | The value of column18 from the raw log. |
| column19 | principal.user.first_name | The value of column19 from the raw log. |
| column20 | principal.user.last_name | The value of column20 from the raw log. |
| column25 | principal.hostname | The value of column25 from the raw log. |
| column26 | principal.asset.hostname | The value of column26 from the raw log. |
| column27 | metadata.product_name | The value of column27 from the raw log. |
| column3 | target.administrative_domain | The value of column3 from the raw log. |
| column32 | principal.user.group_identifiers | The value of column32 from the raw log. |
| column5 | security_result.severity | Mapped based on the severity field (column5). Values "INFO", "INFORMATIONAL" map to INFORMATIONAL; "WARN", "WARNING" map to WARNING; "ERROR", "CRITICAL", "FATAL", "SEVERE", "EMERGENCY", "ALERT" map to ERROR; "NOTICE", "DEBUG", "TRACE" map to DEBUG; other values map to UNKNOWN_SEVERITY. |
| column8 | target.asset.ip | The value of column8 from the raw log. |
| column8 | target.ip | The value of column8 from the raw log. |
| event_name | security_result.rule_name | The value of column10 from the raw log. |
| host_name | intermediary.hostname | Extracted from the <DATA> portion of the raw log using grok patterns. |
| process_data | principal.process.command_line | Extracted from the <DATA> portion of the raw log using grok patterns. |
| summary | security_result.summary | The value of column13 from the raw log. |
| time_stamp | metadata.event_timestamp.seconds | Extracted from the <DATA> portion of the raw log using grok patterns. If not found, the timestamp is extracted from the timestamp field in the raw log. |
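The mapping table above, re-implemented as an added Python example so you can check how a given line would be normalized before it reaches the SIEM. This is not the Google Security Operations parser itself. The column numbers, the action and severity value sets and the two timestamp formats are taken from the table; the syslog header shape, the process tag names and the sample lines are constructed assumptions, since the page does not show the real Grok pattern or a captured log.

```python
"""Added example: column-to-UDM mapping for RSA Authentication Manager CSV syslog.
Not the Google SecOps parser; header pattern and sample lines are constructed."""
import csv
import io
import re
from datetime import datetime, timezone

# Assumed header in front of the CSV body (the real Grok pattern is not on the page):
#   "<PRI>Mon DD HH:MM:SS host tag: <csv body>"   -> time_stamp, host_name, process_data
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<time_stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host_name>\S+) (?:(?P<process_data>[^:\s]+):\s*)?(?P<body>.*)$"
)

# Value sets and formats exactly as listed in the mapping table.
ALLOW_STATUSES = {"SUCCESS", "ACCEPT"}
BLOCK_STATUSES = {"FAIL", "REJECT", "DROP", "DENY", "NOT_ALLOWED"}
SEVERITY_MAP = {}
for udm, raw_values in (
    ("INFORMATIONAL", ("INFO", "INFORMATIONAL")),
    ("WARNING", ("WARN", "WARNING")),
    ("ERROR", ("ERROR", "CRITICAL", "FATAL", "SEVERE", "EMERGENCY", "ALERT")),
    ("DEBUG", ("NOTICE", "DEBUG", "TRACE")),
):
    for raw in raw_values:
        SEVERITY_MAP[raw] = udm
TIME_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H: %M:%S")

# (1-based column number, UDM field) pairs from the table; column8 feeds four fields.
COLUMN_TO_UDM = [
    (3, "target.administrative_domain"),
    (8, "principal.ip"), (8, "principal.asset.ip"), (8, "target.ip"), (8, "target.asset.ip"),
    (10, "security_result.rule_name"), (13, "security_result.summary"),
    (18, "principal.user.userid"), (19, "principal.user.first_name"),
    (20, "principal.user.last_name"), (25, "principal.hostname"),
    (26, "principal.asset.hostname"), (27, "metadata.product_name"),
    (32, "principal.user.group_identifiers"),
]


def map_action(status):
    s = status.upper()  # case-insensitive comparison is an assumption of this example
    if s in ALLOW_STATUSES:
        return "ALLOW"
    if s in BLOCK_STATUSES:
        return "BLOCK"
    return "UNKNOWN_ACTION"


def map_severity(severity):
    return SEVERITY_MAP.get(severity.upper(), "UNKNOWN_SEVERITY")


def parse_time(value):
    """Epoch seconds (UTC assumed) for either documented format, else None."""
    for fmt in TIME_FORMATS:
        try:
            return int(datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp())
        except ValueError:
            continue
    return None


def parse_line(line):
    """Grok-style header match, then CSV split, then the table's field mapping."""
    m = HEADER_RE.match(line)
    if m is None:
        return None  # header did not match: nothing can be mapped
    cols = next(csv.reader([m.group("body")]))  # quoted commas survive the split

    def col(n):  # tolerate short rows: missing columns read as empty
        return cols[n - 1].strip() if len(cols) >= n else ""

    udm = {"intermediary.hostname": m.group("host_name")}
    if m.group("process_data"):
        udm["principal.process.command_line"] = m.group("process_data")
    for n, field in COLUMN_TO_UDM:
        if col(n):
            udm[field] = col(n)
    udm["security_result.action"] = map_action(col(12))
    udm["security_result.severity"] = map_severity(col(5))
    seconds = parse_time(col(1))
    if seconds is not None:
        udm["metadata.event_timestamp.seconds"] = seconds
    else:  # the header time has no year, so keep it raw rather than guess one
        udm["raw.time_stamp"] = m.group("time_stamp")
    return udm


def build_body(values, width=32):
    """Constructed CSV body: {column number: value}, blank elsewhere."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow([values.get(i, "") for i in range(1, width + 1)])
    return buf.getvalue().rstrip("\n")


SAMPLE_LINES = [  # constructed for this example, not captured from an appliance
    "<14>Mar 13 10:00:01 am-primary runtime: " + build_body({
        1: "2024-03-13 10:00:01", 3: "corp.example", 5: "INFO", 8: "10.0.0.25",
        10: "AUTHN_METHOD_SUCCESS", 12: "SUCCESS", 13: "User authenticated with token",
        18: "jdoe", 19: "Jane", 20: "Doe", 25: "am-primary.corp.example",
        26: "laptop-jdoe", 27: "RSA Authentication Manager", 32: "Finance Users"}),
    "<12>Mar 13 10:00:07 am-primary runtime: " + build_body({
        1: "2024-03-13 10: 00:07", 3: "corp.example", 5: "WARN", 8: "10.0.0.25",
        10: "AUTHN_METHOD_FAILED", 12: "FAIL", 13: "Authentication failed, bad passcode",
        18: "jdoe", 27: "RSA Authentication Manager"}),
    "<14>Mar 13 10:00:09 am-primary admin: " + build_body({  # short row, odd values
        1: "not-a-timestamp", 5: "BOGUS", 10: "ACCESS_DIRECTORY", 12: "PENDING"}, width=14),
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
```

Running the script prints one UDM-style dictionary per sample line. The second line exercises the "HH: mm:ss" timestamp variant and a quoted comma in the summary; the third shows what a short row with unrecognized status and severity values produces (UNKNOWN_ACTION and UNKNOWN_SEVERITY, no user fields), which is the output shape you would want a detection rule to tolerate.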
Changes
2024-03-13
- Modified the Grok pattern to parse the data in the header of the log.
2022-08-09
- Enhancement: removed the drop condition; these logs are now handled and parsed with the appropriate Grok pattern.
2022-06-13
- Enhancement: removed the drop condition for logs with event_name = ACCESS_DIRECTORY.