An ingestion label identifies the parser which normalizes raw log data to structured
UDM format. The information in this document applies to the parser with the RSA_AUTH_MANAGER
ingestion label.
Configure RSA Authentication Manager
Sign in to the RSA Authentication Manager Security console using administrator credentials.
In the Setup menu, click System settings.
In the System settings window, in the Basic settings section, select Logging.
In the Select instance section, select the Primary instance type configured
in your environment, and then click Next to continue.
In the Configure settings section, configure the logs for the following sections that are displayed:
Log levels
Log data destination
Log data masking
In the Log levels section, configure the following logs:
Set Trace log to Fatal.
Set Administrative audit log to Success.
Set Runtime audit log to Success.
Set System log to Warning.
In the Log data destination section, for the following log level data, select
Save to internal database and remote syslog for the following hostname or IP address,
and then enter the IP address of Google Security Operations:
Administrative audit log data
Runtime audit log data
System log data
Syslog messages are transmitted over higher port number for UDP.
In the Log data masking section, in the Mask token serial number: number of digits of the token serial number to display field, enter the maximum value, which is equal to the number of digits that
appear in available tokens, such as 12.
This parser extracts fields from RSA Authentication Manager CSV logs, handling variations in the log format. It uses grok to initially parse the log lines, then leverages CSV filtering to extract individual fields, mapping them to standardized names like username, clientip, and operation_status for UDM compatibility.
UDM mapping table
Log Field
UDM Mapping
Logic
clientip
principal.asset.ip
The value of column8 from the raw log.
clientip
principal.ip
The value of column8 from the raw log.
column1
metadata.event_timestamp.seconds
Parsed from the time field (column1) in the raw log, using formats "yyyy-MM-dd HH:mm:ss" and "yyyy-MM-dd HH: mm:ss".
column12
security_result.action
Mapped based on the operation_status field (column12). Values "SUCCESS" and "ACCEPT" map to ALLOW, "FAIL", "REJECT", "DROP", "DENY", "NOT_ALLOWED" map to BLOCK, and other values map to UNKNOWN_ACTION.
column18
principal.user.userid
The value of column18 from the raw log.
column19
principal.user.first_name
The value of column19 from the raw log.
column20
principal.user.last_name
The value of column20 from the raw log.
column25
principal.hostname
The value of column25 from the raw log.
column26
principal.asset.hostname
The value of column26 from the raw log.
column27
metadata.product_name
The value of column27 from the raw log.
column3
target.administrative_domain
The value of column3 from the raw log.
column32
principal.user.group_identifiers
The value of column32 from the raw log.
column5
security_result.severity
Mapped based on the severity field (column5). Values "INFO", "INFORMATIONAL" map to INFORMATIONAL, "WARN", "WARNING" map to WARNING, "ERROR", "CRITICAL", "FATAL", "SEVERE", "EMERGENCY", "ALERT" map to ERROR, "NOTICE", "DEBUG", "TRACE" map to DEBUG, and other values map to UNKNOWN_SEVERITY.
column8
target.asset.ip
The value of column8 from the raw log.
column8
target.ip
The value of column8 from the raw log.
event_name
security_result.rule_name
The value of column10 from the raw log.
host_name
intermediary.hostname
Extracted from the <DATA> portion of the raw log using grok patterns.
process_data
principal.process.command_line
Extracted from the <DATA> portion of the raw log using grok patterns.
summary
security_result.summary
The value of column13 from the raw log.
