Similar to my previous post, this situation also required some information to be
extracted from RSA logs. However, in this case getting the information was a
bit tricky as the RSA does not send this information via syslog.
The solution? 1. Enable SNMP traps on the RSA Devices
2. Configure the net-snmp on the splunk server to accept traps
3. Write these traps to a file
4. Pass the file to splunk for parsing
The solution? 1. Enable SNMP traps on the RSA Devices
2. Configure the net-snmp on the splunk server to accept traps
3. Write these traps to a file
4. Pass the file to splunk for parsing
However, just as in the previous case, splunk did not
have fields readily available for the information I required.
Once again, let’s see how we can grab information pertaining to a successful and a failed logon.
Once again, let’s see how we can grab information pertaining to a successful and a failed logon.
Success Login
May 6 10:30:55 securitynik_splunk snmptrapd[26393]: 2014-05-06 10:30:55 rsa.securitynik.lab [UDP: [10.0.0.100]:28359->[10.0.0.101]]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (33482396) 3 days, 21:00:23.96#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.2197.20.17#011SNMPv2-SMI::enterprises.2197.20.16.5.0 = STRING: "INFO"#011SNMPv2-SMI::enterprises.2197.20.16.7.0 = STRING: "13002"#011SNMPv2-SMI::enterprises.2197.20.16.6.0 = STRING: "Runtime event {ID: d1f31bbc218d56d002aa2982137555bc, time: Tue May 06 10:32:21 EDT 2014, client: 10.0.0.105, user: User [ID: e2d286571c8d56d0038cd0df39806550, session ID: m1f31b9c218d56d002a72ceff4eb5ca9-/+a27ZXrOmot, login name: securitynik_User, first name: Securitynik, last name: User, security domain ID: 000000000000000000001000f0000000, identity source ID: a320d7851c8d72d00301c794b31ffb91], action: AUTHN_LOGIN_EVENT, action id: 13002, result: SUCCESS, reason: AUTHN_METHOD_SUCCESS, agent: Agent [ID: 2d2262b71c8d56d00278bfbc91c76a1f, name: ssl.securitynik.lab, address: 10.0.0.105, type: 7, security domain ID: 000000000000000000001000f0000000], policy: Policy [method ID: 000000000000000000002000f1022000, policy ID: null, method name: SecurID_Native, policy expression: null], arguments: [AUTHN_LOGIN_EVENT, 5, 1, 000000000000000000001000f0000000, SystemDomain, 54cbfb3b1c8d56d00311a45c28bf4ffa, MySupport, c22e788d1c8d56d004a7814e36292e88, 000120606698, null]}"#011SNMPv2-SMI::enterprises.2197.20.16.8.0 = STRING: "AUTHN_METHOD_SUCCESS"
Failed Login
May 5 23:04:07 securitynik_splunk snmptrapd[26393]: 2014-05-05 23:04:07 rsa.securitynik.lab [UDP: [10.0.0.100]:28359->[10.0.0.101]]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (29361399) 3 days, 9:33:33.99#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.2197.20.17#011SNMPv2-SMI::enterprises.2197.20.16.5.0 = STRING: "ERROR"#011SNMPv2-SMI::enterprises.2197.20.16.7.0 = STRING: "13002"#011SNMPv2-SMI::enterprises.2197.20.16.6.0 = STRING: "Runtime event {ID: cf7e4b49218d56d00315ad670cf0d21a, time: Mon May 05 23:05:31 EDT 2014, client: 10.0.0.105, user: User [ID: 1c2258421e1d56d002f4d515cd8205de, session ID: cf7e4a49218d56d0029331e0f5b572f7-LbKGZLawB+Ov, login name: securitynik_User, first name: Securitynik, last name: User, security domain ID: 000000000000000000001000f0000000, identity source ID: a320d7851c8d72d00301c794b31ffb91], action: AUTHN_LOGIN_EVENT, action id: 13002, result: FAIL, reason: AUTHN_METHOD_FAILED, agent: Agent [ID: 2d2262b71c8d56d00278bfbc91c76a1f, name: ssl.securitynik.lab, address: 10.0.0.105, type: 7, security domain ID: 000000000000000000001000f0000000], policy: Policy [method ID: 000000000000000000002000f1022000, policy ID: null, method name: SecurID_Native, policy expression: null], arguments: [AUTHN_LOGIN_EVENT, 5, 1, 000000000000000000001000f0000000, SystemDomain, 5565f5c51c8d56d002d33ad1a1043d2c, SecurityNik-Group, null, null, null]}"#011SNMPv2-SMI::enterprises.2197.20.16.8.0 = STRING: "AUTHN_METHOD_FAILED"
What I needed that splunk did not have readily defined?
SecureID Server
Client IP
User ID:
login name:
First Name
Last Name
action
reason
How do we extract this? Let’s do it the “rex” way in splunk. Let’s begin with the successful logons.
RSA - Successful Authentication
"10.0.0.100" AUTHN_LOGIN_EVENT
AUTHN_METHOD_SUCCESS | rex field=_raw "\[UDP:
\[(?<rsa_server>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\].*
client:\s(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}), user: User
\[ID:\s(?<user_id>[a-zA-Z0-9]\w+),.* login
name:\s(?<login_name>.*), first name:\s(?<first_name>.*), last
name:\s(?<last_name>[a-zA-Z0-9]\w+),.* action:\s(?<action>\w+),.*
reason:\s(?<reason>\w+),.*
address:\s(?<address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | stats count by _time, rsa_server, client_ip,
address, user_id, login_name, first_name, last_name, action, reason | dedup
login_name | sort count | reverse
The result!
rsa_server client_ip address user_id login_name first_name last_name action reason count
rsa.securitynik.lab 10.0.0.105 10.0.0.105 e2d286571c8d56d0038cd0df39806550 securitynik_user Securitynik User AUTHN_LOGIN_EVENT AUTHN_METHOD_SUCCESS 3
And now for the failed logons
RSA - Failed Authentication
"10.0.0.100" AUTHN_LOGIN_EVENT
AUTHN_METHOD_FAILED | rex field=_raw "\[UDP: \[(?<rsa_server>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\].*
client:\s(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}), user: User
\[ID:\s(?<user_id>[a-zA-Z0-9]\w+),.* login
name:\s(?<login_name>.*), first name:\s(?<first_name>.*), last name:\s(?<last_name>[a-zA-Z0-9]\w+),.*
action:\s(?<action>\w+),.* reason:\s(?<reason>\w+),.*
address:\s(?<address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | stats count by _time, rsa_server, client_ip,
address, user_id, login_name, first_name, last_name, action, reason | dedup
login_name | sort count | reverse
The result!
rsa_server client_ip address user_id login_name first_name last_name action reason count
rsa.securitynik.lab 10.0.0.105 10.0.0.105 1c2258421e1d56d002f4d515cd8205de securitynik_user
Securitynikt User AUTHN_LOGIN_EVENT AUTHN_METHOD_FAILED 2
With a little effort and time, it seems you can do
almost anything you wish with the data which resides in splunk.
Generally the method of extracting the data was similar to the one which was done for the Juniper logs. It’s just in this case, what I wanted was more scattered and thus needed a bit more work. However, the concept remains the same for extracting the data.
Generally the method of extracting the data was similar to the one which was done for the Juniper logs. It’s just in this case, what I wanted was more scattered and thus needed a bit more work. However, the concept remains the same for extracting the data.
Happy Splunking!
Additional Readings:
http://www.autohotkey.com/docs/misc/RegEx-QuickRef.htm
http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/Rex
http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/Rex
No comments:
Post a Comment