AlienVault® USM Anywhere™

RSA Authentication Manager

When you configure RSA Authentication Manager integration to send log data to USM Anywhere, you can use the RSA Authentication Manager plugin to translate the raw log data into normalized events for analysis.

Device Details

  • Device vendor: RSA
  • Device type: Authentication
  • Connection type: syslog
  • Vendor link: https://www.emc.com/collateral/15-min-guide/h12276-am8-administrators-guide.pdf

Integrating RSA Authentication Manager

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor.

To integrate RSA Authentication Manager to send log data to USM Anywhere in an MS Windows environment

  1. Log in to the system that hosts your RSA Security Console.
  2. Open the following file for editing based on your operating system:

    /Program Files/RSASecurity/RSAAuthenticationManager/utils/resources/ims.properties

  3. Add the following entries to the ims.properties file:

    ims.logging.audit.admin.syslog_host = <IP address>

    ims.logging.audit.admin.use_os_logger = true

    ims.logging.audit.runtime.syslog_host = <IP address>

    ims.logging.audit.runtime.use_os_logger = true

    ims.logging.system.syslog_host = <IP address>

    ims.logging.system.use_os_logger = true

    Where <IP address> is the IP address or host name of the USM Anywhere Sensor.

  4. Save the ims.properties file.
  5. Restart RSA services.

To integrate RSA Authentication Manager to send log data to USM Anywhere in a Linux environment

  1. Log in to the RSA Security Console command-line interface (CLI).
  2. Open the following file for editing based on your operating system:

    /usr/local/RSASecurity/RSAAuthenticationManager/utils/resources/ims.properties

  3. Add the following entries to the ims.properties file:

    ims.logging.audit.admin.syslog_host = <IP address>
    ims.logging.audit.admin.use_os_logger = true
    ims.logging.audit.runtime.syslog_host = <IP address>
    ims.logging.audit.runtime.use_os_logger = true
    ims.logging.system.syslog_host = <IP address>
    ims.logging.system.use_os_logger = true

    Where:

    <IP address> is the IP address of the USM Anywhere Sensor.

  4. Save the ims.properties file.
  5. Open the following file for editing:

    /etc/syslog.conf

  6. Add the following line to the file to add the USM Anywhere Sensor as a syslog entry:

    *.* @<IP address>

    Where:

    <IP address> is the IP address of the USM Anywhere Sensor.

  7. Enter the following command to restart the syslog services for Linux:

    service syslog restart
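
A post-change check for step 3 of either procedure, added here as an example and not taken from the RSA or USM Anywhere documentation: the hypothetical helper check_ims_syslog reads ims.properties and reports each of the six entries that is missing or does not point at the Sensor. The address 192.0.2.10 and the sample file are constructed, and the parser assumes "key = value" lines as shown in the steps above.

```sh
# Added example (not from the vendor docs): check that ims.properties carries
# the six syslog entries from step 3. 192.0.2.10 and the sample are constructed.

# check_ims_syslog FILE SENSOR
# Prints one line per problem; returns 0 only if all six entries are correct.
check_ims_syslog() {
    file=$1 sensor=$2 rc=0
    for scope in audit.admin audit.runtime system; do
        for suffix in "syslog_host=$sensor" "use_os_logger=true"; do
            key="ims.logging.$scope.${suffix%%=*}"
            want=${suffix#*=}
            # Last assignment wins; tolerate spaces around "=" and CRLF endings.
            got=$(awk -v k="$key" '
                { sub(/\r$/, "") }
                /^[ \t]*[#!]/ { next }          # properties-file comments
                {
                    i = index($0, "=")
                    if (i == 0) next
                    name = substr($0, 1, i - 1); val = substr($0, i + 1)
                    gsub(/^[ \t]+|[ \t]+$/, "", name)
                    gsub(/^[ \t]+|[ \t]+$/, "", val)
                    if (name == k) { found = 1; v = val }
                }
                END { if (found) print v; else print "__MISSING__" }' "$file")
            if [ "$got" = "__MISSING__" ]; then
                echo "MISSING  $key"; rc=1
            elif [ "$got" != "$want" ]; then
                echo "MISMATCH $key = $got (expected $want)"; rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample: runtime host still a placeholder, one entry missing.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
ims.logging.audit.admin.syslog_host = 192.0.2.10
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = <IP address>
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = 192.0.2.10
EOF
check_ims_syslog "$sample" 192.0.2.10 || echo "ims.properties needs attention"
```

Run it against the real ims.properties path for your platform before restarting the RSA services; a literal <IP address> left in the file shows up as a MISMATCH.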

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • account_name
  • authentication_type
  • event_description
  • event_name
  • event_outcome
  • event_severity
  • file_path
  • rep_device_address
  • rep_device_hostname
  • rep_device_rule_id
  • source_address
  • source_username
  • timestamp_occured

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://community.rsa.com/docs/DOC-36951