000033851 - Unable to see syslog event source logs from VLC in RSA Security Analytics

Document created by RSA Customer Support Employee on Aug 31, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000033851
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance, SA Virtual Log Collector
RSA Version/Condition: 10.5.X, 10.6.X
IssueAlthough Syslog Event Source device is correctly configured to push logs to VLC and the events are received by VLC as confirmed by tcpdump capture with the command tcpdump -i any host <event source device ip address>, the logs (i.e. sessions) are not available in Investigation.
- No backlog messages for syslog queue in VLC as below.
[root@XXXX ~]# rabbitmqctl list_queues -p logcollection consumers name messages
Listing queues ...
1       rabbitmq.log    0
1       shovel.checkpoint.test     0
1       shovel.cmdscript.test      0
1       shovel.file.test  0
1       shovel.netflow.test        0
1       shovel.odbc.test   0
1       shovel.sdee.test   0
1       shovel.snmptrap.test       0
1       shovel.syslog.test 0
1       shovel.vmware.test 0
1       shovel.windows.test       0

- No errors in /var/log/messages relevant to Event Source IP address.
CauseThis issue might be due to Syslog configuration not yet configured in VLC.
ResolutionPlease follow below steps to get syslog logs in the investigation page.
1. Login to Security Analytics GUI as administrator.
2. Navigate to Administration->Services->VLC->view->Config->Event Sources->Syslog/Config.
3. Configure port number for both syslog-tcp and syslog-udp configuration as below.
User-added image
User-added image
4. Verify Investigation page to see syslog logs.