|Issue||SecOps - RSA Connector Framework (RCF) unable to parse Syslog - WARNING: Ignoring incoming syslog request. The log facility # did not match: #|
|Cause||This issue is caused by an incorrect alert configuration on the Security Analytics (SA) side. Because of the incorrect configuration, RCF is unable to match the alert facility # with the one that is configured in RCF itself.|
|Resolution||To fix this issue, please follow the steps below:|
- Log in to the SA Admin site.
For Report Engine (RE):
- SA Administrator site > Reporting > Manage > Alert > Edit Alert.
- Browse to the 'Syslog' tab and change the 'Facility' # via the drop-down menu.
For Event Stream Analysis (ESA):
- Administration > Devices > Select Device > Select "View" drop-down > Select "Config" > Select "Event Stream Analysis" > Select "Notifications"
- Change the Facility Number to the desired value via the drop-down.
*** Note: Please make sure that the facility # selected here matches the facility # configured in the SecOps plug-in on the RCF server. To find the facility # in the SecOps plug-in, browse to '...\Program Files (x86)\EMC\RSA Connector Framework\config' on the RCF server and look for the file named 'felix.properties'. Edit this file and search for the string 'syslog.server.facility='. The # at the end of the string is the facility #. ***
|Legacy Article ID||a65917|
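
To confirm the mismatch described in the note above before changing anything, the following added example (not RSA's code and not part of the original article) compares the value after 'syslog.server.facility=' with the facility encoded in a captured syslog message. It assumes the value in 'felix.properties' is the standard numeric syslog facility code and that the sender emits a standard `<PRI>` header; the function names and sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from a real RCF or SA system).
SAMPLE_PROPERTIES = "# SecOps plug-in settings (constructed)\nsyslog.server.facility=16\n"
SAMPLE_MATCHING = "<134>Jan 12 10:15:00 sa-host alert: constructed sample"  # PRI 134 = 16*8 + 6
SAMPLE_MISMATCH = "<14>Jan 12 10:15:00 sa-host alert: constructed sample"   # PRI 14 = 1*8 + 6

PRI_RE = re.compile(r"^<(\d{1,3})>")  # <PRI> header that starts a syslog message


def configured_facility(properties_text):
    """Return the number after 'syslog.server.facility=' or None if the key is absent."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue  # skip comments and lines that are not key=value
        key, _, value = line.partition("=")
        if key.strip() == "syslog.server.facility":
            return int(value.strip())
    return None


def message_facility(syslog_line):
    """Decode the facility from the PRI value: PRI = facility * 8 + severity."""
    match = PRI_RE.match(syslog_line)
    if match is None:
        raise ValueError("no <PRI> header at start of message")
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8


def facility_matches(properties_text, syslog_line):
    """Return (match, configured, received) for one captured message."""
    configured = configured_facility(properties_text)
    received = message_facility(syslog_line)
    return configured == received, configured, received


if __name__ == "__main__":
    for sample in (SAMPLE_MATCHING, SAMPLE_MISMATCH):
        ok, want, got = facility_matches(SAMPLE_PROPERTIES, sample)
        print(f"configured={want} received={got} -> {'match' if ok else 'facility mismatch'}")
```

Feed it the contents of 'felix.properties' and one raw message captured on the RCF server's syslog port; a mismatch result identifies which side (SA alert or RCF plug-in) needs its facility changed.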