Collect RSA SecurID Access logs
This document explains how to ingest RSA SecurID Access logs to Google Security Operations using the Bindplane agent.
RSA SecurID Access is a multi-factor authentication and identity assurance platform for enterprise access management. It generates audit logs covering user and system activity, authentication events, and token management. The parser extracts fields from RSA SecurID log entries and maps them to the Unified Data Model (UDM), capturing user identity, authentication results, session details, and security metadata.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later, or Linux host with
systemd - Network connectivity between the Bindplane agent and the RSA SecurID Access Identity Router or Authentication Manager appliance
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
- Privileged access to the RSA SecurID Access Cloud Administration Console or Security Console with administrator permissions
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File.
Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open Command Prompt or PowerShell as an administrator.
Run the following command:
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quietWait for the installation to complete.
Verify the installation by running:
sc query observiq-otel-collectorThe service should show as RUNNING.
Linux installation
- Open a terminal with root or sudo privileges.
Run the following command:
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.shWait for the installation to complete.
Verify the installation by running:
sudo systemctl status observiq-otel-collectorThe service should show as active (running).
Additional installation resources
For additional installation options and troubleshooting, see the Bindplane agent installation guide.
Configure Bindplane agent to ingest syslog and send to Google SecOps
Locate the configuration file
Linux:
sudo nano /opt/observiq-otel-collector/config.yamlWindows:
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
Edit the configuration file
Replace the entire contents of
config.yamlwith the following configuration:receivers: udplog: listen_address: "0.0.0.0:514" exporters: chronicle/rsa_securid: compression: gzip creds_file_path: '/etc/bindplane-agent/ingestion-auth.json' customer_id: '<customer_id>' endpoint: malachiteingestion-pa.googleapis.com log_type: RSA_SECURID raw_log_field: body service: pipelines: logs/rsa_securid: receivers: - udplog exporters: - chronicle/rsa_securid
Configuration parameters
Replace the following placeholders:
Receiver configuration:
udplog: The receiver type based on protocol:udplogfor UDP syslogtcplogfor TCP syslogsyslogfor RFC 3164/5424 syslog
0.0.0.0: IP address to listen on:0.0.0.0to listen on all interfaces (recommended)- Specific IP address to listen on one interface
514: Port number to listen on (for example,514,1514,6514)
Exporter configuration:
<customer_id>: Customer ID from the earlier stepmalachiteingestion-pa.googleapis.com: Regional endpoint URL:- US:
malachiteingestion-pa.googleapis.com - Europe:
europe-malachiteingestion-pa.googleapis.com - Asia:
asia-southeast1-malachiteingestion-pa.googleapis.com - See Regional Endpoints for complete list
- US:
- Adjust the
creds_file_pathdepending on the platform:- Linux:
/etc/bindplane-agent/ingestion-auth.json - Windows:
C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- Linux:
Save the configuration file
- After editing, save the file:
- Linux: Press
Ctrl+O, thenEnter, thenCtrl+X - Windows: Click File > Save
- Linux: Press
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Linux, run the following command:
sudo systemctl restart observiq-otel-collectorVerify the service is running:
sudo systemctl status observiq-otel-collectorCheck logs for errors:
sudo journalctl -u observiq-otel-collector -f
To restart the Bindplane agent in Windows, choose one of the following options:
Command Prompt or PowerShell as administrator:
net stop observiq-otel-collector && net start observiq-otel-collectorServices console:
- Press
Win+R, typeservices.msc, and press Enter. - Locate observIQ OpenTelemetry Collector.
- Right-click and select Restart.
Verify the service is running:
sc query observiq-otel-collectorCheck logs for errors:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
- Press
Configure RSA SecurID Access syslog forwarding
Configure audit logging in the Cloud Administration Console
- Sign in to the RSA SecurID Access Cloud Administration Console.
- Go to Platform > Audit Logging.
- Click Enabled.
- Under Output, select Send to syslog.
- In the Syslog Server field, enter the IP address of the Bindplane agent host (for example,
192.168.1.100). - In the Port field, enter
514(must match the Bindplane receiver port). - From the Protocol drop-down list, select UDP (must match the Bindplane receiver type).
- Under Event Types, select the events to log:
- User events: Sign-in attempts, profile changes, and other user activity.
- Include authorization requests: Authorization events for protected applications.
- System events: Backup, firewall rule changes, and other system activity.
- Include system error events: Error-level system events.
- Click Save.
Configure logging in RSA Authentication Manager Security Console
If you are also running RSA Authentication Manager (on-premise), configure logging to send authentication and audit events to syslog:
- Sign in to the RSA Authentication Manager Security Console.
- Go to Setup > System Settings > Logging.
- Select an instance (for example, Primary) and click Next.
- Set the log levels for the following logs:
- Administrative Audit Log: Administrative actions such as user creation, token assignment, and policy changes.
- Runtime Audit Log: Authentication events such as successful and failed authentication attempts.
- System Log: System-level events such as service start/stop and replication status.
