000030329 - How to Configure RSA Authentication Manager 8.1 to Send Data to Multiple Remote SysLogs

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000030329
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 SP1
Platform: SUSE Enterprise Linux
O/S Version: 11 SP3
Product Description: SecurID Appliance
Issue: The requirement is to send RSA Authentication Manager 8.1 runtime, administrative and system information to multiple remote syslog servers.
Resolution: There are two parts to this solution.
The first part is done in the Security Console of the RSA Authentication Manager 8.1 primary instance: go to Setup > System Settings, click Logging under Basic Settings, select Primary as the Instance type and click Next, then:
  • select the required Log Levels for Administrative Audit Log, Runtime Audit Log and System Log
  • for the Log Data Destination select 'Save to internal database and local operating system SysLog' for each of the required Log Data options (Administrative Audit Log Data, Runtime Audit Log Data & System Log Data)
  • when finished, click Save
The second part changes the syslog-ng configuration of the appliance operating system and requires either SSH access or local console access to the operating system.
The proposed steps have not been officially qualified by RSA and must be tested prior to any production use:
1. Log on to the Authentication Manager operating system with the rsaadmin account.
2. Switch to the root user with the command
sudo su - root

   Enter the rsaadmin password when prompted for a password.
3. Navigate to the /etc/syslog-ng folder and make a backup copy of the syslog-ng.conf file:
am81p:~ # cd /etc/syslog-ng
am81p:/etc/syslog-ng # cp syslog-ng.conf syslog-ng.conf.ORIG
am81p:/etc/syslog-ng #

4. Edit the syslog-ng.conf configuration file using an editor such as 'vi'.
   Locate the comment # Enable this and adopt IP to send log messages to a log server.
   Uncomment these two lines:
#destination logserver { udp("" port(514)); };
#log { source(src); destination(logserver); };

   Change the IP address to be the IP address of the remote syslog server.
   An example of what you are expecting to see:
destination logserver { udp("" port(514)); };
log { source(src); destination(logserver); };

   Use the following format to send the data to more than one remote SysLog (one udp() entry per server inside a single destination block; the block must be closed with };, otherwise syslog-ng will not start):
destination logserver {
udp("" port(514));
udp("" port(514));
udp("" port(514));
};
log { source(src); destination(logserver); };

   Save the changes to the syslog-ng.conf configuration file.
   NOTE: I have used for the IP address of a remote syslog server in my example
5. Restart the syslog daemon with the command
/etc/init.d/syslog restart

am81p:/etc/syslog-ng # /etc/init.d/syslog restart
Shutting down syslog services                                                                            done
Starting syslog services                                                                                 done
am81p:/etc/syslog-ng #

6. Monitor the outgoing traffic to the remote syslog server to check that the change has worked with the command
tcpdump -i eth0 -Z root -n -A -v "dst host n.n.n.n and dst port 514"

   Where n.n.n.n represents the IP address of the remote syslog server (the same IP address used in the /etc/syslog-ng/syslog-ng.conf configuration file).
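The shell script below is an added example and not part of the RSA article or the appliance: it generates the multi-destination block from step 4 for any number of remote syslog servers (the article shows three) and sanity-checks it before it is pasted into /etc/syslog-ng/syslog-ng.conf. It assumes the stock source name src and UDP port 514 used in the article, uses RFC 5737 documentation addresses as constructed sample servers, and the optional syslog-ng --syntax-only --cfgfile check is an assumption about the syslog-ng binary on the appliance that is only run when the binary is present.

```shell
#!/bin/sh
# Added example (not RSA's own procedure): build the syslog-ng "destination"
# block for several remote syslog servers from a space-separated list of IP
# addresses, so the block is generated consistently instead of hand-edited.
# Assumptions: legacy syslog-ng syntax as on the SLES 11 appliance, UDP port
# 514, and the source name "src" from the stock syslog-ng.conf.

# Print a destination block with one udp() entry per server, followed by the
# matching log statement.  Usage: make_logserver_block "10.0.0.1 10.0.0.2" [port]
make_logserver_block() {
    servers="$1"
    port="${2:-514}"
    printf 'destination logserver {\n'
    for ip in $servers; do          # unquoted on purpose: split on spaces
        printf '    udp("%s" port(%s));\n' "$ip" "$port"
    done
    printf '};\n'                   # the closing brace that is easy to forget
    printf 'log { source(src); destination(logserver); };\n'
}

# Count the udp() destinations in a generated block (quick sanity check that
# every server made it in).
count_udp_destinations() {
    printf '%s\n' "$1" | grep -c 'udp("'
}

# Check that every "{" has a matching "}" so syslog-ng does not refuse to
# start after the edit.
braces_balanced() {
    opens=$(printf '%s' "$1" | tr -cd '{' | wc -c | tr -d ' ')
    closes=$(printf '%s' "$1" | tr -cd '}' | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# Constructed sample: three remote syslog servers in the documentation range.
block=$(make_logserver_block "192.0.2.10 192.0.2.11 192.0.2.12")
printf '%s\n' "$block"
braces_balanced "$block" && echo "braces OK"

# Optional, only where syslog-ng is installed (assumed flags: --syntax-only and
# --cfgfile): append the block to a temporary copy of the live config and let
# syslog-ng parse it without starting, so a typo is caught before the restart.
if command -v syslog-ng >/dev/null 2>&1 && [ -r /etc/syslog-ng/syslog-ng.conf ]; then
    tmp=$(mktemp)
    cat /etc/syslog-ng/syslog-ng.conf > "$tmp"
    printf '%s\n' "$block" >> "$tmp"
    syslog-ng --syntax-only --cfgfile "$tmp" && echo "syntax OK"
    rm -f "$tmp"
fi
```

Paste the printed block in place of the commented logserver lines from step 4 (not in addition to them, or syslog-ng will see the destination name twice), then restart the daemon and verify with tcpdump as in steps 5 and 6.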

Making the change to the /etc/syslog-ng/syslog-ng.conf configuration file is a custom change and must be noted when writing up the disaster recovery plan for all Authentication Manager instances deployed for production usage.
Notes: IMPORTANT NOTE: This configuration allows the Authentication Manager instance to push its data into the /var/log/messages file, and all of the data being written to /var/log/messages is pushed out to the remote syslog servers. Further research will be required to filter outgoing data to the remote syslog servers.