Configure inputs for the Splunk Add-on for RSA SecurID
The Splunk Add-on for RSA SecurID handles inputs through UDP. There are two ways to capture this data.
- For production deployments, send the logs to a Splunk Connect for Syslog instance.
- Create a UDP input on a dedicated forwarder or single instance to capture the data sent on a unique port.
Note: If the time zones of RSA SecurID and the forwarder are different, and the syslog sent from RSA SecurID doesn't contain time zone information, the timestamps of the events are not extracted correctly. Configure the TZ setting in the props.conf of this add-on on the forwarder to ensure that the timestamp is extracted correctly. See Configure props.conf in the Admin manual.
Monitor input
If you are using a syslog aggregator, install a forwarder on that machine and set up a monitor input to monitor the file or files that are generated. Set your source type to rsa:securid:syslog. The CIM mapping and dashboard panels are dependent on this source type.
See "Monitor files and directories" in the Getting Data In manual for information about setting up a monitor input.
UDP input
In the Splunk platform node handling data collection, configure a UDP input to listen on a unique port and make sure there are no port conflicts. Set your source type to rsa:securid:syslog. The CIM mapping and dashboard panels are dependent on this source type. As a best practice, use Splunk Connect for Syslog.
For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual.
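The stanzas below show the monitor input, the UDP input, and the TZ setting described above as they would appear in inputs.conf and props.conf. They are an added example, not taken from the add-on itself; the file path, port 5514, and the time zone America/New_York are constructed placeholders to replace with your own values.

```ini
# --- inputs.conf on the forwarder or single instance collecting the data ---

# Option A: UDP input. Port 5514 is a placeholder; pick a port that no
# other input or service on this host is using.
[udp://5514]
sourcetype = rsa:securid:syslog
# Record the sending device's IP address as the host field.
connection_host = ip

# Option B: monitor input on a syslog aggregator. The path is a
# placeholder for the file or files the aggregator writes.
[monitor:///var/log/remote/rsa-securid.log]
sourcetype = rsa:securid:syslog

# --- props.conf on the same forwarder ---

# Needed only when the syslog carries no time zone information and
# RSA SecurID is in a different time zone than the forwarder.
# America/New_York is a placeholder for the time zone of RSA SecurID.
[rsa:securid:syslog]
TZ = America/New_York
```

Use only one of the two input stanzas for a given data path, so that the same events are not ingested twice.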
Validate data collection
Once you have configured the input, run this search to check that you are ingesting the data that you expect. The add-on converts the rsa:securid:syslog source type to rsa:securid:runtime:syslog, rsa:securid:admin:syslog, or rsa:securid:system:syslog according to the log file source.
sourcetype=rsa:securid:* | stats count by sourcetype
This documentation applies to the following versions of Splunk® Supported Add-ons: released