Configure inputs for the Splunk Add-on for RSA SecurID CAS
You can configure RSA SecurID inputs using Splunk Web or configuration files.
Configure RSA SecurID inputs using Splunk Web
- In the Splunk Add-on for RSA SecurID CAS, open the Inputs tab, then click Create New Input.
- In the RSA SecurID Account field, provide the account used to get the data in. This account should exist in the $SPLUNK_HOME/etc/apps/Splunk_TA_rsa_securid_cas/local/splunk_ta_rsa_securid_cas_account.conf file.
- In the Interval field, specify the number of seconds to wait before the Splunk platform runs the command again. The default value for the user activity and admin activity logs is one hour, and for high risk users it is 24 hours.
- Specify the index in which to store events.
- In the Query Start Date field, enter the date that the add-on should begin collecting data. The format is YYYY-MM-DDThh:mm:ss.000z.
- In the Cloud Administration API field, provide the endpoint to fetch data for: adminlog, riskuser, or usereventlog. The default endpoint is adminlog.
Configure RSA SecurID inputs in inputs.conf
To configure inputs manually in inputs.conf, create stanzas using the following parameters and add them to $SPLUNK_HOME/etc/apps/Splunk_TA_rsa_securid_cas/local/inputs.conf. Create the file or path if it does not exist.
- Edit inputs.conf.

    [cloud_administration_api://<name>]
    account_name = <string>
    interval = <integer>
    index = <string>
    endpoint = <string>
    startTimeAfter = <YYYY-MM-DDThh:mm:ss.000z>

- Restart the Splunk platform.
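
A check to run before the restart, as an added example that is not part of the Splunk documentation or the add-on's own code: it lints `cloud_administration_api://` stanzas and reports which of the three endpoints no input collects. The sample files, the treatment of stanza names in the account conf file as account names, the fallback to `adminlog` when `endpoint` is absent, and the acceptance of an upper-case `Z` are assumptions.

```python
import configparser
import re

# Keys, endpoint names and the date format come from the page; the checks are illustrative.
ENDPOINTS = ("adminlog", "riskuser", "usereventlog")
PREFIX = "cloud_administration_api://"
# YYYY-MM-DDThh:mm:ss.000z (accepting an upper-case Z as well is an assumption)
START_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.000[zZ]")
SAMPLE_ACCOUNTS = "[rsa_prod]\n"  # constructed sample files; all values are made up
SAMPLE_INPUTS = """\
[cloud_administration_api://rsa_admin]
account_name = rsa_prod
interval = 3600
index = rsa
endpoint = adminlog
startTimeAfter = 2024-01-01T00:00:00.000z
[cloud_administration_api://rsa_risk]
account_name = rsa_prd
interval = daily
index = rsa
endpoint = riskusers
startTimeAfter = 2024-01-01 00:00:00
"""

def _parse(text):
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keep key case, e.g. startTimeAfter
    parser.read_string(text)
    return parser

def lint_inputs(inputs_text, accounts_text):
    """Return (problems, uncovered): per-input findings and endpoints no input collects."""
    # Assumption: each stanza name in the account conf file is an account name.
    accounts = set(_parse(accounts_text).sections())
    inputs, problems, covered = _parse(inputs_text), [], set()
    for section in (s for s in inputs.sections() if s.startswith(PREFIX)):
        stanza, name = inputs[section], section[len(PREFIX):]
        interval, start = stanza.get("interval"), stanza.get("startTimeAfter")
        endpoint = stanza.get("endpoint", "adminlog")  # assumed fallback when key is absent
        checks = [
            (stanza.get("account_name") in accounts, "unknown account_name"),
            (interval is None or (interval.isdecimal() and int(interval) > 0),
             "interval is not a positive number of seconds"),
            (endpoint in ENDPOINTS, f"unknown endpoint {endpoint!r}"),
            (start is None or bool(START_RE.fullmatch(start)), "startTimeAfter format is invalid"),
        ]
        problems += [(name, message) for ok, message in checks if not ok]
        covered.add(endpoint)
    return problems, [e for e in ENDPOINTS if e not in covered]
```

An endpoint reported as uncovered has no input collecting it, so that log type never reaches the index.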
This documentation applies to the following versions of Splunk® Supported Add-ons: released