The contents of /var/log/messages are not forwarded along with the application-level log streams. This means that a remote syslog aggregator or SIEM will not see operating system logins or attempts to use su on the appliance.
To resolve this issue, edit the syslog-ng configuration file on each RSA Authentication Manager primary and replica instance whose operating system syslog you want forwarded. These settings are not replicated between instances, so the change must be made on every instance.
Log in as rsaadmin via SSH.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Mon Jan 6 14:05:00 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
Run the command sudo su - to become the root user.
Using a text editor, such as vi, edit /etc/syslog-ng/syslog-ng.conf:
rsaadmin@am8p:~> sudo su -
rsaadmin's password: <enter operating system password>
am8p:~ # vi /etc/syslog-ng/syslog-ng.conf
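The following syslog-ng statements are an added illustration of the kind of forwarding rule this procedure leads to; they are not taken from the RSA documentation or from a shipped syslog-ng.conf. The collector hostname siem.example.com and port 514/TCP are assumptions and must be replaced with the values for your aggregator or SIEM.

```conf
# Added example (not RSA's own configuration): read the appliance's
# /var/log/messages and ship each line to a remote collector, so that
# OS logins and su attempts are visible alongside the application logs.

# Tail /var/log/messages; follow-freq(1) polls the file every second so
# new lines are picked up without restarting syslog-ng.
source s_os_messages {
    file("/var/log/messages" follow-freq(1));
};

# Remote collector. Hostname and port are placeholders for this example;
# tcp() is used rather than udp() so delivery failures are detectable.
destination d_siem {
    tcp("siem.example.com" port(514));
};

# Connect the source to the destination. Without this log {} statement
# the source and destination definitions have no effect.
log {
    source(s_os_messages);
    destination(d_siem);
};
```

After saving the file, restart syslog-ng and generate a test event (for example a failed su attempt from a second session) to confirm it arrives at the collector before relying on the forwarding for monitoring.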