000031804 - Reporting Engine alerts are not processed by UCF due to incorrect syslog message delimiter in RSA SecOps 1.3

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on May 29, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000031804
Applies ToRSA Product Set: Archer, Security Analytics
RSA Product/Service Type: SecOps, Reporting Engine
RSA Version/Condition: 1.3
Platform: Windows
O/S Version: 2008 R2, 2012, 2012 R2
IssueIn SecOps 1.3, user who does not utilize Incident Management in Security Analytics can use UCF to configure a Syslog endpoint to receive Reporting Engine alerts.

For the Reporting Engine to send alerts to UCF, it is necessary to configure syslog configuration in Security Analytics (Administration -> Services-> Reporting Engine -> Config -> Output Action).

There is a parameter called "Syslog Message Delimiter". You must set to LF in order for UCF to parse the alerts properly. Setting it to CR will cause UCF to trash the request without any process.

In SecOps 1.1, we can use delimiters such as CR.  Therefore, if you upgrade to SecOps 1.3, you will need to ensure to change the delimiter setting in the Syslog configuration
ResolutionThe cause of this issue is currently being investigated by the Engineering team so that it may be resolved in a future release.
If you are experiencing this issue, contact RSA Support and quote this article number for further assistance.
WorkaroundIn the Security Analytics UI:
  1. Go to Administration -> Services -> Reporting Engine -> Config -> Output Action.
  2. On the Syslog Configuration and modify the existing settings.
  3. Select LF in the Syslog Message Delimiter drop-down menu.

User-added image
4. Click "Save"