000032240 - Formatting for syslog data sent from RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Sep 6, 2017
Version 1

Article Content

Article Number
000032240

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.x

Issue
An administrator needs to know what data is sent to a remote syslog server from the RSA Authentication Manager.

Tasks

Creating a Report


  1. To create a report, log in to the Security Console.
  2. Select Reporting > Reports > Add New.
  3. Select either the Authentication Activity, Administrator Activity or System Log Report template and then click Next.
  4. Enter only a Report Name (e.g., Authentication Activity).
  5. Click Save.

Running a Report


  1. From the Security Console, select Reporting > Reports > Manage Existing.
  2. Click on the report name and select Run Report Job Now.
  3. In the Input Parameters Values, enter the relevant values.
  4. When done, click Run Report.
  5. Click Refresh List. When the report disappears, click the Completed tab.
  6. Click on the report name and choose your viewing option (browser, CSV, XML or HTML).

Resolution
There are three pieces of information that will allow an administrator to work out the data being sent to the remote syslog server.
  1. Review the RSA Authentication Manager 8.2 Troubleshooting Guide, which provides information on how to troubleshoot Authentication Manager 8.2 for commonly occurring error messages. These error messages are displayed in the SNMP traps or in the logs.
  2. RSA Authentication Manager has three tables that store runtime (authentication), administrative and system log data. The RSA Authentication Manager 8.2 Developer Guide, available in the extras.zip, provides the table structures for the runtime log table (IMS_LOG_AUDIT_RT), administration log table (IMS_LOG_AUDIT_ADM) and system log table (IMS_LOG_SYSTEM). 
  3. The Security Console provides three reporting templates called Authentication Activity (for runtime), Administrator Activity (for admin) and System Log Report (system) that report data from the three logging tables.
Notes

Headers for the Runtime (Authentication) Log (IMS_LOG_AUDIT_RT)


  • id
  • utc_log_time
  • local_log_time
  • instance_id
  • session_id
  • serial
  • signature_id
  • client_ip
  • server_node_ip
  • component_key
  • log_level
  • action_key
  • action_id
  • action_result
  • result_key
  • actor_id
  • actor_realm_id
  • actor_secdom_id
  • actor_idsrc_id
  • actor_login_uid
  • actor_fname
  • actor_lname
  • agent_id
  • agent_secdom_id
  • agent_ip
  • agent_name
  • agent_type
  • authmethod_id
  • authmethod_name
  • policy_id
  • policy_expr
  • arg1
  • arg2
  • arg3
  • arg4
  • arg5
  • arg6
  • arg7
  • arg8
  • arg9
  • arg10
  • more_args
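
A collector that receives these records can use the header order above to map fields by name. The following Python is an added example, not RSA code: it assumes records arrive comma-separated in the listed order, with double quotes around any value that contains a comma. The helper names and all sample values (`jdoe`, `FAIL`, `192.0.2.10`) are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Column order copied from the runtime (IMS_LOG_AUDIT_RT) header list above.
RUNTIME_HEADERS = (
    "id utc_log_time local_log_time instance_id session_id serial signature_id "
    "client_ip server_node_ip component_key log_level action_key action_id "
    "action_result result_key actor_id actor_realm_id actor_secdom_id "
    "actor_idsrc_id actor_login_uid actor_fname actor_lname agent_id "
    "agent_secdom_id agent_ip agent_name agent_type authmethod_id authmethod_name "
    "policy_id policy_expr arg1 arg2 arg3 arg4 arg5 arg6 arg7 arg8 arg9 arg10 more_args"
).split()

def parse_runtime_record(line):
    """Map one record onto the headers. Assumption: comma-separated, in header
    order, with double quotes around a value that itself contains a comma."""
    fields = next(csv.reader(io.StringIO(line), skipinitialspace=True), [])
    if len(fields) != len(RUNTIME_HEADERS):
        raise ValueError(f"expected {len(RUNTIME_HEADERS)} fields, got {len(fields)}")
    return dict(zip(RUNTIME_HEADERS, (f.strip() for f in fields)))

def results_per_user(lines):
    """Count (actor_login_uid, action_result) pairs and tally rejected lines."""
    counts, rejected = Counter(), 0
    for line in lines:
        try:
            rec = parse_runtime_record(line)
        except ValueError:
            rejected += 1  # truncated or shifted record: do not guess at fields
            continue
        counts[(rec["actor_login_uid"], rec["action_result"])] += 1
    return counts, rejected

def make_sample(**values):
    """Build a constructed record with placeholder values (not real AM output)."""
    buf = io.StringIO()
    csv.writer(buf).writerow([values.get(h, "") for h in RUNTIME_HEADERS])
    return buf.getvalue().rstrip("\r\n")

# Constructed sample input; the last line is deliberately malformed.
SAMPLE_LINES = [
    make_sample(id="1", actor_login_uid="jdoe", action_result="FAIL", client_ip="192.0.2.10"),
    make_sample(id="2", actor_login_uid="jdoe", action_result="FAIL", policy_expr="a,b"),
    make_sample(id="3", actor_login_uid="asmith", action_result="SUCCESS"),
    "truncated,record,with,too,few,fields",
]

if __name__ == "__main__":
    print(results_per_user(SAMPLE_LINES))
```

Rejecting records with the wrong field count, rather than padding them, keeps a truncated message from shifting values into the wrong columns.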

Headers for the Administrative Log (IMS_LOG_AUDIT_ADM)


  • id
  • utc_log_time
  • local_log_time
  • instance_id
  • session_id
  • batch_id
  • serial
  • signature_id
  • client_ip
  • server_node_ip
  • component_key
  • log_level
  • action_key
  • action_id
  • action_result
  • result_key
  • admin_id
  • admin_idsrc_id
  • admin_secdom_id
  • admin_login_uid
  • admin_fname
  • admin_lname
  • realm_id
  • obj1_type
  • obj1_id
  • obj1_idsrc_id
  • obj1_secdom_id
  • obj1_name
  • obj2_type
  • obj2_id
  • obj2_idsrc_id
  • obj2_secdom_id
  • obj2_name
  • more_args

Headers for the System Log (IMS_LOG_SYSTEM)


  • id
  • utc_log_time
  • local_log_time
  • instance_id
  • session_id
  • batch_id
  • serial
  • signature_id
  • client_ip
  • server_node_ip
  • component_key
  • log_level
  • action_key
  • action_id
  • action_result
  • result_key
  • admin_id
  • admin_idsrc_id
  • admin_secdom_id
  • admin_login_uid
  • admin_fname
  • admin_lname
  • realm_id
  • obj1_type
  • obj1_id
  • obj1_idsrc_id
  • obj1_secdom_id
  • obj1_name
  • obj2_type
  • obj2_id
  • obj2_idsrc_id
  • obj2_secdom_id
  • obj2_name
  • more_args
