Sheriff CSM™
RSA SecurID Access Identity Router (IDR)
When you configure RSA SecurID Access Identity Router to send log data to Sheriff CSM, you can use the RSA SecurID Access Identity Router (IDR) plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
Plugin Information
Device | Details |
Vendor | RSA |
Device Type | Router |
Connection Type | Syslog |
Data Source Name | Rsa-securid-idr |
Data Source ID | 1856 |
Integrating RSA SecurID Access Identity Router
Before you configure the RSA SecurID IDR integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy).
To configure RSA SecurID IDR to send Syslog messages to Sheriff CSM
- Log in to RSA through Via Access using Super Administrator credentials.
- On the Via Access dashboard, click Platform > Auditing.
- On the Audit Logging screen, select Send to syslog in the Output Type field.
- In the Syslog Configuration section, enter the IP address of Sheriff CSM in the Server field.
- Set the following options:
  - For Log user events, check Include authorization requests.
  - For Log system events, check Include system error events.
- Click Save to save your changes, and return to the Dashboard.
- On the Dashboard, click Publish Changes.
- Log in to the Sheriff CSM shell.
- Add the following rsyslog rule replacing 127.0.0.1 with the IP Address of the RSA device:
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
:fromhost, isequal, "127.0.0.1" /var/log/rsa-securid-idr.log
& stop
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
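To confirm that the rule is writing events in the RSYSLOG_SyslogProtocol23Format layout it selects, the following added Python example (not part of the Sheriff CSM documentation or plugin) classifies lines from /var/log/rsa-securid-idr.log and reports any that were written in the traditional format or in an unrecognized one. The sample lines, the host name idr01 and the function names are constructed for illustration.

```python
import re
import sys

# Layout written by rsyslog's built-in RSYSLOG_SyslogProtocol23Format template:
#   <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
PROTOCOL23 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$"
)
# RSYSLOG_TraditionalFileFormat lines start like "Mar  4 10:15:09 host tag: ..."
TRADITIONAL = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")

def classify(line):
    """Return a dict describing one line of /var/log/rsa-securid-idr.log."""
    m = PROTOCOL23.match(line)
    if m and int(m["pri"]) <= 191:          # PRI = facility * 8 + severity
        pri = int(m["pri"])
        return {"format": "protocol23", "facility": pri >> 3,
                "severity": pri & 7, "host": m["host"], "msg": m["msg"].strip()}
    if TRADITIONAL.match(line):
        return {"format": "traditional"}    # written with the traditional template
    return {"format": "unknown"}

def audit(lines):
    """Count lines per format and collect line numbers that need attention."""
    counts, problems = {"protocol23": 0, "traditional": 0, "unknown": 0}, []
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue                        # ignore blank lines
        fmt = classify(line)["format"]
        counts[fmt] += 1
        if fmt != "protocol23":
            problems.append((number, fmt))
    return counts, problems

# Constructed sample lines; the message text is a placeholder, not real IDR output.
SAMPLE = [
    "<134>1 2024-03-04T10:15:02.123456+00:00 idr01 idr - - - constructed user event",
    "<131>1 2024-03-04T10:15:07+00:00 idr01 idr - - - constructed system error",
    "Mar  4 10:15:09 idr01 idr: constructed line in traditional format",
]

if __name__ == "__main__":
    # Audit the file given as an argument, or the constructed sample if none.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    print(audit(source))
```

Run it with the log file path as the only argument; any entry in the returned problem list is a line number and the format that was detected there.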
Plugin Enablement
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
https://community.rsa.com/docs/DOC-40001
For troubleshooting, refer to the vendor documentation:
https://community.rsa.com/docs/DOC-63212