000037206 - How to configure RSA Authentication Manager 8.4 or later to send data to multiple remote syslog servers

Document created by RSA Customer Support Employee on Feb 21, 2019Last modified by RSA Customer Support Employee on Nov 12, 2020
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000037206
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 or later
IssueThe requirement is to send RSA Authentication Manager 8.4 data to multiple remote syslog servers.

Prior to Authentication Manager 8.4, article 000030329 - How to configure RSA Authentication Manager 8.1 to send data to multiple remote syslog servers detailed how to address this requirement.

Since RSA Authentication Manager 8.4, Authentication Manager updated its operating system to SUSE Linux Enterprise Server 12 SP4.  SLES 12 no longer uses syslog-ng for remote syslog server.

ResolutionWe have an rsyslog on RSA Authentication Manager 8.4 instead of syslog-ng. And we have a configuration file in /etc/rsyslog.d/remote.conf where you could define the syslog server(s) to which you want to connect. And we have /etc/rsylog.conf for rest of the configuration related to rsyslog.
  1. Launch an SSH client, such as PuTTY.
  2. Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another username may have been selected. Use that username to login.

  1. Changes the privileges of rsaadmin with the command

sudo su – root

  1. Enter the operating system password when prompted.
  2. Go to /etc/rsyslog.d/ and make a copy of the remote.conf file.
  3. Edit the remote.conf configuration file using an editor such as vi.
  4. Append the remote syslog servers with the format below in the following section of the /etc/rsyslog.d/remote.conf file:

*.* @

# ######### Sending Messages to Remote Hosts ##########

# Remote Logging using TCP for reliable delivery
# remote host is: name/ip:port, e.g., port optional
#*.* @@remote-host

# Remote Logging using UDP
# remote host is: name/ip:port, e.g., port optional
#*.* @remote-host
*.* @
*.* @

  1. Restart the syslog daemon and verify the status with the commands.

am84p:~ # rcsyslog restart
redirecting to systemctl restart syslog.service
am84p:~ # rcsyslog status
Usage: /sbin/rcsyslog {start|stop|status|try-restart|restart|force-reload|reload}
  rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-02-21 10:30:18 AEDT; 20s ago
     Docs: man:rsyslogd(8)
Main PID: 11447 (rsyslogd)
    Tasks: 6 (limit: 16384)
   CGroup: /system.slice/rsyslog.service
           └─11447 /usr/sbin/rsyslogd -n

  1. Configure Security Console Logging to send to localhost rsyslog setting
  2. Monitor the outgoing traffic to the remote syslog server with the commands:

  •     To monitor all traffic on port 514:

am84p:~ # tcpdump -nvv -i eth0 port 514

  •      To monitor more targeted traffic on port 514:

am84p:~ # tcpdump -nvv -i eth0 "dst host n.n.n.n and dst port 514"

Example output is shown below:

am84p:~ # tcpdump -nvv -i eth0 port 514
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:38:27.717034 IP (tos 0x0, ttl 64, id 20367, offset 0, flags [DF], proto UDP (17), length 182) > [bad udp cksum 0x54dc -> 0xe5d5!] SYSLOG, length: 154
        Facility auth (4), Severity notice (5)
        Msg: Feb 21 12:38:27 am84p sudo: rsaadmin : TTY=unknown ; PWD=/opt/rsa/am/server ; USER=root ; COMMAND=/opt/rsa/am/utils/bin/appliance/queryTimeSettings.sh
        0x0000:  3c33 373e 4665 6220 3231 2031 323a 3338
        0x0010:  3a32 3720 616d 3834 7020 7375 646f 3a20
        0x0020:  7273 6161 646d 696e 203a 2054 5459 3d75
        0x0030:  6e6b 6e6f 776e 203b 2050 5744 3d2f 6f70
        0x0040:  742f 7273 612f 616d 2f73 6572 7665 7220
        0x0050:  3b20 5553 4552 3d72 6f6f 7420 3b20 434f
        0x0060:  4d4d 414e 443d 2f6f 7074 2f72 7361 2f61
        0x0070:  6d2f 7574 696c 732f 6269 6e2f 6170 706c
        0x0080:  6961 6e63 652f 7175 6572 7954 696d 6553
        0x0090:  6574 7469 6e67 732e 7368

  1. Once done with the primary, please repeat steps 1 through 9 above on each replica server in your deployment.  Be sure to complete the tasks on one before moving to the other(s).