Formatting for syslog data sent from RSA Authentication Manager 8.x
2 years ago
Originally Published: 2015-12-17
Article Number
000067267
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.x
Issue
An administrator needs to know what data is sent to a remote syslog server from the RSA Authentication Manager.
Tasks

Creating a Report

  1. To create a report, log in to the Security Console.
  2. Select Reporting > Reports > Add New.
  3. Select either the Authentication Activity, Administrator Activity or System Log Report template and then click Next.
  4. Enter only a Report Name (e.g., Authentication Activity).
  5. Click Save.

Running a Report

  1. From the Security Console, select Reporting > Reports > Manage Existing.
  2. Click on the report name and select Run Report Job Now.
  3. In the Input Parameters Values, enter the relevant values.
  4. When done, click Run Report.
  5. Click Refresh List. When the report disappears, click the Completed tab.
  6. Click on the report name and choose your viewing option (browser, CSV, XML or HTML).
Resolution
There are three pieces of information that will allow an administrator to work out the data being sent to the remote syslog server.
  1. Review the RSA Authentication Manager 8.2 Troubleshooting Guide, which provides information on how to troubleshoot Authentication Manager 8.2 for commonly occurring error messages. These error messages are displayed in the SNMP traps or in the logs.
  2. RSA Authentication Manager has three tables that store runtime (authentication), administrative and system log data. The RSA Authentication Manager 8.2 Developer Guide, available in the extras.zip, provides the table structures for the runtime log table (IMS_LOG_AUDIT_RT), administration log table (IMS_LOG_AUDIT_ADM) and system log table (IMS_LOG_SYSTEM). 
  3. The Security Console provides three reporting templates called Authentication Activity (for runtime), Administrator Activity (for admin) and System Log Report (system) that report data from the three logging tables.
Notes

Headers for the Runtime (Authentication) Log (IMS_LOG_AUDIT_RT)

  • id
  • utc_log_time
  • local_log_time
  • instance_id
  • session_id
  • serial
  • signature_id
  • client_ip
  • server_node_ip
  • component_key
  • log_level
  • action_key
  • action_id
  • action_result
  • result_key
  • actor_id
  • actor_realm_id
  • actor_secdom_id
  • actor_idsrc_id
  • actor_login_uid
  • actor_fname
  • actor_lname
  • agent_id
  • agent_secdom_id
  • agent_ip
  • agent_name
  • agent_type
  • authmethod_id
  • authmethod_name
  • policy_id
  • policy_expr
  • arg1
  • arg2
  • arg3
  • arg4
  • arg5
  • arg6
  • arg7
  • arg8
  • arg9
  • arg10
  • more_args
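
When onboarding this feed into a SIEM, the runtime header list above can serve as a field map. The following is an added example, not RSA code: it assumes each record arrives as one comma-separated line with values in the listed column order (the article does not state the delimiter), and the sample records, including the FAIL value, are constructed.

```python
import csv
import io
from collections import Counter

# Column order of IMS_LOG_AUDIT_RT exactly as listed in this article (42 names).
RUNTIME_FIELDS = (
    "id utc_log_time local_log_time instance_id session_id serial signature_id "
    "client_ip server_node_ip component_key log_level action_key action_id "
    "action_result result_key actor_id actor_realm_id actor_secdom_id "
    "actor_idsrc_id actor_login_uid actor_fname actor_lname agent_id "
    "agent_secdom_id agent_ip agent_name agent_type authmethod_id "
    "authmethod_name policy_id policy_expr arg1 arg2 arg3 arg4 arg5 arg6 arg7 "
    "arg8 arg9 arg10 more_args"
).split()

def parse_runtime_record(line):
    """Return (record, problem); problem is None when the line maps cleanly."""
    # Assumption: comma-separated values, quoted when a value contains a comma.
    values = next(csv.reader([line]), [])
    if len(values) != len(RUNTIME_FIELDS):
        # Truncated lines or unquoted commas shift columns; reject, do not mis-map.
        return None, f"expected {len(RUNTIME_FIELDS)} fields, got {len(values)}"
    return dict(zip(RUNTIME_FIELDS, values)), None

def summarize(lines):
    """Count events per (actor_login_uid, client_ip, action_result)."""
    counts, rejects = Counter(), []
    for lineno, line in enumerate(lines, 1):
        record, problem = parse_runtime_record(line)
        if problem:
            rejects.append((lineno, problem))
            continue
        key = (record["actor_login_uid"], record["client_ip"], record["action_result"])
        counts[key] += 1
    return counts, rejects

def sample_line(**values):
    """Build a constructed record; unspecified columns are left empty."""
    row = dict.fromkeys(RUNTIME_FIELDS, "")
    row.update(values)
    buf = io.StringIO()
    csv.writer(buf).writerow([row[name] for name in RUNTIME_FIELDS])
    return buf.getvalue().strip()

# Constructed sample data (not real appliance output); the third line is truncated.
GOOD = sample_line(id="1", client_ip="192.0.2.10", actor_login_uid="jdoe",
                   actor_lname="Doe, Jr.", action_result="FAIL")
SAMPLE = [GOOD, GOOD, GOOD[:20]]
```

Rejected lines are returned with their line number so that truncated or mis-delimited messages can be investigated instead of being silently dropped or mapped to the wrong columns.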

Headers for the Administrative Log (IMS_LOG_AUDIT_ADM)

  • id
  • utc_log_time
  • local_log_time
  • instance_id
  • session_id
  • batch_id
  • serial
  • signature_id
  • client_ip
  • server_node_ip
  • component_key
  • log_level
  • action_key
  • action_id
  • action_result
  • result_key
  • admin_id
  • admin_idsrc_id
  • admin_secdom_id
  • admin_login_uid
  • admin_fname
  • admin_lname
  • realm_id
  • obj1_type
  • obj1_id
  • obj1_idsrc_id
  • obj1_secdom_id
  • obj1_name
  • obj2_type
  • obj2_id
  • obj2_idsrc_id
  • obj2_secdom_id
  • obj2_name
  • more_args

Headers for the System Log (IMS_LOG_SYSTEM)

  • id
  • utc_log_time
  • local_log_time
  • instance_id
  • session_id
  • batch_id
  • serial
  • signature_id
  • client_ip
  • server_node_ip
  • component_key
  • log_level
  • action_key
  • action_id
  • action_result
  • result_key
  • admin_id
  • admin_idsrc_id
  • admin_secdom_id
  • admin_login_uid
  • admin_fname
  • admin_lname
  • realm_id
  • obj1_type
  • obj1_id
  • obj1_idsrc_id
  • obj1_secdom_id
  • obj1_name
  • obj2_type
  • obj2_id
  • obj2_idsrc_id
  • obj2_secdom_id
  • obj2_name
  • more_args