Remote syslog server is unable to recognize a new rsyslog format in RSA Authentication Manager 8.4 or later
Originally Published: 2019-11-15
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 or later
Platform: Linux
O/S Version: SUSE Linux Enterprise Server 12 SP3 or later
Product Description: RSA SID Access Virtual Appliance
Issue
There are issues with syslog ingestion from the Authentication Manager system to a remote syslog server, such as a Splunk system.
The OS logs (seen in /var/log/messages) are in this format:
Nov 13 12:22:16 am82p sshd[28408]: error: PAM: Authentication failure for illegal user root from aunrkangol.example.com
Nov 13 12:22:16 am82p sshd[28408]: Failed keyboard-interactive/pam for invalid user root from 10.8.9.71 port 58944 ssh2
The Authentication Manager 8.4 logs (seen in /var/log/messages) are in this format:
2019-11-13T14:50:18.332766+11:00 2019-11-13 14:50:18,216, am84p.example.com, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, INFO, 727b5bf9d61f3e0a17063737e2c9083a,100bed93d61f3e0a60b71e8f084aecef,10.8.9.10,10.6.7.89,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,71e4919bd61f3e0a6b183e2cbfb5af72-U9+EdpeJQN8s,86173ab0d61f3e0a74a7e09a1d640a74,000000000000000000001000d0011000,000000000000000000001000e0011000,mtestuser1,mTest,User,5ad2154fd61f3e0a0cdc400fc348602a,000000000000000000001000e0011000,10.8.9.75,AUNRKANGOL,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,6,4,,,,,695d1f54d61f3e0a34bc29b78a5fd7a6,xxxxxxxx5213,,
A remote syslog server, such as Splunk, is able to ingest (and parse) the standard OS logs. However, when it receives the AM logs, it is unable to parse the format correctly.
Note that the date/time stamp in the OS example is in a completely different format from the one in the AM example. In the OS example, the hostname comes second, while the AM example shows a date in this position.
Cause
Resolution
To turn on the traditional format, log in to the Authentication Manager instance:
1. Launch an SSH client, such as PuTTY, or access the console directly.
2. Log in to the Authentication Manager server as rsaadmin and enter the operating system password.
Note that during Quick Setup another user name may have been selected. Use that user name to log in.
3. Change to the root user:
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Mon Nov 12 10:43:13 2019 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am84p:~> sudo su -
rsaadmin's password: <enter operating system password>
am84p:~ #
4. Using a text editor, such as vi, edit /etc/rsyslog.conf:
a. Make a backup of the current rsyslog.conf file and edit it
am84p:~ # cp /etc/rsyslog.conf /etc/rsyslog.conf.ORIG
am84p:~ # vi /etc/rsyslog.conf
b. Enter insert mode by typing i
c. Uncomment the following line by deleting the leading #:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
d. Exit insert mode by hitting Esc
e. To save the change and exit:
:wq!
5. For the changes to take effect, run the command below:
am84p:~ # rcsyslog restart
6. Verify that you get the "traditional" format, similar to below:
Nov 14 10:10:49 2019-11-14 10:10:49,700, am84p.example.local, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, ERROR, ca5b67c2d61f3e0a5f22441cc1f684a0,100bed93d61f3e0a60b71e8f084aecef,10.9.10.84,10.6.31.214,AUTHN_LOGIN_EVENT,13002,FAIL,AUTHN_METHOD_FAILED,c702bc26d61f3e0a4f1986a895dfc603-DSGD19Z3SPMF,86173ab0d61f3e0a74a7e09a1d640a74,000000000000000000001000d0011000,000000000000000000001000e0011000,mtestuser1,mTest,User,5ad2154fd61f3e0a0cdc400fc348602a,000000000000000000001000e0011000,10.9.10.84,AUNRKANGMD1C,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,6,4,,,,,,,,
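One way to script the checks in steps 4c and 6, as an added example that is not part of the original article: it confirms the directive is active in rsyslog.conf and counts log lines that still lack a traditional timestamp. The function names and the shortened sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the RSA article); function names are hypothetical.
# Leading "Mmm dd hh:mm:ss " stamp written by RSYSLOG_TraditionalFileFormat.
TRAD_RE='^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} '
# Leading RFC 3339 stamp, as in the Authentication Manager 8.4 sample.
ISO_RE='^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2}) '

# Succeeds only if FILE has the directive present and not commented out.
template_enabled() {
    grep -Eq '^[[:space:]]*\$ActionFileDefaultTemplate[[:space:]]+RSYSLOG_TraditionalFileFormat[[:space:]]*$' "$1"
}

# Prints the timestamp style of one log line.
classify_line() {
    if printf '%s\n' "$1" | grep -Eq "$TRAD_RE"; then
        echo traditional
    elif printf '%s\n' "$1" | grep -Eq "$ISO_RE"; then
        echo rfc3339
    else
        echo unknown
    fi
}

# Reads log lines on stdin, prints how many lack a traditional timestamp.
count_nontraditional() {
    grep -Evc "$TRAD_RE" || true   # grep exits 1 when the count is 0
}

# Constructed sample lines, shortened from the formats shown in the article.
sample_log() {
    cat <<'EOF'
Nov 14 10:10:49 2019-11-14 10:10:49,700, am84p.example.local, audit.runtime, ERROR, AUTHN_LOGIN_EVENT,FAIL
2019-11-13T14:50:18.332766+11:00 2019-11-13 14:50:18,216, am84p.example.com, audit.runtime, INFO, AUTHN_LOGIN_EVENT,SUCCESS
Nov 13 12:22:16 am82p sshd[28408]: Failed keyboard-interactive/pam for invalid user root from 10.8.9.71 port 58944 ssh2
EOF
}

# Two arguments: check a real config and log file. Otherwise use the samples.
if [ "$#" -eq 2 ]; then
    template_enabled "$1" && echo "template: enabled" || echo "template: NOT enabled"
    echo "non-traditional lines: $(count_nontraditional < "$2")"
else
    echo "non-traditional sample lines: $(sample_log | count_nontraditional)"
fi
```

Run it with /etc/rsyslog.conf and /var/log/messages as arguments after the restart; lines written before the change keep their old timestamp and are still counted.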