Skip to main content

RSA SecurID

RSA SecurID is an MFA technology designed to increase security for network resources and help organizations maintain compliance.

RSA SecurID

This pack includes Cortex XSIAM content.

Configuration on Server Side

You need to configure RSA SecurID to forward Syslog messages.

In RSA Authentication Manager 8.4 there is rsyslog instead of syslog-ng.
In the configuration file in /etc/rsyslog.d/remote.conf you define the syslog server(s) to which you want to connect.
In /etc/rsylog.conf define the rest of the configuration related to rsyslog.

  1. Launch an SSH client, such as PuTTY.
  2. Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.
  3. Change the privileges of rsaadmin to root.
  4. Enter the operating system password when prompted.
  5. Go to /etc/rsyslog.d/ and make a copy of the remote.conf file.
  6. Open the remote.conf configuration file in an editor such as vi.
  7. Append the remote syslog servers in the /etc/rsyslog.d/remote.conf file.
  8. Restart the syslog daemon and verify the status with the following commands:
   rcsyslog restart
   rcsyslog status
  1. Configure Security Console Logging to send to localhost 127.0.0.1, Link.
  2. Monitor the outgoing traffic to the remote syslog server with the commands:
    • To monitor all traffic
      <bash> tcpdump -nvv -i eth0 port 514
    • To monitor more targeted traffic on port 514:
      <bash> tcpdump -nvv -i eth0 "dst host n.n.n.n and dst port 514"
  3. When the configuration is completed on the primary server, repeat steps 1 through 9 on each replica server in your deployment. Be sure to complete the tasks on one server before moving to another server.

  • To configure RSA Authentication Manager 8.4 or later to send data to remote syslog servers, refer to the full documentation provided by RSA.

  • To configure RSA Authentication Manager 8.1, 8.2, 8.3 to send data to remote syslog servers, refer to the full documentation provided by RSA.

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to SettingsConfigurationData BrokerBroker VMs.
  2. Go to the Apps column under the Brokers tab and add the Syslog Collector app for the relevant broker instance. If the app already exists, hover over it and click Configure.
  3. Click Add New for adding a new syslog data source.
  4. When configuring the new syslog data source, set the following values:
    | Parameter | Value
    | :--- | :---
    | Vendor | Enter RSA.
    | Product | Enter SecurID.

PUBLISHER

PLATFORMS

Cortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedDecember 11, 2023
Last ReleaseJune 23, 2024
DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.