Applies To
RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.x
Resolution
How to see the plain text for user names in Audit logs:
Audit logs store the user name hashed with the SHA-1 algorithm, which is a one-way function.
You can remove the hashing for the Audit log user IDs here:
Uncheck this field. Entries written after you save the change will show the user name in plain text.
The entries should look like this after the change:
2018-03-27 09:54:12,021 -0700 |  | [0ff7-:065234cf161:53ece7c6-] | [test | dummy | 16 | 127.0.0.1 | S4SxW/9u5XlhUklaIw5F49fpR9k= | RISK_ANALYSIS | fef7-:065234cf161:53ece7c6-_TRX | fef7-:065234cf161:53ece7c6-_TRX | SESSION_SIGNIN | [&FORENSIC_EVENT_TYPE=SESSION_SIGNIN&FORENSIC_SCORE=1000&POLICY_OUTCOME=ALLOW]]
How to decrypt the hashed names:
We don’t decrypt the names. SHA-1 is a one-way hash function, not encryption, so there is nothing to decrypt. To find the information for a user, we hash the plain-text value again and look for the resulting hash in the logs.
For example, to look for the activity in the audit logs of a user with ID “test” we hash the value using an online tool like http://passwordsgenerator.net/sha1-hash-generator/:
Then look in the logs for the hashed value: A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 (hashed string for 'test').
All log entries using that hash are related to that user.
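
The same lookup can be done locally, so user IDs are not submitted to a third-party site. This is an added example, not RSA's code: the function names, the UTF-8/no-salt hashing assumption, and the sample lines (constructed, modelled on the entry format shown above) are all assumptions.

```python
import hashlib

def sha1_hex(user_id):
    """Uppercase hex SHA-1 of the user ID, as in the example hash above.
    Assumption: the ID is hashed as UTF-8 bytes with no salt."""
    return hashlib.sha1(user_id.encode("utf-8")).hexdigest().upper()

def split_fields(line):
    """Split a pipe-delimited audit line; strip padding and square brackets."""
    return [field.strip(" []\r\n") for field in line.split("|")]

def find_user_entries(lines, user_id):
    """Return audit lines in which a whole field equals the hashed user ID.
    Hex case is ignored; the user ID itself is case-sensitive."""
    target = sha1_hex(user_id)
    return [ln for ln in lines
            if any(f.upper() == target for f in split_fields(ln))]

def make_line(ts, user_field):
    """Build a constructed sample line shaped like the entry shown above."""
    return (f"{ts} -0700 |  | [aaaa-:0000:1111-] | [{user_field} | dummy | 16 | "
            f"127.0.0.1 | RISK_ANALYSIS | SESSION_SIGNIN | "
            f"[&FORENSIC_EVENT_TYPE=SESSION_SIGNIN&POLICY_OUTCOME=ALLOW]]")

# Constructed sample data, not real audit output.
SAMPLE_LOG = [
    make_line("2018-03-27 09:54:12,021", sha1_hex("test")),
    make_line("2018-03-27 09:55:40,310", sha1_hex("alice")),
    make_line("2018-03-27 09:58:02,877", sha1_hex("test").lower()),
]

if __name__ == "__main__":
    print("Searching for", sha1_hex("test"))
    for entry in find_user_entries(SAMPLE_LOG, "test"):
        print(entry)
```

Because the hash covers the exact bytes of the ID, "Test" and "test" produce different values; search with the ID exactly as the application received it.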