time_stamp
metadata.event_timestamp.seconds
Extracted from the <DATA> portion of the raw log using grok patterns. If not found, the timestamp is extracted from the timestamp field in the raw log.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis document details the process of collecting RSA Authentication Manager logs using a Google Security Operations forwarder, supporting ingestion through the \u003ccode\u003eRSA_AUTH_MANAGER\u003c/code\u003e parser label.\u003c/p\u003e\n"],["\u003cp\u003eConfiguration steps for RSA Authentication Manager include adjusting log levels, setting data destinations to a remote syslog, and masking sensitive token serial numbers.\u003c/p\u003e\n"],["\u003cp\u003eSetting up a Google Security Operations forwarder involves creating a new forwarder, adding a collector configured for RSA logs via syslog, and specifying necessary connection parameters like protocol, address, and port.\u003c/p\u003e\n"],["\u003cp\u003eThe parser extracts fields from RSA Authentication Manager logs using grok patterns and CSV filtering, mapping them to UDM format fields like \u003ccode\u003eusername\u003c/code\u003e, \u003ccode\u003eclientip\u003c/code\u003e, and \u003ccode\u003eoperation_status\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe UDM mapping table outlines how specific log fields from RSA Authentication Manager are transformed into UDM fields within Google Security Operations, including data like timestamps, severity, and user details.\u003c/p\u003e\n"]]],[],null,["# Collect RSA Authentication Manager logs\n=======================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document describes how you can collect RSA Authentication Manager logs by using a Google Security Operations forwarder.\n\nFor more information, see [Data ingestion to Google Security Operations](/chronicle/docs/data-ingestion-flow).\n\nAn ingestion label identifies the parser which normalizes raw log data to structured\nUDM format. The information in this document applies to the parser with the `RSA_AUTH_MANAGER`\ningestion label.\n\nConfigure RSA Authentication Manager\n------------------------------------\n\n1. Sign in to the **RSA Authentication Manager Security** console using administrator credentials.\n2. In the **Setup** menu, click **System settings**.\n3. In the **System settings** window, in the **Basic settings** section, select **Logging**.\n4. In the **Select instance** section, select the **Primary** instance type configured in your environment, and then click **Next** to continue.\n5. In the **Configure settings** section, configure the logs for the following sections that are displayed:\n - **Log levels**\n - **Log data destination**\n - **Log data masking**\n6. In the **Log levels** section, configure the following logs:\n - Set **Trace log** to **Fatal**.\n - Set **Administrative audit log** to **Success**.\n - Set **Runtime audit log** to **Success**.\n - Set **System log** to **Warning**.\n7. In the **Log data destination** section, for the following log level data, select\n **Save to internal database and remote syslog for the following hostname or IP address**,\n and then enter the IP address of Google Security Operations:\n\n - **Administrative audit log data**\n - **Runtime audit log data**\n - **System log data**\n\n Syslog messages are transmitted over higher port number for UDP.\n8. In the **Log data masking** section, in the **Mask token serial number: number of digits of the token serial number to display** field, enter the maximum value, which is equal to the number of digits that\n appear in available tokens, such as 12.\n\n For more information, see [Log data masking](https://community.rsa.com/s/article/Mask-Token-Serial-Numbers-in-Logs-4b7e844c).\n9. Click **Save**.\n\nConfigure Google Security Operations forwarder and syslog to ingest RSA Authentication Manager logs\n---------------------------------------------------------------------------------------------------\n\n1. Select **SIEM Settings** \\\u003e **Forwarders**.\n2. Click **Add new forwarder**.\n3. In the **Forwarder name** field, enter a unique name for the forwarder.\n4. Click **Submit** and then click **Confirm** . The forwarder is added and the **Add collector configuration** window appears.\n5. In the **Collector name** field, type a unique name for the collector.\n6. Select **RSA** as the **Log type**.\n7. Select **Syslog** as the **Collector type**.\n8. Configure the following mandatory input parameters:\n - **Protocol**: specify the connection protocol the collector will use to listen for syslog data.\n - **Address**: specify the target IP address or hostname where the collector resides and listens for syslog data.\n - **Port**: specify the target port where the collector resides and listens for syslog data.\n9. Click **Submit**.\n\nFor more information about Google Security Operations forwarders, see [Google Security Operations forwarders documentation](/chronicle/docs/install/forwarder-management-configurations). For information about requirements for each forwarder type, see [Forwarder configuration by type](/chronicle/docs/install/forwarder-management-api). If you encounter issues when you create forwarders, contact [Google Security Operations support](/chronicle/docs/support).\n\nField mapping reference\n-----------------------\n\nThis parser extracts fields from RSA Authentication Manager CSV logs, handling variations in the log format. It uses grok to initially parse the log lines, then leverages CSV filtering to extract individual fields, mapping them to standardized names like `username`, `clientip`, and `operation_status` for UDM compatibility.\n\nUDM mapping table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]