000030329 - How to configure RSA Authentication Manager 8.1 to send data to multiple remote syslog servers

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Feb 21, 2019.
Version 5

Article Content

Article Number: 000030329
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
Issue: The requirement is to send RSA Authentication Manager 8.1 runtime, administrative and system information to multiple remote syslog servers.
Resolution: There are two parts to this solution.

Part 1

  1. From the Security Console of the RSA Authentication Manager 8.1 primary, navigate to Setup > System Settings.
  2. Under Basic Settings, click Logging.
  3. Select Primary as the instance type and click Next.
    1. Select the required Log Levels for Administrative Audit Log, Runtime Audit Log and System Log.
    2. For the Log Data Destination, select Save to internal database and local operating system SysLog for each of the required Log Data options (Administrative Audit Log Data, Runtime Audit Log Data and System Log Data).
  4. When finished, click Save.

Part 2

This requires either SSH access or local console access to the operating system.

The proposed steps have not been officially qualified by RSA and must be tested prior to any production use.



  1. Log on to the Authentication Manager operating system with the rsaadmin account.

Note that during Quick Setup another user name may have been selected. Use that user name to log in.

  2. Elevate to root, entering the rsaadmin password when prompted for a password.

sudo su -

  3. Navigate to /etc/syslog-ng.

am81p:~ # cd /etc/syslog-ng

  4. Make a copy of the syslog-ng.conf file.

am81p:/etc/syslog-ng # cp syslog-ng.conf syslog-ng.conf.ORIG

  5. Edit the syslog-ng.conf configuration file using an editor such as vi.
  6. Locate the comment # Enable this and adopt IP to send log messages to a log server
  7. Uncomment the following two lines:

#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };

  8. Change the IP address from 10.10.10.10 to the IP address of the remote syslog server. An example of what you should expect to see is shown here (the IP address 192.168.100.100 is used only as an example of a remote syslog server address):

destination logserver { udp("192.168.100.100" port(514)); };
log { source(src); destination(logserver); };

  9. Use the following format to send the data to more than one remote syslog server:

destination logserver {
udp("192.168.100.100" port(514));
udp("192.168.27.130" port(514));
udp("192.168.67.143" port(514));
};
log { source(src); destination(logserver); };

  10. Key in :wq! to save changes to the syslog-ng.conf configuration file.
  11. Restart the syslog daemon with the command /etc/init.d/syslog restart. For example,

am81p:/etc/syslog-ng # /etc/init.d/syslog restart
Shutting down syslog services                                                                            done
Starting syslog services                                                                                 done
am81p:/etc/syslog-ng #

  12. Monitor the outgoing traffic to the remote syslog server to confirm the change has worked, using the command

tcpdump -i eth0 -Z root -n -A -v "dst host n.n.n.n and dst port 514"

where n.n.n.n represents the IP address of the remote syslog server (the same IP address used in the /etc/syslog-ng/syslog-ng.conf configuration file).
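As an added check that is not part of the RSA article, the following Python script parses the destination logserver block out of a syslog-ng.conf and builds the multi-server form shown in step 9, rejecting malformed addresses before they are written; the sample configuration text is constructed from the snippets above, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample of the edited section of /etc/syslog-ng/syslog-ng.conf,
# assembled from the snippets in this article (not captured from an appliance).
SAMPLE_CONF = """
# Enable this and adopt IP to send log messages to a log server
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
destination logserver {
udp("192.168.100.100" port(514));
udp("192.168.27.130" port(514));
udp("192.168.67.143" port(514));
};
log { source(src); destination(logserver); };
"""

# One target in the form used on the appliance: udp("ip" port(n))
UDP_RE = re.compile(r'udp\("([^"]+)"\s+port\((\d+)\)\)')
# The log statement that wires source(src) to the logserver destination
LOG_RE = re.compile(r"\s*log\s*\{\s*source\(src\);\s*destination\(logserver\);\s*\};\s*")


def active_lines(conf_text):
    """Drop comment lines so the still-commented 10.10.10.10 template is ignored."""
    return [line for line in conf_text.splitlines() if not line.lstrip().startswith("#")]


def parse_logserver_destinations(conf_text):
    """Return the (ip, port) pairs inside the uncommented 'destination logserver' block."""
    text = "\n".join(active_lines(conf_text))
    block = re.search(r"destination\s+logserver\s*\{(.*?)\};", text, re.S)
    if not block:
        return []
    return [(ip, int(port)) for ip, port in UDP_RE.findall(block.group(1))]


def logserver_is_wired(conf_text):
    """True only if the log statement for logserver is uncommented as well."""
    return any(LOG_RE.fullmatch(line) for line in active_lines(conf_text))


def render_logserver_destination(servers, port=514):
    """Build the multi-target block from step 9, validating each address first."""
    lines = ["destination logserver {"]
    for ip in servers:
        ipaddress.ip_address(ip)  # raises ValueError on a typo such as "192.168.1"
        lines.append('udp("%s" port(%d));' % (ip, port))
    lines += ["};", "log { source(src); destination(logserver); };"]
    return "\n".join(lines)
```

Running parse_logserver_destinations over the live file before the restart in step 11 shows exactly which targets the daemon will forward to, and logserver_is_wired catches the case where the destination was uncommented but the log line was not.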

 

Making the change to the /etc/syslog-ng/syslog-ng.conf configuration file is a custom change and must be noted when writing up the disaster recovery plan for all Authentication Manager instances deployed for production use.

Notes

This configuration has the Authentication Manager instance write its data to the /var/log/messages file, and all of the data written to /var/log/messages is forwarded to the remote syslog servers. Further research will be required to filter the data sent to the remote syslog servers.
