000030329 - How to configure RSA Authentication Manager 8.1, 8.2, 8.3 to send data to multiple remote syslog servers

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Dec 16, 2019.
Version 6

Article Content

Article Number: 000030329
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1, 8.2, 8.3
Issue: The requirement is to send RSA Authentication Manager runtime, administrative and system information to multiple remote syslog servers.
Resolution: There are two parts to this solution.

Part 1

  1. From the Security Console of the RSA Authentication Manager primary, navigate to Setup > System Settings.
  2. Under Basic Settings, click Logging.
  3. Select Primary as the instance type and click Next.
    1. Select the required Log Levels for Administrative Audit Log, Runtime Audit Log and System Log.
    2. For the Log Data Destination select Save to internal database and local operating system SysLog on the required Log Data options (Administrative Audit Log Data, Runtime Audit Log Data & System Log Data).
  4. When finished click Save.


Part 2

This requires either SSH access or local console access to the operating system.

The proposed steps have not been officially qualified by RSA and must be tested prior to any production use.

  1. Log on to the Authentication Manager operating system with the rsaadmin account.

Note that during Quick Setup another user name may have been selected. Use that user name to log in.

  2. Elevate to root, entering the rsaadmin password when prompted for a password.

sudo su -

  3. Navigate to /etc/syslog-ng.

am81p:~ # cd /etc/syslog-ng

  4. Make a copy of the syslog-ng.conf file.

am81p:/etc/syslog-ng # cp syslog-ng.conf syslog-ng.conf.ORIG

  5. Edit the syslog-ng.conf configuration file using an editor such as vi.
  6. Locate the comment # Enable this and adopt IP to send log messages to a log server
  7. Uncomment the following two lines:

#destination logserver { udp("" port(514)); };
#log { source(src); destination(logserver); };

  8. Change the IP address from to be the IP address of the remote syslog server.  An example of what you are expecting to see is shown here:

The IP address of is used only as an example for the IP address of a remote syslog server.

destination logserver { udp("" port(514)); };
log { source(src); destination(logserver); };

  9. Use the following format to send the data to more than one remote syslog server: one udp() entry per server inside the single destination block, which must be closed with }; before the log statement.

destination logserver {
udp("" port(514));
udp("" port(514));
udp("" port(514));
};
log { source(src); destination(logserver); };

  10. Key in :wq! to save changes to the syslog-ng.conf configuration file.
  11. Restart the syslog daemon with the command /etc/init.d/syslog restart.  For example:

am81p:/etc/syslog-ng # /etc/init.d/syslog restart
Shutting down syslog services                                                                            done
Starting syslog services                                                                                 done
am81p:/etc/syslog-ng #

  12. Monitor the outgoing traffic to the remote syslog server to check that the change has worked, with the command:

tcpdump -i eth0 -Z root -n -A -v "dst host n.n.n.n and dst port 514"

Where n.n.n.n represents the IP address of the remote syslog server (the same IP address used in the /etc/syslog-ng/syslog-ng.conf configuration file).
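The fan-out step (one udp() line per collector inside a single destination block that must be closed with };) and the backup step are easy to get wrong by hand in vi. The script below is an added example, not RSA's code and not part of the appliance: it generates the destination block from a list of collector addresses, refuses malformed addresses so a typo cannot reach the running configuration, and installs the block into a copy of syslog-ng.conf after backing the original up as syslog-ng.conf.ORIG, as step 4 does. The function names, the removal of the two commented template lines, and the 192.0.2.x addresses (RFC 5737 documentation range) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not RSA's tooling: build and install a multi-collector
# "logserver" destination for the appliance's legacy syslog-ng.conf.
# All addresses used here are constructed placeholders.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print a destination block with one udp() line per collector, followed by
# the log statement that wires source(src) to it. Emits nothing and returns 1
# if any address is malformed, so a typo never reaches the config file.
gen_logserver_destination() {
  [ $# -ge 1 ] || return 1
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "bad collector address: $ip" >&2; return 1; }
  done
  printf 'destination logserver {\n'
  for ip in "$@"; do
    printf '    udp("%s" port(514));\n' "$ip"
  done
  printf '};\n'
  printf 'log { source(src); destination(logserver); };\n'
}

# Back up $1 to $1.ORIG (as step 4 does), drop the two commented-out template
# lines the appliance ships with, and append the generated block for the
# collectors given as the remaining arguments.
install_logserver_block() {
  conf=$1
  shift
  cp "$conf" "$conf.ORIG" || return 1
  grep -v -e '^#destination logserver' \
          -e '^#log { source(src); destination(logserver); };' \
          "$conf.ORIG" > "$conf"
  gen_logserver_destination "$@" >> "$conf"
}

# Count how many udp() collectors a config file fans out to; a quick check
# that the number of entries matches the number of collectors you intended.
count_collectors() {
  grep -c 'udp("' "$1"
}

# Usage on the appliance, as root (Part 2, step 2 onward):
#   install_logserver_block /etc/syslog-ng/syslog-ng.conf 192.0.2.10 192.0.2.11
#   /etc/init.d/syslog restart
```

The generated block keeps the udp() driver so it matches what the appliance's configuration already uses; note that udp() sends every line of /var/log/messages in cleartext with no delivery confirmation, which is why the tcpdump check in step 12 is the only way to confirm from the appliance side that data is leaving for each collector. The daemon still has to be restarted afterwards exactly as in step 11.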


Making the change to the /etc/syslog-ng/syslog-ng.conf configuration file is a custom change and must be noted when writing up a disaster recovery plan for all Authentication Manager instances deployed for production usage.


This configuration allows the Authentication Manager instance to push its data into the /var/log/messages file and all of the data being written to /var/log/messages is pushed out to the remote syslog servers. Further research will be required to filter outgoing data to the remote syslog servers.

For Authentication Manager v8.4 or later, check the following article:
How to configure RSA Authentication Manager 8.4 or later to send data to multiple remote syslog servers