|Applies To||RSA Security Analytics|
RSA Security Analytics Log Decoder
RSA Security Analytics Log Collector
|Issue||How to trace Log Collector to Log Decoder traffic in RSA Security Analytics.|
How do I trace log collector to log decoder traffic in SA?
How do I make sure there is traffic between my Log Decoder and Log Collector in Security Analytics?
|Resolution||For troubleshooting purposes, it is sometimes useful to check whether there is traffic from the Log Collector to the Log Decoder. (In this scenario, the Local Log Collector is on the same box as the Log Decoder.)|
Capturing on the loopback interface excludes external syslog traffic going to the Log Decoder, so you can isolate communication issues between the Log Collector and the Log Decoder.
Since the TCP Collector module inside the Log Collector forwards unstructured events to the Log Decoder on port 514 over TCP on the loopback address, you can use tcpdump to capture the traffic with the following command:
tcpdump -i lo -w mycap.pcap port 514
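To check what the capture contains, the following added example (not part of the original article or of the RSA product) reads a pcap file written by the tcpdump command above and counts connection attempts, resets, and data-bearing segments sent to port 514. It assumes a classic pcap file with Ethernet link type and IPv4 loopback traffic; the function names and the sample packets are constructed for illustration.

```python
import struct

def summarize_pcap(data, port=514):  # 514 is the port named in the article
    """Count TCP traffic for `port` in a classic pcap (Ethernet link type, IPv4 only)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("unsupported link type (expected Ethernet)")
    stats = {"syn": 0, "rst": 0, "data_segments": 0, "payload_bytes": 0}
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue  # too short or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue  # not TCP, or header truncated
        total_len = struct.unpack("!H", ip[2:4])[0] or len(ip)
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]
        if port not in (sport, dport):
            continue
        if flags & 0x04:  # RST in either direction: refused or torn down
            stats["rst"] += 1
        if dport != port:
            continue  # replies from the Log Decoder carry no events
        if flags & 0x02:  # SYN: the collector is opening a connection
            stats["syn"] += 1
        payload = total_len - ihl - (tcp[12] >> 4) * 4
        if payload > 0:  # segment actually carries event data
            stats["data_segments"] += 1
            stats["payload_bytes"] += payload
    return stats

def make_record(sport, dport, flags, payload=b""):  # constructed packet, checksums left zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     b"\x7f\0\0\x01", b"\x7f\0\0\x01") + tcp
    frame = b"\0" * 12 + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
EVENT = b"<13>constructed test event\n"  # constructed sample, not real log data
SAMPLE = PCAP_HEADER + make_record(40000, 514, 0x02) + make_record(40000, 514, 0x18, EVENT)
```

Run it on the real capture with `summarize_pcap(open("mycap.pcap", "rb").read())`. SYNs or RSTs with zero data segments indicate the Log Collector is attempting to connect but no events are reaching the Log Decoder.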
|Legacy Article ID||a65438|