|Applies To||RSA Product Set: Archer, Security Analytics|
RSA Product/Service Type: SecOps, Reporting Engine
RSA Version/Condition: 1.3
O/S Version: 2008 R2, 2012, 2012 R2
|Issue||In SecOps 1.3, users who do not use Incident Management in Security Analytics can use UCF to configure a Syslog endpoint to receive Reporting Engine alerts.|
For the Reporting Engine to send alerts to UCF, the syslog output must be configured in Security Analytics (Administration -> Services -> Reporting Engine -> Config -> Output Action).
There is a parameter called "Syslog Message Delimiter". You must set it to LF in order for UCF to parse the alerts properly. Setting it to CR will cause UCF to discard the request without processing it.
In SecOps 1.1, delimiters such as CR can be used. Therefore, if you upgrade to SecOps 1.3, you must change the delimiter setting in the Syslog configuration.
|Resolution||The cause of this issue is currently being investigated by the Engineering team so that it may be resolved in a future release.|
If you are experiencing this issue, contact RSA Support and quote this article number for further assistance.
|Workaround||In the Security Analytics UI:|
4. Click "Save"
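
To check which delimiter the Reporting Engine actually emits after the change, the following added example (not RSA code) classifies the delimiter in raw bytes captured from the syslog connection. The alert text is constructed sample data, and `split_on_lf` is an assumed model of a generic LF-framed reader, not UCF's own parser.

```python
"""Classify the message delimiter in a captured syslog byte stream."""

# Constructed sample alerts; real Reporting Engine alert text will differ.
ALERTS = [
    b"<13>Jan 01 00:00:00 sa-host constructed-alert id=1",
    b"<13>Jan 01 00:00:05 sa-host constructed-alert id=2",
    b"<13>Jan 01 00:00:09 sa-host constructed-alert id=3",
]
LF_STREAM = b"".join(a + b"\n" for a in ALERTS)  # delimiter set to LF
CR_STREAM = b"".join(a + b"\r" for a in ALERTS)  # delimiter set to CR


def classify_delimiter(stream):
    """Return 'LF', 'CR', 'CRLF', 'mixed' or 'none' for the captured bytes."""
    crlf = stream.count(b"\r\n")
    lf = stream.count(b"\n") - crlf  # bare LF only
    cr = stream.count(b"\r") - crlf  # bare CR only
    kinds = [name for name, n in (("CRLF", crlf), ("LF", lf), ("CR", cr)) if n]
    if not kinds:
        return "none"
    return kinds[0] if len(kinds) == 1 else "mixed"


def split_on_lf(stream):
    """Frame messages as a generic LF-delimited reader would (assumed model)."""
    parts = stream.split(b"\n")
    # The last element is data still waiting for an LF; it is never delivered.
    return parts[:-1]


def report(stream):
    """Summarise a capture: delimiter seen and how many messages LF framing yields."""
    delimiter = classify_delimiter(stream)
    return {
        "delimiter": delimiter,
        "messages_framed": len(split_on_lf(stream)),
        "matches_required_setting": delimiter == "LF",
    }


if __name__ == "__main__":
    for name, stream in (("LF", LF_STREAM), ("CR", CR_STREAM)):
        print(name, report(stream))
```

With the CR-delimited capture an LF-framed reader never sees a complete message, so three alerts arrive as one unterminated buffer.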