Article Number
000001221
Applies To
RSA Product Set: Security Analytics
SA Product/Service Type: Event Source Monitoring
RSA Version/Condition: 10.x
Platform: CentOS
O/S Version: EL6
Issue
What "Source Type" to use when configuring Event Source Monitoring in RSA Security Analytics.
Which Source Type should I use when configuring Event Source Monitoring in Security Analytics?
How do I know what to enter for the Source Type when setting up Event Source Monitoring in SA?
Cause
If you wish to monitor a syslog event source, the Source Type is not "syslog". You need to use the name of the event source itself; otherwise, you will not get any notification.
Resolution
As an example, if you are sending syslog messages from a SecurID server to Security Analytics and you want to receive a notification when the SecurID server stops sending messages to Security Analytics (within a specified threshold), then you have to use rsaacesrv as the Source Type.
To check the correct Source Type:
From the SA UI --> Administration --> Devices --> LogDecoder --> View --> Stats --> Log Stats
This page lists the Event Source Types.
Notes
For additional information, refer to the RSA Security Analytics documentation entitled Configure Event Monitoring.