Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance, SA Virtual Log Collector
RSA Version/Condition: 10.5.X, 10.6.X
Issue
Although the syslog event source device is correctly configured to push logs to the VLC, and the VLC receives the events (confirmed by a tcpdump capture with the command tcpdump -i any host <event source device ip address>), the logs (i.e. sessions) are not available in Investigation.
- There are no backlog messages for the syslog queue in the VLC, as shown by the following command:
  [root@XXXX ~]# rabbitmqctl list_queues -p logcollection consumers name messages
- There are no errors in /var/log/messages relating to the event source IP address.
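The three checks listed above (tcpdump sees packets from the source, the logcollection syslog queue holds nothing, and /var/log/messages is clean for that IP) together point at the listener not being configured. As an added example, not part of this RSA article and not RSA tooling, the POSIX shell helper below wraps exactly those checks: it classifies the output of the article's rabbitmqctl command and turns the three observations into one verdict. The queue name containing "syslog", the packet cap, the RUN_LIVE switch and the verdict labels are this example's own assumptions.

```shell
#!/bin/sh
# Added triage helper for the symptom in this article: syslog packets reach the
# VLC but nothing appears in Investigation. Not RSA tooling; it only wraps the
# commands the article already uses (tcpdump, rabbitmqctl, /var/log/messages).

# Classify a "rabbitmqctl list_queues -p logcollection consumers name messages"
# report read from stdin. Prints one line per queue:
#   OK <queue> | NO_CONSUMER <queue> | BACKLOG <queue> <messages>
classify_queues() {
  awk '
    /^Listing/ || /^\.\.\.done/ { next }      # rabbitmqctl banner lines
    NF == 3 {
      consumers = $1; name = $2; messages = $3
      if (consumers == 0)    printf "NO_CONSUMER %s\n", name
      else if (messages > 0) printf "BACKLOG %s %s\n", name, messages
      else                   printf "OK %s\n", name
    }'
}

# Combine the three observations into a verdict (labels are this example's own).
#   $1 = packets captured from the source, $2 = classify_queues line for the
#   syslog queue (or NONE), $3 = /var/log/messages lines mentioning the source IP
diagnose() {
  packets=$1; queue_state=$2; log_hits=$3
  if [ "$packets" -eq 0 ]; then
    echo "SOURCE_NOT_SENDING: no packets from the source; check the device and network path first"
  elif [ "$log_hits" -gt 0 ]; then
    echo "CHECK_MESSAGES: /var/log/messages has entries for the source IP; read them before changing config"
  else
    case "$queue_state" in
      BACKLOG*)     echo "QUEUE_BACKLOG: the queue is fed but drains slowly; not this article's case" ;;
      NO_CONSUMER*) echo "NO_CONSUMER: the syslog queue exists but nothing consumes it" ;;
      *)            echo "LISTENER_NOT_CONFIGURED: packets arrive but never reach the queue; configure the syslog-tcp/syslog-udp ports under Event Sources > Syslog" ;;
    esac
  fi
}

# Live run on a VLC as root: sample traffic, inspect the queue, grep the log.
live_triage() {
  src_ip=$1
  # packet lines go to stdout, tcpdump's own banner to stderr (discarded)
  packets=$(timeout 10 tcpdump -i any -nn -c 20 host "$src_ip" 2>/dev/null | wc -l)
  queue_state=$(rabbitmqctl list_queues -p logcollection consumers name messages \
                | classify_queues | grep -i 'syslog' | head -n 1)
  log_hits=$(grep -c -F "$src_ip" /var/log/messages || true)   # grep -c exits 1 on zero matches
  diagnose "$packets" "${queue_state:-NONE}" "$log_hits"
}

# Only touch the live system when explicitly asked:
#   RUN_LIVE=1 sh triage.sh <event source device ip address>
if [ "${RUN_LIVE:-0}" = "1" ] && [ -n "${1:-}" ]; then
  live_triage "$1"
fi
```

Without RUN_LIVE=1 the script defines the functions and exits, so classify_queues and diagnose can be exercised on saved rabbitmqctl output before anything is run on the appliance.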
Cause
This issue might be due to the syslog event source configuration (the syslog-tcp and syslog-udp listening ports) not yet having been configured in the VLC.
Resolution
Follow the steps below to get the syslog logs into the Investigation page.
1. Log in to the Security Analytics GUI as an administrator.
2. Navigate to Administration -> Services -> VLC -> View -> Config -> Event Sources -> Syslog/Config.
3. Configure a port number for both the syslog-tcp and syslog-udp configurations.
4. Check the Investigation page to verify that the syslog logs are now present.