How to Forward RSA Authentication Manager 8.4 or Later Logs to Multiple Syslog Servers Using rsyslog
Originally Published: 2019-02-21
Article Number
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
Use this article when you need RSA Authentication Manager 8.4 or later to forward log data to more than one remote syslog server simultaneously. As of Authentication Manager 8.4, the underlying OS was updated to SUSE Linux Enterprise Server (SLES) 12 SP4, which uses rsyslog instead of syslog-ng. The steps in this article reflect that change.
ℹ️ NOTE: For Authentication Manager 8.1 configurations, refer to How to configure RSA Authentication Manager 8.1 to send data to multiple remote syslog servers — covers the syslog-ng method used in earlier versions.
Prerequisites:
- Log On to the Appliance Operating System with SSH
- Administrative access to the Authentication Manager primary server (and each replica)
- The rsaadmin credentials and operating system password
- UDP port 514 open between the Authentication Manager appliance and each target syslog server
Resolution
ℹ️ NOTE: RSA Authentication Manager 8.4 uses rsyslog instead of syslog-ng. The remote syslog destinations are defined in
/etc/rsyslog.d/remote.conf. The global rsyslog configuration is located at /etc/rsyslog.conf.Step 1: Launch an SSH client (e.g., PuTTY) and connect to the primary Authentication Manager server.
ℹ️ NOTE: If a different username was selected during Quick Setup, use that username instead of
rsaadmin.Step 3: Elevate your session to root
sudo su - root
⚠️ CAUTION: You are now operating as root. Incorrect changes to system files can impact Authentication Manager availability. Proceed carefully.
Step 4: Enter the operating system password when prompted.
Step 5: Navigate to the rsyslog configuration directory:
cd /etc/rsyslog.d/
Step 6: Create a backup copy of the remote.conf file before making any changes:
cp remote.conf remote.conf.bak
Step 7: Open the remote.conf file for editing:
vi remote.conf
Step 8: Locate the remote hosts section in the file and append a new line for each additional syslog server using the format below:
########## Sending Messages to Remote Hosts ##########
# Remote Logging using TCP for reliable delivery
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host
# Remote Logging using UDP
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host
*.* @<syslog-server-1-IP>:514
*.* @<syslog-server-2-IP>:514
ℹ️ NOTE: A single
@ sends logs via UDP. Use @@ for TCP (reliable delivery). Replace <syslog-server-1-IP> and <syslog-server-2-IP> with the actual IP addresses of your syslog servers.Step 9: Save and close the file.
Step 10: Restart the rsyslog daemon:
rcsyslog restart
Expected output:
redirecting to systemctl restart syslog.service
Step 11: Verify the rsyslog service is running:
rcsyslog status
Expected output:
rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2019-02-21 10:30:18 AEDT; 20s ago
Main PID: 11447 (rsyslogd)
Step 12: In the Security Console, configure logging to send to localhost:
Navigate to Administration > Logging > Remote Syslog and set the syslog destination to
127.0.0.1.Step 13: Verify that logs are reaching the remote syslog servers by monitoring outbound traffic on port 514.
To monitor all traffic on port 514:
tcpdump -nvv -i eth0 port 514
To monitor traffic to a specific syslog server:
tcpdump -nvv -i eth0 "dst host <syslog-server-IP> and dst port 514"
Confirm that log packets are being sent from the Authentication Manager appliance to each configured syslog server IP.
Step 14: Repeat Steps 1–12 on each replica server in your deployment.
⚠️ CAUTION: Complete all steps on one instance before moving to the next. Do not apply changes to multiple servers simultaneously.
Notes
Related Articles
How to configure RSA Authentication Manager 8.1, 8.2, 8.3 to send data to multiple remote syslog servers 1.79KNumber of Views How to configure SNMP for RSA Authentication Manager 8.x 1.29KNumber of Views How to verify RSA Authentication Manager (AM) 8.1 is sending syslog data to a remote syslog server. 1.28KNumber of Views How to send Operating System logs in /var/log/messages file to a remote syslog server in RSA Authentication Manager 8.6 o… 247Number of Views RSA Authentication Manager 8.x - Weak Ciphers Vulnerabilities found with Qualys Scan - Updated 1.55KNumber of Views
Trending Articles
RSA Authentication Manager 8.9 Setup and Configuration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide How to 'Trust' the RSA Authentication Manager Security Console Self-Signed Root CA certificate and prevent Cert warnings. RSA Authentication Manager Upgrade Process
Don't see what you're looking for?