Remote syslog server is unable to recognize a new rsyslog format in RSA Authentication Manager 8.4 or later
Originally Published: 2019-11-15
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 or later
Platform: Linux
O/S Version: Suse Linux Enterprise Server 12 SP3 or later
Product Description: RSA SID Access Virtual Appliance
Issue
There are issues with syslog ingestion from the Authentication Manager system to a remote syslog server, such as a Splunk system.
The OS logs (seen in /var/log/messages) are in this format:
Nov 13 12:22:16 am82p sshd[28408]: error: PAM: Authentication failure for illegal user root from aunrkangol.example.com
Nov 13 12:22:16 am82p sshd[28408]: Failed keyboard-interactive/pam for invalid user root from 10.8.9.71 port 58944 ssh2
The Authentication Manager 8.4 logs (seen in /var/log/messages) are in this format:
2019-11-13T14:50:18.332766+11:00 2019-11-13 14: 50:18,216, am84p.example.com, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, INFO, 727b5bf9d61f3e0a17063737e2c9083a,100bed93d61f3e0a60b71e8f084aecef,10.8.9.10,10.6.7.89,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,71e4919bd61f3e0a6b183e2cbfb5af72-U9+EdpeJQN8s,86173ab0d61f3e0a74a7e09a1d640a74,000000000000000000001000d0011000,000000000000000000001000e0011000,mtestuser1,mTest,User,5ad2154fd61f3e0a0cdc400fc348602a,000000000000000000001000e0011000,10.8.9.75,AUNRKANGOL,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,6,4,,,,,695d1f54d61f3e0a34bc29b78a5fd7a6,xxxxxxxx5213,,
A remote syslog server, such as Splunk, is able to ingest (and parse) the standard OS logs. However, when it receives the AM logs, it is unable to parse the format correctly.
Note that the date/time stamp in the OS example is in a completely different format from the one in the AM example. In the OS example, the hostname is the second field, while the AM example shows a date in this position.
Cause
Resolution
To turn on the traditional format, log in to the Authentication Manager instance:
1. Launch an SSH client, such as PuTTY, or access the console directly.
2. Log in to the Authentication Manager server as rsaadmin and enter the operating system password.
Note that during Quick Setup another user name may have been selected. Use that user name to log in.
3. Change to the root user:
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Mon Nov 12 10:43:13 2019 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am84p:~> sudo su -
rsaadmin's password: <enter operating system password>
am84p:~ #
4. Using a text editor, such as vi, edit /etc/rsyslog.conf:
a. Make a backup of the current rsyslog.conf file and open it for editing:
am84p:~ # cp /etc/rsyslog.conf /etc/rsyslog.conf.ORIG
am84p:~ # vi /etc/rsyslog.conf
b. Enter insert mode by typing i
c. Uncomment the following line by deleting the leading #:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
d. Exit insert mode by hitting Esc
e. To save the change and exit
:wq!
5. For the changes to take effect, run the command below:
am84p:~ # rcsyslog restart
6. Verify that you get the "traditional" format, similar to below:
Nov 14 10:10:49 2019-11-14 10:10:49,700, am84p.example.local, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, ERROR, ca5b67c2d61f3e0a5f22441cc1f684a0,100bed93d61f3e0a60b71e8f084aecef,10.9.10.84,10.6.31.214,AUTHN_LOGIN_EVENT,13002,FAIL,AUTHN_METHOD_FAILED,c702bc26d61f3e0a4f1986a895dfc603-DSGD19Z3SPMF,86173ab0d61f3e0a74a7e09a1d640a74,000000000000000000001000d0011000,000000000000000000001000e0011000,mtestuser1,mTest,User,5ad2154fd61f3e0a0cdc400fc348602a,000000000000000000001000e0011000,10.9.10.84,AUNRKANGMD1C,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,6,4,,,,,,,,
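Steps 4 to 6 can also be carried out without an interactive editor. The shell functions below are an added example, not part of the original RSA article; the function names are hypothetical, and the configuration path is passed as an argument so the functions can be tried on a copy of the file first.

```shell
#!/bin/sh
# Added example: non-interactive form of steps 4-6 (hypothetical helper names).

# Return 0 if the traditional-format directive is present and not commented out.
directive_active() {
    grep -Eq '^[[:space:]]*\$ActionFileDefaultTemplate[[:space:]]+RSYSLOG_TraditionalFileFormat' "$1"
}

# Back up CONF to CONF.ORIG (only if no backup exists yet), then strip the
# leading '#' from the directive. Returns 0 if the directive is active
# afterwards, 1 if the file does not contain it, 2 on a backup/temp-file error.
enable_traditional_format() {
    conf=$1
    directive_active "$conf" && return 0      # already enabled, nothing to do
    [ -e "$conf.ORIG" ] || cp -p "$conf" "$conf.ORIG" || return 2
    tmp=$(mktemp) || return 2
    sed -E 's/^[[:space:]]*#+[[:space:]]*(\$ActionFileDefaultTemplate[[:space:]]+RSYSLOG_TraditionalFileFormat)/\1/' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps CONF's owner and mode
    rm -f "$tmp"
    directive_active "$conf"
}

# Return 0 if LINE starts with the traditional "Mmm dd hh:mm:ss " timestamp,
# 1 if it starts with anything else (for example an RFC 3339 timestamp).
is_traditional_line() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} '
}

# On the appliance, as root (path and restart command are the article's):
#   enable_traditional_format /etc/rsyslog.conf && rcsyslog restart
#   is_traditional_line "$(tail -n 1 /var/log/messages)" && echo "traditional format"
```

A return code of 1 from enable_traditional_format means the commented directive was not found in the file, in which case the file is left unchanged.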