000029114 - How to replace sysklogd with rsyslog on an RSA Security Analytics or NetWitness EL5 appliance

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000029114
Applies To: RSA Product Set: Security Analytics, NetWitness
RSA Product/Service Type: Core Appliance, NextGen Appliance
RSA Version/Condition: 10.3.x and below
Platform: CentOS
O/S Version: 5
Issue: The Set Syslog Forwarding appliance task in the Security Analytics UI and the NetWitness Administrator thick client only functions with rsyslog, not with sysklogd, which is installed on the CentOS 5 appliances by default.
Tasks: This article provides instructions for replacing the sysklogd package with rsyslog on an RSA Security Analytics or NetWitness appliance running CentOS 5.
Resolution: To replace the sysklogd package with rsyslog on an EL5 appliance, follow the steps below:
  1. Download the rsyslog-8.2.2-1.el5.centos.zip file that is attached to this article and use an FTP client to transfer it to the /tmp directory on the appliance.
  2. Log in to the appliance via SSH and change to the /tmp directory.
  3. Extract the RPM packages from the .zip file with the following command:
    unzip rsyslog-8.2.2-1.el5.centos.zip
  4. Issue the following command to enter the directory where the RPM packages are stored:
    cd rsyslogEL5
  5. Issue the command below to install the RPM packages:
    rpm -Uvh rsyslog-8.2.2-1.el5.centos.x86_64.rpm jemalloc-3.4.0-1.el5.centos.x86_64.rpm json-c-0.11-3.el5.centos.x86_64.rpm libestr-0.1.9-1.el5.centos.x86_64.rpm libgt-0.3.11-1.el5.centos.x86_64.rpm liblogging-1.0.4-1.el5.centos.x86_64.rpm
  6. After the installation is complete, verify that the sysklogd package is no longer present (the command should print nothing):
    rpm -qa | grep sysklogd
  7. Confirm that the rsyslog package has been installed correctly:
    rpm -qa | grep rsyslog
  8. Check the status of the rsyslog service:
    service rsyslog status
  9. If the rsyslog service is stopped, start it:
    service rsyslog start
  10. Configure the rsyslog service to start on boot:
    chkconfig rsyslog on
  11. Verify that the command in Step 10 was successful:
    chkconfig --list rsyslog
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
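As an added example that is not part of the RSA article, the following POSIX shell script performs the checks that Steps 6 through 11 carry out by hand. Each check takes the output of rpm -qa, service rsyslog status or chkconfig --list rsyslog as an argument, so the script can be run against captured text or, with the assumed --live flag, against the live appliance.

```shell
#!/bin/sh
# Added example (not part of the RSA article): post-install checks for the
# sysklogd -> rsyslog replacement on a CentOS 5 appliance.

# Steps 6 and 7: the installed-package list must not contain sysklogd and
# must contain the rsyslog 8.2.2 package that was installed.
check_packages() {
    pkgs="$1"   # output of: rpm -qa
    printf '%s\n' "$pkgs" | grep -q '^sysklogd' && return 1
    printf '%s\n' "$pkgs" | grep -q '^rsyslog-8\.2\.2' || return 1
    return 0
}

# Step 8: the SysV status output reports "... is running..." when the
# daemon is up; anything else (stopped, dead, unrecognized) fails.
check_service_running() {
    status="$1"   # output of: service rsyslog status
    printf '%s\n' "$status" | grep -q 'is running'
}

# Step 11: chkconfig must show rsyslog enabled in run levels 2 through 5,
# otherwise it will not come back after a reboot.
check_boot_enabled() {
    levels="$1"   # output of: chkconfig --list rsyslog
    for lvl in 2 3 4 5; do
        printf '%s\n' "$levels" | grep -q "${lvl}:on" || return 1
    done
    return 0
}

# Run all three checks, print one line per check, return 1 on any failure.
verify_rsyslog_replacement() {
    rc=0
    check_packages "$1"        && echo "packages:  ok" || { echo "packages:  FAIL"; rc=1; }
    check_service_running "$2" && echo "service:   ok" || { echo "service:   FAIL"; rc=1; }
    check_boot_enabled "$3"    && echo "chkconfig: ok" || { echo "chkconfig: FAIL"; rc=1; }
    return $rc
}

# --live (assumed flag of this script) gathers the real output on the
# appliance; without it the functions can be sourced and fed captured text.
if [ "${1:-}" = "--live" ]; then
    verify_rsyslog_replacement "$(rpm -qa)" \
        "$(service rsyslog status 2>&1)" \
        "$(chkconfig --list rsyslog 2>&1)"
fi
```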
Notes: Below is a screenshot of the entire process of replacing the sysklogd package with rsyslog on a Series 3 concentrator running CentOS 5.
[Screenshot: Process of replacing sysklogd with rsyslog.]
The full rsyslog repository where the RPM packages included in the attached zip file were obtained can be found here.