Article Content
Article Number | 000034620 |
Applies To | RSA Product Set: NetWitness Logs & Packets
RSA Product/Service Type: SA Core Appliance/Log Decoder
RSA Version/Condition: 10.6.x
Platform: CentOS
O/S Version: EL6 |
Issue | The customer wishes to capture syslog traffic on multiple interfaces. Unfortunately, syslog traffic is only being captured on a single interface. |
Tasks | Make sure that the following are true:
Syslog is listening on all interfaces
netstat -na | grep 514 shows that the log decoder is listening on port 514. The output should be similar to:
Firewall rules allow syslog traffic in
The following line should be visible in /etc/sysconfig/iptables
|
Resolution | If the system is listening on port 514 on all interfaces, you may be hitting a feature in CentOS 6 where incoming traffic arrives on the interface but is dropped by the kernel. The reverse path filter drops this traffic when the routing table suggests it should have arrived on a different interface.
Add the following lines in /etc/sysctl.conf to ensure that any dropped traffic is being logged.
The line net.ipv4.conf.all.rp_filter=0 disables the reverse path filter on all interfaces. Add the following line to your /etc/sysctl.conf file
For the change to take effect run
For more information see:
https://access.redhat.com/solutions/53031
https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/ |
Notes | To disable reverse path filtering on a single interface (for example em3) use the syntax
|
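To confirm which capture interfaces are still subject to the strict reverse path filter described in the Resolution and Notes, the following shell functions report the mode in effect per interface. This is an added example, not part of the original article or RSA tooling; the function names and the CONF_ROOT variable are hypothetical, and it assumes the kernel applies the higher of the conf/all and per-interface rp_filter values, as the kernel's ip-sysctl documentation describes.

```shell
#!/bin/sh
# Added example: report the reverse path filter mode the kernel applies per interface.
# Assumption: the effective mode is the higher of conf/all/rp_filter and
# conf/<iface>/rp_filter, so a per-interface 0 has no effect while "all" is 1.
# rp_filter values: 0 = off, 1 = strict, 2 = loose.

# CONF_ROOT is a hypothetical override so the functions can be pointed at a test tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the effective rp_filter value for one interface.
effective_rp_filter() {
    iface="$1"
    all=$(cat "$CONF_ROOT/all/rp_filter") || return 1
    own=$(cat "$CONF_ROOT/$iface/rp_filter") || return 1
    if [ "$all" -gt "$own" ]; then
        echo "$all"
    else
        echo "$own"
    fi
}

# Print every interface on which strict filtering (mode 1) is in effect.
# Syslog arriving on these interfaces from a source the routing table reaches
# through a different interface is dropped before the log decoder sees it.
strict_interfaces() {
    for dir in "$CONF_ROOT"/*/; do
        name=$(basename "$dir")
        case "$name" in
            all|default) continue ;;
        esac
        mode=$(effective_rp_filter "$name") || continue
        if [ "$mode" = "1" ]; then
            echo "$name"
        fi
    done
    return 0
}

# Run the report only when asked to, so the file can also be sourced.
if [ "${1:-}" = "report" ]; then
    strict_interfaces
fi
```

Run it with the argument `report` on the log decoder; an interface that still appears after the sysctl change has strict filtering in effect.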