000033285 - Set Syslog Forwarding does not configure RSA Security Analytics hosts to forward syslog events

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000033285
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Packet Decoder, Log Decoder, Concentrator, Broker
RSA Version/Condition: 10.5.x,,,
Platform: CentOS
O/S Version: 6
IssueRunning Set Syslog Forwarding from Host Procedures from the Task List Dialog, as per the Hosts and Services Getting Started Guide, does not forward any syslog events from the host to an external syslog server.  Running tcpdump –nni em1 dst port 514 does not display any packets to the syslog server.
CauseDue to a bug in the current version, running Set Syslog Forwarding creates /etc/rsyslog.nw.conf with an incorrect string value of "nw" where it is supposed to be "Nw".
# cat /etc/rsyslog.nw.conf
:programname, contains, "nw"    @x.x.x.x:514
# This file is generated automatically. Do not edit it!

As the actual log contains a service name (i.e., programname) that starts with Nw as below, the above configuration will not find any event to forward.
May 26 22:53:07 DECODER_HOST NwDecoder[15246]: [Scheduler] [info] Running task /database with message dbState (op=save type=session,meta,packet)  - 1800 secs waited

ResolutionThe issue is currently under investigation and will be address in the future release.  This KB article will be updated once the new release becomes available.
WorkaroundTo workaround the issue,
  1. Modify "nw" to "Nw" in /etc/rsyslog.nw.conf.  This can be done despite the warning 'Do not edit it!' within the file.  If you prefer you can created a backup of the rsyslog.nw.conf prior to making the change.
  2. After saving the file changes, restart the rsyslog service by running the following command:
service rsyslog restart