Configuring Linux

You can configure RSA Authentication Manager for syslog on Linux® based operating systems.

Procedure

  1. Using SSH, log in to the RSA Security Console as the root user.
  2. Open one of the following files for editing based on your version of RSA Authentication Manager:
    Versions earlier than version 8
    /usr/local/RSASecurity/RSAAuthenticationManager/utils/resources/ims.properties
    Version 8
    /opt/rsa/am/utils/resources/ims.properties
  3. Add the following entries to the ims.properties file:
    ims.logging.audit.admin.syslog_host = <IP address> 
    ims.logging.audit.admin.use_os_logger = true 
    ims.logging.audit.runtime.syslog_host = <IP address> 
    ims.logging.audit.runtime.use_os_logger = true 
    ims.logging.system.syslog_host = <IP address> 
    ims.logging.system.use_os_logger = true

    Where <IP address> is the IP address or host name of IBM QRadar.

  4. Save the ims.properties file.
  5. Open the following file for editing:

    /etc/syslog.conf

  6. Add the following line to the file to add QRadar as a syslog entry:

    *.* @<IP address>

    Where <IP address> is the IP address or host name of QRadar.

  7. Type the following command to restart the syslog services for Linux:

    service syslog restart

    For more information on configuring syslog forwarding, see your RSA Authentication Manager documentation.
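
An added check for steps 3 and 6, not part of the vendor procedure: the shell functions below report which of the six ims.properties entries are missing or differ from the expected value, and whether syslog.conf contains an uncommented forwarding rule for the QRadar host. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): confirm the entries from steps 3 and 6.
# Function names are hypothetical.

# Print each required ims.properties key that is missing or has the wrong value.
# $1 = path to ims.properties, $2 = QRadar IP address or host name
missing_ims_keys() {
    for scope in audit.admin audit.runtime system; do
        for pair in "syslog_host=$2" "use_os_logger=true"; do
            key="ims.logging.$scope.${pair%%=*}"
            want="${pair#*=}"
            # Exact key match; surrounding spaces ignored; commented lines never match.
            # Assumption: if a key is repeated, the last occurrence is the effective one.
            got=$(awk -F= -v k="$key" '
                { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
                name == k { v = $0; sub(/^[^=]*=/, "", v)
                            gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
                END { print val }' "$1")
            [ "$got" = "$want" ] || echo "$key"
        done
    done
}

# Succeed only if syslog.conf has an uncommented "*.* @<host>" rule.
# $1 = path to syslog.conf, $2 = QRadar IP address or host name
has_forward_rule() {
    awk -v h="@$2" '$1 == "*.*" && $2 == h { ok = 1 } END { exit !ok }' "$1"
}

# Usage: sh check_rsa_syslog.sh <QRadar host> [ims.properties] [syslog.conf]
if [ "$#" -ge 1 ]; then
    ims=${2:-/opt/rsa/am/utils/resources/ims.properties}
    conf=${3:-/etc/syslog.conf}
    miss=$(missing_ims_keys "$ims" "$1")
    [ -z "$miss" ] || printf 'Not set to the expected value in %s:\n%s\n' "$ims" "$miss"
    has_forward_rule "$conf" "$1" || echo "No '*.* @$1' rule in $conf"
fi
```

No output means both files match the procedure. For versions earlier than version 8, pass the ims.properties path from step 2 as the second argument.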

What to do next

Configure the log source and protocol in QRadar. To receive events from RSA Authentication Manager, from the Log Source Type list, select the RSA Authentication Manager option.