000017836 - SecOps - RSA Connector Framework (RCF) unable to parse Syslog - WARNING: Ignoring incoming syslog request. The log facility # did not match: #

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017836
Issue: SecOps - RSA Connector Framework (RCF) unable to parse Syslog - WARNING: Ignoring incoming syslog request. The log facility # did not match: #
 
Cause: This issue is caused by an incorrect alert configuration on the Security Analytics (SA) side. Because of the incorrect configuration, RCF is unable to match the alert's facility # with the one that is configured in RCF itself.
 
Resolution: To fix this issue, follow the steps below:
- Log in to the SA Admin site.
For Report Engine (RE):
- SA Administrator site > Reporting > Manage > Alert > Edit Alert.
- Browse to the 'Syslog' tab and change the 'Facility' # via the drop-down menu.
For Event Stream Analysis (ESA):
- Administration > Devices > Select Device > Select the "View" drop-down > Select "Config" > Select "Event Stream Analysis" > Select "Notifications".
- Change the Facility Number to the desired value via the drop-down.
*** Note: Make sure that the facility # selected here matches the facility # configured in the SecOps plug-in on the RCF server. To find this facility # in the SecOps plug-in on the RCF server, browse to '...\Program Files (x86)\EMC\RSA Connector Framework\config' while on the RCF server and look for the file named 'felix.properties'. Edit this file and search for the string 'syslog.server.facility='. The # at the end of the string is the facility #. ***
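
To confirm the mismatch before changing the drop-down, the facility can be decoded from a captured syslog message and compared with the value in 'felix.properties'. The following is an added example, not RSA code; it assumes the value after 'syslog.server.facility=' is the numeric facility code, and the sample properties text, host name and messages are constructed.

```python
import re

# Syslog facility names by numeric code (RFC 3164 / RFC 5424).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()

# Constructed stand-in for felix.properties; only the syslog.server.facility
# key comes from the article, the other line is a made-up placeholder.
SAMPLE_PROPERTIES = """\
# constructed sample
example.placeholder.key=value
syslog.server.facility=16
"""

def name(code):
    """Map a numeric facility code to its conventional name."""
    return FACILITIES[code] if 0 <= code < len(FACILITIES) else "unknown"

def configured_facility(properties_text):
    """Return the number after 'syslog.server.facility=' (assumed numeric)."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "syslog.server.facility":
            return int(value.strip())
    raise KeyError("syslog.server.facility not set")

def message_facility(raw):
    """Decode the facility from the <PRI> header: PRI = facility * 8 + severity."""
    m = re.match(r"<(\d{1,3})>", raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> header")
    return int(m.group(1)) >> 3

def check(properties_text, raw):
    """Return (matches, explanation) for one captured syslog message."""
    want, got = configured_facility(properties_text), message_facility(raw)
    return got == want, (f"message facility {got} ({name(got)}), "
                         f"RCF expects {want} ({name(want)})")

if __name__ == "__main__":
    # Constructed messages: <134> is local0.info, <142> is local1.info.
    for msg in ("<134>Jun 14 10:00:00 sa-host constructed alert",
                "<142>Jun 14 10:00:05 sa-host constructed alert"):
        print(check(SAMPLE_PROPERTIES, msg))
```

A result of False means the sender's facility differs from the one RCF expects, which is the condition behind the "log facility # did not match" warning.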

 
Legacy Article ID: a65917
