Logging for RSA SecurID Authentication Manager 8.1 is enabled and being forwarded to a centralized logging/SIEM tool. The runtime audit logging level has been set to all values from error to success. What setting supports the capture and reporting of failed events from unknown users? It appears that logs are only produced for known accounts. If someone tries to log in with an unknown account, or a generic 'root' or 'administrator' account, there is no record in the log for that event. How can this be enabled?
Please advise.
Not sure what your system has for all settings or what version and patch level.
If you truly are on 8.1 base image, you are a few years out of patches.
Recommend patching to the latest version and revisiting your settings.
Tested:
On 8.2 patch 1, I tested a bogus userid xsxsxsx on a Windows 7 login
a) it correctly logs unknown user in the real time log in security console
b) I checked my syslog server and it correctly logs the failure
10-07-2016 16:41:29 10.101.99.151 Oct 7 16:41:34 edavis-vm151 2016-10-07 16:41:34,139, , audit.runtime.com.rsa.authmgr.internal.protocol.ace.AuthV4RequestHandler, ERROR, 3692590e9763650a328adbc1670c8bb4,c354087c9763650a08017390d4759e93,10.100.40.209,10.101.99.151,AUTH_PRINCIPAL_RESOLUTION,23008,FAIL,AUTH_RESOLUTION_FAILED_BY_ID_ALIAS,,,,,xsxsxsx,,,57d829279663650a1b5f1339486055fa,000000000000000000001000e0011000,10.100.40.209,uscsdavise3l1c.corp.emc.com,1,,,,,,,1,,,,,,,,
c) My logging settings are success
d) I will test root and administrator... same errors. If I don't have any userids
of whatever name is logging in, it correctly fires the log entry.
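
One way to confirm on the SIEM side that unknown-user failures like the one in b) are arriving and to count them per userid, as an added example that is not part of the original posts or RSA's own tooling. The field positions are assumptions inferred from the single log line above (counted from the `audit.runtime.` logger field, with field 4 taken as the requesting host), and every sample line other than that one is constructed.

```python
from collections import Counter

# Log line copied from the post above (8.2 patch 1, bogus userid xsxsxsx).
PAGE_LINE = (
    "10-07-2016 16:41:29 10.101.99.151 Oct 7 16:41:34 edavis-vm151 "
    "2016-10-07 16:41:34,139, , audit.runtime.com.rsa.authmgr.internal.protocol.ace."
    "AuthV4RequestHandler, ERROR, 3692590e9763650a328adbc1670c8bb4,"
    "c354087c9763650a08017390d4759e93,10.100.40.209,10.101.99.151,"
    "AUTH_PRINCIPAL_RESOLUTION,23008,FAIL,AUTH_RESOLUTION_FAILED_BY_ID_ALIAS,"
    ",,,,xsxsxsx,,,57d829279663650a1b5f1339486055fa,"
    "000000000000000000001000e0011000,10.100.40.209,uscsdavise3l1c.corp.emc.com,"
    "1,,,,,,,1,,,,,,,,")

# Assumed positions, counted from the "audit.runtime." logger field; inferred
# from the sample line on the page, not taken from RSA documentation.
LEVEL, SOURCE_IP, ACTION, RESULT, REASON, USERID = 1, 4, 6, 8, 9, 14

def parse_runtime_audit(line):
    """Return the fields of interest, or None if this is not a runtime audit line."""
    start = line.find("audit.runtime.")
    if start < 0:
        return None
    f = [p.strip() for p in line[start:].split(",")]
    if len(f) <= USERID:
        return None  # truncated record: do not guess at missing fields
    return {"level": f[LEVEL], "source_ip": f[SOURCE_IP], "action": f[ACTION],
            "result": f[RESULT], "reason": f[REASON], "userid": f[USERID]}

def unknown_user_failures(lines):
    """Count failed principal-resolution events per (userid, source_ip)."""
    hits = Counter()
    for line in lines:
        ev = parse_runtime_audit(line)
        if ev and ev["action"] == "AUTH_PRINCIPAL_RESOLUTION" and ev["result"] == "FAIL":
            hits[(ev["userid"], ev["source_ip"])] += 1
    return hits

# Constructed input: the page's line plus variants derived from it.
SAMPLE = [
    PAGE_LINE,
    PAGE_LINE.replace("xsxsxsx", "root"),
    PAGE_LINE.replace("xsxsxsx", "root"),
    PAGE_LINE.replace("AUTH_PRINCIPAL_RESOLUTION", "CONSTRUCTED_OTHER_ACTION"),
    "Oct 7 16:41:35 edavis-vm151 constructed non-audit syslog line",
]

if __name__ == "__main__":
    for (user, ip), n in unknown_user_failures(SAMPLE).most_common():
        print(f"{n} unresolved-user failure(s) for {user!r} from {ip}")
```

If this count stays at zero in the SIEM after a deliberate test with a bogus userid, the events are being dropped before or during forwarding rather than at parse time.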