RSA Access Manager supports forwarding aserver.log, eserver.log and/or dispatcher.log to RSA enVision. The same method may also work for sending logs to a generic syslog server, although that has not been qualified by RSA and hence is not supported.
Instructions to configure that feature are in the "Installation and Configuration Guide" for your RSA Access Manager server version. For example, in the Access Manager Server 6.2.4 Installation and Configuration Guide, the instructions are in chapter 18 "Integrate With enVision", section "Configure Access Manager Server Using Syslog" on page 345.
There are problems with two of the steps in those instructions in all v6.2.x Installation and Configuration Guide manuals.:
The SecurCare Online website URL given in step 2 is no longer available.
The conversion pattern that is given in step 4 is incorrect. If used as shown in the manual, the server fails with the following error message when Access Manager runs (note the misspelling of the word "pattern"):
log4j:ERROR Unexpected char [R] at position 2 in conversion pattern
The RSA website "SecurCare Online" has been replaced with a new site, "RSA Link".
The conversion pattern in step 4 has a percent sign (%) specified where it should not be in front of the word "RSAAXM".
In step 2, download the three files aserver_log4j.conf, eserver_log4j.conf, anddispatcher_log4j.conf files from: RSA NetWitness Event Source Additional Downloads for RSA Access Manager. An RSA Link login is required to be able to access that page. Only those three *_log4j.conf files on that page are needed to configure an Access Manager Server using syslog, so any other files on that page should be ignored.
In step 4, the correct ConversionPattern instruction setting is: