Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000033851 - Unable to see syslog event source logs from VLC in RSA Security Analytics

Document created by RSA Customer Support

on Aug 31, 2016•Last modified by RSA Customer Support

on Apr 22, 2017

Version 3Show Document

Like • Show 2 Likes2
Comment • 0
View in full screen mode

Article Content

Article Number	000033851
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: SA Core Appliance, SA Virtual Log Collector RSA Version/Condition: 10.5.X, 10.6.X
Issue	Although Syslog Event Source device is correctly configured to push logs to VLC and the events are received by VLC as confirmed by tcpdump capture with the command tcpdump -i any host <event source device ip address>, the logs (i.e. sessions) are not available in Investigation. - No backlog messages for syslog queue in VLC as below. [root@XXXX ~]# rabbitmqctl list_queues -p logcollection consumers name messages Listing queues ... 1 rabbitmq.log 0 1 shovel.checkpoint.test 0 1 shovel.cmdscript.test 0 1 shovel.file.test 0 1 shovel.netflow.test 0 1 shovel.odbc.test 0 1 shovel.sdee.test 0 1 shovel.snmptrap.test 0 1 shovel.syslog.test 0 1 shovel.vmware.test 0 1 shovel.windows.test 0 - No errors in /var/log/messages relevant to Event Source IP address.
Cause	This issue might be due to Syslog configuration not yet configured in VLC.
Resolution	Please follow below steps to get syslog logs in the investigation page. 1. Login to Security Analytics GUI as administrator. 2. Navigate to Administration->Services->VLC->view->Config->Event Sources->Syslog/Config. 3. Configure port number for both syslog-tcp and syslog-udp configuration as below. TCP: UDP: 4. Verify Investigation page to see syslog logs.

Attachments

Outcomes

0 Comments

Incoming Links

Re: Collecting SysLog on a Remote Log Collector