000039453 - How to modify the syslog date format on RSA Authentication Manager 8.4 and up

Document created by RSA Customer Support Employee on Dec 8, 2020
Version 1

Article Content

Article Number: 000039453
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4, 8.5
Issue: The date format in 8.4 is 2020-11-11T13:56:34+00:00, and you want to change it to the older format (Nov 11 14:02:08, RFC3164).
Cause: The date format in 8.4 is the new default format (2020-11-11T13:56:34+00:00, RFC5424, "The New Format"). If you want to change to the old format (Nov 11 14:02:08, RFC3164, "The Old Format"), you can do so by updating the rsyslog config file.

The original BSD format (RFC3164) is used by AM 8.3. RSA Authentication Manager 8.4 uses the "new" format (RFC5424).
Resolution: Uncomment or update the following line in the rsyslog.conf file located in /etc, save the file, and restart the rsyslog service.

#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

  1. Launch an SSH client, such as PuTTY.
  2. Log in to the primary Authentication Manager server as rsaadmin and enter the operating system password.

    Note that during Quick Setup another username may have been selected. Use that username to log in.

  3. Change the privileges of rsaadmin with the command:

sudo su - root

  4. Enter the operating system password when prompted.
  5. Go to /etc and make a copy of the rsyslog.conf file.
  6. Edit the rsyslog.conf configuration file using an editor such as vi.
  7. Uncomment the line $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat and save.

# Use rsyslog native, rfc5424 conform log format as default
# ($ActionFileDefaultTemplate RSYSLOG_FileFormat).
# To change a single file to use obsolete BSD syslog format
# (rfc 3164, no high-precision timestamps), set the variable
# bellow or append ";RSYSLOG_FileFormat" to the filename.
# See
#   http://www.rsyslog.com/doc/rsyslog_conf_templates.html
# for more information.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$PreserveFQDN on

  8. Restart the syslog daemon and verify its status with the following commands:

bharath:/etc # rcsyslog restart
redirecting to systemctl restart syslog.service
bharath:/etc # rcsyslog status
Usage: /sbin/rcsyslog {start|stop|status|try-restart|restart|force-reload|reload}
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-11-11 15:05:22 UTC; 41s ago
     Docs: man:rsyslogd(8)
  Process: 10537 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 1713 ExecStartPre=/usr/sbin/rsyslog-service-prepare (code=exited, status=0/SUCCESS)
Main PID: 1719 (rsyslogd)
    Tasks: 6 (limit: 16384)
   CGroup: /system.slice/rsyslog.service
           └─1719 /usr/sbin/rsyslogd -n
bharath:/etc #

Syslog now logs messages in the old format (Nov 11 14:02:08) rather than the new format (2020-11-11T13:56:34+00:00).
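
The procedure above as a scripted, repeatable change with a check of the resulting timestamp format. This is an added example, not RSA tooling or part of the original article; the function names and the `.bak` backup suffix are assumptions.

```shell
#!/bin/sh
# Added example, not RSA tooling; function names are hypothetical.

# ERE for the directive the article uncomments in /etc/rsyslog.conf.
DIRECTIVE_RE='\$ActionFileDefaultTemplate[[:space:]]+RSYSLOG_TraditionalFileFormat'

# enable_traditional_format FILE
# Returns 0 if the directive is active (already, or after uncommenting),
# 1 if the backup failed, 2 if FILE is missing, 3 if no commented directive exists.
enable_traditional_format() {
    conf=$1
    [ -f "$conf" ] || return 2
    # Idempotent: leave the file alone if the directive is already uncommented.
    grep -Eq "^[[:space:]]*$DIRECTIVE_RE" "$conf" && return 0
    # Refuse to append: the article only uncomments the line shipped in the file.
    grep -Eq "^[[:space:]]*#[[:space:]]*$DIRECTIVE_RE" "$conf" || return 3
    # The article's "make a copy" step; -p keeps mode and timestamps.
    cp -p "$conf" "$conf.bak" || return 1
    # Write back through the original path so ownership and mode are unchanged.
    sed -E "s/^[[:space:]]*#[[:space:]]*($DIRECTIVE_RE)/\1/" "$conf.bak" > "$conf"
}

# timestamp_format LINE
# Prints rfc5424, rfc3164 or unknown for the leading timestamp of a log line,
# using the two formats quoted in the article.
timestamp_format() {
    if printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}'; then
        echo rfc5424
    elif printf '%s\n' "$1" | grep -Eq '^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} '; then
        echo rfc3164
    else
        echo unknown
    fi
}
```

Run `enable_traditional_format /etc/rsyslog.conf` as root, restart the daemon as in the article, then pass a freshly written log line to `timestamp_format` to confirm the change took effect.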