Collect RSA Authentication Manager logs

This document describes how you can collect RSA Authentication Manager logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the RSA_AUTH_MANAGER ingestion label.

Configure RSA Authentication Manager

  1. Sign in to the RSA Authentication Manager Security console using administrator credentials.
  2. In the Setup menu, click System settings.
  3. In the System settings window, in the Basic settings section, select Logging.
  4. In the Select instance section, select the Primary instance type configured in your environment, and then click Next to continue.
  5. In the Configure settings section, configure the logs for the following sections that are displayed:
    • Log levels
    • Log data destination
    • Log data masking
  6. In the Log levels section, configure the following logs:
    • Set Trace log to Fatal.
    • Set Administrative audit log to Success.
    • Set Runtime audit log to Success.
    • Set System log to Warning.
  7. In the Log data destination section, for the following log level data, select Save to internal database and remote syslog for the following hostname or IP address, and then enter the IP address of Google Security Operations:

    • Administrative audit log data
    • Runtime audit log data
    • System log data

    Syslog messages are transmitted over UDP to a high-numbered port.

  8. In the Log data masking section, in the Mask token serial number: number of digits of the token serial number to display field, enter the maximum value, which is equal to the number of digits that appear in available tokens, such as 12.

    For more information, see Log data masking.

  9. Click Save.

Configure Google Security Operations forwarder and syslog to ingest RSA Authentication Manager logs

  1. Select SIEM Settings > Forwarders.
  2. Click Add new forwarder.
  3. In the Forwarder name field, enter a unique name for the forwarder.
  4. Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, type a unique name for the collector.
  6. Select RSA as the Log type.
  7. Select Syslog as the Collector type.
  8. Configure the following mandatory input parameters:
    • Protocol: specify the connection protocol the collector will use to listen for syslog data.
    • Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
    • Port: specify the target port where the collector resides and listens for syslog data.
  9. Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser extracts fields from RSA Authentication Manager CSV logs, handling variations in the log format. It uses grok to initially parse the log lines, then leverages CSV filtering to extract individual fields, mapping them to standardized names like username, clientip, and operation_status for UDM compatibility.

UDM mapping table

| Log field | UDM mapping | Logic |
|---|---|---|
| clientip | principal.asset.ip | The value of column8 from the raw log. |
| clientip | principal.ip | The value of column8 from the raw log. |
| column1 | metadata.event_timestamp.seconds | Parsed from the time field (column1) in the raw log, using the formats "yyyy-MM-dd HH:mm:ss" and "yyyy-MM-dd HH: mm:ss". |
| column12 | security_result.action | Mapped based on the operation_status field (column12). The values "SUCCESS" and "ACCEPT" map to ALLOW; "FAIL", "REJECT", "DROP", "DENY" and "NOT_ALLOWED" map to BLOCK; all other values map to UNKNOWN_ACTION. |
| column18 | principal.user.userid | The value of column18 from the raw log. |
| column19 | principal.user.first_name | The value of column19 from the raw log. |
| column20 | principal.user.last_name | The value of column20 from the raw log. |
| column25 | principal.hostname | The value of column25 from the raw log. |
| column26 | principal.asset.hostname | The value of column26 from the raw log. |
| column27 | metadata.product_name | The value of column27 from the raw log. |
| column3 | target.administrative_domain | The value of column3 from the raw log. |
| column32 | principal.user.group_identifiers | The value of column32 from the raw log. |
| column5 | security_result.severity | Mapped based on the severity field (column5). The values "INFO" and "INFORMATIONAL" map to INFORMATIONAL; "WARN" and "WARNING" map to WARNING; "ERROR", "CRITICAL", "FATAL", "SEVERE", "EMERGENCY" and "ALERT" map to ERROR; "NOTICE", "DEBUG" and "TRACE" map to DEBUG; all other values map to UNKNOWN_SEVERITY. |
| column8 | target.asset.ip | The value of column8 from the raw log. |
| column8 | target.ip | The value of column8 from the raw log. |
| event_name | security_result.rule_name | The value of column10 from the raw log. |
| host_name | intermediary.hostname | Extracted from the <DATA> portion of the raw log using grok patterns. |
| process_data | principal.process.command_line | Extracted from the <DATA> portion of the raw log using grok patterns. |
| summary | security_result.summary | The value of column13 from the raw log. |
| time_stamp | metadata.event_timestamp.seconds | Extracted from the <DATA> portion of the raw log using grok patterns. If not found, the timestamp is extracted from the timestamp field in the raw log. |
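The following Python script is an added example, not the Google Security Operations parser itself, that reproduces the mapping logic described above and in the table: a regex stands in for the grok pattern that splits a syslog header from the CSV payload (<DATA>), the payload is then parsed with CSV filtering rather than a plain split, and column1, column5 and column12 are normalized exactly as the table specifies. The header layout (timestamp, host, process, colon, payload), the process name, and the sample log line are constructed assumptions for this example; the page does not publish the real grok pattern, and the header time stamp here carries no year, so the column1 time is used for the event timestamp.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Assumed syslog-style header in front of the CSV payload (<DATA>). The page does
# not publish the parser's actual grok pattern, so this regex is illustrative only.
HEADER_RE = re.compile(
    r"^(?P<time_stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host_name>\S+) "
    r"(?P<process_data>[^:]+): "
    r"(?P<data>.*)$"
)

# strptime equivalents of the two column1 formats listed in the mapping table
# ("yyyy-MM-dd HH:mm:ss" and "yyyy-MM-dd HH: mm:ss").
TIME_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H: %M:%S")


def normalize_action(value):
    """column12 (operation_status) -> security_result.action, per the mapping table."""
    v = value.strip().upper()
    if v in ("SUCCESS", "ACCEPT"):
        return "ALLOW"
    if v in ("FAIL", "REJECT", "DROP", "DENY", "NOT_ALLOWED"):
        return "BLOCK"
    return "UNKNOWN_ACTION"


def normalize_severity(value):
    """column5 (severity) -> security_result.severity, per the mapping table."""
    v = value.strip().upper()
    if v in ("INFO", "INFORMATIONAL"):
        return "INFORMATIONAL"
    if v in ("WARN", "WARNING"):
        return "WARNING"
    if v in ("ERROR", "CRITICAL", "FATAL", "SEVERE", "EMERGENCY", "ALERT"):
        return "ERROR"
    if v in ("NOTICE", "DEBUG", "TRACE"):
        return "DEBUG"
    return "UNKNOWN_SEVERITY"


def parse_event_time(value):
    """column1 -> epoch seconds (UTC assumed), or None if neither format matches."""
    for fmt in TIME_FORMATS:
        try:
            parsed = datetime.strptime(value.strip(), fmt)
            return int(parsed.replace(tzinfo=timezone.utc).timestamp())
        except ValueError:
            continue
    return None


# (column number, UDM field) pairs taken directly from the mapping table.
DIRECT_COLUMNS = [
    (8, "principal.ip"), (8, "principal.asset.ip"),
    (8, "target.ip"), (8, "target.asset.ip"),
    (3, "target.administrative_domain"),
    (10, "security_result.rule_name"),
    (13, "security_result.summary"),
    (18, "principal.user.userid"),
    (19, "principal.user.first_name"),
    (20, "principal.user.last_name"),
    (25, "principal.hostname"),
    (26, "principal.asset.hostname"),
    (27, "metadata.product_name"),
    (32, "principal.user.group_identifiers"),
]


def parse_rsa_am_line(line):
    """Turn one raw RSA Authentication Manager syslog line into a flat UDM-style dict."""
    udm = {}
    m = HEADER_RE.match(line)
    if m:
        udm["intermediary.hostname"] = m.group("host_name")
        udm["principal.process.command_line"] = m.group("process_data")
        data = m.group("data")
    else:
        data = line  # no recognisable header: treat the whole line as <DATA>

    # CSV filtering (not str.split) so a quoted field containing commas survives intact.
    row = next(csv.reader(io.StringIO(data)))

    def column(n):
        return row[n - 1].strip() if n <= len(row) else ""

    for n, field in DIRECT_COLUMNS:
        if column(n):
            udm[field] = column(n)

    udm["metadata.event_timestamp.seconds"] = parse_event_time(column(1))
    udm["security_result.action"] = normalize_action(column(12))
    udm["security_result.severity"] = normalize_severity(column(5))
    return udm


# Constructed sample line (not a real RSA AM export). Column positions follow the
# mapping table, unused columns are left empty, and column13 is quoted because it
# contains a comma.
SAMPLE_LINE = (
    "Mar 13 10:22:05 am-primary rsa_am[2041]: "
    "2024-03-13 10:22:05,,SystemDomain,,INFO,,,192.0.2.10,,LOGIN_EVENT,,SUCCESS,"
    '"User authenticated, token accepted",,,,,jdoe,Jane,Doe,,,,,am-primary.example.com,'
    "am-primary,RSA Authentication Manager,,,,,Admins"
)

if __name__ == "__main__":
    for key, value in sorted(parse_rsa_am_line(SAMPLE_LINE).items()):
        print(f"{key} = {value}")
```

Running the script prints the flattened UDM fields for the constructed line; the quoted summary shows why the parser uses CSV filtering after grok instead of splitting on commas, and feeding a status such as "pending" or a severity such as "VERBOSE" through the normalizers shows the UNKNOWN_ACTION and UNKNOWN_SEVERITY fallbacks the table describes.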

Changes

2024-03-13

  • Modified the Grok pattern to parse the data in the header of the log.

2022-08-09

  • Enhancement: removed the drop condition; the affected logs are now handled and parsed with the appropriate Grok pattern.

2022-06-13

  • Enhancement: removed the drop condition for logs with event_name = ACCESS_DIRECTORY.