This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
TerrenceMcCann1
Beginner
Beginner
‎2019-06-14 08:42 AM

AM8.4 P03 Multiple SYSLOG Destinations

Jump to solution

I see there is a technote for sending SYSLOG to multiple destinations in Auth Manager 8.1: https://community.rsa.com/docs/DOC-46055 

 

In reviewing the steps involved, my instance of AM8.4 P03 does not have a configuration file for /etc/syslog-ng/syslog-ng.conf Does https://community.rsa.com/docs/DOC-46055 apply for AM8.4? If not, is there another means to send to multiple SYSLOG destinations?

 

pastedImage_1.png

Labels (1)
0 Likes
Reply
1 Solution

Accepted Solutions
EdwardDavis
Employee
Employee
‎2019-06-14 11:23 AM

Jump to solution

8.4 switches over to rsyslog, and no longer uses syslog-ng.

 

Here is one way to do it on 8.4.0.0.0 and up

 

a) as root

edit /etc/rsyslog.d/remote.conf file and add your destinations/ports

 

example: here I have 4 destinations all UDP and port 514

 

vi /etc/rsyslog.d/remote.conf

 

<snip>

# Remote Logging using UDP
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host
*.* @10.101.99.140:514
*.* @1.2.3.4:514
*.* @2.3.4.5:514
*.* @12.12.12.12:514

 

<snip>

 

b) bump rsyslog

 

 service rsyslog restart

 

c) configure Security Console logging to send to 127.0.0.1

pastedImage_5.png

 

d) perform some actions, verify traffic is outgoing to all destinations

 

here I use tcpdump on command line to see if all four destinations work, I just

edited a user in security console to trigger a log event

 

edavis-vm150:/etc/rsyslog.d # tcpdump -i eth0 udp port 514 -nn


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


11:13:24.404511 IP 10.101.99.150.48350 > 10.101.99.140.514: SYSLOG user.info, length: 551
11:13:24.404536 IP 10.101.99.150.52317 > 1.2.3.4.514: SYSLOG user.info, length: 551
11:13:24.404557 IP 10.101.99.150.49073 > 2.3.4.5.514: SYSLOG user.info, length: 551
11:13:24.404603 IP 10.101.99.150.53604 > 12.12.12.12.514: SYSLOG user.info, length: 551

 

----

 

You can do more with rsyslog but that is beyond the scope of the RSA documentation. The help menu in Security Console discusses how to encrypt outgoing syslog with rsyslog, but doesn't cover multiple destinations or ports...etc. Many public web sites do cover various configuration options with rsyslog. 

View solution in original post

Reply
14 Replies
EdwardDavis
Employee
Employee
‎2019-06-14 11:23 AM

Jump to solution

8.4 switches over to rsyslog, and no longer uses syslog-ng.

 

Here is one way to do it on 8.4.0.0.0 and up

 

a) as root

edit /etc/rsyslog.d/remote.conf file and add your destinations/ports

 

example: here I have 4 destinations all UDP and port 514

 

vi /etc/rsyslog.d/remote.conf

 

<snip>

# Remote Logging using UDP
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host
*.* @10.101.99.140:514
*.* @1.2.3.4:514
*.* @2.3.4.5:514
*.* @12.12.12.12:514

 

<snip>

 

b) bump rsyslog

 

 service rsyslog restart

 

c) configure Security Console logging to send to 127.0.0.1

pastedImage_5.png

 

d) perform some actions, verify traffic is outgoing to all destinations

 

here I use tcpdump on command line to see if all four destinations work, I just

edited a user in security console to trigger a log event

 

edavis-vm150:/etc/rsyslog.d # tcpdump -i eth0 udp port 514 -nn


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


11:13:24.404511 IP 10.101.99.150.48350 > 10.101.99.140.514: SYSLOG user.info, length: 551
11:13:24.404536 IP 10.101.99.150.52317 > 1.2.3.4.514: SYSLOG user.info, length: 551
11:13:24.404557 IP 10.101.99.150.49073 > 2.3.4.5.514: SYSLOG user.info, length: 551
11:13:24.404603 IP 10.101.99.150.53604 > 12.12.12.12.514: SYSLOG user.info, length: 551

 

----

 

You can do more with rsyslog but that is beyond the scope of the RSA documentation. The help menu in Security Console discusses how to encrypt outgoing syslog with rsyslog, but doesn't cover multiple destinations or ports...etc. Many public web sites do cover various configuration options with rsyslog. 

View solution in original post

Reply
EricaChalfin
Employee
Employee
In response to EdwardDavis
‎2019-06-14 11:39 AM

Jump to solution

Terrence McCann‌,

 

The knowledge article on this topic can be found at 000037206 - How to configure RSA Authentication Manager 8.4 or later to send data to multiple remote....

 

Regards,

Erica

0 Likes
Reply
TerrenceMcCann1
Beginner
Beginner
In response to EricaChalfin
‎2019-06-14 02:01 PM

Jump to solution

Thanks Erica. I wish that bulletin came up in my search results.

0 Likes
Reply
EricaChalfin
Employee
Employee
In response to TerrenceMcCann1
‎2019-06-14 03:00 PM

Jump to solution

Terrence McCann‌,

 

Interesting.  I just searched for auth manager 8.4 multiple syslog and that article was the only hit when searching in the RSA SecurID Access space

 

Can you tell me the search terms you used and if you searched within RSA SecurID Access or if you used the global search (the big magnifying glass in the upper right corner of each page)?  I just checked the article and it is tagged within an inch of its life.  If there anything we missed, we can add it.

 

Regards,

Erica

0 Likes
Reply
TerrenceMcCann1
Beginner
Beginner
In response to EricaChalfin
‎2019-06-17 08:30 AM

Jump to solution

Erica,

  It was a fault of my own. I searched using Google and didn't qualify with 8.4.

 

vr/ TJ

Reply
SpencerMay
Beginner
Beginner
In response to EdwardDavis
‎2019-06-18 09:03 AM

Jump to solution

Are these steps to be performed ONLY on the primary or on primary and any replicas? 

I ask because Step 2 in https://community.rsa.com/docs/DOC-101149 mentions logging into the primary.

Reply
EdwardDavis
Employee
Employee
In response to SpencerMay
‎2019-06-18 04:26 PM

Jump to solution

On command line... per each server.

Actions performed in the Security Console are on primary only, where one GUI can manage primary and replica settings.

Reply
EricaChalfin
Employee
Employee
In response to SpencerMay
‎2019-06-19 10:56 AM

Jump to solution

Spencer May‌,

 

Thank you for the feedback.  Much appreciated!  I updated 000037206 - How to configure RSA Authentication Manager 8.4 or later to send data to multiple remote..., adding step 10 to the Resolution section, so it now reads:

  1. Once done with the primary, please repeat steps 1 through 9 above on each replica server in your deployment.  Be sure to complete the tasks on one before moving to the other(s).

Regards,

Erica

Reply
SpencerMay
Beginner
Beginner
In response to EdwardDavis
‎2019-06-20 10:56 AM

Jump to solution

Thanks

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.