000033369 - How to forward syslog messages in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 20, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4

Article Content

Article Number: 000033369
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
 
Issue: The contents of /var/log/messages are not forwarded along with the application-level log streams. A remote syslog aggregator or SIEM therefore never sees operating-system logins (for example, SSH sessions) or attempts to use su on the appliance.

Tasks: Edit the syslog-ng configuration file to enable forwarding of the operating-system log.
This must be done on each instance whose operating-system log you want to see; these settings are not replicated between instances.
  1. Log in as rsaadmin via SSH.
  2. Run the command sudo su - to become the root user.
  3. Using a text editor, such as vi, edit /etc/syslog-ng/syslog-ng.conf.
  4. Find the first mention of destination. It is a commented-out line, followed by a second commented-out line.
  5. Uncomment this line and the next, and change the IP address to the IP of the syslog aggregator. Check the port while you are there, to make sure it is the one your aggregator is listening on.
  6. To save, press Esc, then type :wq to exit.
  7. Restart the syslog service to make the changes take effect. Note that the service is named syslog, not syslog-ng, even though the daemon is syslog-ng.
  8. To test, log out and back in, then check the syslog aggregator to see whether the login appears. It may be listed as an sshd event rather than as a login.
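The procedure above as a script, added here as a worked example; it is not part of the RSA article and not RSA's own tooling. It assumes the appliance ships the forwarding pair commented out in the SUSE style, i.e. #destination logserver { udp("10.10.10.10" port(514)); }; followed by #log { source(src); destination(logserver); };. The destination name, placeholder address and transport may differ on a given instance (the script accepts any name and any quoted IPv4 address). The syslog-ng -s syntax check, the /etc/init.d/syslog init script name and the logger command are assumptions about the appliance's SUSE base rather than statements from the article, and the aggregator address 192.0.2.10 is a documentation address used only in the constructed sample.

```shell
#!/bin/bash
# Added example (not from the RSA article): script the syslog-ng forwarding change
# described above and verify it. Run as root on EACH instance; the setting is not
# replicated. Assumption: the forwarding pair is commented out in the SUSE style
#   #destination logserver { udp("10.10.10.10" port(514)); };
#   #log { source(src); destination(logserver); };

# enable_forwarding FILE AGGREGATOR_IP PORT
# Uncomments the first commented destination line, rewrites its address and port,
# and uncomments the following commented log statement that references that
# destination. Leaves FILE.bak beside the original and keeps FILE's mode/owner.
enable_forwarding() {
    local file=$1 ip=$2 port=$3
    cp -p "$file" "$file.bak"
    awk -v ip="$ip" -v port="$port" '
        !done && name == "" && /^#[[:space:]]*destination[[:space:]]+[A-Za-z0-9_]+[[:space:]]*[{]/ {
            sub(/^#[[:space:]]*/, "")                      # uncomment
            sub(/"[0-9.]+"/, "\"" ip "\"")                  # placeholder IP -> aggregator IP
            sub(/port\([0-9]+\)/, "port(" port ")")         # placeholder port -> listener port
            match($0, /destination[[:space:]]+[A-Za-z0-9_]+/)
            name = substr($0, RSTART + 11, RLENGTH - 11)   # remember the destination name
            sub(/^[[:space:]]+/, "", name)
        }
        !done && name != "" && /^#[[:space:]]*log[[:space:]]*[{]/ && index($0, "destination(" name ")") {
            sub(/^#[[:space:]]*/, "")                      # uncomment the matching log statement
            done = 1
        }
        { print }
    ' "$file" > "$file.new" && cat "$file.new" > "$file" && rm -f "$file.new"
}

# verify_forwarding FILE AGGREGATOR_IP
# Exit 0 only if an ACTIVE (uncommented) destination carries the aggregator IP and
# an active log statement references that destination; otherwise exit 1.
verify_forwarding() {
    local file=$1 ip=$2 name
    name=$(awk -v ip="$ip" '
        /^[[:space:]]*destination[[:space:]]+[A-Za-z0-9_]+[[:space:]]*[{]/ && index($0, "\"" ip "\"") {
            match($0, /destination[[:space:]]+[A-Za-z0-9_]+/)
            n = substr($0, RSTART + 11, RLENGTH - 11); sub(/^[[:space:]]+/, "", n); print n; exit
        }' "$file")
    [ -n "$name" ] || return 1
    grep -Eq "^[[:space:]]*log[[:space:]]*[{].*destination\($name\)" "$file"
}

# apply_on_instance AGGREGATOR_IP PORT
# The real-instance sequence: edit, verify, syntax-check, restart the init script
# (named syslog although the daemon is syslog-ng), then emit a marker line with
# logger that you can search for on the aggregator instead of logging out and in.
apply_on_instance() {
    local ip=$1 port=$2 conf=/etc/syslog-ng/syslog-ng.conf
    enable_forwarding "$conf" "$ip" "$port"
    verify_forwarding "$conf" "$ip" || { echo "no forwarding block enabled in $conf" >&2; return 1; }
    syslog-ng -s -f "$conf" || { echo "syntax error in $conf, restoring backup" >&2; cat "$conf.bak" > "$conf"; return 1; }
    /etc/init.d/syslog restart
    logger -p auth.notice "syslog forwarding test from $(hostname) $(date +%s)"
}

# demo_on_sample_conf
# Applies the change to a CONSTRUCTED sample config (not a real appliance file) in a
# temp directory, pointing at 192.0.2.10:514, and prints the path of the result.
demo_on_sample_conf() {
    local dir f
    dir=$(mktemp -d); f=$dir/syslog-ng.conf
    cat > "$f" <<'EOF'
source src { internal(); unix-dgram("/dev/log"); };
destination messages { file("/var/log/messages"); };
log { source(src); destination(messages); };
#
# Enable this and adopt IP to send to a log server
#
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
EOF
    enable_forwarding "$f" 192.0.2.10 514
    printf '%s\n' "$f"
}
```

Usage: `apply_on_instance <aggregator-ip> <port>` as root on each instance; `demo_on_sample_conf` exercises the edit on a throwaway file first. If the uncommented destination keeps the udp() transport from the shipped default (an assumption about the default, not a statement from the article), the forwarded messages travel in clear text and without acknowledgement; where the aggregator supports it, switch the destination to tcp() or syslog-ng's TLS transport, and confirm the aggregator's host firewall actually accepts the port you configured before trusting the test login to appear.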
