Need help building an RSA SecurID / Ace Server query
May 22, 2008 9:44 AM

We are moving our SecurID Ace Server infrastructure from Windows servers onto RSA Appliances.

Part of the migration includes removing agents that are no longer in use. However, we have no idea of what agents are no longer in use. None of the pre-built reports are able to give us this information.

I emailed RSA and here is what they wrote back:

I don't have great news for you, in terms of an easy query. Many of the database tables have fields for dates. For example, the table SDToken has a field dateLastLogin that shows when this token was last used. The Table SDClient has information on the agent hosts, including some date fields, but none of them are related to the last time of use.

Unfortunately, this means the only way to get information on the date of use for agents is to go through the logs, which is a little inconvenient to do with SQL queries. If a particular agent host hadn't been used in the checked time period (or ever), it won't show up with this kind of query.

One of my colleagues came up with information about a query with the fields that you are looking for. Some of the information you need will be kept in these tables and fields:
SDLogEntry.iLogEntryNum: unique number for each line in the log
SDLogEntry.chClientName: the name of the agent host
SDLogEntry.chLogin: the user who logged in
SDLogEntry.iMessageNum: which event happened; if it is 1011 from SDLogMessage.iMessageNum, this means passcode accepted, a good basic thing to check for use of an agent
SDLogMessage.iIncedentSearchCount: the number of records to look back in the log, 1 will probably be fine

You can build a query using ARG01 to enter the agent host name.
It can prompt for an agent host name, and return 'passcode accepted' events for that agent host from the sdlog database. If you have a large number of Agent Hosts, potentially you can also have the query look at SDClient.iClientNum and SDClient.chName to cycle through all of the agent hosts in the database, instead of manually going through them.

Unfortunately, I cannot go through these in more detail, as building the queries is a PSO function.

One option to the SQL queries is to either dump the logs, or archive them without deleting, and use a third-party tool to look for the last instances of use. If a particular agent host hadn't been used in the checked time period, it won't show up in the logs with this method either.

Can anyone help in building a query that will allow me to find out when the last time an agent was used?

Thank you.
posted by twistedmetal to Computers & Internet (1 answer total)
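
The log-table approach from the RSA reply quoted in the question, as an added example that is not part of the original thread and is not RSA's code: it starts from SDClient and LEFT JOINs the 1011 "passcode accepted" rows of SDLogEntry, so agent hosts with no hits still appear. Assumptions: SQLite stands in for the ACE Server query tool, the rows and host names are constructed, SDLogEntry.chClientName matches SDClient.chName exactly, and a higher iLogEntryNum means a later entry.

```python
import sqlite3

PASSCODE_ACCEPTED = 1011  # message number the RSA reply gives for "passcode accepted"

def build_sample_db():
    """Constructed sample data; only the table and column names come from the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE SDClient (iClientNum INTEGER PRIMARY KEY, chName TEXT);
        CREATE TABLE SDLogEntry (iLogEntryNum INTEGER PRIMARY KEY,
                                 chClientName TEXT, chLogin TEXT, iMessageNum INTEGER);
    """)
    db.executemany("INSERT INTO SDClient VALUES (?, ?)",
                   [(1, "vpn01.example.test"), (2, "oldmail.example.test"),
                    (3, "jump01.example.test")])
    db.executemany("INSERT INTO SDLogEntry VALUES (?, ?, ?, ?)", [
        (100, "vpn01.example.test", "alice", 1011),
        (101, "jump01.example.test", "bob", 9999),   # 9999: constructed non-1011 event
        (102, "vpn01.example.test", "carol", 1011),
        (103, "jump01.example.test", "bob", 1011),
        (104, "vpn01.example.test", "dave", 9999),
    ])
    return db

# Driving the join from SDClient keeps agents that never appear in the log;
# the 1011 filter sits in the ON clause so it does not discard those rows.
LAST_USE_SQL = """
    SELECT c.chName, MAX(l.iLogEntryNum) AS last_entry
    FROM SDClient AS c
    LEFT JOIN SDLogEntry AS l
           ON l.chClientName = c.chName AND l.iMessageNum = ?
    GROUP BY c.chName
    ORDER BY c.chName
"""

def last_accepted_per_agent(db):
    """Map every agent host to its newest accepted-passcode log entry, or None."""
    return dict(db.execute(LAST_USE_SQL, (PASSCODE_ACCEPTED,)).fetchall())

def unused_agents(db):
    """Agent hosts with no accepted passcode anywhere in the retained log."""
    return sorted(n for n, e in last_accepted_per_agent(db).items() if e is None)

if __name__ == "__main__":
    db = build_sample_db()
    for name, entry in last_accepted_per_agent(db).items():
        print(f"{name:24} {entry if entry is not None else 'no accepted passcode in log'}")
    print("removal candidates:", unused_agents(db))
```

An agent listed as a removal candidate is only unused within the log entries still retained; archived or purged log periods need the same check before an agent is deleted.
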
Could you proxy the server through an intermediate NAC, ACS will let you run reports on what is still in use...
posted by iamabot at 7:24 PM on May 22, 2008
