SecurID® Discussions
TJMcCann
Occasional Contributor

AM8.4 P03 Multiple SYSLOG Destinations

I see there is a technote for sending SYSLOG to multiple destinations in Auth Manager 8.1: https://community.rsa.com/docs/DOC-46055 

In reviewing the steps involved, my instance of AM8.4 P03 does not have a configuration file at /etc/syslog-ng/syslog-ng.conf. Does https://community.rsa.com/docs/DOC-46055 apply for AM8.4? If not, is there another means to send to multiple SYSLOG destinations?


Accepted Solutions
EdwardDavis
Employee

8.4 switches over to rsyslog, and no longer uses syslog-ng.

Here is one way to do it on 8.4.0.0.0 and up.

a) as root

edit the /etc/rsyslog.d/remote.conf file and add your destinations/ports

example: here I have 4 destinations, all UDP and port 514

vi /etc/rsyslog.d/remote.conf

<snip>

# Remote Logging using UDP
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host
*.* @10.101.99.140:514
*.* @1.2.3.4:514
*.* @2.3.4.5:514
*.* @12.12.12.12:514

<snip>

b) bump rsyslog

 service rsyslog restart

c) configure Security Console logging to send to 127.0.0.1

d) perform some actions, verify traffic is outgoing to all destinations

here I use tcpdump on the command line to see if all four destinations work; I just edited a user in Security Console to trigger a log event

edavis-vm150:/etc/rsyslog.d # tcpdump -i eth0 udp port 514 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:13:24.404511 IP 10.101.99.150.48350 > 10.101.99.140.514: SYSLOG user.info, length: 551
11:13:24.404536 IP 10.101.99.150.52317 > 1.2.3.4.514: SYSLOG user.info, length: 551
11:13:24.404557 IP 10.101.99.150.49073 > 2.3.4.5.514: SYSLOG user.info, length: 551
11:13:24.404603 IP 10.101.99.150.53604 > 12.12.12.12.514: SYSLOG user.info, length: 551

----

You can do more with rsyslog, but that is beyond the scope of the RSA documentation. The help menu in Security Console discusses how to encrypt outgoing syslog with rsyslog, but doesn't cover multiple destinations or ports, etc. Many public web sites do cover various configuration options with rsyslog.

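The accepted answer above pairs two things a defender wants to keep in sync: the forwarding rules in /etc/rsyslog.d/remote.conf and the tcpdump evidence that each destination is actually receiving datagrams. The script below is an added example, not code from the thread or from RSA: it parses rsyslog's legacy-format forwarding lines (`@host[:port]` for UDP, `@@host[:port]` for TCP, port defaulting to 514) and the `tcpdump -nn` output format shown in the answer, then reports which configured destinations were observed, which were not, and which still forward over plaintext UDP. The sample inputs are constructed from the answer's own excerpt, with the fourth destination deliberately left out of the capture so the missing-destination check has something to find.

```python
"""Cross-check rsyslog forwarding rules against a tcpdump capture.

Added example for the SecurID thread above; not RSA code. It assumes the
legacy rsyslog forwarding syntax shown in the answer and the default
`tcpdump -nn` line format. Sample inputs below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the remote.conf excerpt from the thread.
SAMPLE_CONF = """\
# Remote Logging using UDP
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host
*.* @10.101.99.140:514
*.* @1.2.3.4:514
*.* @2.3.4.5:514
*.* @12.12.12.12:514
"""

# Constructed sample capture: the thread's tcpdump output with the
# 12.12.12.12 line removed, so one destination is missing on purpose.
SAMPLE_TCPDUMP = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:13:24.404511 IP 10.101.99.150.48350 > 10.101.99.140.514: SYSLOG user.info, length: 551
11:13:24.404536 IP 10.101.99.150.52317 > 1.2.3.4.514: SYSLOG user.info, length: 551
11:13:24.404557 IP 10.101.99.150.49073 > 2.3.4.5.514: SYSLOG user.info, length: 551
"""


@dataclass(frozen=True)
class Destination:
    host: str
    port: int
    proto: str  # "udp" for a single '@', "tcp" for '@@'


# Legacy rsyslog forwarding rule: <selector> @[@][(opts)]host[:port]
_RULE_RE = re.compile(
    r"^\s*(?P<selector>\S+)\s+"
    r"(?P<at>@@?)"                    # '@' = UDP, '@@' = TCP
    r"(?:\((?P<opts>[^)]*)\))?"       # optional legacy options such as (o) or (z9)
    r"(?P<host>\[[^\]]+\]|[^\s:]+)"   # bracketed IPv6 literal or plain host/IPv4
    r"(?::(?P<port>\d+))?\s*$"
)

# tcpdump -nn line: "... IP src.sport > dst.dport: ..."
_PKT_RE = re.compile(r"\bIP\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):")


def parse_forwarding_rules(conf_text: str) -> list[Destination]:
    """Return the forwarding destinations declared in an rsyslog config fragment."""
    rules: list[Destination] = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments, including the '#*.* @remote-host' template
        m = _RULE_RE.match(stripped)
        if not m:
            continue  # not a legacy forwarding rule (e.g. RainerScript action(...) lines)
        host = m.group("host").strip("[]")
        port = int(m.group("port") or 514)  # rsyslog's default syslog port
        proto = "tcp" if m.group("at") == "@@" else "udp"
        rules.append(Destination(host, port, proto))
    return rules


def parse_tcpdump(capture_text: str) -> set[tuple[str, int]]:
    """Return the (destination host, destination port) pairs seen in tcpdump output."""
    seen: set[tuple[str, int]] = set()
    for line in capture_text.splitlines():
        m = _PKT_RE.search(line)
        if m:
            seen.add((m.group("dst"), int(m.group("dport"))))
    return seen


def check_delivery(rules: list[Destination], seen: set[tuple[str, int]]) -> dict[str, list]:
    """Compare configured destinations with observed traffic and flag plaintext UDP."""
    configured = {(r.host, r.port) for r in rules}
    return {
        "delivered": sorted(configured & seen),
        "missing": sorted(configured - seen),
        "plaintext_udp": sorted((r.host, r.port) for r in rules if r.proto == "udp"),
    }


if __name__ == "__main__":
    report = check_delivery(parse_forwarding_rules(SAMPLE_CONF), parse_tcpdump(SAMPLE_TCPDUMP))
    for label in ("delivered", "missing", "plaintext_udp"):
        print(f"{label}: {report[label]}")
```

On a real appliance the two inputs would be the contents of /etc/rsyslog.d/remote.conf and a capture taken while triggering an event as the answer describes; a non-empty `missing` list points at a destination to investigate (rule typo, firewall, or the restart in step b not having been done), and `plaintext_udp` lists what the encryption procedure in the Security Console help would apply to.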
TJMcCann
Occasional Contributor

Thanks Erica. I wish that bulletin came up in my search results.

Terrence McCann,

Interesting. I just searched for auth manager 8.4 multiple syslog and that article was the only hit when searching in the RSA SecurID Access space.

Can you tell me the search terms you used and whether you searched within RSA SecurID Access or used the global search (the big magnifying glass in the upper right corner of each page)? I just checked the article and it is tagged within an inch of its life. If there is anything we missed, we can add it.

Regards,

Erica
TJMcCann
Occasional Contributor

Erica,

It was a fault of my own. I searched using Google and didn't qualify with 8.4.

vr/ TJ

Are these steps to be performed ONLY on the primary or on primary and any replicas? 

I ask because Step 2 in https://community.rsa.com/docs/DOC-101149 mentions logging into the primary.

On command line... per each server.

Actions performed in the Security Console are on primary only, where one GUI can manage primary and replica settings.

Spencer May,

Thank you for the feedback. Much appreciated! I updated 000037206 - How to configure RSA Authentication Manager 8.4 or later to send data to multiple remote syslog servers, adding step 10 to the Resolution section, so it now reads:

  10. Once done with the primary, please repeat steps 1 through 9 above on each replica server in your deployment. Be sure to complete the tasks on one before moving to the other(s).

Regards,

Erica

Thanks
