RSA authentication manager event source is being created under the Universal Event collector

  • 7017772
  • 23-Jun-2016
  • 23-Jun-2016

Environment

NetIQ Sentinel 7.x Sentinel Control Center

Situation

The RSA event source is being created under the Universal Event collector. We can move the event source under the right collector, but it is simply recreated under the Universal Event collector.

Resolution

To receive data from an RSA device and have it properly parsed by the RSA Authentication Manager collector, follow these steps.


1. Go to the Sentinel Control Center\Event Source Management console.

2. Create a dedicated ESS (Event Source Server) port for the RSA device. Right-click the Collector Manager icon\Add Event Source Server.

Note: The ESS will be customized so that only the RSA event sources can use it.

3. If the RSA device has to be configured with a low port, e.g. UDP 514, then a forwarding firewall rule on the Sentinel box is needed to direct 514 to a high port, say 1514. Below is an example of iptables rules that forward traffic from your RSA devices (first two entries) to port 1514, while the third entry forwards all other traffic arriving on 514 to a different port. The third entry is for devices that also need to be forwarded to a high port but must not use the customized ESS port.

DNAT       udp  --  10.67.5.49           0.0.0.0/0           udp dpt:514 to:10.67.8.42:1514
DNAT       udp  --  10.67.5.60           0.0.0.0/0           udp dpt:514 to:10.67.8.42:1514
REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:514 redir ports 1515

4. If your RSA device can be configured to send to a high port, then disregard step 3.

5. Once the ESS (Event Source Server) has been created, go into two different tabs and make the following customizations.

6. Message Handling tab: change the radio button to "simple mode".

7. Auto-configuration tab: change the default policy to "deny" in the drop-down selection.

8. In the Event Source Management console, add an RSA collector and connector, and make sure the RSA connector is associated with the dedicated ESS port.

9. Confirm that the RSA event source is configured to send syslog data to the Sentinel box IP address.

10. Open a connector raw data tap and check whether data is flowing.

11. If data is flowing, check whether you can view it in the search window and whether it is being parsed correctly.
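A small checker for the iptables forwarding from step 3, added here as an example and not part of the original TID. It parses output in the `iptables -t nat -L PREROUTING -n` format quoted above (the sample text is constructed from those three rules; the device addresses and ESS port 1514 are the ones in the example) and flags the two mistakes that silently break the setup: an RSA device without a DNAT to the dedicated ESS port, and a catch-all REDIRECT that either reuses the ESS port or is listed before the RSA rules, since iptables takes the first matching rule.

```python
import re
from typing import Dict, List

# Sample 'iptables -t nat -L PREROUTING -n' output, constructed here from the
# three rules quoted in step 3 so the check can run offline.
SAMPLE_NAT_OUTPUT = """\
DNAT       udp  --  10.67.5.49           0.0.0.0/0           udp dpt:514 to:10.67.8.42:1514
DNAT       udp  --  10.67.5.60           0.0.0.0/0           udp dpt:514 to:10.67.8.42:1514
REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:514 redir ports 1515
"""

DNAT_RE = re.compile(r"^DNAT\s+udp\s+--\s+(\S+)\s+\S+\s+udp dpt:(\d+) to:[\d.]+:(\d+)$")
REDIR_RE = re.compile(r"^REDIRECT\s+udp\s+--\s+(\S+)\s+\S+\s+udp dpt:(\d+) redir ports (\d+)$")


def parse_nat_rules(text: str) -> List[Dict]:
    """Parse DNAT/REDIRECT lines in chain order; header and other lines are skipped."""
    rules = []
    for line in text.splitlines():
        for target, rx in (("DNAT", DNAT_RE), ("REDIRECT", REDIR_RE)):
            m = rx.match(line.strip())
            if m:
                rules.append({"target": target, "src": m.group(1),
                              "dport": int(m.group(2)), "to_port": int(m.group(3))})
    return rules

def check_rsa_forwarding(text: str, rsa_sources: List[str], ess_port: int) -> List[str]:
    """Return a list of problems; an empty list means the NAT table matches step 3.
    Each RSA device needs a DNAT 514 -> ess_port. The catch-all REDIRECT must not
    reuse ess_port (non-RSA syslog would hit the deny-by-default ESS) and must be
    listed after the RSA rules, because iptables takes the first matching rule.
    """
    rules = parse_nat_rules(text)
    problems = []
    rsa_idx = {r["src"]: i for i, r in enumerate(rules)
               if r["target"] == "DNAT" and r["dport"] == 514 and r["to_port"] == ess_port}
    for src in rsa_sources:
        if src not in rsa_idx:
            problems.append(f"{src}: no DNAT from 514 to ESS port {ess_port}")
    catch_all = [(i, r) for i, r in enumerate(rules)
                 if r["target"] == "REDIRECT" and r["src"] == "0.0.0.0/0" and r["dport"] == 514]
    if catch_all:
        idx, r = catch_all[0]
        if r["to_port"] == ess_port:
            problems.append(f"catch-all REDIRECT also targets ESS port {ess_port}")
        for src, i in rsa_idx.items():
            if i > idx:
                problems.append(f"{src}: DNAT listed after the catch-all REDIRECT, never matches")
    return problems
```

Feed it the real chain with `iptables -t nat -L PREROUTING -n` on the Sentinel box and the list of RSA device addresses; any non-empty result explains why events still land under the Universal Event collector.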

Cause

When data is received by Sentinel and it is not recognized as a supported event source, the event source object is created under the Universal Event collector. Due to the formatting of the RSA incoming data we are not able to use a unique matching rule that would route RSA events based on their AppID to the correct collector (RSA Authentication Manager).