000034620 - Capturing Syslog Traffic on Multiple Interfaces Fails in RSA NetWitness

Document created by RSA Customer Support Employee on Jan 13, 2017Last modified by RSA Customer Support on May 3, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000034620
Applies ToRSA Product Set: NetWitness Logs & Packets
RSA Product/Service Type: SA Core Appliance/Log Decoder
RSA Version/Condition: 10.6.x
Platform: CentOS
O/S Version: EL6
IssueThe customer wishes to capture syslog traffic on multiple interface.
Unfortunately syslog traffic is only being captured on a single interface.
TasksMake sure that the following are true:

Syslog Is Listening on all interfaces

netstat -na |grep 514 shows that the log decoder is listening on port 514. The output should be similar to:

tcp        0      0       *                   LISTEN
tcp        0      0      *                   LISTEN
tcp        0      0                  ESTABLISHED
tcp        0      0          ESTABLISHED
tcp        1      0          CLOSE_WAIT
tcp        0      0                  ESTABLISHED
tcp        0      0 :::514                      :::*                        LISTEN
tcp        0      0 :::6514                     :::*                        LISTEN
udp        0      0       *
udp        0      0   *
udp        0      0 :::514                      :::*

Firewall Rules allow Syslog traffic in

The following line should be visible in /etc/sysconfig/iptables

-A INPUT -p tcp -m multiport --ports 514 -m comment --comment "4 Syslog TCP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 514 -m comment --comment "4 Syslog UDP Port" -j ACCEPT

ResolutionIf the system is listening on port 514 on all interfaces, then you may be hitting a feature in CentOS 6 where incoming traffic arrives on the interface but is dropped by the kernel. This is dropped by the reverse path filter where the routing suggests the traffic should arrive on a different interface. 

Add the following lines in /etc/sysctl.conf to ensure that any dropped traffic is being logged. The line net.ipv4.conf.all.rp_filter=0 disables the reverse path filter on all interfaces. 

Add the following line to your /etc/sysctl.conf file 


For the change to take effect run

sysctl -p

For more information see: 

NotesTo disable reverse path filtering on a single interface (for example em3) use the syntax