000026818 - How to trace Log Collector to Log Decoder traffic in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026818
Applies To: RSA Security Analytics
RSA Security Analytics Log Decoder
RSA Security Analytics Log Collector
Issue: How to trace Log Collector to Log Decoder traffic in RSA Security Analytics.
How do I trace Log Collector to Log Decoder traffic in SA?
How do I make sure there is traffic between my Log Decoder and Log Collector in Security Analytics?
Resolution: Sometimes, for troubleshooting purposes, it is useful to check whether there is traffic from the Log Collector to the Log Decoder. (In this scenario the Local Log Collector is on the same box as the Log Decoder.)

Capturing on the loopback interface excludes the external syslog traffic arriving at the Log Decoder, so you can isolate and verify communication problems between the Log Collector and the Log Decoder.

Since the TCP Collector module inside the Log Collector forwards unstructured events to the Log Decoder over TCP on port 514 at the loopback address, you can capture that traffic with tcpdump using the following command:

tcpdump -i lo -w mycap.pcap port 514
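As an added example (not part of the RSA article), the following shell helper wraps the same capture in a fixed time window and then counts only the packets toward port 514 that actually carry TCP payload, because an established but idle Log Collector to Log Decoder session shows nothing but zero-length ACKs. The 30-second window, the file name and the coreutils `timeout` utility are assumptions, and the sample capture text is constructed.

```shell
#!/bin/sh
# Added example, not from the RSA article. Captures on the loopback interface
# for a fixed window, then counts packets sent TO port 514 that carry TCP
# payload. An open but idle Log Collector -> Log Decoder session produces only
# zero-length ACKs/keepalives, so a non-zero count is the real "events flowing" signal.

# capture_lo_514 SECONDS OUTFILE: capture with tcpdump for SECONDS (needs root),
# then print the capture as text lines. 'timeout' (coreutils) is assumed to exist.
capture_lo_514() {
    secs="$1"; out="$2"
    timeout "$secs" tcpdump -i lo -nn -w "$out" 'tcp port 514' 2>/dev/null
    tcpdump -nn -r "$out" 2>/dev/null
}

# count_event_packets: read 'tcpdump -nn' text on stdin; print how many packets
# headed to 127.0.0.1.514 end in "length N" with N > 0.
count_event_packets() {
    awk '
        / > 127\.0\.0\.1\.514:/ && match($0, /length [0-9]+$/) {
            n = substr($0, RSTART + 7, RLENGTH - 7) + 0
            if (n > 0) events++
        }
        END { print events + 0 }'
}

# Constructed sample of 'tcpdump -nn -r' output (not a real capture): a TCP
# handshake, two event pushes (89 and 60 bytes) and the decoder's ACK.
SAMPLE_CAPTURE='12:00:01.000001 IP 127.0.0.1.45678 > 127.0.0.1.514: Flags [S], seq 1, win 43690, length 0
12:00:01.000002 IP 127.0.0.1.514 > 127.0.0.1.45678: Flags [S.], seq 1, ack 2, win 43690, length 0
12:00:01.000003 IP 127.0.0.1.45678 > 127.0.0.1.514: Flags [P.], seq 1:90, ack 1, win 342, length 89
12:00:01.000004 IP 127.0.0.1.514 > 127.0.0.1.45678: Flags [.], ack 90, win 342, length 0
12:00:01.000005 IP 127.0.0.1.45678 > 127.0.0.1.514: Flags [P.], seq 90:150, ack 1, win 342, length 60'

# report COUNT: turn the packet count into a one-line verdict.
report() {
    if [ "$1" -gt 0 ]; then
        echo "OK: $1 packet(s) with event payload reached port 514 on lo"
    else
        echo "NO EVENTS: no payload-carrying packets to port 514 on lo"
    fi
}

# Offline demonstration on the constructed sample; on the appliance run as root:
#   capture_lo_514 30 mycap.pcap | count_event_packets
report "$(printf '%s\n' "$SAMPLE_CAPTURE" | count_event_packets)"
```

On the appliance, `capture_lo_514 30 mycap.pcap | count_event_packets` gives the live count, and `tcpdump -nn -r mycap.pcap -A` shows the event text itself.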

Legacy Article ID: a65438
