2 Replies Latest reply on Sep 11, 2013 6:00 PM by nicole pauls

    LEM Logging RSA Authentication Manager on Windows

    thefish

      Hello

       

      I'd like to log the RSA AM runtime logs on windows (we want to log auth success/failure with time). In LEM, I can add RSA Authentication Manager, but it seems to be *nix focussed, defaulting to /var/log/messages. Is anyone logging this, and can anyone help with getting around a few things?:

       

      * The file seems to be rotated daily, c:\program files\rsa security\rsa authentication manager\server\audit_runtime_{YYYY-mm-dd_counter}.log - can I change the log file in lem to c:\program files\rsa security\rsa authentication manager\server\audit_runtime* ?

      * I'm not sure the log format is the same as this connector is expecting - is there any way to change the parsing or roll-your-own-parser?

       

      Thanks!

        • Re: LEM Logging RSA Authentication Manager on Windows
          Mark Roberts

          Did you ever get this sorted?

           

          SW - is this something that can be done in the way described by thefish?

          • Re: LEM Logging RSA Authentication Manager on Windows
            nicole pauls

            The current RSA Auth Manager connector IS expecting syslog data. I'm assuming previous customers were either using an appliance that syslogs, or syslogged from the app to a syslog server. It's pretty unlikely it'll work against flat files.

             

            We have two other connectors for RSA ACE/SecurID, but they are either via a) syslog, or b) Windows Event log. Have you checked the event log to see if there's AM events there by chance?

             

            Or, perhaps AM supports syslogging audit events natively to a third party source by chance?

             

            Last case is that we'll have to look at these logs separately, because our connectors either have to be configured to monitor for date-based file rotation, or they point at a static file. The AM connector points at a static file, so even if it matches, you'd have to reconfigure it daily which is no good either.