Forward syslog messages in RSA Authentication Manager 8.0 through 8.3
Originally Published: 2016-06-18
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.0 - 8.3
Issue
Resolution
- Log in as the rsaadmin user via SSH.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Mon Jan 6 14:05:00 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
- Run the command sudo su - to become the root user.
- Using a text editor, such as vi, edit /etc/syslog-ng/syslog-ng.conf:
rsaadmin@am8p:~> sudo su -
rsaadmin's password: <enter operating system password>
am8p:~ # vi /etc/syslog-ng//syslog-ng.conf
- Find the first mention of destination.
#destination newscrit { file("/var/log/news/news.crit"
# owner(news) group(news)); };
#log { source(src); filter(f_newscrit); destination(newscrit); };
/destination
- This brings you to the commented-out destination logserver line below:
# Enable this and adopt IP to send log messages to a log server.
#
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
- Uncomment this line and the next, and change the IP address to the IP of the syslog aggregator. Check the port as well to ensure it is the one your aggregator is listening on.
destination logserver { udp("192.168.33.104" port(514)); };
log { source(src); destination(logserver); };
- To save, press Esc then :wq! to exit.
- Restart the syslog service to make the changes take effect. I don't know why it uses syslog instead of syslog-ng.
am8p:~ # /etc/init.d/syslog restart
Shutting down syslog services done
Starting syslog services done
- Test by logging out and back in, then checking the syslog aggregator to see if the login shows up. Note that it might be listed as an sshd event.
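An added example, not part of the original article: a POSIX shell function that checks whether the edit from the steps above is actually active in a syslog-ng.conf, that is, the destination logserver line and its log path are uncommented and the sample address 10.10.10.10 has been replaced. The function name and exit codes are assumptions made for this example, and it only understands the udp(...) form shown above.

```shell
#!/bin/sh
# Added example (not RSA's code): audit syslog-ng.conf for the forwarding edit.
#
# check_forwarding FILE
#   prints "<ip> <port>" of the active logserver destination on success.
# Exit codes (chosen for this example):
#   0 forwarding is active
#   1 "destination logserver" is missing, still commented out, or not udp(...)
#   2 no active log { ... destination(logserver); } statement
#   3 destination still points at the sample address 10.10.10.10
check_forwarding() {
    conf=$1

    # First uncommented "destination logserver {" line, if any.
    dest=$(grep -E '^[[:space:]]*destination[[:space:]]+logserver[[:space:]]*\{' "$conf" | head -n 1)
    [ -n "$dest" ] || return 1

    # An uncommented log statement must route messages to that destination,
    # otherwise the destination is defined but never used.
    grep -Eq '^[[:space:]]*log[[:space:]]*\{.*destination\(logserver\)' "$conf" || return 2

    # Extract the address and port from udp("<ip>" port(<n>)).
    ip=$(printf '%s\n' "$dest" | sed -n 's/.*udp("\([^"]*\)".*/\1/p')
    port=$(printf '%s\n' "$dest" | sed -n 's/.*port(\([0-9]*\)).*/\1/p')
    [ -n "$ip" ] || return 1

    # The shipped sample value means the address was never adapted.
    [ "$ip" != "10.10.10.10" ] || return 3

    # syslog-ng defaults to port 514 for udp() when port() is omitted.
    printf '%s %s\n' "$ip" "${port:-514}"
}
```

Call it as root with check_forwarding /etc/syslog-ng/syslog-ng.conf after saving the file and before restarting the syslog service.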
Notes
This article is version specific and applies to older versions of RSA Authentication Manager that still use syslog-ng, and not newer versions using rsyslog.