Article Content
Article Number | 000017836 |
Issue | SecOps - RSA Connector Framework (RCF) unable to parse Syslog - WARNING: Ignoring incoming syslog request. The log facility # did not match: # |
Cause | This issue is caused by an incorrect alert configuration on the Security Analytics (SA) side. Because of the incorrect configuration, RCF is unable to match the alert's facility # with the one that is configured in RCF itself. |
Resolution | To fix this issue, follow the steps below:
- Log in to the SA Admin site.

For Report Engine (RE):
- SA Administrator site > Reporting > Manage > Alert > Edit Alert.
- Browse to the 'Syslog' tab and change the 'Facility' # via the drop-down menu.

For Event Stream Analysis (ESA):
- Administration > Devices > Select Device > Select "View" drop-down > Select "Config" > Select "Event Stream Analysis" > Select "Notifications"
- Change the Facility Number to the desired value via the drop-down.

*** Note: Make sure that the facility # selected here matches the facility # configured in the SecOps plug-in on the RCF server. To find this facility # in the SecOps plug-in, browse to '...\Program Files (x86)\EMC\RSA Connector Framework\config' on the RCF server and look for the file named 'felix.properties'. Edit this file and search for the string 'syslog.server.facility='. The # at the end of the string is the facility #. *** |
Legacy Article ID | a65917 |
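
To confirm a mismatch before changing the drop-down, the following added example (not RSA code and not part of the original article) decodes the facility from a captured syslog message's `<PRI>` header, where PRI = facility * 8 + severity, and compares it with the value in `felix.properties`. It assumes `syslog.server.facility` holds the numeric facility code; the function names, sample messages and properties excerpt are constructed for illustration.

```python
import re

# Common syslog facility names, indexed by facility code (0-23).
FACILITY_NAMES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp security console solaris-cron local0 local1 local2 local3 local4 "
    "local5 local6 local7"
).split()

def facility_of(message: str) -> int:
    """Return the facility code carried in the leading <PRI> of a syslog message."""
    m = re.match(r"<(\d{1,3})>", message)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> header at start of message")
    return int(m.group(1)) // 8  # PRI = facility * 8 + severity

def configured_facility(properties_text: str) -> int:
    """Read syslog.server.facility from felix.properties content.
    Assumption: the value is the numeric facility code."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")):  # properties-file comment lines
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "syslog.server.facility":
            return int(value.strip())
    raise KeyError("syslog.server.facility not set")

def compare(message: str, properties_text: str) -> tuple:
    """Return (sent, expected, matches) for one captured message."""
    sent, expected = facility_of(message), configured_facility(properties_text)
    return sent, expected, sent == expected

# Constructed samples: PRI 134 = 16*8 + 6 (local0), PRI 142 = 17*8 + 6 (local1).
SAMPLE_PROPERTIES = "# constructed excerpt\nsyslog.server.facility=17\n"
SAMPLE_MISMATCH = "<134>Jan 12 10:15:02 sa-host alert: constructed test message"
SAMPLE_MATCH = "<142>Jan 12 10:15:09 sa-host alert: constructed test message"

if __name__ == "__main__":
    for msg in (SAMPLE_MISMATCH, SAMPLE_MATCH):
        sent, expected, ok = compare(msg, SAMPLE_PROPERTIES)
        print(f"sent={sent} ({FACILITY_NAMES[sent]}) "
              f"expected={expected} ({FACILITY_NAMES[expected]}) "
              f"{'match' if ok else 'MISMATCH'}")
```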