Changing Auditing details in Admin Console Dashboard causes syslog server address/port to be written to Auditlogging.cfg file incorrectly and audit events bypass rsyslog locally

  • 7022855
  • 15-Apr-2018
  • 09-May-2018

Environment

Access Manager 4.3
Access Manager 4.4

Situation

/etc/Auditlogging.cfg is rewritten every time the auditing details are changed through Dashboard -> Auditing.

By default, the audit server defined in /etc/Auditlogging.cfg should point to the loopback interface on TCP port 1290, as per https://www.netiq.com/documentation/access-manager-44/resources/NAM_Auditing_with_Syslog.pdf.

Whenever the Auditing details are changed from the Dashboard, Auditlogging.cfg is populated with the details of the syslog server.

As a result, all events go directly from the component (AC/IDP/AG) to the syslog server, and not via the local rsyslog service as expected.
The configuration defined in /etc/rsyslog.d/nam.conf therefore does not come into play.


              
acidp3:~ # cat /etc/Auditlogging.cfg
LOGDEST=syslog
FORMAT=JSON
SERVERIP=192.168.13.234
SERVERPORT=1468
INSTALLTYPE=fresh

Resolution

This is a bug. Either of the following workarounds can be used to address it:

1. Manually modify the values of SERVERIP, SERVERPORT in /etc/Auditlogging.cfg to 127.0.0.1, 1468.

OR

2. Set the values of SERVERIP, SERVERPORT to blank.
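
Because the file is rewritten on every Dashboard change, it is worth re-checking after each edit. The script below is an added example, not part of the original article or of the product's own tooling: it reports whether an Auditlogging.cfg-style file matches workaround 1 or 2. The function names, the default expected port (1468, taken from workaround 1) and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Read one KEY=VALUE setting from an Auditlogging.cfg-style file.
# Tolerates stray whitespace and CRLF; the last assignment wins.
auditcfg_get() {  # usage: auditcfg_get KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tr -d '\r' | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 when the file matches workaround 1 or 2, 1 otherwise.
auditcfg_check() {  # usage: auditcfg_check FILE [EXPECTED_LOCAL_PORT]
    file=$1
    want_port=${2:-1468}   # assumption: local port from workaround 1
    ip=$(auditcfg_get SERVERIP "$file")
    port=$(auditcfg_get SERVERPORT "$file")
    # Workaround 2: both values blank.
    if [ -z "$ip" ] && [ -z "$port" ]; then
        echo "OK: SERVERIP/SERVERPORT blank"; return 0
    fi
    # Workaround 1: loopback address and the expected local port.
    if [ "$ip" = "127.0.0.1" ] && [ "$port" = "$want_port" ]; then
        echo "OK: $ip:$port (local rsyslog)"; return 0
    fi
    echo "DRIFT: SERVERIP='$ip' SERVERPORT='$port' matches neither workaround"
    return 1
}

# Constructed sample files (not read from a real system).
tmp=$(mktemp -d)
printf 'LOGDEST=syslog\nFORMAT=JSON\nSERVERIP=192.168.13.234\nSERVERPORT=1468\n   INSTALLTYPE=fresh\n' > "$tmp/bad.cfg"
printf 'LOGDEST=syslog\nFORMAT=JSON\nSERVERIP=127.0.0.1\nSERVERPORT=1468\nINSTALLTYPE=fresh\n' > "$tmp/wa1.cfg"
printf 'LOGDEST=syslog\nFORMAT=JSON\nSERVERIP=\nSERVERPORT=\nINSTALLTYPE=fresh\n' > "$tmp/wa2.cfg"

for f in bad wa1 wa2; do
    auditcfg_check "$tmp/$f.cfg" || true
done
```

On a real system, call auditcfg_check /etc/Auditlogging.cfg and pass the local rsyslog listener port as the second argument if it differs.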

Cause

An update to the auditing configuration in iManager should only update the FORMAT parameter when it is changed; all other variables should remain unchanged.