RSA SecurID Auth Mgr 8.1 Logging of Failed Logins for unknowns
Logging for RSA SecurID Authentication Manager 8.1 is enabled and being forwarded to a centralized logging/SIEM tool. The runtime audit logging level has been set to all values from error to success. What setting supports that capture and reporting for failed events from unknown users? It appears that logs are only produced for known accounts. If someone tries to log in with an unknown account, or a generic 'root' or 'administrator' account, there is no record in the log for that event. How can this be enabled?
Not sure what your system has for all settings or what version and patch level.
If you truly are on 8.1 base image, you are a few years out of patches.
Recommend patch to latest version and revisit your settings.
On 8.2 patch 1, I tested a bogus userid xsxsxsx on a Windows 7 login:
a) it correctly logs unknown user in the real time log in security console
b) I checked my syslog server and it correctly logs the failure
10-07-2016 16:41:29 10.101.99.151 Oct 7 16:41:34 edavis-vm151 2016-10-07 16:41:34,139, , audit.runtime.com.rsa.authmgr.internal.protocol.ace.AuthV4RequestHandler, ERROR, 3692590e9763650a328adbc1670c8bb4,c354087c9763650a08017390d4759e93,10.100.40.209,10.101.99.151,AUTH_PRINCIPAL_RESOLUTION,23008,FAIL,AUTH_RESOLUTION_FAILED_BY_ID_ALIAS,,,,,xsxsxsx,,,57d829279663650a1b5f1339486055fa,000000000000000000001000e0011000,10.100.40.209,uscsdavise3l1c.corp.emc.com,1,,,,,,,1,,,,,,,,
c) My logging settings are success
d) I will test root and administrator... same errors. If I don't have any userids of whatever name is logging in, it correctly fires the log entry.
Edward, much appreciate your response. My AMs are running 8.1 SP1 P15. My log settings are exactly the same as yours: Fatal, Success, Success, Success.
My identity source is the internal AM database.
The agents that should be reporting the failed logins are on both Windows 7 and apache web servers.
I have the "Authentication Monitor" running and the only items that get logged are failures and successes for account names that AM recognizes. Random, unknown, undefined usernames such as the one you tried 'xsxsxsx', root, and administrator do not create an observable log entry.
Can you confirm that this is a new feature in 8.2 or further assist in troubleshooting?
This is not new; it has been this way for 20+ years. We see an incoming userid from a known agent, and we cannot find it in the database, we'll log it as unknown (somehow).
Test it on the self-service console....
try logging in there with unknown userid.
So here I have real time monitor running, and tried logging into self-service as a user tooty and a password. No dice and it logs fine. I have no user named 'tooty'
Here I am using a radius client, and username tooty, and it also logs correctly that the name is not recognized
Perhaps the bad names you are using are stopping at the agent and not getting sent to RSA server in the first place.
Use the test authentication feature of (whatever agent) and it will send the name to RSA server regardless of challenge settings or pre-processing logic you have on the agent itself.
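The audit record Edward pasted above and the agent-side filtering he describes, as an added example that is not part of this thread and is not RSA's own tooling: a small Python parser that pulls the activity, result, reason and user id out of syslog-forwarded AM runtime audit lines, flags unknown-user resolution failures, and lists expected agents that never produce one (a sign that the agent's challenge or pre-processing settings may be dropping the name before it reaches AM). The field positions are inferred from the single record posted above, not from RSA's documented audit schema, so verify them against your own export; the two extra sample lines are constructed.

```python
import re
from collections import Counter

# The audit record begins with "YYYY-MM-DD HH:MM:SS,mmm," inside the syslog-forwarded line.
RECORD_START = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3},")

# ASSUMPTION: positions inferred from the one record posted in the thread,
# not from RSA's documented audit schema. Check them against your own export.
F_TIMESTAMP, F_LOGGER, F_LEVEL = 0, 3, 4
F_AGENT_IP, F_SERVER_IP = 7, 8   # 7 matches the host named in field 23; 8 is the AM server
F_ACTIVITY, F_RESULT, F_REASON = 9, 11, 12
F_USER_ID = 17
F_AGENT_HOST = 23

UNKNOWN_USER_REASON = "AUTH_RESOLUTION_FAILED_BY_ID_ALIAS"
LOGGER = "audit.runtime.com.rsa.authmgr.internal.protocol.ace.AuthV4RequestHandler"


def parse_record(line):
    """Return the audit fields of one forwarded syslog line, or None if the
    line carries no runtime audit record."""
    m = RECORD_START.search(line)
    if not m:
        return None
    fields = [f.strip() for f in line[m.start():].split(",")]
    if len(fields) <= F_AGENT_HOST:
        return None
    return {
        "timestamp": fields[F_TIMESTAMP],
        "level": fields[F_LEVEL],
        "activity": fields[F_ACTIVITY],
        "result": fields[F_RESULT],
        "reason": fields[F_REASON],
        "user_id": fields[F_USER_ID],
        "agent_ip": fields[F_AGENT_IP],
        "agent_host": fields[F_AGENT_HOST],
    }


def is_unknown_user_failure(rec):
    """True when AM could not resolve the presented user id at all."""
    return rec["result"] == "FAIL" and rec["reason"] == UNKNOWN_USER_REASON


def unknown_user_failures(lines):
    """All parsed records in which AM rejected a user id it does not know."""
    return [r for r in map(parse_record, lines) if r and is_unknown_user_failure(r)]


def failures_by_agent(lines):
    """Count unknown-user failures per agent IP (field 7, inferred)."""
    return Counter(r["agent_ip"] for r in unknown_user_failures(lines))


def silent_agents(lines, expected_agents):
    """Expected agents with no unknown-user failure in this batch. Per the
    thread, such an agent may be stopping bogus names before they reach AM."""
    return set(expected_agents) - set(failures_by_agent(lines))


def _constructed_line(ts, user, result, reason, agent_ip, agent_host):
    """Build a line in the same shape as the posted record (constructed sample
    data; the ids are zero placeholders and the non-FAIL level is a guess)."""
    rec = [ts, "000", "", LOGGER, "ERROR" if result == "FAIL" else "INFO",
           "0" * 32, "0" * 32, agent_ip, "10.101.99.151", "AUTH_PRINCIPAL_RESOLUTION",
           "23008", result, reason, "", "", "", "", user, "", "", "0" * 32, "0" * 32,
           agent_ip, agent_host, "1", "", "", "", "", "", "", "1"] + [""] * 8
    return "Oct 7 16:42:10 edavis-vm151 " + ",".join(rec)


# Sample input: the record posted in the thread, plus two constructed lines.
SAMPLE_LINES = [
    "10-07-2016 16:41:29 10.101.99.151 Oct 7 16:41:34 edavis-vm151 2016-10-07 16:41:34,139, , "
    + LOGGER + ", ERROR, 3692590e9763650a328adbc1670c8bb4,c354087c9763650a08017390d4759e93,"
    "10.100.40.209,10.101.99.151,AUTH_PRINCIPAL_RESOLUTION,23008,FAIL,"
    "AUTH_RESOLUTION_FAILED_BY_ID_ALIAS,,,,,xsxsxsx,,,57d829279663650a1b5f1339486055fa,"
    "000000000000000000001000e0011000,10.100.40.209,uscsdavise3l1c.corp.emc.com,1,,,,,,,1,,,,,,,,",
    _constructed_line("2016-10-07 16:42:10", "root", "FAIL", UNKNOWN_USER_REASON,
                      "10.100.40.209", "uscsdavise3l1c.corp.emc.com"),
    _constructed_line("2016-10-07 16:43:05", "jsmith", "SUCCESS", "",
                      "10.100.40.209", "uscsdavise3l1c.corp.emc.com"),
]

if __name__ == "__main__":
    for r in unknown_user_failures(SAMPLE_LINES):
        print(r["timestamp"], r["agent_ip"], r["user_id"], r["reason"])
    print("silent agents:", silent_agents(SAMPLE_LINES, {"10.100.40.209", "10.100.40.210"}))
```

Feed it the raw lines your SIEM received from the AM appliance; an expected agent that keeps appearing in `silent_agents` while known-user failures from it do arrive is the case Edward describes, and the "test authentication" feature of that agent is the quickest way to confirm whether it forwards unknown names at all.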
Edward, once again, I appreciate your response and knowledgeable suggestions. I was able to successfully receive Failed Logins from bogus accounts when using both the self-service portal on the server and by using the test authentication feature on the Win7 agent. So, I concur with your conclusion that this is being stopped at the agent. What's the best way to collect the information -- change the challenge processing in the agents to capture the failure on the AM appliance, or capture audit logs from each agent? Although I would think that the RSA agent should be logging these failures to the Win7 application log. I'll look into the agent docs. Additional pointers or suggestions are appreciated.