How to send Operating System logs in /var/log/messages file to a remote syslog server in RSA Authentication Manager 8.6 or later
Originally Published: 2024-03-15
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 or later
Platform: SUSE Linux Enterprise Server
O/S Version: SUSE Linux 12 SP3 or later
Product Description: RSA SecurID Appliance
Issue
Although the Authentication Manager application-level logs can be forwarded to a remote syslog server, the contents of /var/log/messages are not forwarded along with them. This means that a remote syslog server or SIEM system will not see any logins to the operating system or attempts to use su.
Resolution
The syslog server(s) to forward to are defined in the configuration file /etc/rsyslog.d/remote.conf; the rest of the rsyslog configuration lives in /etc/rsyslog.conf.
1. Launch an SSH client, such as PuTTY.
2. Log in to the primary Authentication Manager server as rsaadmin and enter the operating system password.
3. Elevate the privileges of rsaadmin to root with the command
# sudo su - root
4. Enter the operating system password when prompted.
5. Go to /etc/rsyslog.d/ and make a copy of the remote.conf file.
# cp remote.conf remote.conf.ORIG
6. Edit the remote.conf configuration file using an editor such as vi.
7. In the "Sending Messages to Remote Hosts" section of /etc/rsyslog.d/remote.conf, add one line per remote syslog server in the format shown below (a single @ sends over UDP, @@ sends over TCP for reliable delivery; the port is optional and defaults to 514). The lines under "Receiving Messages" configure an rsyslog UDP listener (imudp) bound to the given address and port; the forwarding itself is done by the *.* line.
For example, if the remote syslog server IP address is 10.10.10.20:
# ######### Sending Messages to Remote Hosts ##########
# Remote Logging using TCP for reliable delivery
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host
# Remote Logging using UDP
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @10.10.10.20:514
# ######### Receiving Messages from Local AM Server ##########
$ModLoad imudp.so
$UDPServerAddress 10.10.10.20
$UDPServerRun 514
8. Restart the rsyslog service and check that it is running:
# systemctl restart rsyslog
# systemctl status rsyslog.service
9. Check /var/log/messages and verify that the connection between Authentication Manager and the remote syslog server is established successfully.
10. Monitor the outgoing traffic to the remote syslog server with the command (replace n.n.n.n with the IP address of the syslog server):
# tcpdump -nvv -i eth0 "dst host n.n.n.n and dst port 514"
11. Once done with the primary, please repeat steps 1 through 10 above on each replica server in your deployment. Be sure to complete the tasks on one before moving to the other(s).
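The following helper script is an added example and is not part of the RSA article or of the appliance itself. It wraps the remote.conf edit from steps 5 through 8 in a small set of POSIX shell functions: one that backs up the file once and idempotently appends a forwarding line (UDP or TCP), one that lists the active forwarding targets so you can confirm what rsyslog will actually send and where, and one that syntax-checks the configuration before the restart. The conf path, host, port and protocol are parameters (assumptions, so the functions can be tried on a copy of the file); the rsyslog legacy selector syntax (*.* @host:port) is the one the article's remote.conf uses.

```shell
#!/bin/sh
# Added example, not from the RSA article: helpers for editing and checking
# an rsyslog drop-in such as /etc/rsyslog.d/remote.conf.
# Assumptions: rsyslog legacy selector syntax ("*.* @host:port" = UDP,
# "*.* @@host:port" = TCP); CONF, HOST, PORT and PROTO are parameters.

# Append a forwarding line to CONF (default port 514, default protocol udp).
# Keeps a one-time backup CONF.ORIG, as step 5 of the article does, and is
# idempotent: an identical active line is not added twice.
add_syslog_target() {
    conf="$1"; host="$2"; port="${3:-514}"; proto="${4:-udp}"
    case "$proto" in
        udp) prefix="@" ;;    # unencrypted, unacknowledged datagrams
        tcp) prefix="@@" ;;   # reliable delivery, per the comment in remote.conf
        *)   echo "add_syslog_target: unknown protocol '$proto'" >&2; return 2 ;;
    esac
    line="*.* ${prefix}${host}:${port}"
    [ -f "$conf.ORIG" ] || cp "$conf" "$conf.ORIG"
    grep -qxF "$line" "$conf" && return 0
    printf '%s\n' "$line" >> "$conf"
}

# Print the active (uncommented) forwarding targets in CONF as "proto host:port",
# one per line. Whole-line comments such as "#*.* @@remote-host" are ignored.
list_syslog_targets() {
    awk '
        /^[ \t]*#/ { next }                            # whole-line comment
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "#") break                   # trailing comment
                if ($i ~ /^@@/)     print "tcp", substr($i, 3)
                else if ($i ~ /^@/) print "udp", substr($i, 2)
            }
        }' "$1"
}

# Number of active targets; 0 means nothing in CONF is forwarded anywhere.
count_syslog_targets() {
    list_syslog_targets "$1" | awk 'END { print NR }'
}

# Syntax-check the live rsyslog configuration before restarting the service;
# "rsyslogd -N1" parses the configuration without starting the daemon.
check_rsyslog_config() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1
    else
        echo "rsyslogd not found; skipping syntax check" >&2
    fi
}

# Usage on an Authentication Manager host (as root):
#   add_syslog_target /etc/rsyslog.d/remote.conf 10.10.10.20 514 udp
#   list_syslog_targets /etc/rsyslog.d/remote.conf
#   check_rsyslog_config && systemctl restart rsyslog
```

Run the listing function on each primary and replica after the edit: a host that prints no targets is one whose /var/log/messages is still not leaving the box, and a host that prints only "udp" targets is sending operating-system login and su records in clear text over an unacknowledged transport, which is worth knowing when the SIEM is on a different network segment.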