000014997 - RSA Security Analytics Log Decoder is receiving incomplete or corrupted events from syslog-ng relay

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000014997
Applies To: RSA Security Analytics
RSA Security Analytics Log Decoder
BalaBit syslog-ng
Issue: RSA Security Analytics Log Decoder is receiving incomplete or corrupted events from a syslog-ng relay.
The total number of messages that the Log Decoder processes does not match the total number of events sent by the syslog-ng server.
tcpdump output shows "Lost packets; UDP Checksum (chksum) errors" or similar UDP checksum errors.
Cause: The issue is caused by a bug in the checksum calculation in the libnet 1.1.2.1 library, which the syslog-ng spoof-source function requires.
Resolution

syslog-ng is often used as a syslog relay. This solution describes why some syslog messages relayed from a syslog-ng server appear to be corrupted and how to resolve the issue.
In this case the syslog-ng server has the spoof-source function enabled to relay log messages to the Log Decoder; spoof-source uses libnet to build the relayed UDP datagrams itself so that they carry the original sender's source address, which is why a libnet checksum bug corrupts them.

Compile the latest libnet package and replace the existing one. The syslog-ng binary may also need to be recompiled with the --enable-spoof-source flag so that it links against the updated library.
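The checksum failures that tcpdump reports can be confirmed independently of the relay. The following is an added example, not code from the RSA article, syslog-ng or libnet: it recomputes the RFC 768 UDP checksum (IPv4 pseudo-header plus UDP segment) the same way a receiving host or tcpdump does before printing "bad udp cksum", and counts how many datagrams a Log Decoder would silently drop. The syslog line, the 10.0.0.0/8 addresses and UDP port 514 are constructed sample values.

```python
# Added example, not part of the RSA article: verify UDP checksums of raw IPv4 datagrams.
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    return ones_complement_sum(pseudo + zeroed) or 0xFFFF  # RFC 768: a computed 0 is sent as all ones

def udp_checksum_ok(ip_packet: bytes) -> bool:
    """True if the UDP checksum in an IPv4 packet verifies (a zero field means 'checksum not used')."""
    ihl = (ip_packet[0] & 0x0F) * 4
    src_ip, dst_ip = ip_packet[12:16], ip_packet[16:20]
    udp_len = struct.unpack("!H", ip_packet[ihl + 4:ihl + 6])[0]
    udp = ip_packet[ihl:ihl + udp_len]
    sent = struct.unpack("!H", udp[6:8])[0]
    return sent == 0 or udp_checksum(src_ip, dst_ip, udp) == sent

def build_syslog_datagram(src_ip: str, dst_ip: str, payload: bytes, bad_checksum: bool = False) -> bytes:
    """Constructed IPv4/UDP syslog datagram (port 514); bad_checksum mimics a sender that miscomputes it."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp = struct.pack("!HHHH", 514, 514, 8 + len(payload), 0) + payload
    csum = udp_checksum(src, dst, udp)
    if bad_checksum:
        csum = 1 if csum == 0xFFFF else csum + 1  # wrong value, but never zero (zero = "no checksum")
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, socket.IPPROTO_UDP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]  # IP header checksum
    return ip_hdr + udp

def audit(packets) -> dict:
    """Count datagrams a receiver would accept versus silently drop for a bad UDP checksum."""
    good = sum(1 for p in packets if udp_checksum_ok(p))
    return {"ok": good, "bad_checksum": len(packets) - good}

if __name__ == "__main__":
    msg = b"<13>Jun 16 10:00:00 web01 sshd[1]: Accepted publickey for ops from 10.0.0.5"
    relay = [build_syslog_datagram("10.0.0.5", "10.0.0.9", msg, bad_checksum=i % 3 == 0) for i in range(9)]
    print(audit(relay))  # {'ok': 6, 'bad_checksum': 3}
```

To run it against a real capture, feed each IPv4 packet's bytes (from the Ethernet payload onward) to udp_checksum_ok; the difference between the sent and accepted counts is the gap the article describes between the syslog-ng server and the Log Decoder.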

RSA does not support this third-party product. Our hardened appliances do not have compilers or development libraries installed.

Notes

BalaBit syslog-ng is an open source, third-party product. More information can be found at the following link: http://www.balabit.com/network-security/syslog-ng/

Further information on relaying log messages with syslog-ng (spoof-source):
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/en/syslog-ng-ose-v3.3-guide-admin-en/html/example-how-relaying-works.html

Legacy Article ID: a65758
