Source types for the Splunk Add-on for RSA SecurID

The Splunk Add-on for RSA SecurID provides the index-time and search-time knowledge for the runtime audit logs, admin audit logs, and system logs.

Source type	Description	Event Type	CIM data models
`rsa:securid:admin:syslog`	RSA SecurID admin audit log, which records administrative actions, such as adding and editing users. This category does not include system-level failures of administrative actions, which are captured in the system log.	`rsa_securid_syslog_admin_principal_events`	Change - Account
		`rsa_securid_syslog_admin_token_events`	Change - Audit
		`rsa_securid_syslog_admin_all_changes_events`	Change
		`rsa_securid_syslog_admin_email_events`	Email
		`rsa_securid_syslog_admin_alerts_events`	Alerts
		`rsa_securid_syslog_admin_authentication_events`	Authentication
		`rsa_securid_syslog_admin_privileged_authentication_events`	Authentication - Privileged
`rsa:securid:runtime:syslog`	RSA SecurID runtime audit log, which records any runtime activity, such as authentication and authorization of users.	`rsa_securid_syslog_authentication_event`	Authentication
		`rsa_securid_syslog_runtime_change_event`	Change - Audit
		`rsa_securid_syslog_runtime_principal_events`	Change - Account
		`rsa_securid_syslog_runtime_all_changes_events`	Change
`rsa:securid:system:syslog`	RSA SecurID system log, which records system-level messages such as "Server started" and "Connection manager lost DB connection." This category includes system-level failures of administrative actions.	`rsa_securid_syslog_system_all_changes_events`	Change
		`rsa_securid_syslog_system_principal_events`	Change - Account
		`rsa_securid_syslog_system_email_event`	Email
		`rsa_securid_syslog_system_alerts_event`	Alerts
		`rsa_securid_syslog_system_endpoint_filesystem_event`	Endpoint - Filesystem

Related answers from Splunk Community

Source types for the Splunk Add-on for RSA SecurID

Comments

Was this topic useful?