Forward syslog messages in RSA Authentication Manager 8.0 through 8.3
Originally Published: 2016-06-18
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.0 - 8.3
Issue
Resolution
- Log in as the rsaadmin user via SSH.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Mon Jan 6 14:05:00 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
- Run the command sudo su - to become the root user.
- Using a text editor, such as vi, edit /etc/syslog-ng/syslog-ng.conf:
rsaadmin@am8p:~> sudo su -
rsaadmin's password: <enter operating system password>
am8p:~ # vi /etc/syslog-ng//syslog-ng.conf
- Find the first mention of destination.
#destination newscrit { file("/var/log/news/news.crit"
# owner(news) group(news)); };
#log { source(src); filter(f_newscrit); destination(newscrit); };
/destination
- This brings you to the #destination logserver line below:
# Enable this and adopt IP to send log messages to a log server.
#
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
- Uncomment this line and the next, and change the IP address to the IP of the syslog aggregator. Check the port as well to ensure it is the one your aggregator is listening on.
destination logserver { udp("192.168.33.104" port(514)); };
log { source(src); destination(logserver); };
- To save, press Esc then :wq! to exit.
- Restart the syslog service to make the changes take effect. I don't know why it uses syslog instead of syslog-ng.
am8p:~ # /etc/init.d/syslog restart
Shutting down syslog services done
Starting syslog services done
- Test by logging out and back in, then checking the syslog aggregator to see if the login shows up. Note that it might be listed as an sshd event.
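A quick check for the edit described above, added here as an example and not part of the original article: it lists only the forwarders whose destination line and log line are both uncommented, which catches the case where only one of the two lines was edited. The function name active_forwarders and the sample files are assumptions, constructed from the stanza shown in the steps.

```shell
#!/bin/sh
# Added example, not from the RSA article. A forwarder counts as active only
# when its destination line is uncommented AND an uncommented log statement
# references it (the two lines the procedure tells you to uncomment).
active_forwarders() {   # usage: active_forwarders FILE -> "name host port"
    awk '
        /^[ \t]*#/ { next }                       # commented-out line: ignore
        /^[ \t]*destination[ \t]/ && /udp\(/ {
            name = $2; sub(/[{].*/, "", name)
            host = $0; sub(/.*udp\("/, "", host); sub(/".*/, "", host)
            port = "514"                          # syslog-ng default for udp()
            if ($0 ~ /port\([0-9]+\)/) {
                port = $0; sub(/.*port\(/, "", port); sub(/\).*/, "", port)
            }
            hosts[name] = host; ports[name] = port
        }
        /^[ \t]*log[ \t]*[{]/ {                   # collect destination(...) refs
            rest = $0
            while (match(rest, /destination\([^)]*\)/)) {
                used[substr(rest, RSTART + 12, RLENGTH - 13)] = 1
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        END { for (n in hosts) if (n in used) print n, hosts[n], ports[n] }
    ' "$1"
}

# Constructed sample inputs built from the stanza shown in the article.
demo_dir=$(mktemp -d)
cat > "$demo_dir/stock.conf" <<'EOF'
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
EOF
cat > "$demo_dir/half.conf" <<'EOF'
destination logserver { udp("192.168.33.104" port(514)); };
#log { source(src); destination(logserver); };
EOF
cat > "$demo_dir/edited.conf" <<'EOF'
destination logserver { udp("192.168.33.104" port(514)); };
log { source(src); destination(logserver); };
EOF

for f in stock half edited; do
    echo "$f: $(active_forwarders "$demo_dir/$f.conf")"
done
```

On the appliance, run the function against /etc/syslog-ng/syslog-ng.conf before restarting the service; empty output means nothing is being forwarded.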
Notes
This article is version specific and applies to older versions of RSA Authentication Manager that still use syslog-ng, and not newer versions using rsyslog.