RSA Security Analytics
Event Source Log Configuration Guide

RSA Authentication Manager and User Credential Manager

Last Modified: Friday, March 13, 2015

Event Source Product Information:
  Vendor: RSA, The Security Division of EMC
  Event Source: Authentication Manager, User Credential Manager
  Versions: 5.2, 6.0, 6.1, 7.1 SP2, 7.1 SP4 Patch 3, Patch 6, 8.0, 8.1

RSA Product Information:
  Supported On: Security Analytics 10.0 and later
  Event Source Log Parser: rsaacesrv
  Collection Method: Syslog
  Event Source Class.Subclass: Security.Access Control

To configure RSA Authentication Manager to work with RSA Security Analytics, perform the following tasks:

I. Depending on your version of RSA Authentication Manager, perform one of the following tasks:
   - Configure RSA Auth Manager 7.1 to Send Syslog, or
   - Configure RSA Auth Manager 8.x to Send Syslog
II. Configure Security Analytics for Syslog Collection

Configure RSA Authentication Manager 7.1 to Send Syslog Formatted Messages

You can send Syslog formatted messages to the SA platform from RSA Authentication Manager 7.1 SP2 and later.

To configure RSA Authentication Manager to send Syslog:

1. Install RSA Authentication Manager 7.1 SP2 or newer.

   Note: The patch contains a fix that is needed to send syslog format messages to the Security Analytics platform.

2. On each Authentication Manager server instance, edit the following lines in the RSA_home\utils\resources\ims.properties file so that they appear as follows:

   To send Admin audit events to the Security Analytics platform:

       ims.logging.audit.admin.syslog_host = SA_LogDecoder_or_RemoteLogCollector_host
       ims.logging.audit.admin.use_os_logger = true

   To send Runtime audit events to the Security Analytics platform:

       ims.logging.audit.runtime.syslog_host = SA_LogDecoder_or_RemoteLogCollector_host
       ims.logging.audit.runtime.use_os_logger = true

   To send System audit events to the Security Analytics platform:

       ims.logging.audit.system.syslog_host = SA_LogDecoder_or_RemoteLogCollector_host
       ims.logging.audit.system.use_os_logger = true

3. To restart Authentication Manager 7.1, follow these steps:
   a. Click Start > Administrator Tools > Computer Management > Services and Applications > Services.
   b. Select RSA Authentication Manager.
   c. Click Restart.

4. Enable the sending of logs to the OS system log as follows:
   a. In the Authentication Manager Security Console, click Setup > Instances.
   b. Right-click the server instance, and select Logging.
   c. In the Log Data Destination section, select Send system messages to OS system log.
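
The following check is an added example, not part of the RSA guide: it audits the text of an ims.properties file for the six settings listed in step 2, so that an audit stream that is not forwarded, or is forwarded to a host other than the intended collector, is caught before the restart. The function names, the sample file content and the 192.0.2.x addresses are constructed for illustration, and the check assumes the literal value true shown in the guide.

```python
import re

CATEGORIES = ("admin", "runtime", "system")  # the three audit streams in step 2

# Constructed sample (not a real file); 192.0.2.x are documentation addresses.
SAMPLE = """\
# ims.properties excerpt
ims.logging.audit.admin.syslog_host = 192.0.2.10
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = 192.0.2.99
ims.logging.audit.runtime.use_os_logger = true
ims.logging.audit.system.use_os_logger = false
"""

def parse_properties(text):
    """Parse Java-style properties: 'key = value' or 'key: value'; last one wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_syslog_settings(text, expected_host):
    """Return findings for the six settings; an empty list means all match."""
    props = parse_properties(text)
    findings = []
    for cat in CATEGORIES:
        host_key = f"ims.logging.audit.{cat}.syslog_host"
        flag_key = f"ims.logging.audit.{cat}.use_os_logger"
        host = props.get(host_key)
        if host is None:
            findings.append(f"{host_key}: not set")
        elif host != expected_host:
            findings.append(f"{host_key}: {host!r}, expected {expected_host!r}")
        if props.get(flag_key) != "true":
            findings.append(f"{flag_key}: {props.get(flag_key)!r}, expected 'true'")
    return findings

if __name__ == "__main__":
    for finding in audit_syslog_settings(SAMPLE, "192.0.2.10"):
        print(finding)
```

Run it against the file contents on each Authentication Manager server instance, passing the address of your Log Decoder or Remote Log Collector as the expected host.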

Configure RSA Authentication Manager 8.x to Send Syslog Formatted Messages

To configure RSA Authentication Manager 8.0 to send Syslog:

1. Log on to the RSA Authentication Manager Security Console, and navigate to Setup > System Settings.

2. In the Basic Settings section, select Logging.

3. Select the instance from which you want to collect logs, and click Next.

4. In the Log Levels section, complete the fields as follows:

   Field                      Action
   Administrative Audit Log   Select Success.
   Runtime Audit Log          Select Success.
   System Log                 Select Warning.

5. In the Log Data Destination section, complete the fields as follows:

   Field: Administrative Audit Log Data
   Action: Select Save to remote database and internal Syslog at the following hostname or IP address, and enter the IP address for the Security Analytics Log Decoder or RSA Security Analytics Remote Log Collector.

   Field: Runtime Audit Log Data
   Action: Select Save to remote database and internal Syslog at the following hostname or IP address, and enter the IP address for the Security Analytics Log Decoder or RSA Security Analytics Remote Log Collector.

   Field: System Log Data
   Action: Select Save to remote database and internal Syslog at the following hostname or IP address, and enter the IP address for the Security Analytics Log Decoder or RSA Security Analytics Remote Log Collector.

6. Click Save to save changes.

Configure Security Analytics for Syslog Collection

Note: You only need to configure Syslog collection the first time that you set up an event source that uses Syslog to send its output to Security Analytics.

You should configure either the Log Decoder or the Remote Log Collector for Syslog. You do not need to configure both.

To configure the Log Decoder for Syslog collection:

1. In the Security Analytics menu, select Administration > Services.

2. In the Services grid, select a Log Decoder, and from the Actions menu, choose View > System.

3. Depending on the icon you see, do one of the following:
   - If you see, click the icon to start capturing Syslog.
   - If you see, you do not need to do anything; this Log Decoder is already capturing Syslog.

4. Ensure that the parser for your event source is enabled.
   a. From the System pull-down menu, select Config.
   b. In the Service Parsers Configuration panel, search for your event source.
   c. Ensure that the Config Value field for your event source is selected.

To configure the Remote Log Collector for Syslog collection:

1. In the Security Analytics menu, select Administration > Services.

2. In the Services grid, select a Remote Log Collector, and from the Actions menu, choose View > Config > Event Sources.

3. Select Syslog/Config from the drop-down menu. The Event Categories panel displays the Syslog event sources that are configured, if any.

4. In the Event Categories panel toolbar, click +. The Available Event Source Types dialog is displayed.

5. Select either syslog-tcp or syslog-udp. You can set up either or both, depending on the needs of your organization.

6. Select the new type in the Event Categories panel and click + in the Sources panel toolbar. The Add Source dialog is displayed.

7. Enter 514 for the port, and select Enabled. Optionally, configure any of the Advanced parameters as necessary. Click OK to accept your changes and close the dialog box.

Once you configure one or both syslog types, the Remote Log Collector collects those types of messages from all available event sources. So, you can continue to add Syslog event sources to your system without needing to do any further configuration in Security Analytics.

Copyright 2015 EMC Corporation. All Rights Reserved.

Trademarks

RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to Published in the USA.