000034620 - Capturing Syslog Traffic on Multiple Interfaces Fails in RSA NetWitness

Document created by RSA Customer Support Employee on Jan 13, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 3.

Article Content

Article Number000034620
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
 
Issue: The customer wishes to capture syslog traffic on multiple interfaces of the log decoder, but syslog traffic is only being captured on a single interface.
Tasks: Make sure that the following are true:

Syslog Is Listening on all interfaces


netstat -na | grep 514 shows that the log decoder is listening on port 514 on the wildcard address (0.0.0.0 for IPv4 and ::: for IPv6) rather than on one specific address; port 6514 is the TLS syslog listener. Output should be similar to:
 
tcp        0      0 0.0.0.0:514                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:6514                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:514               127.0.0.1:57446             ESTABLISHED
tcp        0      0 192.168.123.3:42466         192.168.123.27:514          ESTABLISHED
tcp        1      0 192.168.123.3:45272         192.168.123.27:514          CLOSE_WAIT
tcp        0      0 127.0.0.1:57446             127.0.0.1:514               ESTABLISHED
tcp        0      0 :::514                      :::*                        LISTEN
tcp        0      0 :::6514                     :::*                        LISTEN
udp        0      0 0.0.0.0:514                 0.0.0.0:*
udp        0      0 127.0.0.1:50514             0.0.0.0:*
udp        0      0 :::514                      :::*

Firewall Rules allow Syslog traffic in


The following lines should be visible in /etc/sysconfig/iptables (the saved ruleset loaded at boot; the running INPUT chain must contain the same ACCEPT rules):
 
-A INPUT -p tcp -m multiport --ports 514 -m comment --comment "4 Syslog TCP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 514 -m comment --comment "4 Syslog UDP Port" -j ACCEPT


 
Resolution: If the system is listening on port 514 on all interfaces and the firewall accepts the traffic, then you may be hitting a kernel feature in CentOS 6 where incoming traffic arrives on the interface but is dropped before it reaches the listener. The packets are dropped by the reverse path filter: in strict mode (rp_filter=1, the CentOS 6 default) the kernel discards any packet whose source address would be routed out through a different interface than the one it arrived on, which is exactly the situation with a multi-homed collector and asymmetric routing.
Add the following lines to /etc/sysctl.conf. The line net.ipv4.conf.all.rp_filter=0 disables the reverse path filter on all interfaces; the two log_martians lines make the kernel log any packet it still drops for this reason (look for "martian source" messages in /var/log/messages), which is how you confirm the diagnosis before and after the change. Note that disabling the filter removes the kernel's protection against source-address spoofing on every interface; where that is a concern, loose mode (rp_filter=2, which accepts a packet as long as its source is reachable via any interface) is a less drastic setting that still fixes this symptom.
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

For the change to take effect run
sysctl -p

For more information see: 
https://access.redhat.com/solutions/53031 
https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/ 
Notes: To disable reverse path filtering on a single interface (for example em3) use the syntax
 
net.ipv4.conf.em3.rp_filter=0

The kernel applies the higher of net.ipv4.conf.all.rp_filter and the per-interface value, so this per-interface line has no effect while net.ipv4.conf.all.rp_filter is still 1. To relax only em3, set net.ipv4.conf.all.rp_filter=0 as well and set net.ipv4.conf.<interface>.rp_filter=1 on the interfaces that should keep strict filtering.
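The following shell script is an added example and is not part of the RSA article or the NetWitness product. It turns the three checks above (wildcard listener on 514, iptables ACCEPT rules for both protocols, and the effective rp_filter per interface) into functions that run offline against constructed samples modelled on the article's own output, or against a live CentOS 6 host when invoked with the argument live. The function names are mine; /proc/sys/net/ipv4/conf/*/rp_filter and /etc/sysconfig/iptables are the standard CentOS 6 paths.

```sh
#!/bin/sh
# Added example (not from the RSA article): triage the three conditions the
# article lists for syslog capture on a multi-homed CentOS 6 log decoder.
# Each check takes its input as text, so it runs against the constructed
# samples below offline; "live" mode feeds it the real command output.

# Constructed sample inputs, modelled on the output shown in the article.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:514                 0.0.0.0:*                   LISTEN
tcp        0      0 :::514                      :::*                        LISTEN
udp        0      0 0.0.0.0:514                 0.0.0.0:*'
SAMPLE_IPTABLES='-A INPUT -p tcp -m multiport --ports 514 -m comment --comment "4 Syslog TCP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 514 -m comment --comment "4 Syslog UDP Port" -j ACCEPT'

# 1. Is the syslog listener bound to the wildcard address for TCP and UDP?
#    Argument: output of `netstat -na`. Returns 0 only when both
#    0.0.0.0:514 sockets exist; a 127.0.0.1 or single-address bind fails.
syslog_listens_everywhere() {
    printf '%s\n' "$1" | grep -Eq '^tcp +[0-9]+ +[0-9]+ +0\.0\.0\.0:514 .*LISTEN' || return 1
    printf '%s\n' "$1" | grep -Eq '^udp +[0-9]+ +[0-9]+ +0\.0\.0\.0:514 ' || return 1
}

# 2. Does the saved ruleset accept port 514 for both protocols?
#    Argument: contents of /etc/sysconfig/iptables.
firewall_accepts_syslog() {
    for proto in tcp udp; do
        printf '%s\n' "$1" | grep -Eq -- "^-A INPUT -p $proto .*--ports 514 .*-j ACCEPT" || return 1
    done
}

# 3. Effective rp_filter for one interface. The kernel applies
#    max(conf.all.rp_filter, conf.<if>.rp_filter), so setting only the
#    per-interface key to 0 changes nothing while "all" is still 1.
#    Arguments: value of conf.all.rp_filter, value of conf.<if>.rp_filter.
#    Prints 0 (off), 1 (strict) or 2 (loose).
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

rp_filter_verdict() {
    case "$(effective_rp_filter "$1" "$2")" in
        0) echo "off: packets from sources that route out another interface are accepted" ;;
        1) echo "strict: such packets are dropped (the symptom in the article)" ;;
        2) echo "loose: accepted as long as the source is reachable via some interface" ;;
        *) echo "unknown value" ;;
    esac
}

# Runs a check function and prints a one-line verdict named after it.
report() {
    if "$@"; then echo "OK:   $1"; else echo "FAIL: $1"; fi
}

# Offline demonstration against the constructed samples.
demo() {
    report syslog_listens_everywhere "$SAMPLE_NETSTAT"
    report firewall_accepts_syslog "$SAMPLE_IPTABLES"
    echo "em3 with all=1, em3=0 -> $(rp_filter_verdict 1 0)"   # per-interface 0 alone does not help
    echo "em3 with all=0, em3=0 -> $(rp_filter_verdict 0 0)"
    echo "em3 with all=2, em3=0 -> $(rp_filter_verdict 2 0)"
}

# Live mode for a CentOS 6 host (root needed to read the saved ruleset).
run_live() {
    report syslog_listens_everywhere "$(netstat -na)"
    report firewall_accepts_syslog "$(cat /etc/sysconfig/iptables)"
    all_rp=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    for d in /proc/sys/net/ipv4/conf/*/; do
        i=$(basename "$d")
        case "$i" in all|default|lo) continue ;; esac
        echo "$i: $(rp_filter_verdict "$all_rp" "$(cat "$d/rp_filter")")"
    done
}

if [ "${1:-}" = "live" ]; then run_live; else demo; fi
```

Run it with no arguments to see the offline demonstration, or as root with live on the appliance; an interface that reports strict while syslog sources behind it are logged as "martian source" is the case the Resolution section addresses.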
