000034837 - How to send System Messages/logs to a Remote Syslog Server, from your System in RSA Identity Management and Governance

Document created by RSA Customer Support Employee on Oct 19, 2017

Article Content

Article Number: 000034837
Applies To: RSA Product Set: Identity Management and Governance
RSA Version/Condition: Any
Platform: SUSE Linux Enterprise Server 11 (x86_64)

Issue
This article explains how to configure the client-side syslog-ng.conf on an RSA Identity Management and Governance server so that its system log messages are forwarded to a remote log server.
Customers sometimes need to forward logs to a central syslog server (for example one running rsyslog) for security auditing. The information in system logs can be used to detect hardware and software issues as well as application and system configuration errors, and it also plays an important role in security auditing and incident response.
Resolution
This procedure configures the syslog-ng.conf file on the server, acting as a syslog client, to send log messages to a remote log server.
1) Open an SSH session to the server (for example with PuTTY) and log in as user 'root'.
2) Change to the /etc/syslog-ng directory and back up syslog-ng.conf as syslog-ng.conf-ori (or any other name):
 

acm-server:/etc/syslog-ng # cd /etc/syslog-ng
acm-server:/etc/syslog-ng # cp -p syslog-ng.conf syslog-ng.conf-ori

3) Edit the syslog-ng.conf configuration file with the 'vi' editor and search for the line below:
 

# Enable this and adopt IP to send log messages to a log server.

 
4) Uncomment the two lines below in that section:
 

#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };

5) Replace the IP address 10.10.10.10 with the IP address of your remote syslog server. Note that the stock line uses the udp() destination, which sends log messages in cleartext with no delivery guarantee; if the remote server also accepts TCP, syslog-ng's tcp() destination can be used in its place.

For example, with a remote syslog server at 192.168.10.1:
 

destination logserver { udp("192.168.10.1" port(514)); };
log { source(src); destination(logserver); };

6) Save the changes and quit vi by typing:

:wq!

7) Make sure the syslog daemon is enabled in runlevels 3 and 5 (it must be enabled in at least runlevel 3). In the example below syslog is on in runlevels 2, 3 and 5:
 

server-server:/etc/syslog-ng # chkconfig --list syslog
syslog                    0:off  1:off  2:on   3:on   4:off  5:on   6:off

8) Restart the syslog service with the command below :
 

acm-server:/etc/syslog-ng # service syslog restart
Shutting down syslog services                done
Starting syslog services                     done

9) Verify that the change works: generate a test message on the client, confirm that it leaves the client for the remote syslog server on UDP port 514, and confirm that it appears in the remote server's log.
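The following shell script is an added example, not part of the RSA article, that performs steps 2 to 6 above in scripted form and checks its own result. The function names (sample_conf, enable_logserver, logserver_line, demo) are this example's own, and the configuration excerpt it writes is a constructed sample modelled on the stock SLES 11 syslog-ng.conf lines quoted in the article, not the real file. It assumes GNU sed and the exact stock lines shown in step 4; if those lines are absent it refuses rather than silently doing nothing. It also goes slightly beyond the article by accepting a port and a protocol (udp or tcp) argument.

```shell
#!/bin/sh
# Added example (not from the RSA article): scripted form of steps 2 to 6,
# plus a self-check. It assumes the stock SLES 11 syslog-ng.conf lines:
#   #destination logserver { udp("10.10.10.10" port(514)); };
#   #log { source(src); destination(logserver); };

# sample_conf FILE: write a constructed excerpt modelled on the stock file
# (this is NOT the real /etc/syslog-ng/syslog-ng.conf) to FILE, print its path.
sample_conf() {
    cat > "$1" <<'EOF'
source src {
        internal();
        unix-dgram("/dev/log");
};
# Enable this and adopt IP to send log messages to a log server.
#
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
EOF
    echo "$1"
}

# enable_logserver CONF IP [PORT] [PROTO]
# Backs up CONF to CONF-ori, uncomments the two stock lines and substitutes
# the remote server address. PROTO defaults to udp as in the article; pass
# tcp when the remote server listens on TCP. Exit codes: 0 ok, 2 stock lines
# missing (already enabled or a different template), 1 backup failed,
# 3 rewrite did not take effect.
enable_logserver() {
    conf=$1 ip=$2 port=${3:-514} proto=${4:-udp}
    # Refuse to guess: sed would silently do nothing if the lines differ.
    grep -q '^#destination logserver { udp("10\.10\.10\.10" port(514)); };' "$conf" || return 2
    grep -q '^#log { source(src); destination(logserver); };' "$conf" || return 2
    cp -p "$conf" "${conf}-ori" || return 1
    tmp=$(mktemp) || return 3
    sed \
        -e "s|^#destination logserver { udp(\"10\.10\.10\.10\" port(514)); };|destination logserver { $proto(\"$ip\" port($port)); };|" \
        -e 's|^#log { source(src); destination(logserver); };|log { source(src); destination(logserver); };|' \
        "$conf" > "$tmp" || return 3
    # Write back through the existing inode so owner/mode of the file are kept.
    cat "$tmp" > "$conf" || return 3
    rm -f "$tmp"
    # Confirm both lines are now active, exactly as the article's step 5 shows.
    grep -q "^destination logserver { $proto(\"$ip\" port($port)); };" "$conf" || return 3
    grep -q '^log { source(src); destination(logserver); };' "$conf" || return 3
}

# logserver_line CONF: print the active destination line for inspection.
logserver_line() {
    grep '^destination logserver' "$1"
}

# demo: run the rewrite on a throwaway copy and show the resulting diff.
demo() {
    f=$(sample_conf "$(mktemp)")
    enable_logserver "$f" 192.168.10.1 && diff "${f}-ori" "$f" || :
    rm -f "$f" "${f}-ori"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh enable_logserver.sh demo` to see the diff on a temporary copy; on the real server, source the file and call `enable_logserver /etc/syslog-ng/syslog-ng.conf <server-ip>` as root, then syntax-check with `syslog-ng -s` before `service syslog restart`. For step 9, a quick end-to-end check is `logger -t kb-test "remote syslog test"` on the client while `tcpdump -ni any udp port 514` runs there, followed by a look at the remote server's log for the kb-test line; if nothing leaves the client, the usual causes are a typo in the address or a host firewall blocking outbound UDP 514.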
 
