Remote syslog server is unable to recognize a new rsyslog format in RSA Authentication Manager 8.4 or later
Originally Published: 2019-11-15
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 or later
Platform: Linux
O/S Version: SUSE Linux Enterprise Server 12 SP3 or later
Product Description: RSA SID Access Virtual Appliance
Issue
There are issues with syslog ingestion from the Authentication Manager system to a remote syslog server, such as a Splunk system.
The OS logs (seen in /var/log/messages) are in this format:
Nov 13 12:22:16 am82p sshd[28408]: error: PAM: Authentication failure for illegal user root from aunrkangol.example.com
Nov 13 12:22:16 am82p sshd[28408]: Failed keyboard-interactive/pam for invalid user root from 10.8.9.71 port 58944 ssh2
The Authentication Manager 8.4 logs (seen in /var/log/messages) are in this format:
2019-11-13T14:50:18.332766+11:00 2019-11-13 14: 50:18,216, am84p.example.com, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, INFO, 727b5bf9d61f3e0a17063737e2c9083a,100bed93d61f3e0a60b71e8f084aecef,10.8.9.10,10.6.7.89,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,71e4919bd61f3e0a6b183e2cbfb5af72-U9+EdpeJQN8s,86173ab0d61f3e0a74a7e09a1d640a74,000000000000000000001000d0011000,000000000000000000001000e0011000,mtestuser1,mTest,User,5ad2154fd61f3e0a0cdc400fc348602a,000000000000000000001000e0011000,10.8.9.75,AUNRKANGOL,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,6,4,,,,,695d1f54d61f3e0a34bc29b78a5fd7a6,xxxxxxxx5213,,
A remote syslog server, such as Splunk, is able to ingest (and parse) the standard OS logs. However, when it receives the AM logs, it is unable to parse the format correctly.
Note that the date/time stamp in the OS example is completely different from the one in the AM example. In the OS example, the hostname comes second, while the AM example shows a date in this position.
Cause
Resolution
To turn on the traditional format, log in to the Authentication Manager instance:
1. Launch an SSH client, such as PuTTY, or access the console directly.
2. Log in to the Authentication Manager server as rsaadmin and enter the operating system password.
Note that during Quick Setup another user name may have been selected. Use that user name to log in.
3. Change to the root user:
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Mon Nov 12 10:43:13 2019 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am84p:~> sudo su -
rsaadmin's password: <enter operating system password>
am84p:~ #
4. Using a text editor, such as vi, edit /etc/rsyslog.conf:
a. Make a backup of the current rsyslog.conf file and edit it
am84p:~ # cp /etc/rsyslog.conf /etc/rsyslog.conf.ORIG
am84p:~ # vi /etc/rsyslog.conf
b. Enter insert mode by typing i
c. Uncomment the following line by deleting the leading #:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
d. Exit insert mode by hitting Esc
e. To save the change and exit:
:wq!
5. For the changes to take effect, run the command below:
am84p:~ # rcsyslog restart
6. Verify that you get the "traditional" format, similar to below:
Nov 14 10:10:49 2019-11-14 10:10:49,700, am84p.example.local, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, ERROR, ca5b67c2d61f3e0a5f22441cc1f684a0,100bed93d61f3e0a60b71e8f084aecef,10.9.10.84,10.6.31.214,AUTHN_LOGIN_EVENT,13002,FAIL,AUTHN_METHOD_FAILED,c702bc26d61f3e0a4f1986a895dfc603-DSGD19Z3SPMF,86173ab0d61f3e0a74a7e09a1d640a74,000000000000000000001000d0011000,000000000000000000001000e0011000,mtestuser1,mTest,User,5ad2154fd61f3e0a0cdc400fc348602a,000000000000000000001000e0011000,10.9.10.84,AUNRKANGMD1C,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,6,4,,,,,,,,
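One way to script the checks in steps 4c and 6, as an added example rather than RSA's own tooling: it confirms the directive is uncommented and classifies the leading timestamp of recent log lines. The function names and the script name check_format.sh are assumptions of this example, and the sample lines are constructed from the formats shown above.

```shell
#!/bin/sh
# Added example: checks for steps 4c and 6. Function names are this example's own.

# Exit 0 if the traditional-format directive is present and uncommented in file $1.
traditional_enabled() {
    grep -Eq '^[[:space:]]*\$ActionFileDefaultTemplate[[:space:]]+RSYSLOG_TraditionalFileFormat([[:space:]]|$)' "$1"
}

# Print the leading timestamp style of one log line: traditional, rfc3339 or unknown.
timestamp_format() {
    if printf '%s\n' "$1" | grep -Eq '^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} '; then
        echo traditional   # e.g. "Nov 14 10:10:49 " (day is space-padded)
    elif printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2}) '; then
        echo rfc3339       # e.g. "2019-11-13T14:50:18.332766+11:00 "
    else
        echo unknown
    fi
}

# Read log lines on stdin and print a count per timestamp style.
summarize_log() {
    trad=0; rfc=0; other=0
    while IFS= read -r line; do
        case "$(timestamp_format "$line")" in
            traditional) trad=$((trad + 1)) ;;
            rfc3339)     rfc=$((rfc + 1)) ;;
            *)           other=$((other + 1)) ;;
        esac
    done
    echo "traditional=$trad rfc3339=$rfc unknown=$other"
}

# Usage on the appliance: sh check_format.sh /etc/rsyslog.conf /var/log/messages
if [ "$#" -eq 2 ]; then
    if traditional_enabled "$1"; then echo "directive active"
    else echo "directive missing or commented"; fi
    tail -n 20 "$2" | summarize_log
else
    # No arguments: run on two constructed sample lines (shortened from the formats above).
    summarize_log <<'EOF'
Nov 14 10:10:49 2019-11-14 10:10:49,700, am84p.example.local, audit.runtime..., ERROR
2019-11-13T14:50:18.332766+11:00 2019-11-13 14:50:18,216, am84p.example.com, audit.runtime..., INFO
EOF
fi
```

Only lines written after the restart in step 5 use the new format, so older lines in the same file still count as rfc3339.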