RSA ACE Server Logs to Envision
Hi there!
I'm trying to get logs from RSA ACE Server into Envision. I assumed that it would be fairly straightforward seeing as they are both owned by the same company, but I was wrong! I can't find any documentation relating to this, and the logging options in ACE Server do not allow me to point them to our Envision Server. Is there anything simple that I'm missing? It's driving me insane! Thanks for any help you may be able to provide.
Steve
The simplest method is to have the logs written to the Windows event log and generate a preshared key using IPsec on the ACE server, and then have the same imported to the RSA Envision Server (locally, IPsec needs to be configured); this would resolve the issue.
Steve,
I believe it is fairly simple to integrate RSA ACE Server as per the configuration guide provided by RSA. I have ACE servers integrated via syslog. All the instructions are very clear.
If the RSA ACE version is earlier than 7, then it may be possible using the File Reader service.
If it is greater than 7, then syslog is also an option.
You can download the Configuration Instructions from the RSA SCOL website to integrate, if you have not already (which may not be the case).
I'm going to try the following...
To configure Syslog in a Windows environment, perform these steps on the primary and replica instances:
1. Configure Authentication Manager to send log messages to a local or remote Syslog server. Using a text editor, open the RSA_AM_HOME\utils\resources\ims.properties file for editing.
- Replace the values shown in italics. The Syslog server name can be a local or remote host name or IP address.
- ims.logging.audit.admin.syslog_host = host_name
- ims.logging.audit.admin.syslog_layout = %d, %X{clientIP}, %c, %p, %m%n
- ims.logging.audit.admin.syslog_facility = 8
- ims.logging.audit.admin.use_os_logger = false
- ims.logging.audit.runtime.syslog_host = host_name
- ims.logging.audit.runtime.syslog_layout = %d, %X{clientIP},%c, %p, %m%n
- ims.logging.audit.runtime.syslog_facility = 8
- ims.logging.audit.runtime.use_os_logger = false
- ims.logging.system.syslog_host = host_name
- ims.logging.system.syslog_layout = %d, %X{clientIP},%c, %p, %m%n
- ims.logging.system.syslog_facility = 8
- ims.logging.system.use_os_logger = false
Where:
host_name is the Syslog server name.
- Change false to true to enable logging.
- Save the file.
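Added example (not from this thread or from RSA): a small Python check that the three ims.properties sections above were actually edited (placeholder host replaced, use_os_logger set to true), plus a splitter for lines written with the `%d, %X{clientIP}, %c, %p, %m` layout. The host name, category and log line are constructed; the %d format is assumed to be log4j's default ISO8601 with milliseconds after a comma.

```python
import re

# Constructed sample (not a real ims.properties): admin and system sections
# edited per the steps above, runtime section left with the guide's defaults.
SAMPLE_PROPERTIES = """\
ims.logging.audit.admin.syslog_host = envision.example.internal
ims.logging.audit.admin.syslog_layout = %d, %X{clientIP}, %c, %p, %m%n
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = host_name
ims.logging.audit.runtime.syslog_layout = %d, %X{clientIP},%c, %p, %m%n
ims.logging.audit.runtime.use_os_logger = false
ims.logging.system.syslog_host = envision.example.internal
ims.logging.system.syslog_layout = %d, %X{clientIP},%c, %p, %m%n
ims.logging.system.use_os_logger = true
"""
SECTIONS = ("ims.logging.audit.admin", "ims.logging.audit.runtime",
            "ims.logging.system")

def parse_properties(text):
    """Read 'key = value' lines (Java .properties style); comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_syslog_config(props):
    """Return the list of sections that would not reach the syslog server."""
    problems = []
    for s in SECTIONS:
        if props.get(f"{s}.syslog_host", "host_name") == "host_name":
            problems.append(f"{s}: syslog_host placeholder not replaced")
        if props.get(f"{s}.use_os_logger", "false").lower() != "true":
            problems.append(f"{s}: use_os_logger still false")
    return problems

# Layout '%d, %X{clientIP}, %c, %p, %m': %d is assumed to be log4j ISO8601
# (millis after a comma), so the date is matched explicitly and only the
# remaining four fields split on commas; the %m message keeps its own commas.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:,\d{3})?),\s*"
    r"(?P<client_ip>[^,]*),\s*(?P<category>[^,]+),\s*(?P<priority>[^,]+),\s*"
    r"(?P<message>.*)$")

def parse_layout_line(line):
    """Split one line into its five layout fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None
```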
My system collects the ACE logs by File Reader. It's the ugliest way to collect anything, but it works. Go to the enVision Downloads section, and it should have the .pdf on how to set it up. Only real drawback is that it only sends the logs once an hour, so real-time alerting and reporting isn't feasible.
There is an event source integration guide from RSA which describes a number of different integration scenarios.
Here is a word of warning before you attempt the integration:
Envision's out-of-the-box event parsers are designed for specific collection methods.
Sometimes a parser for an event source won't fit the event source the way you might like, depending on the type of collector you use.
Although it is usually possible to collect data from an event source using a number of different collectors, the resulting log formats may not look identical. If you have a parser intended for one collection method then you need to make sure you are using the intended collection method.
I had an AuthManager 4.1SP4. I was successfully collecting data using SFTP and the FileReader.
The out-of-box parser for this version of Auth Manager was designed for syslog collection!
