000017542 - How to verify RSA Authentication Manager (AM) 8.1 is sending syslog data to a remote syslog server.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017542
Applies To

In the RSA Authentication Manager (AM) 8.1 Security Console, go to Setup > System Settings, then click the Logging link. Select either Primary or Replica(s) and click [Next>]. Set the log levels, then scroll down to Log Data Destination.


There are three types of log data: Administrative Audit, Runtime Audit (includes authentications), and System (includes system errors such as failures to connect to a remote LDAP identity source).


There are also three ways to save log data; the bottom choice saves to both the internal database and a remote syslog server at the hostname or IP address you enter. Click [Save].


RSA Authentication Manager (AM) version 8.1, AM 8.1, AM 8.0, AM 8.X
Remote syslog, Remote syslogging, Remote syslogger, System log
 
Issue: How to verify RSA Authentication Manager (AM) 8.1 is sending syslog data to a remote syslog server.
The remote syslog server admin (e.g. ArcSight) says no RSA syslog data is arriving at his syslog server, even though you, as the RSA AM admin, configured remote syslog to his server's IP address.
 
Cause: A firewall is blocking syslog traffic on UDP port 514.
 
Resolution

SSH to the SUSE Linux operating system with the OS account (rsaadmin, or whatever account has been configured).


     sudo su -                             <to become root - same password>
     # service syslog status               <should show as running>
     # ps -ef | grep syslog


     # tcpdump -i eth0 host <IP_syslog>    <screen should show RSA sending syslog packets to this syslog server on UDP port 514>
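
To help read the capture from the last step, the following added example (not part of the original RSA article) classifies `tcpdump -nn` text output into three cases. The function name, sample addresses and capture lines are constructed for illustration, and the ICMP "port unreachable" case goes slightly beyond the article's firewall scenario.

```shell
#!/bin/sh
# Added example: classify `tcpdump -nn` text for traffic to a remote syslog server.
# Live use on the appliance (<IP_syslog> is a placeholder, as in the article):
#   tcpdump -nn -l -c 20 -i eth0 host <IP_syslog> | syslog_capture_verdict <IP_syslog>

syslog_capture_verdict() {
    # $1 = syslog server IP; tcpdump -nn output is read from stdin.
    awk -v srv="$1" '
        # Outbound datagram addressed to the server on UDP 514.
        index($0, " > " srv ".514: ") { sent++ }
        # The server (or a host firewall on it) answered "port unreachable".
        index($0, "ICMP " srv " udp port 514 unreachable") { rejected++ }
        END {
            if (rejected)  print "rejected"    # nothing accepting UDP 514 on the server
            else if (sent) print "sending"     # AM is transmitting; check the network path
            else           print "no-traffic"  # check AM logging settings and the syslog service
        }'
}

# Constructed sample captures (not real output from an appliance).
SAMPLE_SENDING='12:00:01.100000 IP 192.0.2.10.38211 > 192.0.2.50.514: SYSLOG local0.info, length: 180
12:00:02.300000 IP 192.0.2.10.38211 > 192.0.2.50.514: SYSLOG local0.notice, length: 212'

SAMPLE_REJECTED='12:00:01.100000 IP 192.0.2.10.38211 > 192.0.2.50.514: SYSLOG local0.info, length: 180
12:00:01.100400 IP 192.0.2.50 > 192.0.2.10: ICMP 192.0.2.50 udp port 514 unreachable, length 216'

# Traffic to the same host on a different port (51400) must not count as syslog.
SAMPLE_OTHER='12:00:05.000000 IP 192.0.2.10.40022 > 192.0.2.50.51400: Flags [P.], seq 1:37, ack 1, win 501, length 36'

printf 'sending sample:  %s\n' "$(printf '%s\n' "$SAMPLE_SENDING"  | syslog_capture_verdict 192.0.2.50)"
printf 'rejected sample: %s\n' "$(printf '%s\n' "$SAMPLE_REJECTED" | syslog_capture_verdict 192.0.2.50)"
printf 'other sample:    %s\n' "$(printf '%s\n' "$SAMPLE_OTHER"    | syslog_capture_verdict 192.0.2.50)"
```

A `sending` verdict while the syslog administrator sees nothing arrive matches the cause above: the appliance is transmitting and something on the path is dropping UDP port 514.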

Legacy Article ID: a66606
