|Applies To||RSA Authentication Manager 7.1|
RSA Appliance 3.0
|Issue||How to send log messages to system log?|
How to configure log messages to syslog server in RSA Authentication Manager 7.1.SP2?
How to configure log messages to syslog server in RSA Appliance 3.0?
How to send log messages to syslog server?
RSA Authentication Manager can be configured to forward its log messages to a syslog server running on another machine, using the default port 514/udp. The syslog server can be running on Windows or UNIX. RSA Authentication Manager log messages cannot be written to the Windows Event Viewer.
1. Apply the most recent cumulative hot fix on RSA Authentication Manager 7.1
2. Edit the file \RSA Security\RSA Authentication Manager\utils\resources\ims.properties.
ims.logging.audit.admin.syslog_host = <host_name>
Change the value <host_name> to the syslog server name.
The syslog server should be configured to accept log messages from RSA Authentication Manager. For example, on Linux, one can add
The above should also be done with an RSA Appliance 3.0
1. Edit the /etc/rsyslog.conf file and add the lines below:
2. Restart rsyslog: /etc/init.d/rsyslog restart
or on Solaris:
On Solaris, check /etc/hosts to see if/where loghost is set
A free syslog server such as Kiwi syslog server can be downloaded from http://www.kiwisyslog.com/ to test the above functionality.
Important note for AM7.1 on Windows:
If RSA Authentication Manager 7.1 is running on UNIX, such as Linux, Solaris, or Appliance 3.x, runtime audit logs, admin audit logs and system audit logs can be forwarded to the local syslog or to a remote syslog server.
Another free syslog server can be downloaded from http://www.splunk.com/download?ac=adwords-syslog&_kk=free%20syslog%20server&gclid=CMjV5NeTppoCFQObFQodqSZY9A
|Workaround||Requires SP2 or above for Authentication Manager 7.1 and Appliance 3.0|
|Notes||RSA Authentication Manager 7.1 / Log Data Destination Use OS System Log Send system messages to OS system log|
Syslog messages cannot be sent to multiple log servers simultaneously. If multiple hostnames are defined in the parameter "ims.logging.audit.admin.syslog_host = <host_name>", messages will be sent to the first server in the list. If that server is not available, syslog messages will be sent to the next server in the list.
NOTE: BE CAREFUL HOW YOU EDIT THIS FILE. Extra spaces, hidden linefeeds, etc. may make the server unable to restart correctly.
Take care when editing the ims.properties file: it may appear to be fine and still cause issues. If any problems arise after a system restart, reverting to a backup copy is the first thing to test.
|Legacy Article ID||a45806|
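One way to check an edited ims.properties against its backup copy before restarting, looking for the extra spaces and hidden linefeeds the note above warns about. This is an added example, not RSA code; it assumes plain `key = value` lines as shown in step 2, and `example.other.setting`, `127.0.0.1` and `syslog.example.com` are constructed sample values.

```python
import re
import sys

SYSLOG_KEY = "ims.logging.audit.admin.syslog_host"  # key named in the article
LINE_BREAK = re.compile(rb"\r\n|\n|\r")

def parse(data: bytes) -> dict:
    """Map key -> raw value bytes for uncommented 'key = value' lines (assumed syntax)."""
    props = {}
    for raw in LINE_BREAK.split(data):
        line = raw.lstrip()
        if line and line[:1] not in (b"#", b"!") and b"=" in line:
            key, value = line.split(b"=", 1)
            props[key.strip().decode("latin-1")] = value.lstrip()
    return props

def endings(data: bytes) -> dict:  # count each line-ending style present in the file
    crlf = data.count(b"\r\n")
    return {"CRLF": crlf, "LF": data.count(b"\n") - crlf, "CR": data.count(b"\r") - crlf}

def lint(edited: bytes, backup: bytes) -> list:
    """Return findings for the edited file; an empty list means the edit looks clean."""
    findings = []
    for style, count in endings(edited).items():
        if count and not endings(backup)[style]:
            findings.append(f"{count} {style} line ending(s) not present in the backup")
    known = set(LINE_BREAK.split(backup))  # lines identical to the backup are not re-checked
    for number, raw in enumerate(LINE_BREAK.split(edited), 1):
        if raw in known:
            continue
        if raw.strip() and raw != raw.rstrip():
            findings.append(f"line {number}: trailing whitespace")
        if re.search(rb"[^\x09\x20-\x7e]", raw):  # BOM, NBSP, zero-width and control bytes
            findings.append(f"line {number}: non-printable or non-ASCII byte")
    old, new = parse(backup), parse(edited)
    for key in sorted(set(old) | set(new)):
        if key != SYSLOG_KEY and old.get(key) != new.get(key):
            findings.append(f"unexpected change to key {key}")
    if not new.get(SYSLOG_KEY, b"").strip():
        findings.append(f"{SYSLOG_KEY} is missing or empty")
    return findings

# Constructed sample data (not a real ims.properties); the edit adds a trailing space and CRLF.
SAMPLE_BACKUP = b"# constructed sample\n" + SYSLOG_KEY.encode() + b" = 127.0.0.1\nexample.other.setting = 1\n"
SAMPLE_EDITED = SAMPLE_BACKUP.replace(b"127.0.0.1\n", b"syslog.example.com \r\n")

if __name__ == "__main__":  # usage: python lint_ims.py [<edited file> <backup copy>]
    args = [open(p, "rb").read() for p in sys.argv[1:3]]
    edited, backup = args if len(args) == 2 else (SAMPLE_EDITED, SAMPLE_BACKUP)
    sys.exit("\n".join(lint(edited, backup)) or 0)
```

Run with no arguments it checks the constructed sample; with two file paths it exits non-zero and lists the findings if the edited file differs from the backup in anything other than the syslog host value.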