There are two parts to this solution.

Part 1

1. From the Security Console of the RSA Authentication Manager primary, navigate to Setup > System Settings.
2. Under Basic Settings, click Logging.
3. Select Primary as the instance type and click Next.
   1. Select the required Log Levels for Administrative Audit Log, Runtime Audit Log and System Log.
   2. For the Log Data Destination select Save to internal database and local operating system SysLog on the required Log Data options (Administrative Audit Log Data, Runtime Audit Log Data & System Log Data).
4. When finished click Save.

Part 2

This requires either SSH access or local console access to the operating system.

The proposed steps have not been officially qualified by RSA and must be tested prior to any production use.

1. Logon to the Authentication Manager operating system with the rsaadmin account

Note that during Quick Setup another user name may have been selected. Use that user name to login.

2. Elevate to root, entering the rsaadmin password when prompted for a password.

sudo su -

3. Navigate to /etc/syslog-ng.

am81p:~ # cd /etc/syslog-ng

4. Make a copy of the syslog-ng.conf file

am81p:/etc/syslog-ng # cp syslog-ng.conf syslog-ng.conf.ORIG

5. Edit the syslog-ng.conf configuration file using an editor such as vi.
6. Locate the comment # Enable this and adopt IP to send log messages to a log server
7. Uncomment the following two lines:

#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };

8. Change the IP address from 10.10.10.10 to be the IP address of the remote syslog server.  An example of what you are expecting to see is shown here:

The IP address of 192.168.100.100 is used only as an example for the IP address of a remote syslog server.

destination logserver { udp("192.168.100.100" port(514)); };
log { source(src); destination(logserver); };

9. Use the following format to send the data to more than one remote syslog:

destination logserver {
 udp("192.168.100.100" port(514));
 udp("192.168.27.130" port(514));
 udp("192.168.67.143" port(514));
};
log { source(src); destination(logserver); };

10. Key in :wq! to save changes to the syslog-ng.conf configuration file.
11. Restart the syslog daemon with the command /etc/init.d/syslog restart.  For example,

am81p:/etc/syslog-ng # /etc/init.d/syslog restart
Shutting down syslog services                                                                            done
Starting syslog services                                                                                 done
am81p:/etc/syslog-ng #

12. Monitor the outgoing traffic to the remote syslog server to check the change has worked with the command

tcpdump -i eth0 -Z root -n -A -v "dst host n.n.n.n and dst port 514"

 

Making the change to the /etc/syslog-ng/syslog-ng.conf configuration file is a custom change and must be noted when writing up the a disaster recovery plan for all authentication manager instances deployed for production usage.