|Applies To||RSA Security Analytics|
RSA Security Analytics Log Decoder
|Issue||RSA Security Analytics Log Decoder is receiving incomplete or corrupted events from syslog-ng relay.|
The total number of messages that the log decoder processes does not match the total number of events sent from the syslog-ng server.
tcpdump output shows: "Lost packets; UDP Checksum (chksum) errors" or similar UDP checksum errors.
|Cause||The issue is caused by a bug in the checksum calculation present in the libnet version 126.96.36.199 library required for the spoof-source function.|
This product is often used as a syslog relay. This solution describes why some syslog messages from syslog-ng server appear to be corrupted and how to resolve the issue.
Compile the latest libnet package and replace the existing one. The syslog-ng binary may also need to be recompiled using the --enable-spoof-source flag.
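To check whether relayed datagrams carry a valid UDP checksum, before and after replacing libnet, the checksum can be recomputed over the IPv4 pseudo-header (which includes the source address) and the UDP segment. The following is an added example, not RSA or syslog-ng code; the function names, the documentation-range addresses and the sample payload are constructed for illustration, and the input is assumed to be a raw IPv4 packet with the link-layer header already stripped.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 17, UDP length."""
    return src + dst + struct.pack("!BBH", 0, 17, udp_len)

def udp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum for a UDP segment whose checksum field is currently zero."""
    csum = ~ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) & 0xFFFF
    return csum or 0xFFFF                    # a computed 0 is sent as 0xFFFF

def check_ipv4_udp(packet: bytes) -> str:
    """Classify a raw IPv4 packet as 'ok', 'bad', 'no-checksum' or 'not-udp'."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        return "not-udp"
    udp = packet[(packet[0] & 0x0F) * 4:]    # skip the IP header (IHL words)
    udp_len = struct.unpack("!H", udp[4:6])[0] if len(udp) >= 8 else 0
    udp = udp[:udp_len]
    if udp_len < 8 or len(udp) != udp_len:
        return "bad"                         # truncated or inconsistent length
    if udp[6:8] == b"\x00\x00":
        return "no-checksum"                 # IPv4 lets the sender omit it
    total = ones_complement_sum(pseudo_header(packet[12:16], packet[16:20], udp_len) + udp)
    return "ok" if total == 0xFFFF else "bad"

def build_packet(src: str, dst: str, payload: bytes, corrupt: bool = False) -> bytes:
    """Constructed sample: IPv4 + UDP syslog datagram (IP header checksum left 0)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    length = 8 + len(payload)
    csum = udp_checksum(s, d, struct.pack("!HHHH", 514, 514, length, 0) + payload)
    if corrupt:
        csum = ((csum + 1) & 0xFFFF) or 1    # simulate a miscomputed checksum
    udp = struct.pack("!HHHH", 514, 514, length, csum) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + length, 0, 0, 64, 17, 0, s, d) + udp

if __name__ == "__main__":
    for bad in (False, True):                # constructed payload and addresses
        print(check_ipv4_udp(build_packet("192.0.2.10", "198.51.100.5", b"<13>constructed test", bad)))
```

A datagram classified as "bad" is one the receiving host would normally discard, which is consistent with the event-count mismatch described above.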
RSA does not support this third-party product. Our hardened appliances do not have compilers or development libraries installed.
BalaBit syslog-ng is an open source, third-party product. More information can be found at the following link: http://www.balabit.com/network-security/syslog-ng/
Further information on relaying log messages with syslog-ng (spoof-source):
|Legacy Article ID||a65758|