000033369 - Forward syslog messages in RSA Authentication Manager 8.0 through 8.3

Document created by RSA Customer Support Employee on Jun 20, 2016. Last modified by RSA Customer Support on Jan 6, 2020.
Version 5


Article Number: 000033369
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.0 - 8.3
Issue: The contents of /var/log/messages are not forwarded along with the application-level log streams, so a remote syslog aggregator or SIEM will not see logins to the operating system or attempts to use su.
Resolution: To resolve this issue, enable forwarding by editing the syslog configuration file on each RSA Authentication Manager primary and replica instance whose syslog you want to see on the aggregator. These settings are not replicated between instances, so the change must be made on each one.
  1. Log in as rsaadmin via SSH.

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Mon Jan  6 14:05:00 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am

  2. Run the command sudo su - to become the root user.
  3. Using a text editor, such as vi, edit /etc/syslog-ng/syslog-ng.conf:

rsaadmin@am8p:~> sudo su -
rsaadmin's password: <enter operating system password>
am8p:~ # vi /etc/syslog-ng/syslog-ng.conf

  4. Search for the first occurrence of "destination", which is the commented-out newscrit block:

#destination newscrit   { file("/var/log/news/news.crit"
#                              owner(news) group(news)); };
#log { source(src); filter(f_newscrit); destination(newscrit); };


  5. Continue to the next destination entry after it, the commented-out log server block:

# Enable this and adopt IP to send log messages to a log server.
#destination logserver { udp("" port(514)); };
#log { source(src); destination(logserver); };

  6. Uncomment this line and the next, and replace the empty string in udp("") with the IP address of the syslog aggregator. Check the port as well to ensure it is the one your aggregator is listening on.

destination logserver { udp("" port(514)); };
log { source(src); destination(logserver); };

  7. Press Esc, then type :wq! to save and exit.
  8. Restart the syslog service to make the changes take effect. I don't know why it uses syslog instead of syslog-ng.

am8p:~ # /etc/init.d/syslog restart
Shutting down syslog services                       done
Starting syslog services                            done

  9. Test by logging out and back in, then check the syslog aggregator to see whether the login shows up. Note that it might be listed as an sshd event.
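The whole procedure above, as an added shell example that is not code from the RSA article: it applies the same two-line change to a copy of syslog-ng.conf, checks afterwards that an active logserver destination with a non-empty IP and its matching log statement exist (the stock file ships udp("") with no address, which forwards nothing even once uncommented), and filters the sshd and su lines you would look for on the aggregator in the final step. The configuration fragment and log lines are constructed for the example, and the aggregator address 10.0.0.5 and all function names are assumptions. The service restart is not performed here; that remains the /etc/init.d/syslog restart from the steps above.

```shell
#!/bin/sh
# Added example, not code from the RSA article. Mirrors the article's manual
# edit of /etc/syslog-ng/syslog-ng.conf on a copy of the file so it can be run
# and checked offline. The sample config and log lines below are constructed;
# the aggregator address 10.0.0.5 and all function names are assumptions.
set -eu

# make_sample_conf FILE: constructed fragment with the commented "logserver"
# lines exactly as the stock file quoted in the article has them.
make_sample_conf() {
    cat > "$1" <<'EOF'
#destination newscrit   { file("/var/log/news/news.crit"
#                              owner(news) group(news)); };
#log { source(src); filter(f_newscrit); destination(newscrit); };

# Enable this and adopt IP to send log messages to a log server.
#destination logserver { udp("" port(514)); };
#log { source(src); destination(logserver); };
EOF
}

# forwarding_target CONF: prints IP:PORT of an uncommented logserver
# destination, or nothing while the line is still commented out.
forwarding_target() {
    sed -n 's|^destination logserver { udp("\([^"]*\)" port(\([0-9]*\)));.*|\1:\2|p' "$1"
}

# forwarding_enabled CONF: succeeds only when the destination is active, its
# IP is non-empty, and the matching log {} statement is uncommented.
forwarding_enabled() {
    case "$(forwarding_target "$1")" in
        ''|:*) return 1 ;;
    esac
    grep -q '^log { source(src); destination(logserver); };' "$1"
}

# enable_syslog_forwarding CONF IP [PORT]: the uncomment-and-edit step as one
# idempotent change. Keeps a timestamped backup and refuses a non-numeric
# port, since a mistyped port silently sends nothing to the aggregator.
enable_syslog_forwarding() {
    conf="$1"; ip="$2"; port="${3:-514}"
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    sed \
        -e "s|^#*destination logserver {.*|destination logserver { udp(\"$ip\" port($port)); };|" \
        -e 's|^#*\(log { source(src); destination(logserver); };\)|\1|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# make_sample_log FILE: constructed lines in /var/log/messages format,
# including the sshd and su events the article says should now reach the
# aggregator.
make_sample_log() {
    cat > "$1" <<'EOF'
Jan  6 14:05:00 am8p sshd[4242]: Accepted keyboard-interactive/pam for rsaadmin from 192.0.2.10 port 51234 ssh2
Jan  6 14:05:00 am8p sshd[4242]: pam_unix(sshd:session): session opened for user rsaadmin by (uid=0)
Jan  6 14:05:30 am8p su: (to root) rsaadmin on /dev/pts/0
Jan  6 14:05:30 am8p su: pam_unix(su:session): session opened for user root by rsaadmin(uid=1000)
Jan  6 14:06:00 am8p cron[4300]: (root) CMD (/usr/bin/true)
EOF
}

# login_events FILE: the lines to look for on the aggregator after the test
# login: sshd accept/fail records and su activity.
login_events() {
    grep -E ' (sshd\[[0-9]+\]: (Accepted|Failed) |su: )' "$1"
}

# Demo on a temporary copy. The real edit is the same call against
# /etc/syslog-ng/syslog-ng.conf as root, followed by the article's restart.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/syslog-ng.conf"
if forwarding_enabled "$demo_dir/syslog-ng.conf"; then
    echo "forwarding already enabled"
else
    enable_syslog_forwarding "$demo_dir/syslog-ng.conf" 10.0.0.5 514
    echo "forwarding now goes to $(forwarding_target "$demo_dir/syslog-ng.conf")"
fi
make_sample_log "$demo_dir/messages"
login_events "$demo_dir/messages"
```

Running the script a second time leaves the file unchanged apart from a fresh backup, which is what makes it safe to put into a post-patch checklist for every primary and replica. Before the restart, syslog-ng -s (syntax-only mode) on the edited file catches a broken line that would otherwise stop the whole daemon, not just the new destination.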

This article is version specific: it applies to older versions of RSA Authentication Manager that still use syslog-ng, not to newer versions that use rsyslog.