Access Gateway on RHEL auditing events are not getting passed on to the Analytics Server

  • 7023755
  • 01-Mar-2019
  • 19-Sep-2019

Environment

  • Access Manager 4.4.x
  • Access Manager 4.5
  • Analytics Server

Situation

Events generated from the Access Gateway:
  • ACCESS GATEWAY ACCESSED
  • APPLICATIONACCESS GATEWAY LOGIN
are not shown on the Analytics Server Dashboard.

Resolution

  1. Open the following ports with:

    • semanage port -a -t syslogd_port_t -p tcp 1290
    • semanage port -a -t syslogd_port_t -p tcp 1468

  2. Restart syslog: "service rsyslog restart"

Cause

SELinux is blocking any traffic to ports 1290 and 1468.

Additional Information

Steps to analyze the issue.

On the Access Gateway:
  1. From the Administration Console, check that Auditing events are selected:
    Application Accessed - Session Created/Destroyed

  2. On the Access Gateway check file permission and configuration for:

    • /etc/Auditlogging.cfg
    • /etc/rsyslog.conf
    • /etc/rsyslog.d/nam.conf

  3. Take a LAN trace with tcpdump on the Access Gateway: tcpdump -i any -s0 -w /tmp/syslog.cap
     The trace showed that port 1290 did not seem to be open.

  4. Run "service rsyslog restart" on the Access Gateway and review "/var/log/messages"
    Error: "rsyslogd: Could not create tcp listener, ignoring port 1290 bind-address (null). [v8.24.0 try http://www.rsyslog.com/e/2077 ]"

  5. Review open ports using: netstat -nap | grep 1290
    Port 1290 was not listed as an open port.

  6. Check if SELinux can interfere with port 1290 listening: "semanage port -l | grep 1290"
    NO results were listed, which means that port 1290 is blocked by SELinux.
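
The check in step 6 can be made stricter than a plain grep, which also matches unrelated numbers such as 12900 and misses a port covered by a range. The script below is an added example, not part of the original article: the function name missing_syslog_ports and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `semanage port -l` output on stdin and prints the
# ports from the argument list that are NOT labelled syslogd_port_t for tcp.
# Unlike `grep 1290`, it understands ranges and does not match 12900.
missing_syslog_ports() {   # hypothetical helper name
    awk -v want="$*" '
        $1 == "syslogd_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {          # "6514," "601" "1200-1300"
                p = $i; sub(/,$/, "", p)
                n = split(p, r, "-")
                cnt++
                lo[cnt] = r[1] + 0
                hi[cnt] = (n == 2 ? r[2] : r[1]) + 0
            }
        }
        END {
            m = split(want, w, " ")
            for (j = 1; j <= m; j++) {
                found = 0
                for (k = 1; k <= cnt; k++)
                    if (w[j] + 0 >= lo[k] && w[j] + 0 <= hi[k]) found = 1
                if (!found) out = out (out == "" ? "" : " ") w[j]
            }
            print out
        }'
}

# Constructed sample: state before the fix (example_port_t is made up).
sample_unlabelled() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

example_port_t                 tcp      12900
syslogd_port_t                 tcp      6514, 601
syslogd_port_t                 udp      514, 6514, 601
EOF
}

# Constructed sample: state after the two semanage commands from the Resolution.
sample_labelled() {
    cat <<'EOF'
syslogd_port_t                 tcp      1468, 1290, 6514, 601
syslogd_port_t                 udp      514, 6514, 601
EOF
}

echo "before: $(sample_unlabelled | missing_syslog_ports 1290 1468)"
echo "after:  $(sample_labelled | missing_syslog_ports 1290 1468)"
# On the Access Gateway: semanage port -l | missing_syslog_ports 1290 1468
```

An empty result means both ports already carry the syslogd_port_t label, so a remaining bind failure has another cause.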