Collect RSA Authentication Manager logs

This document describes how you can collect RSA Authentication Manager logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the RSA_AUTH_MANAGER ingestion label.

Configure RSA Authentication Manager

  1. Sign in to the RSA Authentication Manager Security Console using administrator credentials.
  2. In the Setup menu, click System settings.
  3. In the System settings window, in the Basic settings section, select Logging.
  4. In the Select instance section, select the Primary instance type configured in your environment, and then click Next to continue.
  5. In the Configure settings section, configure the logs for the following sections that are displayed:
    • Log levels
    • Log data destination
    • Log data masking
  6. In the Log levels section, configure the following logs:
    • Set Trace log to Fatal.
    • Set Administrative audit log to Success.
    • Set Runtime audit log to Success.
    • Set System log to Warning.
  7. In the Log data destination section, for the following log level data, select Save to internal database and remote syslog for the following hostname or IP address, and then enter the IP address of Google Security Operations:

    • Administrative audit log data
    • Runtime audit log data
    • System log data

    Syslog messages are transmitted over UDP on a higher-numbered port.

  8. In the Log data masking section, in the Mask token serial number: number of digits of the token serial number to display field, enter the maximum value, which is equal to the number of digits that appear in available tokens, such as 12.

    For more information, see Log data masking.

  9. Click Save.

Configure Google Security Operations forwarder and syslog to ingest RSA Authentication Manager logs

  1. Select SIEM Settings > Forwarders.
  2. Click Add new forwarder.
  3. In the Forwarder name field, enter a unique name for the forwarder.
  4. Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, type a unique name for the collector.
  6. Select RSA as the Log type.
  7. Select Syslog as the Collector type.
  8. Configure the following mandatory input parameters:
    • Protocol: specify the connection protocol the collector will use to listen for syslog data.
    • Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
    • Port: specify the target port where the collector resides and listens for syslog data.
  9. Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser extracts fields from RSA Authentication Manager CSV logs, handling variations in the log format. It uses grok to initially parse the log lines, then leverages CSV filtering to extract individual fields, mapping them to standardized names like username, clientip, and operation_status for UDM compatibility.

UDM mapping table

| Log field | UDM mapping | Logic |
|---|---|---|
| clientip | principal.asset.ip | The value of column8 from the raw log. |
| clientip | principal.ip | The value of column8 from the raw log. |
| column1 | metadata.event_timestamp.seconds | Parsed from the time field (column1) in the raw log, using formats "yyyy-MM-dd HH:mm:ss" and "yyyy-MM-dd HH: mm:ss". |
| column12 | security_result.action | Mapped based on the operation_status field (column12). Values "SUCCESS" and "ACCEPT" map to ALLOW; "FAIL", "REJECT", "DROP", "DENY", "NOT_ALLOWED" map to BLOCK; other values map to UNKNOWN_ACTION. |
| column18 | principal.user.userid | The value of column18 from the raw log. |
| column19 | principal.user.first_name | The value of column19 from the raw log. |
| column20 | principal.user.last_name | The value of column20 from the raw log. |
| column25 | principal.hostname | The value of column25 from the raw log. |
| column26 | principal.asset.hostname | The value of column26 from the raw log. |
| column27 | metadata.product_name | The value of column27 from the raw log. |
| column3 | target.administrative_domain | The value of column3 from the raw log. |
| column32 | principal.user.group_identifiers | The value of column32 from the raw log. |
| column5 | security_result.severity | Mapped based on the severity field (column5). Values "INFO", "INFORMATIONAL" map to INFORMATIONAL; "WARN", "WARNING" map to WARNING; "ERROR", "CRITICAL", "FATAL", "SEVERE", "EMERGENCY", "ALERT" map to ERROR; "NOTICE", "DEBUG", "TRACE" map to DEBUG; other values map to UNKNOWN_SEVERITY. |
| column8 | target.asset.ip | The value of column8 from the raw log. |
| column8 | target.ip | The value of column8 from the raw log. |
| event_name | security_result.rule_name | The value of column10 from the raw log. |
| host_name | intermediary.hostname | Extracted from the <DATA> portion of the raw log using grok patterns. |
| process_data | principal.process.command_line | Extracted from the <DATA> portion of the raw log using grok patterns. |
| summary | security_result.summary | The value of column13 from the raw log. |
| time_stamp | metadata.event_timestamp.seconds | Extracted from the <DATA> portion of the raw log using grok patterns. If not found, the timestamp is extracted from the timestamp field in the raw log. |
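The following Python script is an added illustration of the column-to-UDM logic in the table above; it is not the Google Security Operations parser itself. It applies the action, severity and timestamp rules exactly as listed (including the "HH: mm:ss" layout variant) to a constructed 32-column CSV payload, so you can check what a given operation_status or severity value will become before building detections on security_result.action. Column numbers are 1-based as in the table; the sample values are constructed.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Mapping rules as listed in the UDM mapping table (column numbers are 1-based).
ACTION_MAP = {"SUCCESS": "ALLOW", "ACCEPT": "ALLOW", "FAIL": "BLOCK", "REJECT": "BLOCK",
              "DROP": "BLOCK", "DENY": "BLOCK", "NOT_ALLOWED": "BLOCK"}
SEVERITY_MAP = {"INFO": "INFORMATIONAL", "INFORMATIONAL": "INFORMATIONAL",
                "WARN": "WARNING", "WARNING": "WARNING",
                "ERROR": "ERROR", "CRITICAL": "ERROR", "FATAL": "ERROR", "SEVERE": "ERROR",
                "EMERGENCY": "ERROR", "ALERT": "ERROR",
                "NOTICE": "DEBUG", "DEBUG": "DEBUG", "TRACE": "DEBUG"}
# Both timestamp layouts named in the table, including the variant with a space after the hour.
TIME_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H: %M:%S")
COLUMN_FIELDS = {3: "target.administrative_domain", 8: "principal.ip", 10: "security_result.rule_name",
                 13: "security_result.summary", 18: "principal.user.userid",
                 19: "principal.user.first_name", 20: "principal.user.last_name",
                 25: "principal.hostname", 26: "principal.asset.hostname",
                 27: "metadata.product_name", 32: "principal.user.group_identifiers"}

def parse_timestamp(value):
    """Return epoch seconds (UTC assumed) for either accepted layout, or None if neither matches."""
    for fmt in TIME_FORMATS:
        try:
            return int(datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc).timestamp())
        except ValueError:
            continue
    return None

def map_to_udm(csv_payload):
    """Split one CSV payload and apply the table's column-to-UDM mapping."""
    cols = next(csv.reader(StringIO(csv_payload)))
    col = lambda n: cols[n - 1].strip() if n <= len(cols) else ""  # tolerant of short rows
    udm = {name: col(n) for n, name in COLUMN_FIELDS.items() if col(n)}
    udm["metadata.event_timestamp.seconds"] = parse_timestamp(col(1))
    udm["security_result.action"] = ACTION_MAP.get(col(12), "UNKNOWN_ACTION")
    udm["security_result.severity"] = SEVERITY_MAP.get(col(5), "UNKNOWN_SEVERITY")
    return udm

def constructed_sample(status="FAIL", severity="WARN", when="2024-05-01 09: 15:30"):
    """Constructed 32-column row; only the columns the table references are populated."""
    row = [""] * 32
    row[0], row[2], row[4], row[7] = when, "SystemDomain", severity, "10.0.0.25"
    row[9], row[11], row[12] = "AUTHN_METHOD_FAILED", status, "User login failed"
    row[17], row[18], row[19] = "jdoe", "Jane", "Doe"
    row[24], row[25], row[26], row[31] = "am-primary", "am-primary.example.test", "Authentication Manager", "Helpdesk"
    return ",".join(row)

if __name__ == "__main__":
    print(map_to_udm(constructed_sample()))
```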
