Field names for the Authentication Manager log files

May 14 01:41:27 localhost 2023-05-14 01:41:27,344, , audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, INFO, 
a6c436a2e2e266a219d3d0a5504eff4a,6ceed1b2e2e266a20801cd23efb75fbd,192.168.1.99,192.168.46.46,AUTHN_LOGIN_EVENT,13002,SUCCESS,
AUTHN_METHOD_SUCCESS,a636cfbbe2e266a219d365ddeee982a4-x6l+XQokVhIt,ce3d7b2be2e266a21974b6f5ce9ba2ca,000000000000000000001000d0011000,
000000000000000000001000e0011000,U328187,Ericka,Ryptography,2e0ca6e7e2e266a21bc6a77ef43a59e5,000000000000000000001000e0011000,
192.168.1.99,mn-sv2-jp-sped-c6-sm2.securitydynamics.com,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,
5,1,000000000000000000001000e0011000,SystemDomain,d83770c3e2e266a21b9dcacfc6c9cd78,SpED,2469ab36e2e266a21a69868bc4b6b808,xxxxxxxx2776,,

• You cannot glean the meaning of the information in the syslog based on the limited information contained in the knowledge article on formatting for syslog data sent from RSA Authentication Manager 8.x and the syslog data explained.xlsx file;
• You believe that you need to know this specific argument field in a specific use case, and
• You cannot figure out the information from the context.

Tasks 

• Creating a Report

1. To create a report login to the Security Console.  
2. Select Reporting > Reports > Add New.
3. Select either the Authentication Activity, Administrator Activity or System Log Report template.
4. Click Next.
5. Enter a name for this report (e. g., Authentication Activity).
6. Click Save.

• Running a Report

1. From the Security Console select Reporting > Reports > Manage Existing.
2. Click on the report name and select Run Report Job Now.
3. In the Input Parameters Values, enter the relevant values.
4. When done, click Run Report.
5. Click Refresh List.  
6. When the report disappears, click the Completed tab.
7. Click on the report name and choose your viewing option (i. e., browser, CSV, XML or HTML).

• Resolution    

1. RSA Authentication Manager has three tables that store runtime (authentication), administrative and system log data. The RSA Authentication Manager Developer Guide, available in the extras.zip, provides the table structures for the runtime log table (IMS_LOG_AUDIT_RT), administration log table (IMS_LOG_AUDIT_ADM) and system log table (IMS_LOG_SYSTEM). 
2. The Security Console provides three reporting templates called Authentication Activity (for runtime), Administrator Activity (for admin) and System Log Report (system) that report data from the three logging tables.

• Field 8: IP addresses for the agent or Client and Authentication Manager server that authenticated this transaction,
• Field 9: IP addresses for the agent or Client and Authentication Manager server that authenticated this transaction,
• Field 13: Column G = result key or reason: NS_MISMATCH_SERVER_HAS_BUT_AGENT_DOESNT
• Field 21 shows an agent ID or a Security Domain ID, but either way, that information is useless off of the Appliance, it is something Engineering might need if debugging a report or agent or privilege problem
• Field 22 with 000000000000000000000100e0011000 looks like Argument 4 from an Authentication activity report, which should translate into User identity source ID, either the Internal Database or an external LDAP Identity Source like Active Directory
• Field 23 is the same as field 8.  It looks like a client or agent IP address, but you could verify from an authentication activity report.
• Field 25 is Agent Type.  Many older types are not specifically called out in Authentication Manager 8.x because they are no longer needed.  Agent types are as follows: