This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

How to configure RSA Authentication Manager to send log messages to a local file for an audit trail

Article Number

000036464

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.x

Issue

This article outlines on how to configure all instances of RSA Authentication Manager to send log messages to a local file to maintain an audit trail of all logon requests and operations performed using the Security Console.

 

Task

Download and install an SSH client for connecting remotely to the RSA Authentication Manager server for accessing the operating system.

Enable SSH to log on to the appliance operating system using Secure Shell (SSH)

Steps

  1. In the Operations Console, navigate to Administration > Operating System Access.
  2. In the SSH Settings section, select the checkbox for each NIC on which SSH needs to be enabled and click Save.
  3. On the primary instance, log on to the appliance via SSH with the user name rsaadmin and the operating system password.
  4. Change directories to RSA_AM_HOME/utils.  By default, RSA_AM_HOME is /opt/rsa/am.

login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter OS password>
Last login: Wed Jun 20 07:02:13 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils/
rsaadmin@am82p:/opt/rsa/am/utils

Resolution

Administrative Logs

  1. Using the user name of rsaadmin and the operating system password, login to the primary server via SSH, as described above.  
  2. Change directories to RSA_AM_HOME/utils.  By default, RSA_AM_HOME is /opt/rsa/am.

login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter OS password>
Last login: Wed Jun 20 07:02:13 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils/
rsaadmin@am82p:/opt/rsa/am/utils>
  1. To configure administrative logs from RSA Authentication Manager to log messages to a local file, type the command ./rsautil store -a config_all ims.logging.audit.admin.datastore database,file
  2. When prompted, type the Operations Console administrator user name and password.

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a config_all ims.logging.audit.admin.datastore database,file
Please enter OC Administrator username: <enter Operations Console administrator user name>
Please enter OC Administrator password: <enter Operations Console administrator password> 
psql.bin:/tmp/b6e88ac0-926a-4851-8e76-648f3a51595e7410652829394293332.sql:149: NOTICE:Changed the value of configuration 
​parameter 'ims.logging.audit.admin.datastore' from 'database' to 'database,file' for all instances.
 config_all
------------
(1 row)
 


Runtime Logs

Runtime logs are logs of your users' authentication activity and show successful and failed authentication attempts.

  1. Using the user name of rsaadmin and the operating system password, login to the primary server via SSH, as described above.  
  2. Change directories to RSA_AM_HOME/utils.  By default, RSA_AM_HOME is /opt/rsa/am.
  3. To configure RSA Authentication Manager to log runtime log messages to a local file, use the command ./rsautil store -a config_all ims.logging.audit.runtime.datastore database,file.
  4. When prompted, type the Operations Console administrator user name and password.

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a config_all ims.logging.audit.runtime.datastore database,file
Please enter OC Administrator username: <enter Operations Console administrator user name> 
Please enter OC Administrator password: <enter Operations Console administrator password> 
psql.bin:/tmp/f5823a48-2a9c-45cf-9e20-91a2214de4bf2460283098139289642.sql:149: NOTICE: Changed the value of configuration
parameter 'ims.logging.audit.runtime.datastore' from 'database' to 'database,file' for all instances.
 config_all
------------
(1 row)
 


System Logs

  1. Using the user name of rsaadmin and the operating system password, login to the primary server via SSH, as described above.  
  2. Change directories to RSA_AM_HOME/utils.  By default, RSA_AM_HOME is /opt/rsa/am.
  3. To configure system logs for RSA Authentication Manager to log messages to a local file, use the command ./rsautil store -a config_all ims.logging.system.datastore database,file.
  4. When prompted, type the Operations Console administrator user name and password.

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a config_all ims.logging.system.datastore database,file
Please enter OC Administrator username: <enter Operations Console administrator user name> 
Please enter OC Administrator password: <enter Operations Console administrator password> 
psql.bin:/tmp/02fab820-97da-45d9-b2ad-bcd5180b22f5120862600450095984.sql:149: NOTICE: Changed the value of configuration
parameter 'ims.logging.system.datastore' from 'database' to 'database,file' for all instances.
 config_all
------------
(1 row)
 

The configuration can also be done from the Security Console of RSA Authentication Manager, depending upon the log level requirement.

  1. Navigate to Setup > System Settings > Logging.
  2. Under Log Levels, set the value for:
  • Trace Log,
  • Administrative Audit Log,
  • Runtime Audit Log,
  • and/or System Log.
Image descriptionImage description
  1. Select one of the options below to send logs to the local RSA Authentication Manager operating system logs,
Image descriptionImage description
  1. Select the option below and provide the IP address of the remote syslog server to send logs to dedicated syslog server
Image descriptionImage description
 

Only one remote syslog server can be selected.

Notes

​Once the RSA Authentication Manager is configured to write log messages to local files, data is written to the following three files that are present in the following locations.​
  • Admin Log file : RSA_AM_HOME/server/logs/imsAdminAudit.log
  • Runtime Log file : RSA_AM_HOME/server/logs/imsRuntimeAudit.log
  • System Log file : RSA_AM_HOME/server/logs/imsSystem.log

The locations of these files are hard coded and cannot be changed.

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-23 02:32 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.