This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
DavidWilson
Beginner
Beginner
‎2016-10-07 02:31 PM

RSA SecurID Auth Mgr 8.1 Logging of Failed Logins for unknowns

Logging for RSA SecurID Authentication Manager 8.1 is enabled and being forwarded to a centralized logging/SIEM tool.  The runtime audit logging level has been set to all values from error to success.  What setting supports that capture and reporting for failed events from unknown users.  It appears that logs are only produced for known accounts.  If someone tries to login with an unknown account, or a generic 'root' or 'administrator' account, there is no record in the log for that event.  How can this be enabled?

Please advise.

Labels (1)
Labels
0 Likes
Reply
4 Replies
EdwardDavis
Employee
Employee
‎2016-10-07 04:47 PM

Not sure what your system has for all settings or what version and patch level.

If you truly are on 8.1 base image, you are a few years out of patches.

Recommend patch to latest version and revisit your settings.

 

Tested:

On 8.2 patch 1- I tested a bogus userid xsxsxsx on a windows 7 login

 

a) it correctly logs unknown user in the real time log in security console

pastedImage_1.png

b) I checked my syslog server and it correctly logs the failure

 

10-07-2016 16:41:29 10.101.99.151 Oct  7 16:41:34 edavis-vm151 2016-10-07 16:41:34,139, , audit.runtime.com.rsa.authmgr.internal.protocol.ace.AuthV4RequestHandler, ERROR, 3692590e9763650a328adbc1670c8bb4,c354087c9763650a08017390d4759e93,10.100.40.209,10.101.99.151,AUTH_PRINCIPAL_RESOLUTION,23008,FAIL,AUTH_RESOLUTION_FAILED_BY_ID_ALIAS,,,,,xsxsxsx,,,57d829279663650a1b5f1339486055fa,000000000000000000001000e0011000,10.100.40.209,uscsdavise3l1c.corp.emc.com,1,,,,,,,1,,,,,,,,

 

c) My logging settings are success

pastedImage_3.png

 

d) I will test root and administrator....same errors. if I don't have any userids

of whatever name is logging in, it correctly fires the log entry.

0 Likes
Reply
DavidWilson
Beginner
Beginner
In response to EdwardDavis
‎2016-10-10 09:07 AM

Edward, much appreciate your response.  My AMs are running 8.1 SP1 P15.  My log settings are exactly the same as yours: Fatal, Success, Success, Success.

My identity source is the internal AM database.

The agents that should be reporting the failed logins are on both Windows 7 and apache web servers.

I have the "Authentication Monitor" running and the only items that get logged are failures and successes for account names that AM recognizes.  Random, unknown, undefined usernames such as the one you tried 'xsxsxsx', root, and administrator do not create an observable log entry.

Can you confirm that this is a new feature in 8.2 or further assist in troubleshooting?

Regards, David

0 Likes
Reply
EdwardDavis
Employee
Employee
In response to DavidWilson
‎2016-10-11 09:02 AM

This is not new it has been this way for 20+ years. We see an incoming userid from a known agent, and we cannot find it in the database, we'll log it as unknown (somehow).

 

Test it on the self-service console....

 

try logging in there with unknown userid.

 

So here I have real time monitor running, and tried logging into self-service as a user tooty and a password. No dice and it logs fine. I have no user named 'tooty'

 

pastedImage_1.png

 

Here I am using a radius client, and username tooty, and it also logs correctly that the name is not recognized

 

pastedImage_2.png

 

 

 

Perhaps the bad names you are using are stopping at the agent and not getting sent to RSA server in the first place.

 

Use the test authentication feature of (whatever agent) and it will send the name to RSA server regardless of challenge settings or pre-processing logic you have on the agent itself.

0 Likes
Reply
DavidWilson
Beginner
Beginner
In response to EdwardDavis
‎2016-10-12 08:05 AM

Edward, once again, I appreciate your response and knowledgeable suggestions.  I was able to successfully receive Failed Logins from bogus accounts when using both the self-service portal on the server and by using the test authentication feature on the Win7 agent.  So, I concur with your conclusion that this is being stopped at the agent.  What's the best way to collect the information -- change the challenge processing in the agents to capture the failure on the AM appliance, or capture audit logs from each agent?  Although I would think that the RSA agent should be logging these failures to the Win7 application log.  I'll look into the agent docs.  Additional pointers or suggestions are appreciated.

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.