I see there is a technote for sending SYSLOG to multiple destinations in Auth Manager 8.1: https://community.rsa.com/docs/DOC-46055
In reviewing the steps involved, my instance of AM8.4 P03 does not have a configuration file for /etc/syslog-ng/syslog-ng.conf Does https://community.rsa.com/docs/DOC-46055 apply for AM8.4? If not, is there another means to send to multiple SYSLOG destinations?
8.4 switches over to rsyslog, and no longer uses syslog-ng.
Here is one way to do it on 8.4.0.0.0 and up
a) as root
edit /etc/rsyslog.d/remote.conf file and add your destinations/ports
example: here I have 4 destinations all UDP and port 514
vi /etc/rsyslog.d/remote.conf
<snip>
# Remote Logging using UDP
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host
*.* @10.101.99.140:514
*.* @1.2.3.4:514
*.* @2.3.4.5:514
*.* @12.12.12.12:514
<snip>
b) bump rsyslog
service rsyslog restart
c) configure Security Console logging to send to 127.0.0.1
d) perform some actions, verify traffic is outgoing to all destinations
here I use tcpdump on command line to see if all four destinations work, I just
edited a user in security console to trigger a log event
edavis-vm150:/etc/rsyslog.d # tcpdump -i eth0 udp port 514 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:13:24.404511 IP 10.101.99.150.48350 > 10.101.99.140.514: SYSLOG user.info, length: 551
11:13:24.404536 IP 10.101.99.150.52317 > 1.2.3.4.514: SYSLOG user.info, length: 551
11:13:24.404557 IP 10.101.99.150.49073 > 2.3.4.5.514: SYSLOG user.info, length: 551
11:13:24.404603 IP 10.101.99.150.53604 > 12.12.12.12.514: SYSLOG user.info, length: 551
----
You can do more with rsyslog but that is beyond the scope of the RSA documentation. The help menu in Security Console discusses how to encrypt outgoing syslog with rsyslog, but doesn't cover multiple destinations or ports...etc. Many public web sites do cover various configuration options with rsyslog.
The knowledge article on this topic can be found at 000037206 - How to configure RSA Authentication Manager 8.4 or later to send data to multiple remote syslog servers.
Regards,
Erica
Thanks Erica. I wish that bulletin came up in my search results.
Interesting. I just searched for auth manager 8.4 multiple syslog and that article was the only hit when searching in the RSA SecurID Access space.
Can you tell me the search terms you used and if you searched within RSA SecurID Access or if you used the global search (the big magnifying glass in the upper right corner of each page)? I just checked the article and it is tagged within an inch of its life. If there anything we missed, we can add it.
Regards,
Erica
Are these steps to be performed ONLY on the primary or on primary and any replicas?
I ask because Step 2 in https://community.rsa.com/docs/DOC-101149 mentions logging into the primary.
On command line... per each server.
Actions performed in the Security Console are on primary only, where one GUI can manage primary and replica settings.
Thanks
Thank you for the feedback. Much appreciated! I updated 000037206 - How to configure RSA Authentication Manager 8.4 or later to send data to multiple remote syslog servers, adding step 10 to the Resolution section, so it now reads:
- Once done with the primary, please repeat steps 1 through 9 above on each replica server in your deployment. Be sure to complete the tasks on one before moving to the other(s).
Regards,
Erica
Thanks.
I'm trying to setup syslog following QRadars documentation:
ims.logging.audit.admin.syslog_host = <IP address> ims.logging.audit.admin.use_os_logger = true ims.logging.audit.runtime.syslog_host = <IP address> ims.logging.audit.runtime.use_os_logger = true ims.logging.system.syslog_host = <IP address> ims.logging.system.use_os_logger = true
Where <IP address> is the IP address or host name of IBM® QRadar®.
/etc/syslog.conf
*.* @<IP address>
Where <IP address> is the IP address or host name of QRadar.
service syslog restart
Will this still work with 8.4 or do I need to follow 000037206 - How to configure RSA Authentication Manager 8.4 or later to send data to multiple remote syslog servers
Hi,
Possible to use TCP instead UDP to send logs ?
Regards,
Greg
8.4 switches over to rsyslog, and no longer uses syslog-ng.
Here is one way to do it on 8.4.0.0.0 and up
a) as root
edit /etc/rsyslog.d/remote.conf file and add your destinations/ports
example: here I have 4 destinations all UDP and port 514
vi /etc/rsyslog.d/remote.conf
<snip>
# Remote Logging using UDP
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host
*.* @10.101.99.140:514
*.* @1.2.3.4:514
*.* @2.3.4.5:514
*.* @12.12.12.12:514
<snip>
b) bump rsyslog
service rsyslog restart
c) configure Security Console logging to send to 127.0.0.1
d) perform some actions, verify traffic is outgoing to all destinations
here I use tcpdump on command line to see if all four destinations work, I just
edited a user in security console to trigger a log event
edavis-vm150:/etc/rsyslog.d # tcpdump -i eth0 udp port 514 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:13:24.404511 IP 10.101.99.150.48350 > 10.101.99.140.514: SYSLOG user.info, length: 551
11:13:24.404536 IP 10.101.99.150.52317 > 1.2.3.4.514: SYSLOG user.info, length: 551
11:13:24.404557 IP 10.101.99.150.49073 > 2.3.4.5.514: SYSLOG user.info, length: 551
11:13:24.404603 IP 10.101.99.150.53604 > 12.12.12.12.514: SYSLOG user.info, length: 551
----
You can do more with rsyslog but that is beyond the scope of the RSA documentation. The help menu in Security Console discusses how to encrypt outgoing syslog with rsyslog, but doesn't cover multiple destinations or ports...etc. Many public web sites do cover various configuration options with rsyslog.