- For the Log Data Destination, select Save to internal database and local operating system SysLog for each log type.
- Click Save.
Configure remote syslog forwarding from Authentication Manager
For RSA Authentication Manager 8.4 or later (uses rsyslog):
- SSH into the RSA Authentication Manager appliance.
Edit the remote syslog configuration file:
sudo vi /etc/rsyslog.d/remote.confAdd a line specifying the Bindplane agent as the remote syslog server:
*.* @BINDPLANE_AGENT_IP:514Restart the rsyslog service:
sudo systemctl restart rsyslog
For RSA Authentication Manager 8.1-8.3 (uses syslog-ng):
- SSH into the RSA Authentication Manager appliance.
Edit the syslog-ng configuration file:
sudo vi /etc/syslog-ng/syslog-ng.confLocate the comment about enabling IP to send log messages to a log server and change the IP address to the IP address of the Bindplane agent host.
Restart the syslog-ng service:
sudo /etc/init.d/syslog restart
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| column23, column24, column22, column26, column27, column28 | additional.fields | Merged with key-value pairs from specified columns |
| extensions.auth.mechanism | Set to "USERNAME_PASSWORD" | |
| extensions.auth.type | Set to "MACHINE" | |
| description | metadata.description | Value copied directly |
| action, username1, srcUser, has_principal, has_target, has_user | metadata.event_type | Set to USER_LOGOUT if action closed, USER_LOGIN if opened or expired password, USER_UNCATEGORIZED otherwise, then to USER_LOGIN if has_principal and has_target and has_user, NETWORK_CONNECTION if has_principal and has_target, STATUS_UPDATE if has_principal |
| audit_section, column4, application | metadata.product_event_type | Value from audit_section if in tokenmgt or authn, else from column4 if csv, else from application |
| column2, column6 | metadata.product_log_id | Value from column2 if in tokenmgt/authn, else from column6 |
| description | metadata.product_version | Extracted from description using grok pattern |
| column10, column14 | network.session_id | Value from column10 if in tokenmgt or authn, else from column14 |
| column20, column24, hostname | principal.asset.hostname | Value from column20 if in tokenmgt, else from column24 if in else csv, else from hostname |
| column4, column5, column8 | principal.asset.ip | Value from column4 if in tokenmgt, else from column5 if in authn, else from column8 |
| column20, column24, hostname | principal.hostname | Value from column20 if in tokenmgt, else from column24 if in else csv, else from hostname |
| column4, column5, column8 | principal.ip | Value from column4 if in tokenmgt, else from column5 if in authn, else from column8 |
| principal.platform | Set to "LINUX" | |
| process_id | principal.process.pid | Value copied directly |
| column12, column13, column11, column15, column16, column17 | principal.resource.attribute.labels | Merged with labels from specified columns |
| column16, column15, column19 | principal.user.first_name | Value from column16 if in tokenmgt, else from column15 if in authn, else from column19 |
| column17, column16, column20 | principal.user.last_name | Value from column17 if in tokenmgt, else from column16 if in authn, else from column20 |
| column16, column17, column15, column19, column20 | principal.user.user_display_name | Concatenated from first and last name fields |
| column15, column14, column18, srcUser, username | principal.user.userid | Value from column15 if in tokenmgt, else from column14 if in authn, else from column18 if in else csv, else from srcUser if sudo, else from username |
| column8, column12 | security_result.action | Set to ALLOW if column8 or column12 is SUCCESS, else BLOCK |
| column8, column12 | security_result.category_details | Value from column8 if in tokenmgt/authn, else from column12 |
| column20 | security_result.detection_fields | Merged with detection field from column20 |
| column6, column10 | security_result.rule_name | Value from column6 if in tokenmgt/authn, else from column10 |
| column1, column5 | security_result.severity | Set to HIGH if error/warning/ERROR, CRITICAL if critical, MEDIUM if notice, LOW if information/info/INFO |
| column1, column5 | security_result.severity_details | Value copied directly |
| column18, column9, column13 | security_result.summary | Value from column18 if in tokenmgt, else from column9 if in authn, else from column13 |
| application | target.application | Value copied directly |
| hostname | target.asset.hostname | Value copied directly |
| column5, column4, column9 | target.asset.ip | Value from column5 if in tokenmgt, else from column4 if in authn, else from column9 |
| hostname | target.hostname | Value copied directly |
| column5, column4, column9 | target.ip | Value from column5 if in tokenmgt, else from column4 if in authn, else from column9 |
| command | target.process.command_line | Value copied directly |
| PWD | target.process.file.full_path | Value copied directly |
| pid | target.process.pid | Value copied directly |
| column11 | target.resource.product_object_id | Value copied directly |
| description | target.url | Extracted from description using grok pattern |
| column27, username1, username | target.user.userid | Value from column27 if in tokenmgt, else from username1 if sudo, else from username |
| metadata.product_name | Set to "RSA SECURID" | |
| metadata.vendor_name | Set to "RSA" |
Need more help? Get answers from Community members and Google SecOps professionals.