Configure the Remote Syslog Host for Real Time Log MonitoringConfigure the Remote Syslog Host for Real Time Log Monitoring

You can configure a remote syslog host to log messages from Authentication Manager. The remote syslog can manage logs from multiple systems in the network, including RSA Authentication Manager. The remote host must be a valid UNIX or Linux machine with syslog capabilities. The location of files and IP tables used in configuration may vary depending on your remote host. For instructions, see your UNIX or Linux documentation.

After you have configured the remote syslog host, you must configure a destination for your log files. In the Security Console on each Authentication Manager instance, you can choose how to send log records to the remote syslog host:

• Authentication Manager can send logs directly to the remote syslog host without encryption.
• Authentication Manager can save logs locally, and you can configure the appliance operating system to encrypt the logs before sending them to remote syslog host.

Encrypt Syslog RecordsEncrypt Syslog Records

On each RSA Authentication Manager 8.7 SP1 instance, you can configure the appliance operating system to encrypt the syslog records before sending them to the remote syslog host.

RSA qualified SUSE Linux Enterprise Server (SLES) 12 Service Pack 3 and rsyslog version 8.24.0 for the remote syslog host.

Note: This configuration data is not saved in backup files. If you restore the Authentication Manager instance, you must perform the procedure again.

Before you begin

• In the Security Console, save the log data to the internal database only or save the log data to both the internal database and the local operating system syslog. For instructions, see Configure Logging.
• Collect the required information:
  • The Fully Qualified Hostname (FQHN) for the remote syslog server.
  • The port that Authentication Manager will use to contact the remote syslog server
• Obtain the public certificate for the remote syslog server.
• The rsaadmin operating system password is required.

Procedure

1. Log on to the appliance with the User ID rsaadmin and the operating system password that you defined during Quick Setup.
   • On a hardware appliance, an Amazon Web Services appliance, or an Azure appliance, log on to the appliance using an SSH client.
   • On a virtual appliance, log on to the appliance using an SSH client, the VMware vSphere client, the Hyper-V System Center Virtual Machine Manager Console, or the Hyper-V Manager.

   To log on to the appliance operating system using Secure Shell (SSH), you must enable SSH.

   For instructions, see Enable Secure Shell on the Appliance.

2. Copy the remote syslog public certificate to the directory /opt/rsa/am/certs/remoteSyslogServer.
3. Switch to the root user, and edit /etc/rsyslog.d/remote.conf with additional configuration data.
4. To configure one remote syslog server, add the following information:

   $DefaultNetstreamDriverCAFile /opt/rsa/am/certs/remoteSyslogServer/Server_CA_0_Root.crt
   $DefaultNetstreamDriver gtls # use gtls netstream driver
   $ActionSendStreamDriverMode 1 # require TLS for the connection
   $ActionSendStreamDriverAuthMode x509/name #certificate validation and subject name authentication as described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
   *.* @@(o)fqhn:port

   Where the value of parameter DefaultNetstreamDriverCAFile should be the file location of the remote syslog public certificate, and the values of fqhn and port are configured in the remote syslog server's configuration file remote.conf.

   For more than one remote syslog server, add the following information:

   $DefaultNetstreamDriverCAFile /opt/rsa/am/certs/remoteSyslogServer/Server_CA_0_Chain.crt
   $DefaultNetstreamDriver gtls # use gtls netstream driver
   $ActionSendStreamDriverMode 1 # require TLS for the connection
   $ActionSendStreamDriverAuthMode x509/name #certificate validation and subject name authentication as described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
   *.* @@(o)fqhn1:port
   #----
   #----Syslog Server 2
   *.* @@(o)fqhn2:port
   #----
   

   Where the value of parameter DefaultNetstreamDriverCAFile should be the file location of the public certificate used by all of the remote syslog servers, and the values of fqhn1 and port are configured in the first remote syslog server's configuration file remote.conf, and the values of of fqhn2 and port are configured in the second remote syslog server's configuration file remote.conf. Add lines as needed for additional syslog servers.

5. To restart the Remote Syslog Service, run service rsyslog restart
6. Go to /var/log/messages, and verify that the connection is successfuly established between the remote syslog server and Authentication Manager.