Skip to content

Splunk Connect for Syslog

RSA SecureID

Splunk Connect for Syslog

Home
Getting Started
Getting Started
Architectural Considerations
Configuration
Development
Destinations
Sources
Sources
- Read First
- Basic Onboarding
  Basic Onboarding
- Known Vendors
  Known Vendors
  - AVI
    AVI
    
    Common
  - Alcatel
    Alcatel
    
    Switch
  - Alsid
    Alsid
    
    Alsid
  - Arista
    Arista
    
    EOS
  - Aruba
    Aruba
    
    Access Points
    
    Clearpass
  - Avaya
    Avaya
    
    SIP Manager
  - BeyondTrust
    BeyondTrust
    
    Secure Remote Access (Bomgar)
  - Broadcom
    Broadcom
    
    Brightmail
    
    Symantec DLP
    
    Symantec Endpoint Protection (SEPM)
    
    ProxySG/ASG
    
    SSL Visibility Appliance
  - Brocade
    Brocade
    
    Switch
  - Buffalo
    Buffalo
    
    Terastation
  - Checkpoint
    Checkpoint
    
    Firewall OS
    
    Log Exporter (Syslog)
    
    Log Exporter (Splunk)
  - Cisco
    Cisco
    
    Application Control Engine (ACE)
    
    Cisco Access Control System (ACS)
    
    ASA/FTD (Firepower)
    
    Email Security Appliance (ESA)
    
    Cisco Integrated Management Controller (IMC)
    
    Cisco Networking (IOS and Compatible)
    
    Cisco ise
    
    Cisco meraki
    
    TelePresence Video Communication Server (TVCS)
    
    Unified Communications Manager (UCM)
    
    Unified Computing System (UCS)
    
    Web Security Appliance (WSA)
  - Citrix
    Citrix
    
    Netscaler ADC/SDX
  - Cohesity
    Cohesity
    
    Cluster
  - CyberArk
    CyberArk
    
    Vendor - CyberArk
    
    PTA
  - Cylance
    Cylance
    
    Protect
  - Dell
    Dell
    
    CMC (VRTX)
    
    EMC Powerswitch N Series
    
    iDrac
    
    RSA SecureID RSA SecureID
    Table of contents
    
    Key facts
    
    Links
    
    Sourcetypes
    
    Sourcetype and Index Configuration
    
    Parser Configuration
  - F5
    F5
    
    BigIP
  - FireEye
    FireEye
    
    CMS
    
    eMPS
    
    etp
    
    hx
  - Forcepoint
    Forcepoint
    
    Email Security
    
    Webprotect (Websense)
  - Fortinet
    Fortinet
    
    Fortios
    
    FortiWeb
  - GitHub
    GitHub
    
    Enterprise Server
  - HAProxy
    HAProxy
    
    HAProxy
  - HPe
    HPe
    
    ILO (4+)
    
    Jedirect
    
    Procurve Switch
  - IBM
    IBM
    
    Data power
  - ISC
    ISC
    
    bind
    
    dhcpd
  - Imperva
    Imperva
    
    Incapsula
    
    On-Premises WAF (SecureSphere WAF)
  - InfoBlox
    InfoBlox
    
    NIOS
  - Juniper
    Juniper
    
    JunOS
    
    Netscreen
  - McAfee
    McAfee
    
    EPO
    
    Network Security Platform
    
    Wg
  - Microfocus
    Microfocus
    
    Arcsight Internal Agent
    
    Arcsight Microsoft Windows (CEF)
  - Microsoft
    Microsoft
    
    Cloud App Security (MCAS)
  - Mikrotik
    Mikrotik
    
    RouterOS
  - NetApp
    NetApp
    
    OnTap
  - Netmotion
    Netmotion
    
    Reporting
  - Novell
    Novell
    
    NetIQ
  - Ossec
    Ossec
    
    Ossec
  - PaloaltoNetworks
    PaloaltoNetworks
    
    Cortext
    
    panos
    
    Traps
  - Pfsense
    Pfsense
    
    Firewall
  - Polycom
    Polycom
    
    RPRM
  - Proofpoint
    Proofpoint
    
    Proofpoint Protection Server
  - Pulse
    Pulse
    
    Pulse
  - PureStorage
    PureStorage
    
    Array
  - Qumulo
    Qumulo
    
    Storage
  - Radware
    Radware
    
    DefensePro
  - Raritan
    Raritan
    
    DSX
  - Ricoh
    Ricoh
    
    MFP
  - Schneider
    Schneider
    
    APC Power systems
  - Solace
    Solace
    
    EventBroker
  - Sophos
    Sophos
    
    Web Appliance
  - Spectracom
    Spectracom
    
    NTP Appliance
  - Splunk
    Splunk
    
    Splunk Connect for Syslog (SC4S)
  - Tanium
    Tanium
    
    Platform
  - Tenable
    Tenable
    
    ad
    
    nnm
  - Thycotic
    Thycotic
    
    Secret Server
  - Tintri
    Tintri
    
    Syslog
  - Trend
    Trend
    
    Deep Security
  - Ubiquiti
    Ubiquiti
    
    Unifi
  - VMWare
    VMWare
    
    Carbon Black Protection
    
    Horizon View
    
    Index
  - Varonis
    Varonis
    
    DatAdvantage
  - Vectra
    Vectra
    
    Cognito
  - Wallix
    Wallix
    
    Bastion
  - Zscaler
    Zscaler
    
    LSS
    
    NSS
  - syslog-ng
    syslog-ng
    
    loggen
Performance
Troubleshooting
Troubleshooting
- SC4S Startup and Validation
- SC4S Logging and Troubleshooting Resources
Upgrading SC4S
SC4S FAQ

RSA SecureID¶

Key facts¶

Requires vendor product by source configuration
Legacy BSD Format default port 514

Links¶

Ref	Link
Splunk Add-on	https://splunkbase.splunk.com/app/2958/
Product Manual	http://docs.splunk.com/Documentation/AddOns/latest/RSASecurID/About

Sourcetypes¶

sourcetype	notes
rsa:securid:syslog	Catchall; used if a more specific source type can not be identified
rsa:securid:admin:syslog	None
rsa:securid:runtime:syslog	None
nix:syslog	None

Sourcetype and Index Configuration¶

key	sourcetype	index	notes
dell_rsa_secureid	all	netauth	none
dell_rsa_secureid	nix:syslog	osnix	uses os_nix key of not configured bye host/ip/port

Parser Configuration¶

#/opt/sc4s/local/app-parsers/app-vps-dell_rsa_secureid.conf
#File name provided is a suggestion it must be globally unique

application app-vps-test-dell_rsa_secureid[sc4s-vps] {
    filter { 
        host("test_rsasecureid*" type(glob))
    };  
    parser { 
        p_set_netsource_fields(
            vendor('dell')
            product('rsa_secureid')
        ); 
    };   
};