000032961 - Ensuring the hostname of an RSA Authentication Manager 8.1 instance is used in the local syslog

Document created by RSA Customer Support Employee on Feb 7, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032961
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 SP1
Issue
Chapter 14 of the RSA Authentication Manager 8.1 Administrator's Guide (Revision 1) provides administrators with instructions for sending runtime, administrative and system data to a local syslog server. By default, the syslog file uses localhost instead of the actual hostname of the Authentication Manager instance. For example,
 
Apr 15 10:28:50 localhost 2016-04-15 10:28:50,627, , 
audit.runtime.com.rsa.ims.session.impl.SessionManagerImpl,
INFO, 0d4efecc2c1f3e0a1ef7914c16e61af3,35bd39232c1f3e0a08dd67a99d0e1f45,
10.46.44.140,10.62.31.44,
AUTHN_LOGOUT_EVENT,13001,SUCCESS,,1109504c2c1f3e0a1f582dc36b34768f-XCf8c3Ovcb6d,
000000000000000000001000d0021000,000000000000000000001000d0011000,
000000000000000000001000e0011000,
superadmin,Admin,Admin,,,,,,,,,,,,,,,,,,,,
Resolution
An administrator can use the following steps to configure the Authentication Manager primary instance to write the actual hostname into the local syslog (/var/log/messages).
NOTE: It is good practice for the administrator to use the Operations Console to perform a backup before making any changes to the Authentication Manager primary instance.
  1. Using an administrative account, set up the log data destination for the Authentication Manager instance.
  2. Log in to the Security Console and select Setup > System Settings.
  3. Under Basic Settings, select Logging.
  4. Select the primary or replica instance type and click Next.
  5. Set the Log Data Destination values for Administrative Audit, Runtime Audit and System to Save to internal database and local operating system SysLog.
  6. If desired, choose the option to Apply the above settings to the replica instance(s) upon save.
  7. When done, click Save.
  8. Log on to the SecurID Appliance via SSH or direct connection, using the rsaadmin account.
  9. Obtain the rsa_dba user password using the command rsautil manage-secrets. You will be prompted to provide an Operations Console administrator name and password.
/opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.db.dba.password      
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
com.rsa.db.dba.password: AxcM8N6t3Ost9IaDG3AlZWRVgC8gIY

  10. Set up the Linux environment variables in preparation for accessing the Authentication Manager database at the command line. Navigate to /opt/rsa/am/utils and use the command: . ./rsaenv. Note that the command syntax is dot space dot slash.
  11. To access the Authentication Manager database use the command: /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba. When prompted, enter the password for the rsa_dba user obtained in step 9. For example:
/opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the rsa_dba user password received in step 9>
psql.bin (9.2.4)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
db=#

  12. Enter the following SQL statement to obtain the id for the Authentication Manager instance(s).
SELECT * FROM rsa_rep.ims_instance;

The example here shows three instances in the Authentication Manager deployment.  The focus for this example is the primary, noted as the initial primary instance.

db=# SELECT * FROM rsa_rep.ims_instance;
                id                | cpu_count |           description            | is_primary | deployed_state
----------------------------------+-----------+----------------------------------+------------+----------------
35bd39232c1f3e0a08dd67a99d0e1f45 |         1 | Initial primary instance.        | t          |
32798b862b1f3e0a08dc8a8af7205700 |         1 | inserted by attachment process   | f          | active
62b3aba82e1f3e0a08dcbb6db40dcaaa |         1 | inserted by attachment process   | f          | active
(3 rows)
db=#

  13. Enter the following SQL statements to show the current syslog configuration for admin, runtime and system:
SELECT * FROM ims_config_value WHERE NAME LIKE 'ims.logging.audit.runtime.syslog_host';
SELECT * FROM ims_config_value WHERE NAME LIKE 'ims.logging.audit.admin.syslog_host';
SELECT * FROM ims_config_value WHERE NAME LIKE 'ims.logging.system.syslog_host';

For example,

db=# SELECT * FROM ims_config_value WHERE NAME LIKE 'ims.logging.audit.runtime.syslog_host';
                id                |           instance_id            |                 name                  |    value
----------------------------------+----------------------------------+---------------------------------------+-------------
27c298ad816e9d0b2491fe9f9d632967 | 62b3aba82e1f3e0a08dcbb6db40dcaaa | ims.logging.audit.runtime.syslog_host | localhost
b6374cba33037d560a87bd8348ff86a0 | 32798b862b1f3e0a08dc8a8af7205700 | ims.logging.audit.runtime.syslog_host | localhost
de0c6090e6178863640390436f90c968 | 35bd39232c1f3e0a08dd67a99d0e1f45 | ims.logging.audit.runtime.syslog_host | localhost
(3 rows)
db=# SELECT * FROM ims_config_value WHERE NAME LIKE 'ims.logging.audit.admin.syslog_host';
                id                |           instance_id            |                name                 |   value
----------------------------------+----------------------------------+-------------------------------------+-----------
9a9b705ea046091b8da9dd10226ddb5f | 62b3aba82e1f3e0a08dcbb6db40dcaaa | ims.logging.audit.admin.syslog_host | localhost
2234885b148da22968e0e6ad5464c9b6 | 35bd39232c1f3e0a08dd67a99d0e1f45 | ims.logging.audit.admin.syslog_host | localhost
34748c46c5012ac58357605bc9c9d0ef | 32798b862b1f3e0a08dc8a8af7205700 | ims.logging.audit.admin.syslog_host | localhost
(3 rows)
db=# SELECT * FROM ims_config_value WHERE NAME LIKE 'ims.logging.system.syslog_host';
                id                |           instance_id            |              name              |   value
----------------------------------+----------------------------------+--------------------------------+-----------
133cb52ef4eba85a8d586f641e8e6d09 | 62b3aba82e1f3e0a08dcbb6db40dcaaa | ims.logging.system.syslog_host | localhost
0b476abfe719181b1c6f79eef35affa2 | 35bd39232c1f3e0a08dd67a99d0e1f45 | ims.logging.system.syslog_host | localhost
62c12ee2bbfd2359f22058d09337c789 | 32798b862b1f3e0a08dc8a8af7205700 | ims.logging.system.syslog_host | localhost
(3 rows)

The rows to note (highlighted in the original article) are those whose instance_id matches the id value from the rsa_rep.ims_instance table; their id values from the ims_config_value table are required for the next step.

  14. Use the Authentication Manager instance id returned by the SQL statement in step 12 to look up the matching instance_id in the data presented in step 13. The administrator needs to make a note of the corresponding id value.
  15. The configuration requires a change in the value column for the required data type (admin, runtime and system) based on the id that represents the Authentication Manager instance. Use the following SQL statement to update the value from localhost to the short name of the Authentication Manager instance based on id.
UPDATE ims_config_value SET VALUE = '{hostname}' where id like '{id}';


  16. Substitute {hostname} with the short name of the Authentication Manager instance (e.g., app81p) and {id} with the value found in steps 13 and 14. In the example here, the primary Authentication Manager instance short name is app81p:

db=# UPDATE ims_config_value SET VALUE = 'app81p' WHERE id LIKE 'de0c6090e6178863640390436f90c968';
UPDATE 1
db=# UPDATE ims_config_value SET VALUE = 'app81p' WHERE id LIKE '2234885b148da22968e0e6ad5464c9b6';
UPDATE 1
db=# UPDATE ims_config_value SET VALUE = 'app81p' WHERE id LIKE '0b476abfe719181b1c6f79eef35affa2';
UPDATE 1
db=#

(This shows the value being updated for ims.logging.audit.runtime.syslog_host, ims.logging.audit.admin.syslog_host and ims.logging.system.syslog_host, represented by the id values obtained above.)

  17. Check that the changes have taken place using the following SQL statements.
SELECT * FROM ims_config_value WHERE NAME LIKE 'ims.logging.audit.runtime.syslog_host';
SELECT * FROM ims_config_value WHERE NAME LIKE 'ims.logging.audit.admin.syslog_host';
SELECT * FROM ims_config_value WHERE NAME LIKE  'ims.logging.system.syslog_host';

As an example,

db=# SELECT * FROM ims_config_value WHERE NAME LIKE 'ims.logging.audit.runtime.syslog_host';
                id                |           instance_id            |                 name                  |    value
----------------------------------+----------------------------------+---------------------------------------+-------------
27c298ad816e9d0b2491fe9f9d632967 | 62b3aba82e1f3e0a08dcbb6db40dcaaa | ims.logging.audit.runtime.syslog_host | localhost
b6374cba33037d560a87bd8348ff86a0 | 32798b862b1f3e0a08dc8a8af7205700 | ims.logging.audit.runtime.syslog_host | localhost
de0c6090e6178863640390436f90c968 | 35bd39232c1f3e0a08dd67a99d0e1f45 | ims.logging.audit.runtime.syslog_host | app81p
(3 rows)
db=#

  18. Elevate to the root user with the command sudo su - root.
  19. Make a copy of the /etc/syslog-ng/syslog-ng.conf file.
sudo su - root
rsaadmin's password: <enter the operating system password>
cp /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.SAV

  20. Edit the /etc/syslog-ng/syslog-ng.conf file, locate the section starting with source src { and replace the loopback IP address (127.0.0.1) with the IP address that the short name of the Authentication Manager instance resolves to. For example:
source src {
        #
        # include internal syslog-ng messages
        # note: the internal() source is required!
        #
        internal();
        #
        # the default log socket for local logging:
        #
        unix-dgram("/dev/log");
        #
        # uncomment to process log messages from network:
        #
        udp(ip("192.168.2.100") port(514));
};

  21. Update the SUSE configuration with the command: SuSEconfig. For example:
app81p:~ # SuSEconfig
Starting SuSEconfig, the SuSE Configuration Tool...
Running in full featured mode.
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SuSEconfig.glib2...
Executing /sbin/conf.d/SuSEconfig.permissions...
/var/spool/uucp: unknown user uucp
Checking permissions and ownerships - using the permissions files
        /etc/permissions
        /etc/permissions.easy
        /etc/permissions.local
setting /etc/crontab to root:root 0644. (wrong permissions 0600)
Finished.

  22. Restart syslog services with the command: /etc/init.d/syslog restart. For example:
app81p:~ # /etc/init.d/syslog restart
Shutting down syslog services                         done
Starting syslog services                              done

  23. Check that the syslog listener is working on port 514 with the command netstat -nap | grep 514.
  • An example of a logon event on the Security Console found in the local syslog (/var/log/messages) is shown below:
Apr 22 15:23:54 app81p 2016-04-22 15:23:54,617, , 
audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl,
INFO, aeae58cf2c1f3e0a1f4667ed0e53689b,35bd39232c1f3e0a08dd67a99d0e1f45,10.46.34.182,10.62.31.44,
AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,f1ebe80f2c1f3e0a1f36a3ec443e906f-3St2tB7//cP2,
000000000000000000001000d0021000,000000000000000000001000d0011000,
000000000000000000001000e0011000,superadmin,Admin,Admin,,,,,,
000000000000000000001000f0022000,RSA_Password,000000000000000000001000f0023001,
RSA_Password/LDAP_Password,,,,,,,,,,,

  • An example of a logout event on the Security Console found in the local syslog (/var/log/messages):
Apr 22 15:24:14 app81p 2016-04-22 15:24:14,939, , 
audit.runtime.com.rsa.ims.session.impl.SessionManagerImpl,
INFO, 69fcfac82c1f3e0a1f5be39f9557ac9b,35bd39232c1f3e0a08dd67a99d0e1f45,,10.62.31.44,
AUTHN_LOGOUT_EVENT,13001,SUCCESS,,f1ebe80f2c1f3e0a1f36a3ec443e906f-3St2tB7//cP2,
000000000000000000001000d0021000,000000000000000000001000d0011000,000000000000000000001000e0011000,
superadmin,Admin,Admin,,,,,,,,,,,,,,,,,,,,

Note:  Now the actual shortname of the Authentication Manager instance appears in the data instead of localhost.
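
An added example, not part of RSA's article: a shell check that reports which hostname syslog stamps on Authentication Manager lines in a file such as /var/log/messages and whether the newest such line carries the expected short name. The function names, the com.rsa. match used to recognise Authentication Manager lines and the shortened sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not RSA's tooling): check which hostname syslog stamps on
# Authentication Manager lines. Assumption: AM lines are recognised by the
# "com.rsa." logger name seen in the runtime audit samples on this page.

# Print "<host> <count>" for every hostname found on AM lines in file $1.
rsa_host_counts() {
    awk '/com\.rsa\./ { n[$4]++ } END { for (h in n) print h, n[h] }' "$1" | sort
}

# Print the hostname on the most recent AM line in file $1 (nothing if none).
# Older lines keep "localhost" after the change, so only the newest counts.
rsa_last_host() {
    awk '/com\.rsa\./ { h = $4 } END { if (h != "") print h }' "$1"
}

# Return 0 if the newest AM line carries hostname $2, 1 if it carries another
# name (for example localhost), 2 if the file has no AM lines at all.
check_syslog_host() {
    last=$(rsa_last_host "$1")
    [ -n "$last" ] || return 2
    [ "$last" = "$2" ]
}

# Constructed sample in the layout of /var/log/messages (shortened, not real data):
# one AM line from before the change, one unrelated line, two AM lines after it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Apr 15 10:28:50 localhost 2016-04-15 10:28:50,627, , audit.runtime.com.rsa.ims.session.impl.SessionManagerImpl,INFO,AUTHN_LOGOUT_EVENT,13001,SUCCESS
Apr 22 15:20:01 app81p syslog-ng[1234]: syslog-ng starting up
Apr 22 15:23:54 app81p 2016-04-22 15:23:54,617, , audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl,INFO,AUTHN_LOGIN_EVENT,13002,SUCCESS
Apr 22 15:24:14 app81p 2016-04-22 15:24:14,939, , audit.runtime.com.rsa.ims.session.impl.SessionManagerImpl,INFO,AUTHN_LOGOUT_EVENT,13001,SUCCESS
EOF

rsa_host_counts "$sample"
if check_syslog_host "$sample" app81p; then
    echo "newest AM line is stamped app81p"
else
    echo "newest AM line is not stamped app81p (or no AM lines found)"
fi
```

On the appliance, pass /var/log/messages and the instance's short name instead of the sample file; a result of 1 after a fresh Security Console logon means the syslog_host values or the syslog restart have not taken effect.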
Notes
db=# SELECT * FROM rsa_rep.IMS_INSTANCE_NODE;
                id                |           instance_id            |  name  |        host         |      ip      | product_patch |     activation_time     |     last_updated_on
----------------------------------+----------------------------------+--------+---------------------+--------------+---------------+-------------------------+-------------------------
43dbd0751e02a8c01aa389a608c8d329 | 1666addb1e02a8c008016d234bd2b1d7 | am81p  | am81p.vcloud.local  | 192.168.2.30 |               | 2016-06-17 11:30:23.332 | 2016-06-20 08:45:21.974
6b4a94581f02a8c01a7da293c61f4850 | 1055445d1f02a8c00801c4db3d79d286 | am81r1 | am81r1.vcloud.local | 192.168.2.31 |               | 2016-06-10 08:41:21.987 | 2016-06-17 11:02:26.083
(2 rows)

db=# SELECT * FROM RSA_REP.IMS_INSTANCE;
                id                | cpu_count |          description           | is_primary | deployed_state
----------------------------------+-----------+--------------------------------+------------+----------------
1666addb1e02a8c008016d234bd2b1d7 |         1 | Initial primary instance.      | t          |
1055445d1f02a8c00801c4db3d79d286 |         1 | inserted by attachment process | f          | active
(2 rows)


  • The instance_id column in the IMS_INSTANCE_NODE table is equivalent to the id column in the ims_instance table. For example, the instance_id 1055445d1f02a8c00801c4db3d79d286 for host am81r1.vcloud.local is equivalent to the id column in the ims_instance table.
OR


  • Use the following query, which combines the fields of both instance_node and instance into one result:
db=# SELECT i.*, inode.host, inode.ip
db-# FROM rsa_rep.ims_instance AS i
db-# INNER JOIN rsa_rep.ims_instance_node inode ON (i.id = inode.instance_id);
                id                | cpu_count |          description           | is_primary | deployed_state |        host         |      ip
----------------------------------+-----------+--------------------------------+------------+----------------+---------------------+--------------
1666addb1e02a8c008016d234bd2b1d7 |         1 | Initial primary instance.      | t          |                | am81p.vcloud.local  | 192.168.2.30
1055445d1f02a8c00801c4db3d79d286 |         1 | inserted by attachment process | f          | active         | am81r1.vcloud.local | 192.168.2.31
(2 rows)



