000037276 - Audit Logging feature sends syslog messages that fail to be processed and fail to be recorded as being received by a syslog listener in RSA Archer 6.4.1.2

Document created by RSA Customer Support Employee on Apr 8, 2019
Version 1

Article Content

Article Number
000037276
Applies To
RSA Product Set: Archer
RSA Product/Service Type: RSA Archer (On-Premise)
RSA Version/Condition: 6.4.1.2
Issue
Configuration:
  • RSA Archer Audit Logging is enabled.
  • RSA Archer Audit Logging passes the connection test in the Archer Control Panel.
  • RSA Archer Audit Logging is configured to send to a syslog listener.
  • RSA Archer Services have been restarted to use the Audit Logging configuration.
  • Network traces confirm the traffic is reaching the syslog listener.
Problem: The syslog listener receives the messages but does not process the syslog messages or record that they were ever received.
Cause
  • Some syslog listeners, such as RSA NetWitness, discard all incoming syslog messages received if the messages do not conform to RFC-5424.
  • RSA Archer's Audit Logging feature sends syslog messages that do not conform to RFC-5424.
Resolution
Use one of the options below to resolve the issue:


  1. Consult syslog listener documentation to reconfigure the syslog listener to accept syslog messages that are not RFC-5424 compliant, if possible; or
  2. Use a different syslog listener that accepts all syslog messages, including syslog messages that are not RFC-5424 compliant.
Workaround
A second syslog listener server, such as winsyslog, can be deployed as middleware to convert the syslog messages received from Archer into a format that is RFC-5424 compliant and then forward them to another syslog listener that requires RFC-5424 compliant syslog messages.
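
The conformance check from the Cause section and the conversion step from the Workaround, as an added example that is not part of the original article or any RSA code: it tests a captured line against the RFC 5424 header grammar and, if it fails, wraps it in a conformant header the way a relay would. The function names and both sample messages are constructed for illustration and are not captured Archer output; the check is syntactic only.

```python
import re
from datetime import datetime, timezone

# RFC 5424 section 6 header grammar:
# <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
_TS = r"(?:-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2}))"
_P = r"[\x21-\x7e]"                               # PRINTUSASCII
_N = r"[\x21\x23-\x3c\x3e-\x5c\x5e-\x7e]{1,32}"   # SD-NAME: no space, '"', '=', ']'
_SD = r"(?:-|(?:\[" + _N + r"(?: " + _N + r'="(?:[^"\\\]]|\\.)*")*\])+)'
RFC5424 = re.compile(
    r"<(?P<pri>0|[1-9]\d{0,2})>(?P<ver>[1-9]\d{0,2}) " + _TS + " "
    + _P + "{1,255} " + _P + "{1,48} " + _P + "{1,128} " + _P + "{1,32} "
    + _SD + r"(?: .*)?",
    re.DOTALL,
)

def is_rfc5424(line: str) -> bool:
    """True if the line matches the RFC 5424 header syntax (PRIVAL 0..191)."""
    m = RFC5424.fullmatch(line)
    return m is not None and int(m["pri"]) <= 191

def to_rfc5424(line: str, host: str = "-", app: str = "-", now=None) -> str:
    """Relay step: pass conformant lines through, wrap anything else."""
    if is_rfc5424(line):
        return line
    m = re.match(r"<(\d{1,3})>", line)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), line[m.end():]   # keep the sender's PRI
    else:
        pri, body = 13, line                          # user.notice when PRI is absent
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    # PROCID, MSGID and STRUCTURED-DATA are unknown to the relay, so NILVALUE "-"
    return f"<{pri}>1 {ts} {host} {app} - - - {body}"

# Constructed samples: a legacy BSD-style line and an RFC 5424 line
LEGACY = "<134>Apr  8 10:15:02 apphost01 Audit: user=jdoe action=login"
CONFORMANT = ('<134>1 2019-04-08T10:15:02.003Z apphost01 audit 1234 ID47 '
              '[meta@32473 seq="1"] user login')

if __name__ == "__main__":
    for sample in (LEGACY, CONFORMANT):
        print(is_rfc5424(sample), "->", to_rfc5424(sample, "apphost01", "audit"))
```

Running `is_rfc5424` over lines taken from the network trace mentioned under Issue shows whether a strict listener would drop them before any listener configuration is changed.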
