Forward syslog messages in RSA Authentication Manager 8.0 through 8.3
Originally Published: 2016-06-18
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.0 - 8.3
Issue
Resolution
- Log in as rsaadmin via SSH.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Mon Jan 6 14:05:00 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
- Run the command sudo su - to become the root user.
- Using a text editor, such as vi, edit /etc/syslog-ng/syslog-ng.conf:
rsaadmin@am8p:~> sudo su -
rsaadmin's password: <enter operating system password>
am8p:~ # vi /etc/syslog-ng//syslog-ng.conf
- Find the first mention of destination.
#destination newscrit { file("/var/log/news/news.crit"
# owner(news) group(news)); };
#log { source(src); filter(f_newscrit); destination(newscrit); };
/destination
- This brings you to the #destination logserver line in the block below:
# Enable this and adopt IP to send log messages to a log server.
#
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
- Uncomment this line and the next, and change the IP address to the IP of the syslog aggregator. Check the port as well to ensure it is the one your aggregator is listening on.
destination logserver { udp("192.168.33.104" port(514)); };
log { source(src); destination(logserver); };
- To save and exit, press Esc, then type :wq!.
- Restart the syslog service to make the changes take effect. I don't know why it uses syslog instead of syslog-ng.
am8p:~ # /etc/init.d/syslog restart
Shutting down syslog services done
Starting syslog services done
- Test by logging out and back in, then checking the syslog aggregator to see if the login shows up. Note that it might be listed as an sshd event.
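Added example, not part of the original RSA article: a shell check to run against /etc/syslog-ng/syslog-ng.conf after the edit. It confirms that the destination line is uncommented and that an uncommented log statement routes to it, which catches the case where only one of the two lines was uncommented. The function names and the sample file are constructed for illustration, and only the udp()/tcp() destination form shown above is recognized.

```shell
#!/bin/sh
# Added example (not RSA's code): list active remote destinations in a
# syslog-ng.conf and whether a log statement actually routes to each.

# Print config lines that are not commented out.
active_lines() { grep -v '^[[:space:]]*#' "$1"; }

# list_forwarders FILE
# Output per destination: NAME PROTO IP PORT wired|unwired
list_forwarders() {
    conf=$1
    active_lines "$conf" |
    sed -nE 's/^[[:space:]]*destination[[:space:]]+([A-Za-z0-9_]+)[[:space:]]*\{[[:space:]]*(udp|tcp)\("([^"]*)"[[:space:]]*port\(([0-9]+)\)\).*/\1 \2 \3 \4/p' |
    while read -r name proto ip port; do
        # "wired" means an uncommented log { ... destination(NAME); } exists.
        if active_lines "$conf" |
           grep -Eq "^[[:space:]]*log[[:space:]]*\{.*destination\($name\)"; then
            echo "$name $proto $ip $port wired"
        else
            echo "$name $proto $ip $port unwired"
        fi
    done
}

# Constructed sample: destination uncommented, log line left commented.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Enable this and adopt IP to send log messages to a log server.
#
destination logserver { udp("192.168.33.104" port(514)); };
#log { source(src); destination(logserver); };
EOF
list_forwarders "$sample"
rm -f "$sample"
```

On the appliance, call list_forwarders /etc/syslog-ng/syslog-ng.conf as root; an empty result or an "unwired" entry means nothing is being forwarded to that destination.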
Notes
This article is version specific and applies to older versions of RSA Authentication Manager that still use syslog-ng, and not newer versions using rsyslog.