Article Number | 000033851 |
Applies To | RSA Product Set: Security Analytics; RSA Product/Service Type: SA Core Appliance, SA Virtual Log Collector; RSA Version/Condition: 10.5.X, 10.6.X |
Issue |
Although the syslog event source device is correctly configured to push logs to the VLC, and the events are confirmed to arrive at the VLC by a tcpdump capture (tcpdump -i any host <event source device ip address>), the logs (i.e. sessions) are not available in Investigation.
- There are no backlogged messages on the syslog queue in the VLC, as shown below (columns: consumers, name, messages):
    [root@XXXX ~]# rabbitmqctl list_queues -p logcollection consumers name messages
    Listing queues ...
    1 rabbitmq.log 0
    1 shovel.checkpoint.test 0
    1 shovel.cmdscript.test 0
    1 shovel.file.test 0
    1 shovel.netflow.test 0
    1 shovel.odbc.test 0
    1 shovel.sdee.test 0
    1 shovel.snmptrap.test 0
    1 shovel.syslog.test 0
    1 shovel.vmware.test 0
    1 shovel.windows.test 0
- There are no errors in /var/log/messages relating to the event source IP address. |
Cause | This issue can occur when the syslog event source has not yet been configured on the VLC, so no syslog listener is set up to accept the incoming events. |
Resolution |
Follow the steps below to get the syslog logs into the Investigation page.
1. Log in to the Security Analytics GUI as an administrator.
2. Navigate to Administration -> Services -> VLC -> view -> Config -> Event Sources -> Syslog/Config.
3. Configure the port number for both the syslog-tcp and syslog-udp configurations, as shown below.
   TCP: (screenshot of the syslog-tcp configuration, not reproduced here)
   UDP: (screenshot of the syslog-udp configuration, not reproduced here)
4. Check the Investigation page to confirm that the syslog logs now appear. |
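The following POSIX shell helper is an added example and is not part of the RSA article: it parses the output of the rabbitmqctl command quoted in the Issue section and maps the state of the shovel.syslog.test queue to the article's next troubleshooting step. The queue names come from the article; the sample listings, and in particular the 250-message backlog, are constructed.

```shell
#!/bin/sh
# Added helper, not part of the RSA article. Parses the output of
#   rabbitmqctl list_queues -p logcollection consumers name messages
# (columns: consumers, name, messages) and reports which of the article's
# conditions applies. Feed it real output on stdin, e.g.:
#   rabbitmqctl list_queues -p logcollection consumers name messages | diagnose

# Print "name messages" for every queue with a non-zero message count.
backlogged_queues() {
  awk 'NF == 3 && $3 ~ /^[0-9]+$/ && $3 > 0 { print $2, $3 }'
}

# Return 0 when shovel.syslog.test has no backlog, 1 when it has a backlog,
# 2 when the queue is missing from the listing altogether.
syslog_queue_state() {
  awk '
    NF == 3 && $2 == "shovel.syslog.test" { found = 1; if ($3 + 0 > 0) backlog = 1 }
    END { if (!found) exit 2; exit (backlog ? 1 : 0) }'
}

# Map the queue state to the next troubleshooting step from the article.
diagnose() {
  if syslog_queue_state; then rc=0; else rc=$?; fi
  case $rc in
    0) echo "no syslog backlog: check Event Sources > Syslog/Config ports on the VLC" ;;
    1) echo "syslog queue backlogged: events are queued but not consumed downstream" ;;
    *) echo "shovel.syslog.test not listed: confirm the command ran on the VLC with -p logcollection" ;;
  esac
}

# Constructed sample matching the healthy listing in the article (all zero).
SAMPLE_HEALTHY='Listing queues ...
1 rabbitmq.log 0
1 shovel.checkpoint.test 0
1 shovel.syslog.test 0
1 shovel.windows.test 0'

# Constructed sample with a backlog of 250 messages on the syslog queue.
SAMPLE_BACKLOG='Listing queues ...
1 rabbitmq.log 0
1 shovel.syslog.test 250
1 shovel.windows.test 0'

printf '%s\n' "$SAMPLE_HEALTHY" | diagnose
printf '%s\n' "$SAMPLE_BACKLOG" | diagnose
```

A healthy listing with no backlog, as in the article, points at the missing syslog port configuration rather than at the queue itself.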