SecurID® Discussions

TIFFANYIRELAND1
Beginner

Authentication log request

One of our AM Primary consoles is posting continuous error messages in the Authentication Monitor 1-2x per minute.

Activity Key: Authentication Log Request

Description: Log request received from agent “Primary Console Address” with IP address “x.x.x.x” in security domain “SystemDomain”

Reason: Syntax Error

User ID: SYSTEM

I searched and found this page, and it shows the same error, but I don't think it helps us: https://community.rsa.com/docs/DOC-46250 

0 Likes
6 Replies
PiersB
Trusted Contributor

What do you know about the agent from which these events are being received? If this agent is not a legitimate agent, I would recommend you remove it from your Authentication Manager configuration. AM will simply discard the "log request" protocol from an unknown agent.

If the agent is a well-known agent, I would check if some automated process is attempting to send data to the login interface at the agent. The "syntax error" log is generated by agents after experiencing some number of authentication attempts with passcode data that the agent identifies as not possibly being a passcode. For example, a passcode longer than 16 characters or containing unsupported characters.

I would log in to the agent generating the log event, enable verbose agent logging (or network-level data capture with something like "Wireshark"), and examine those logs for additional clues as to the source of the problem. Even if you do simply remove the agent, I would probably investigate the IP address, what is running it, and the system from which the network traffic is being sent.

Great suggestions, Piers Bowness. Thanks for jumping in.

Regards,

Erica

0 Likes

The agent is itself - the Primary RSA AM Console. It's saying the log request is from itself.

0 Likes
EdwardDavis
Employee

What version and patch level? Could be a minor bug that was remedied.

AM 8.2 SP 1 P 06

0 Likes
TIFFANYIRELAND1
Beginner

I checked the daily log under /opt/rsa/am/radius, and was able to see that the error was related to another host than the one the error was reporting in the Auth Monitor.

0 Likes