Applies To:
RSA Product Set: Archer
RSA Product/Service Type: RSA Archer (On-Premise)
RSA Version/Condition: 184.108.40.206
Problem: The syslog listener receives the messages from RSA Archer but neither processes them nor records that they were ever received.
- RSA Archer Audit Logging is enabled.
- RSA Archer Audit Logging passes the connection test in the Archer Control Panel.
- RSA Archer Audit Logging is configured to send to a syslog listener.
- RSA Archer Services have been restarted to use the Audit Logging configuration.
- Network traces confirm that the traffic is reaching the syslog listener.
Cause:
- Some syslog listeners, such as RSA NetWitness, discard all incoming syslog messages that do not conform to RFC-5424.
- RSA Archer's Audit Logging feature sends syslog messages that do not conform to RFC-5424.
Resolution: Use one of the options below to resolve the issue:
- Consult syslog listener documentation to reconfigure the syslog listener to accept syslog messages that are not RFC-5424 compliant, if possible; or
- Use a different syslog listener that accepts all syslog messages, including syslog messages that are not RFC-5424 compliant.
Workaround: A second syslog listener server, such as winsyslog, can be deployed as middleware to convert the syslog messages received from Archer into an RFC-5424 compliant format and then forward them to the syslog listener that requires RFC-5424 compliant messages.
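The conversion step that such a middleware relay performs can be sketched as follows. This is an added example, not RSA's code and not how winsyslog is implemented; the sample message framing, the `archer` APP-NAME, port 5514 and the forwarding address are assumptions.

```python
import re
import socket
from datetime import datetime, timezone

# Simplified check: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_HEADER = re.compile(
    r"^<(\d{1,3})>1 "
    r"(?:-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) "
    r"\S{1,255} \S{1,48} \S{1,128} \S{1,32} "
    r"(?:-|(?:\[.+?\])+)(?: |$)"
)
LEGACY_PRI = re.compile(r"^<(\d{1,3})>")
MAX_PRI = 191  # facility 23 * 8 + severity 7
SAMPLE = b"<134>Jan  5 10:15:02 archer-web Archer: User Login"  # constructed, not real Archer output


def is_rfc5424(line: str) -> bool:
    m = RFC5424_HEADER.match(line)
    return bool(m) and int(m.group(1)) <= MAX_PRI


def to_rfc5424(raw: bytes, sender: str, now=None, app: str = "archer") -> str:
    """Pass RFC 5424 input through; wrap anything else. 'now' must be tz-aware."""
    text = raw.decode("utf-8", errors="replace").strip()
    if is_rfc5424(text):
        return text
    m = LEGACY_PRI.match(text)
    # Keep a valid PRI; otherwise fall back to 13 (user.notice).
    pri = int(m.group(1)) if m and int(m.group(1)) <= MAX_PRI else 13
    body = text[m.end():].lstrip() if m else text
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    ts = ts.replace("+00:00", "Z")
    # PROCID, MSGID and STRUCTURED-DATA are unknown, so each is the nil value "-".
    return f"<{pri}>1 {ts} {sender} {app} - - - {body}"


def relay(listen=("0.0.0.0", 5514), forward=("192.0.2.20", 514)):
    """Receive UDP syslog, normalise it, forward it. Addresses are placeholders."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, (ip, _port) = rx.recvfrom(65535)
        tx.sendto(to_rfc5424(data, ip).encode("utf-8"), forward)


if __name__ == "__main__":
    relay()
```

`is_rfc5424` can also be run on its own against a captured datagram to confirm whether a strict listener would reject it. The original legacy header is kept inside MSG, so no audit detail is lost in the rewrite.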