Configure the Remote Syslog Host for Real Time Log Monitoring
Based on the version of the RSA Authentication Manager (AM), the remote syslog host can be configured as follows:
You can configure a remote syslog host to log messages from AM. The remote syslog can manage logs from multiple systems in the network, including AM.
RSA has qualified the following for the remote syslog host:
SUSE Linux Enterprise Server (SLES) 15 Service Pack 4 and rsyslog version 8.2306.0
Red Hat Enterprise Linux 9.1 and rsyslog version 8.2102.0
After you have configured the remote syslog host, you must configure a destination for your log files. On each AM instance in the Security Console, you can choose how to send log records to the remote syslog host:
AM can send logs directly to the remote syslog host without encryption.
AM can save logs locally, and you can configure the appliance operating system to encrypt the logs before sending them to remote syslog host.
Encrypt Syslog Records
On each AM 8.9 instance, you can configure the appliance operating system to encrypt the syslog records before sending them to the remote syslog host.
Note: For AM upgraded from 8.7 SP2 with an existing remote syslog configuration, clean up the existing remote syslog configuration to proceed with the further steps.
Note: Syslog configuration data is not saved in the backup files. If you restore the AM instance, you must reconfigure the remote syslog.
Before you begin
In the Security Console, go to Setup > System Settings > Logging > select an instance > Next, then select one of the following options and click Save.
Save to internal database and local operating system syslog.
Save to internal database and remote syslog at the following hostname or IP address. Provide 127.0.0.1 as the IP address.
For more instructions, see Configure Logging.
If you are configuring log settings on the primary instance and you want to apply the same changes to the replica instance, click Apply the above settings to the replica instance(s) upon save.
Collect the required information:
The Fully Qualified Hostname (FQHN) for the remote syslog server.
The secure port that AM will use to contact the remote syslog server.
Obtain the public certificate for the remote syslog server.
Obtain the rsaadmin operating system password.
Procedure
Log on to the primary instance appliance using an SSH client. For details, see Log On to the Appliance Operating System with SSH.
To log on to the appliance operating system using Secure Shell (SSH), you must enable SSH. For instructions, see Enable Secure Shell on the Appliance.
Create a /opt/rsa/am/certs/remoteSyslogServer directory and copy the remote syslog public certificate to the directory.
Switch to the root user, and edit /etc/rsyslog.d/remote.conf, adding one of the following configuration blocks:
a. To configure AM for one remote syslog server.
# -- TLS Syslog Client
# <certificate_file> → the certificate of the configured remote syslog server.
global(DefaultNetstreamDriverCAFile="/opt/rsa/am/certs/remoteSyslogServer/<certificate_file>")
# set up the action for all messages
action(type="omfwd" protocol="tcp" target="<fqhn>" port="<port>" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" gnutlsprioritystring="NORMAL:+VERS-TLS1.3")
b. To configure AM for multiple remote syslog servers.
# -- TLS Syslog Client
# <certificate_file> → the certificate common to all configured remote syslog servers, or a file concatenating the certificates of all configured remote syslog servers in PEM format.
global(DefaultNetstreamDriverCAFile="/opt/rsa/am/certs/remoteSyslogServer/<certificate_file>")
# set up the action for all messages for Syslog Server 1
action(type="omfwd" protocol="tcp" target="<fqhn1>" port="<port1>" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" gnutlsprioritystring="NORMAL:+VERS-TLS1.3")
# set up the action for all messages for Syslog Server 2
action(type="omfwd" protocol="tcp" target="<fqhn2>" port="<port2>" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" gnutlsprioritystring="NORMAL:+VERS-TLS1.3")
To restart the Remote Syslog Service, run service rsyslog restart.
To check the status of Remote Syslog Service, run service rsyslog status.
Check /var/log/messages and verify that the connection between AM and the remote syslog server was established successfully.
For AM 8.7 SP2
You can configure a remote syslog host to log messages from AM. The remote syslog can manage logs from multiple systems in the network, including AM. RSA has qualified SUSE Linux Enterprise Server (SLES) 12 Service Pack 3 and rsyslog version 8.24.0 for the remote syslog host.
After you have configured the remote syslog host, you must configure a destination for your log files. In the Security Console on each AM instance, you can choose how to send log records to the remote syslog host:
AM can send logs directly to the remote syslog host without encryption.
AM can save logs locally, and you can configure the appliance operating system to encrypt the logs before sending them to remote syslog host.
Encrypt Syslog Records for AM 8.7 SP2
On each AM 8.7 SP2 instance, you can configure the appliance operating system to encrypt the syslog records before sending them to the remote syslog host.
Note: Configuration data is not saved in the backup files. If you restore the AM instance, you must perform the procedure again.
Before you begin
In the Security Console, save the log data to the internal database only or save the log data to both the internal database and the local operating system syslog. For more instructions, see Configure Logging.
Collect the required information:
The Fully Qualified Hostname (FQHN) for the remote syslog server.
The secure port that AM will use to contact the remote syslog server.
Obtain the public certificate for the remote syslog server.
Obtain the rsaadmin operating system password.
Procedure
Log on to the appliance with the User ID rsaadmin and the operating system password that you defined during Quick Setup.
On a hardware appliance, an Amazon Web Services appliance, or an Azure appliance, log on to the appliance using an SSH client.
On a virtual appliance, log on to the appliance using an SSH client, the VMware vSphere client, the Hyper-V System Center Virtual Machine Manager Console, or the Hyper-V Manager.
To log on to the appliance operating system using Secure Shell (SSH), you must enable SSH.
For instructions, see Enable Secure Shell on the Appliance.
Copy the remote syslog public certificate to the directory /opt/rsa/am/certs/remoteSyslogServer.
Switch to the root user, and edit /etc/rsyslog.d/remote.conf with additional configuration data.
To configure one remote syslog server, add the following information:
$DefaultNetstreamDriverCAFile /opt/rsa/am/certs/remoteSyslogServer/Server_CA_0_Root.crt
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name #certificate validation and subject name authentication as described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
*.* @@(o)fqhn:port
Where the value of the DefaultNetstreamDriverCAFile parameter is the file location of the remote syslog public certificate, and the values of fqhn and port are those configured for the remote syslog server in its configuration file remote.conf.
For more than one remote syslog server, add the following information:
$DefaultNetstreamDriverCAFile /opt/rsa/am/certs/remoteSyslogServer/Server_CA_0_Chain.crt
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name #certificate validation and subject name authentication as described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
*.* @@(o)fqhn1:port
#----
#----Syslog Server 2
*.* @@(o)fqhn2:port
#----
Where the value of the DefaultNetstreamDriverCAFile parameter is the file location of the public certificate used by all of the remote syslog servers, the values of fqhn1 and port are those configured for the first remote syslog server in its configuration file remote.conf, and the values of fqhn2 and port are those configured for the second remote syslog server in its configuration file remote.conf. Add lines as needed for additional syslog servers.
To restart the Remote Syslog Service, run service rsyslog restart.
Check /var/log/messages and verify that the connection between AM and the remote syslog server was established successfully.
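Before restarting rsyslog, it is worth confirming that every forwarding action in remote.conf actually carries the TLS settings required by the AM 8.9 procedure (the action(...) block) and the AM 8.7 SP2 procedure (the $directive block and the *.* @@(o)host:port rules) above. The following checker is an added example, not RSA's or rsyslog's own code; it assumes each action(...) is written on a single line, as in the blocks above, and uses constructed hostnames and a constructed sample file.

```python
import re

# Settings the procedure requires on every action: gtls, TLS-only mode 1, x509/name auth.
REQUIRED = {"streamdriver": "gtls", "streamdrivermode": "1",
            "streamdriverauthmode": "x509/name"}

def parse_actions(conf):
    """Collect forwarding actions from remote.conf text, in both the RainerScript
    action(...) form (AM 8.9, assumed one action per line) and the legacy
    $directive plus '*.* @@host:port' form (AM 8.7 SP2)."""
    actions, legacy = [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line:
            continue
        m = re.match(r"action\((.*)\)$", line, re.I)
        if m:                                         # RainerScript action()
            actions.append({k.lower(): v for k, v in
                            re.findall(r'(\w+)="([^"]*)"', m.group(1))})
            continue
        m = re.match(r"\$(\w+)\s+(\S+)", line)
        if m:                                         # legacy global directive
            legacy[m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r"\*\.\*\s+@@(?:\(o\))?([^:\s]+):(\d+)", line)
        if m:                                         # legacy TCP forward rule
            actions.append({
                "target": m.group(1), "port": m.group(2),
                "streamdriver": legacy.get("defaultnetstreamdriver", ""),
                "streamdrivermode": legacy.get("actionsendstreamdrivermode", ""),
                "streamdriverauthmode": legacy.get("actionsendstreamdriverauthmode", "")})
    return actions

def check_remote_conf(conf):
    """'target:port' -> settings unset or weaker than REQUIRED ([] means TLS-only OK)."""
    report = {}
    for a in parse_actions(conf):
        key = f"{a.get('target', '?')}:{a.get('port', '?')}"
        report[key] = [f"{k}={a.get(k) or '<unset>'}"
                       for k, want in REQUIRED.items()
                       if a.get(k, "").lower() != want]
    return report

# Constructed AM 8.9-style sample; the second action is deliberately weak
# (mode 0 permits plaintext, authmode anon skips certificate validation).
SAMPLE_89 = """\
action(type="omfwd" protocol="tcp" target="syslog1.example.net" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" gnutlsprioritystring="NORMAL:+VERS-TLS1.3")
action(type="omfwd" protocol="tcp" target="syslog2.example.net" port="514" StreamDriver="gtls" StreamDriverMode="0" StreamDriverAuthMode="anon")
"""
```

Run check_remote_conf() over the real /etc/rsyslog.d/remote.conf contents; any target with a non-empty list is forwarding audit records without the TLS protection the procedure intends.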