Environment
Access Manager 4.3
Access Manager 4.4
Situation
/etc/Auditlogging.cfg is getting updated every time we change the details through Dashboard -> Auditing.
By default, the Audit server Auditlogging.cfg should point to loopback interface on tcp 1290 as per https://www.netiq.com/documentation/access-manager-44/resources/NAM_Auditing_with_Syslog.pdf.
Whenever we change the details of Auditing from Dashboard, Auditlogging.cfg is getting populated with the details of the syslog server.
As a result, all the events are directly going from the component (AC/ IDP/ AG) to the syslog server directly and not via the local rsyslog service we would expect.
The configuration defined in /etc/rsyslog.d/nam.conf file does not come into play, which one would expect.
acidp3:~ # cat /etc/Auditlogging.cfg
LOGDEST=syslog
SERVERIP=192.168.13.234
SERVERPORT=1468
INSTALLTYPE=freshResolution
This is a bug and one of the below workarounds could be used to address it:
1. Manually modify the values of SERVERIP, SERVERPORT in /etc/Auditlogging.cfg to 127.0.0.1, 1468.
OR
2. Set the values of SERVERIP, SERVERPORT to blank.
Cause
Update to auditing configuration in iManager should only update the FORMAT parameter when changed - all other variables should remain unchanged.