000017501 - How to send log messages to syslog system log RSA Authentication Manager 7.1?

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000017501
Applies ToRSA Authentication Manager 7.1
RSA Appliance 3.0
Syslog server
Kiwi syslog
IssueHow to send log messages to system log?
How to configure log messages to syslog server in RSA Authentication Manager 7.1.SP2?
How to configure log messages to syslog server in RSA Appliance 3.0?
How to send log messages to syslog server?

RSA Authentication messages can be configured to forward the logging messages to a system log server running on another machine using default port 514/udp. The syslog server can be running on Windows or UNIX. The RSA Authentication Manager log messages can not be written to Windows Event Viewer.

1. Apply the most recent cumulative hot fix on RSA Authentication Manager 7.1

2. Edit the file \RSA Security\RSA Authentication Manager\utils\resources\ims.properties.

ims.logging.audit.admin.syslog_host       = <host_name> < -------------  Change the value to syslog server name
ims.logging.audit.admin.syslog_layout     = %d, %X{clientIP}, %c, %p, %m%n
ims.logging.audit.admin.syslog_facility   = 8
ims.logging.audit.admin.use_os_logger     = false    <---- Change the value to true 
ims.logging.audit.runtime.syslog_host     = <host_name>         < -------------  Change the value to syslog server name
ims.logging.audit.runtime.syslog_layout   = %d, %X{clientIP}, %c, %p, %m%n
ims.logging.audit.runtime.syslog_facility = 8
ims.logging.audit.runtime.use_os_logger   = false       < ------- Change the value to true
ims.logging.system.syslog_host            = <host_name> < -------------  Change the value to syslog server name
ims.logging.system.syslog_layout          = %d, %X{clientIP}, %c, %p, %m%n
ims.logging.system.syslog_facility        = 8
ims.logging.system.use_os_logger          = false    < ------- Change the value to true

After applying the patch, in order to send log messages to syslog, edit the values in above file and change the value of the parameter ims.logging.system.use_os_logger to true.
By default, the patch installer will set the <host_name> to the full host name of the server where RSA Authentication Manager is installed. The value of the parameter ims.logging.system.syslog_host should be changed to hostname of syslog server. The cumulative patch needs to be applied to primary, replica, node, database and radius installations.

The syslog server should be configured syslog to accept log messages from RSA Authentication Manager. For example, on Linux, one can add
the following to /etc/syslog.conf (note:entries should be separated with tabs, not spaces):
# RSA Authentication Manager 7.1 log
user.*                                                  /var/log/rsa.log

On Linux, by default syslog does not receive messages from an application ( either running locally or from a remote machine). To change this, one needs to modify /etc/sysconfig/syslog and add "-r"
option to SYSLOGD_OPTIONS, as following:

The above should also be done with an RSA Appliance3.0

After the appropriate changes are made to the configuration files, the syslog

daemon needs to be restarted. This can be done by:
/etc/init.d/syslog restart 

On CentOS:

1. Edit /etc/rsyslog.conf file and add below lines:
   user.info    /var/log/rsa.log
   *.err;kern.debug;daemon.notice;mail.crit        /var/log/rsa.log

2. /etc/init.d/rsyslog restart 

or on Solaris:
svcadm restart svc:/system/system-log:default

On Solaris, check /etc/hosts  to see if/where loghost is set

A free syslog server such as Kiwi syslog server can be downloaded from http://www.kiwisyslog.com/ to test the above functionality.

Important note for AM7.1 on Windows
If RSA Authentication Manager 7.1 is running on Windows, only system audit events can be written to Event log. In the logging configuration page in the RSA Security consoleenable the check box to send system audit events to windows event log. If the option "send system audit events to Event viewer" is enabled, then those events cannot be sent to remote syslog host (for eg: Kiwi, or enVision). You can do one or the other (not both). The runtime audit logs, and admin audit logs cannot be forwarded to local system log or remote syslog server on Windows. After making changes, you need to stop and restart all RSA Services

If RSA Authentication Manager 7.1 is running on UNIX, such as Linux, Solaris, or Appliance 3.x, runtime audit logs, admin audit logs and system audit logs can be forwarded to local syslog or remote syslog server.

Another free syslog server can be downloaded from http://www.splunk.com/download?ac=adwords-syslog&_kk=free%20syslog%20server&gclid=CMjV5NeTppoCFQObFQodqSZY9A

WorkaroundRequires SP2 or above for Authentication Manager 7.1 and Appliance 3.0     Download here
NotesRSA Authentication Manager 7.1 / Log Data Destination  Use OS System Log    Send system messages to OS system log

Syslog messages cannot be sent to multiple log servers simultaneously.  If multiple hostnames are defined in the parameter "ims.logging.audit.admin.syslog_host      = <host_name>", messages will be sent to the first server in the list.  If that server is not available, syslog messages will be sent to the next server in the list.

NOTE: BE CAREFUL HOW YOU EDIT THIS FILE. extra spaces, hidden linefeeds...etc...may make the server unable to restart correctly.

It is important to be careful editing the ims.properties file...as it may appear to be fine but could cause issues. Reverting to a backup copy would be the first thing to test if any problems arise after a system restart.

Legacy Article IDa45806