Real-Time Monitoring Using Activity Monitors

You can use Activity Monitors to view RSA Authentication Manager activity, such as log entries, in real time. Each Activity Monitor opens in a separate browser window and displays a different type of information.

Each monitor and the information it displays:

Authentication Activity

  • Which user is authenticating

  • Source of the authentication request

  • Server used for authentication

System Activity

  • Time of an activity

  • Description of activity

  • Whether the activity succeeded

  • Server where the activity took place

Administration Activity

Changes such as when users are added or deleted.

Runtime Activity Monitor in the User Dashboard

  • Log entries for real-time authentication activity over the past seven days for one user

  • Time of activity, result of activity, and description of activity

You can customize the information displayed. For example, you can use the Administration Activity Monitor to view the activity of a specific administrator, User ID, authentication agent, or security domain. You can run a command-line utility that restricts the events shown to only the activities that are within the scoped security domain of the administrator. For instructions, see Filter Activity Monitor Events Based on Administrator Scope of Authorization.

You can open multiple Activity Monitor windows at the same time. For example, you can simultaneously monitor a specific administrator, an entire user group, and an entire security domain.

You can pause the Activity Monitor and review specific log messages. When you resume monitoring, all log messages generated while the Activity Monitor was paused are added at the top of the Activity Monitor display.

If the number of new messages exceeds the number of messages selected for display, only the most recent are displayed. For example, if you configured the monitor to display 100 messages, but there are 150 new messages, only the 100 most recent are displayed.

You can also view a user’s authentication activity through the User Dashboard page in the Security Console. For more information, see User Dashboard.

View Messages in the Activity Monitor

Activity Monitors let you view system activity, such as log entries, in real time. Use this procedure to view messages in the Activity Monitor to troubleshoot problems.

You can view real-time entries when an administrator clears PINs or provides emergency access to users on any primary or replica instance.

When the primary instance or replication is not available, only entries for the replica instance are displayed. When replication is restored, all of the recent runtime authentication log entries are replicated, and become available for viewing on the primary or any replica instance.

Procedure

  1. In the Security Console, click Reporting > Real-time Activity Monitors, and select an available Activity Monitor.

  2. Specify the criteria for the log messages that you want the Activity Monitor to display. Leave these fields blank to view all activity.

  3. Click Start Monitor.

  4. When a message that you want to view is displayed, click Pause Monitor.

  5. Click the date and time of the message that you want to view.

Filter Activity Monitor Events Based on Administrator Scope of Authorization

You can filter Authentication Activity Monitor events based on administrator scope of authorization. Administrators with restricted scope permissions, such as Help Desk Administrators, are able to view only those events that are within the scoped security domain of the administrator.

Procedure

  1. Log on to the appliance using an SSH client.

  2. Change directories:

    cd /opt/rsa/am/utils

  3. Run one of the following commands:

    • To restrict logging to the scoped security domain of the Security Console administrator, type the following, and then press ENTER:

      ./rsautil store -a add_config auth_manager.activity_monitor.scope_security_domain true GLOBAL 500

    • To undo the change, type the following, and then press ENTER:

      ./rsautil store -a update_config auth_manager.activity_monitor.scope_security_domain false GLOBAL 500

  4. When prompted, enter your Operations Console administrator User ID, and press ENTER.

  5. When prompted, enter your Operations Console administrator password, and press ENTER.

  6. Restart all Authentication Manager services on the primary instance and each replica instance:

    cd /opt/rsa/am/server

    ./rsaserv restart all
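
The display limit applied on resume (described under Real-Time Monitoring) and the scope filter enabled by the procedure above, modelled in Python as an added example that is not RSA code. The event fields, the class, the domain names and the sample traffic are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:                      # constructed record; field names are assumptions
    seq: int
    security_domain: str

class MonitorModel:
    """Toy model of one Activity Monitor window (index 0 = top of the display)."""
    def __init__(self, display_limit, admin_scope=None):
        self.display = deque(maxlen=display_limit)
        self.pending = []         # messages generated while paused
        self.paused = False
        self.admin_scope = admin_scope   # None = no scope restriction
        self.never_shown = 0      # paused messages that never reach the window

    def on_event(self, ev):
        # With scope filtering on, out-of-scope events are not shown at all.
        if self.admin_scope is not None and ev.security_domain not in self.admin_scope:
            return
        if self.paused:
            self.pending.append(ev)
        else:
            self.display.appendleft(ev)

    def pause(self):
        self.paused = True

    def resume(self):
        self.paused = False
        # More new messages than the display limit: only the most recent are shown.
        self.never_shown += max(0, len(self.pending) - self.display.maxlen)
        # Oldest first, so the newest ends on top. Assumption: messages already
        # on display are pushed off the bottom as new ones arrive.
        for ev in self.pending:
            self.display.appendleft(ev)
        self.pending.clear()

def demo():
    # Help Desk style administrator scoped to one (made-up) security domain.
    mon = MonitorModel(display_limit=100, admin_scope={"HelpDesk-East"})
    mon.pause()
    for i in range(1, 301):       # 300 constructed events, 150 of them in scope
        mon.on_event(Event(i, "HelpDesk-East" if i % 2 else "SystemDomain"))
    mon.resume()
    return mon                    # 100 shown, 50 in-scope messages never displayed
```

In this model the 50 oldest in-scope messages generated during the pause never appear in the window.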