000024583 - syslog over TCP

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000024583
Applies To: enVision 4.0, enVision 3.5.x
Issue: syslog over TCP
Cause: Most syslog data is transmitted over UDP (usually on port 514); however, it is also possible to use TCP, which provides a reliable transport mechanism and allows for larger messages.

The setup for syslog over TCP is on the syslog collector configuration screen. Select Overview > System Configuration > Services > Manage Collector Service, then select the appropriate site/Node link. This displays the main details about the syslog collection; at the end of the details is a line for TCP Information (this section may be collapsed, so look on the right-hand side for the expand/collapse icon).

The RFC (Reliable Delivery for syslog, http://www.ietf.org/rfc/rfc3195.txt) suggests the well-known port syslog-conn 601/TCP, although use of this port is optional; as an example, a default Cisco PIX configuration uses 1468/TCP.

After selecting the listener port number, click the Add button to enter the IP addresses of the devices that will use this facility. Also, as noted in a variety of articles on the Internet about syslog over TCP, you need to specify a delimiter between messages because, unlike UDP, TCP will not always deliver one message per packet. Use the default delimiter initially and review the results before assuming that any change to the settings is required.
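The framing problem described above is easy to reproduce. The following is an added example (not code from the RSA article or from enVision) of how a TCP syslog receiver has to reassemble messages from a byte stream: one read may contain several messages, or only part of one, so the receiver buffers data and cuts on the configured delimiter. The sample chunks and hostnames are constructed; the default delimiter is assumed to be a newline. It goes beyond the article in also showing the RFC 6587 octet-counting framing some senders use instead of a delimiter, and in bounding the buffer so a sender that never sends a delimiter cannot make the collector grow memory without limit.

```python
"""Reassemble syslog messages from a TCP stream (added example, not enVision code)."""
from typing import Iterable, List


class DelimiterFramer:
    """Delimiter framing: a message ends at the configured byte sequence.

    Unlike UDP (one datagram = one message), TCP gives the receiver an
    unstructured byte stream, so messages split across reads must be buffered.
    """

    def __init__(self, delimiter: bytes = b"\n", max_message: int = 64 * 1024) -> None:
        if not delimiter:
            raise ValueError("delimiter must be non-empty")
        self.delimiter = delimiter
        self.max_message = max_message  # defensive bound on undelimited data
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> List[str]:
        """Add one TCP read to the buffer; return every now-complete message."""
        self._buf += chunk
        out: List[str] = []
        while True:
            idx = self._buf.find(self.delimiter)
            if idx < 0:
                break
            raw = bytes(self._buf[:idx])
            del self._buf[: idx + len(self.delimiter)]
            # Tolerate senders that use CRLF when the delimiter is LF.
            out.append(raw.rstrip(b"\r").decode("utf-8", errors="replace"))
        if len(self._buf) > self.max_message:
            # No delimiter within the limit: emit what we have as one oversize
            # message instead of buffering forever (mis-set delimiter or abuse).
            raw = bytes(self._buf[: self.max_message])
            del self._buf[: self.max_message]
            out.append(raw.decode("utf-8", errors="replace"))
        return out

    def pending(self) -> bytes:
        """Bytes received so far that do not yet form a complete message."""
        return bytes(self._buf)


class OctetCountFramer:
    """RFC 6587 octet counting: each message is sent as 'LENGTH SP MESSAGE'."""

    def __init__(self, max_message: int = 64 * 1024) -> None:
        self.max_message = max_message
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> List[str]:
        self._buf += chunk
        out: List[str] = []
        while True:
            sp = self._buf.find(b" ")
            if sp < 0:
                break
            length_field = bytes(self._buf[:sp])
            if not length_field.isdigit():
                raise ValueError("malformed octet-count frame: %r" % length_field)
            length = int(length_field)
            if length > self.max_message:
                raise ValueError("frame length %d exceeds limit" % length)
            start = sp + 1
            if len(self._buf) < start + length:
                break  # wait for the rest of this message
            raw = bytes(self._buf[start : start + length])
            del self._buf[: start + length]
            out.append(raw.decode("utf-8", errors="replace"))
        return out


def reassemble(chunks: Iterable[bytes], framer) -> List[str]:
    """Feed successive TCP reads through a framer and collect the messages."""
    messages: List[str] = []
    for chunk in chunks:
        messages.extend(framer.feed(chunk))
    return messages


# Constructed sample reads: message 2 is split across reads 1 and 2 and uses
# CRLF; read 3 ends with an incomplete message that must stay buffered.
DELIMITED_CHUNKS = [
    b"<134>Jun 14 10:00:01 fw01 tcp session built\n<134>Jun 14 10:00:02 fw01 tcp sess",
    b"ion torn down\r\n<13>Jun 14 10:00:03 host01 ",
    b"user login ok\n<13>Jun 14 10:00:04 host01 partial",
]

# Constructed octet-counted reads: "9 <13>hello" then "14 <14>second one".
OCTET_CHUNKS = [b"9 <13>hello14 <14>sec", b"ond one"]

if __name__ == "__main__":
    for msg in reassemble(DELIMITED_CHUNKS, DelimiterFramer()):
        print("delimited:", msg)
    for msg in reassemble(OCTET_CHUNKS, OctetCountFramer()):
        print("octet-counted:", msg)
```

If the collector shows messages that are truncated, fused together, or that carry stray characters at the end, the delimiter it is cutting on does not match what the sender emits; that is the symptom to look for before changing the delimiter setting.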

Setting up an enVision system to allow syslog over TCP does not stop UDP collection; the system reads from both TCP and UDP at the same time.

Note: syslog-ng, an alternative syslog daemon sometimes installed on Linux, can be configured with a TCP destination (commonly named d_tcp), so a Linux host running syslog-ng may be another device sending syslog data over TCP, in addition to Cisco PIX.

Legacy Article ID: a38142