Splunk® Supported Add-ons

Splunk Add-on for RSA SecurID

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure inputs for the Splunk Add-on for RSA SecurID

The Splunk Add-on for RSA SecurID handles inputs through UDP. There are two ways to capture this data.

  • For production deployments send the logs to a Splunk Connect for Syslog instance.
  • Create a UDP input on a dedicated forwarder or single instance to capture the data sent on a unique port.

Note: If the timezones of RSA SecurID and forwarder are different, and the syslog sent from the RSA SecurID doesn't contain the timezone information, the timestamp of the events are not extracted correctly. You have to configure TZ settings in props.conf of this add-on on forwarder to ensure the timestamp is correctly extracted. See Configure props.conf in the Admin manual.

Monitor input

If you are using a syslog aggregator, install a forwarder on that machine and set up a monitor input to monitor the file or files that are generated. Set your source type to rsa:securid:syslog. The CIM mapping and dashboard panels are dependent on this source type.

See "Monitor files and directories" in the Getting Data In manual for information about setting up a monitor input.

UDP input

In the Splunk platform node handling data collection, configure a UDP input to listen on a unique port and make sure there are no port conflicts. Set your source type to rsa:securid:syslog. The CIM mapping and dashboard panels are dependent on this source type. As a best practice, use Splunk Connect for Syslog.

For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual.

Validate data collection

Once you have configured the input, run this search to check that you are ingesting the data that you expect. The add-on converts the rsa:securid:syslog source type to rsa:securid:runtime:syslog, rsa:securid:admin:syslog, or rsa:securid:system:syslog according to the log file source.

sourcetype=rsa:securid:* | stats count by sourcetype

Last modified on 25 July, 2022
PREVIOUS
Set up the RSA Authentication Manager to produce syslog
  NEXT
Troubleshoot the Splunk Add-on for RSA SecurID

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters