000036464 - How to configure RSA Authentication Manager to send log messages to a local file for an audit trail

Document created by RSA Customer Support Employee on Jun 28, 2018. Last modified by RSA Customer Support Employee on Jun 28, 2018.
Version 2

Article Content

Article Number: 000036464

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.x

Issue
This article outlines how to configure all instances of RSA Authentication Manager to send log messages to a local file to maintain an audit trail of all logon requests and operations performed using the Security Console.

 
Tasks
Download and install an SSH client to connect remotely to the RSA Authentication Manager server and access the operating system.

Enable Secure Shell (SSH) to log on to the appliance operating system.

Steps



  1. In the Operations Console, navigate to Administration > Operating System Access.
  2. In the SSH Settings section, select the checkbox for each NIC on which SSH needs to be enabled and click Save.
  3. On the primary instance, log on to the appliance via SSH with the user name rsaadmin and the operating system password.
  4. Change directories to RSA_AM_HOME/utils.  By default, RSA_AM_HOME is /opt/rsa/am.


login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter OS password>
Last login: Wed Jun 20 07:02:13 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils/
rsaadmin@am82p:/opt/rsa/am/utils>
Resolution

Administrative Logs



  1. Using the user name rsaadmin and the operating system password, log in to the primary server via SSH, as described above.
  2. Change directories to RSA_AM_HOME/utils. By default, RSA_AM_HOME is /opt/rsa/am.


login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter OS password>
Last login: Wed Jun 20 07:02:13 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils/
rsaadmin@am82p:/opt/rsa/am/utils>


  3. To configure administrative logs from RSA Authentication Manager to log messages to a local file, type the command ./rsautil store -a config_all ims.logging.audit.admin.datastore database,file
  4. When prompted, type the Operations Console administrator user name and password.


rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a config_all ims.logging.audit.admin.datastore database,file
Please enter OC Administrator username: <enter Operations Console administrator user name>
Please enter OC Administrator password: <enter Operations Console administrator password>
psql.bin:/tmp/b6e88ac0-926a-4851-8e76-648f3a51595e7410652829394293332.sql:149: NOTICE:Changed the value of configuration
parameter 'ims.logging.audit.admin.datastore' from 'database' to 'database,file' for all instances.
config_all
------------
(1 row)

 


Runtime Logs



Runtime logs are logs of your users' authentication activity and show successful and failed authentication attempts.



  1. Using the user name rsaadmin and the operating system password, log in to the primary server via SSH, as described above.
  2. Change directories to RSA_AM_HOME/utils. By default, RSA_AM_HOME is /opt/rsa/am.
  3. To configure RSA Authentication Manager to log runtime log messages to a local file, use the command ./rsautil store -a config_all ims.logging.audit.runtime.datastore database,file.
  4. When prompted, type the Operations Console administrator user name and password.


rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a config_all ims.logging.audit.runtime.datastore database,file
Please enter OC Administrator username: <enter Operations Console administrator user name>
Please enter OC Administrator password: <enter Operations Console administrator password>
psql.bin:/tmp/f5823a48-2a9c-45cf-9e20-91a2214de4bf2460283098139289642.sql:149: NOTICE: Changed the value of configuration
parameter 'ims.logging.audit.runtime.datastore' from 'database' to 'database,file' for all instances.
config_all
------------
(1 row)

 


System Logs



  1. Using the user name rsaadmin and the operating system password, log in to the primary server via SSH, as described above.
  2. Change directories to RSA_AM_HOME/utils. By default, RSA_AM_HOME is /opt/rsa/am.
  3. To configure system logs for RSA Authentication Manager to log messages to a local file, use the command ./rsautil store -a config_all ims.logging.system.datastore database,file.
  4. When prompted, type the Operations Console administrator user name and password.


rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a config_all ims.logging.system.datastore database,file
Please enter OC Administrator username: <enter Operations Console administrator user name>
Please enter OC Administrator password: <enter Operations Console administrator password>
psql.bin:/tmp/02fab820-97da-45d9-b2ad-bcd5180b22f5120862600450095984.sql:149: NOTICE: Changed the value of configuration
parameter 'ims.logging.system.datastore' from 'database' to 'database,file' for all instances.
config_all
------------
(1 row)

 

The configuration can also be done from the Security Console of RSA Authentication Manager, depending upon the log level requirement.



  1. Navigate to Setup > System Settings > Logging.
  2. Under Log Levels, set the value for:

  • Trace Log,
  • Administrative Audit Log,
  • Runtime Audit Log,
  • and/or System Log.


  3. Select one of the options below to send logs to the local RSA Authentication Manager operating system logs.

  4. Select the option below and provide the IP address of the remote syslog server to send logs to a dedicated syslog server.

 

Only one remote syslog server can be selected.

Notes
Once RSA Authentication Manager is configured to write log messages to local files, data is written to the following three files:
  • Admin Log file: RSA_AM_HOME/server/logs/imsAdminAudit.log
  • Runtime Log file: RSA_AM_HOME/server/logs/imsRuntimeAudit.log
  • System Log file: RSA_AM_HOME/server/logs/imsSystem.log

The locations of these files are hard coded and cannot be changed.
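
A check to run after the change, added here as an example (it is not RSA's code): it confirms that the three files listed above exist, are non-empty, were written recently and are not world-writable. The function name check_audit_logs and the staleness threshold are assumptions; only the file names and the default RSA_AM_HOME come from this article.

```shell
#!/bin/sh
# Added example: verify the three local audit files named in the Notes.
# Usage (after sourcing this file): check_audit_logs /opt/rsa/am 1440

# check_audit_logs [RSA_AM_HOME] [MAX_AGE_MINUTES]
# Prints one status line per file and returns the number of files
# that have a problem (0 means all three look healthy).
check_audit_logs() {
    am_home=${1:-/opt/rsa/am}   # default install directory per the article
    max_age=${2:-1440}          # assumption: no write for a day counts as stale
    problems=0
    for name in imsAdminAudit.log imsRuntimeAudit.log imsSystem.log; do
        f="$am_home/server/logs/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; problems=$((problems + 1)); continue
        fi
        if [ ! -s "$f" ]; then
            echo "EMPTY    $f"; problems=$((problems + 1)); continue
        fi
        # find -mmin -N prints the file only if modified under N minutes ago
        if [ -z "$(find "$f" -mmin "-$max_age" 2>/dev/null)" ]; then
            echo "STALE    $f"; problems=$((problems + 1)); continue
        fi
        # An audit file writable by "other" can be altered by any local account
        if [ -n "$(find "$f" -perm -0002 2>/dev/null)" ]; then
            echo "WRITABLE $f"; problems=$((problems + 1)); continue
        fi
        echo "OK       $f"
    done
    return "$problems"
}
```

Because the files are local to each instance, run the check on every instance. An instance with no activity of a given type can legitimately report EMPTY or STALE for that file.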
