Article Content
Article Number: 000034620

Applies To: RSA Product Set: Security Analytics; RSA Product/Service Type: SA Core Appliance
Issue: The customer wishes to capture syslog traffic on multiple interfaces, but syslog traffic is only being captured on a single interface.
Tasks: Make sure that the following are true:

1. Syslog is listening on all interfaces. `netstat -na | grep 514` shows that the log decoder is listening on port 514. The output should be similar to:

   ```
   tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
   ```

2. Firewall rules allow syslog traffic in. The following line should be visible in /etc/sysconfig/iptables:

   ```
   -A INPUT -p tcp -m multiport --ports 514 -m comment --comment "4 Syslog TCP Port" -j ACCEPT
   ```
Resolution: If the system is listening on port 514 on all interfaces, then you may be hitting a feature of CentOS 6 where incoming traffic arrives on the interface but is dropped by the kernel. The packets are dropped by the reverse path filter when the routing table indicates that traffic from that source address should have arrived on a different interface.

Add the following lines to /etc/sysctl.conf to ensure that any dropped traffic is being logged. The line `net.ipv4.conf.all.rp_filter=0` disables the reverse path filter on all interfaces:

```
net.ipv4.conf.all.rp_filter=0
```

For the change to take effect, run:

```
sysctl -p
```

For more information see:

- https://access.redhat.com/solutions/53031
- https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
Notes: To disable reverse path filtering on a single interface (for example em3), use the syntax:

```
net.ipv4.conf.em3.rp_filter=0
```
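As an added example (not part of the RSA article), the following POSIX shell script reads `sysctl`-style rp_filter output and reports which interfaces are still strictly filtered, so you can confirm the fix took effect before and after `sysctl -p`. It relies on the kernel's documented rule that the effective mode of an interface is the maximum of the `all` value and the per-interface value, so a per-interface 0 only has effect once `net.ipv4.conf.all.rp_filter` is also 0; the sample sysctl output below is constructed.

```shell
#!/bin/sh
# Added example, not RSA's code: audit reverse-path-filter state from
# sysctl output. Constructed sample of
#   sysctl -a 2>/dev/null | grep rp_filter
# on a CentOS 6 host with three interfaces, before the article's fix.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.em1.rp_filter = 1
net.ipv4.conf.em2.rp_filter = 0
net.ipv4.conf.em3.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0'

# Print "<iface> <effective mode>" for every interface in the sysctl
# output passed as $1. Modes: 0 = off, 1 = strict (asymmetric traffic is
# dropped), 2 = loose. The kernel uses max(all, <iface>), so all=1
# enforces strict filtering even where the interface value is 0.
rp_filter_effective() {
    printf '%s\n' "$1" | awk -F' *= *' '
        $1 ~ /^net\.ipv4\.conf\./ {
            split($1, p, ".")
            mode[p[4]] = $2
        }
        END {
            all = ("all" in mode) ? mode["all"] : 0
            for (i in mode) {
                if (i == "all" || i == "default") continue
                eff = (mode[i] > all) ? mode[i] : all
                print i, eff
            }
        }' | sort
}

# Space-separated list of interfaces whose effective mode is strict (1):
# syslog arriving on them from a source routed via another interface
# will be silently dropped.
rp_filter_strict_ifaces() {
    rp_filter_effective "$1" | awk '$2 == 1 { print $1 }' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Live use: rp_filter_strict_ifaces "$(sysctl -a 2>/dev/null | grep rp_filter)"
echo "Strictly filtered interfaces: $(rp_filter_strict_ifaces "$SAMPLE_SYSCTL")"
```

Re-running the audit after setting `net.ipv4.conf.all.rp_filter=0` shows only interfaces whose own value is still 1, which is why a per-interface override alone does not clear the drops.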