Thanks For Downloading!Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows: Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into Unix/Linux: Decompress the downloaded file using a tool like DescriptionRSA SecurID Appliance application for Splunk
This application was designed to give users usable data surrounding the activity taking place on their RSA SecurID appliances. This application will work with both the RSA SecurID Appliance 130 and 230 models. Pre-deployment Assumptions:
Application Configuration:Scripted Inputs: For the "Network Activity" view to properly work there is a scripted input that needs to be configured. This scripted input uses the snmpget command to retrieve specific values from the device. If you have multiple devices then you need to configure multiple scripted inputs. Follow these steps: 1. Copy the sample inputs.conf file from $SPLUNK_HOME/etc/apps/RSASecurID/default/inputs.conf to your local folder, just so no changes are overwritten if the application is updated. 2. Edit the inputs.conf file and change the script stanza to reflect your device configuration: [script://$SPLUNK_HOME/etc/apps/RSASecurID/bin/getSnmpData.sh public 1.1.1.1] Change "public" to be the community name configured on your appliance that has read access. Change "1.1.1.1" to be the IP Address of your appliance. Change "disabled = 1" to "disabled = 0" to enable the scripted input. 3. If you have multiple appliances, just copy/paste the [script://] stanza for as many appliances as you have and configure the appropriate values as mentioned above. Monitored Inputs: There is an example [monitor://] stanza in the inputs.conf file. Configure this for the proper location of the file that your SNMP traps are being logged to. If the SNMP traps are already being indexed by Splunk then this can be ignored. Reports in this Application:Summary View:
User Activity View:
Network Activity View:
TODO:
Versions and Release Notes
Version 1.0 (current version - updated Nov 02, 2011)
|
I would be interested in seeing the updated app (and hope you get it Splunk supported).
My question is would be it be possible to use a Universal forwarder on our RSA servers (they are VM's, not actual appliances) instead of setting up SNMP traps to get that information into our central Splunk Indexer?
Thank you in advance.
Thanks for your feedback. I'm always interested to see how people are using this app, since I just created it on a whim after the RSA breach a year ago. If you have any ideas, etc.. that you'd like to see please let me know!
I hope to have the updated app out in the coming weeks, just need to find time to finalize some ideas.
The ideal situation would be to have a forwarder on the appliance/server but unfortunately I do not have a dummy one I can test with currently. I have another idea on how to get that data out which I'm hoping to formulate into my next release of the app.
Just checking to see if this app is still supported or current? When I search for it under the Splunk find more Apps section, it no longer shows up.
This app is not a Splunk supported application, it was independently development by myself. Is there something specific I can assist with? I have made some changes/updates to the app but have not yet found the time to cleanse them and upload here.
