How to stop syslog collection at VLCs?
Can anyone please help me to stop collecting syslogs at VLCs? Is there any way so that I can drop syslogs from a particular source device.
Thanks and Regards,
- RSA NetWitness Endpoint
- RSA NetWitness Platform
Two questions in your question:
Stop collecting syslog and stop collecting from a specific host
Stop collecting syslog: you can stop the syslog collections on VLC under the event sources > syslog and also stop the service from starting under system
Stop collecting syslog from specific host: under event sources > syslog > filters you can define filters on that VLC to stop from a source IP or with events in the message or header. Then apply that filter to a syslog collection to make it apply to that particular port and protocol (UDP514 or TCP6514).
To stop collecting syslogs at VLC:
- in GUI go to Services
- for VLC select Actions View->System
- then Collection->Syslog->Stop
To disable particular source device, you need to remove IP of your VLC from the syslog sending configuration on this source.
VLC > Config > Event Sources > Filters > Create Filter … these are the options you can use to filter sources at the VLC. These are not available on a LC/LD (only on VLC).
Actually it was a single question. To be clear I want to stop syslogs from a source with xxx.xxx.xxx.xxx IP address at our VLC itself rather than removing IP of our VLC from syslog configuration at source.
If you want to physically stop the syslog packets from this particular source from reaching the VLC then you will need to
1) Stop the source from sending the syslog to the VLC OR
2) Block the syslog packets before they reach the VLC with a firewall rule
Or option 3 using the above screenshot set a filter rule for the VLC to drop based on the source IP.
Value = IP address to drop
Then set that filter rule in your syslog config so that it applies and you have now dropped the source IP from syslog collection. I have used this to successfully drop F5 healthcheck traffic from the mq pipeline.
See this blog for example:
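As an added illustration (not code from this thread or from RSA NetWitness), the Python model below mirrors the filter behaviour described in the answer above: a filter matches on source IP, header text, or message text, and only drops packets for the collection (protocol and port) it is attached to. The class names, the sample packets and the 10.0.0.5 source address are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Minimal RFC 3164 header: "<PRI>Mon dd hh:mm:ss host tag: msg" (header = up to the hostname)
HEADER_RE = re.compile(r"^<\d{1,3}>\w{3} [ \d]\d \d\d:\d\d:\d\d \S+")

@dataclass
class Filter:
    """One VLC-style drop filter: match on source IP/CIDR, header text, or message text."""
    name: str
    kind: str   # "source_ip" | "header" | "message"
    value: str  # IP or CIDR for source_ip, a substring for the other two
    def matches(self, src_ip, header, message):
        if self.kind == "source_ip":
            return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "header":
            return self.value in header
        if self.kind == "message":
            return self.value in message
        raise ValueError(f"unknown filter kind {self.kind!r}")

@dataclass
class Collection:
    """A syslog collection (one listener, e.g. UDP/514) and the filters attached to it."""
    protocol: str
    port: int
    filters: list
    def ingest(self, packets):
        """Apply the attached filters to (src_ip, raw) packets; return (kept, dropped)."""
        kept, dropped = [], []
        for src_ip, raw in packets:
            m = HEADER_RE.match(raw)
            header, message = (raw[:m.end()], raw[m.end():].strip()) if m else ("", raw)
            target = dropped if any(f.matches(src_ip, header, message) for f in self.filters) else kept
            target.append((src_ip, raw))
        return kept, dropped

# Constructed sample traffic; 10.0.0.5 stands in for the noisy source the question asks about.
SAMPLE_PACKETS = [
    ("10.0.0.5", "<134>Oct 11 22:14:15 lb01 healthcheck: GET /status"),
    ("10.0.0.9", "<34>Oct 11 22:14:16 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7"),
    ("10.0.0.5", "<134>Oct 11 22:14:17 lb01 healthcheck: GET /status"),
    ("10.0.0.12", "<86>Oct 11 22:14:18 srv02 sshd[1]: Failed password for root"),
]
def run(attach_filter):
    """A defined filter only drops traffic once it is attached to the collection."""
    drop_noisy = Filter("drop-noisy-source", "source_ip", "10.0.0.5")
    coll = Collection("UDP", 514, [drop_noisy] if attach_filter else [])
    kept, dropped = coll.ingest(SAMPLE_PACKETS)
    return len(kept), len(dropped)
```

Running `run(True)` returns `(2, 2)` and `run(False)` returns `(4, 0)`: the filter exists in both cases, but only the collection that has it attached stops the source.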
Thanks for your effort. I tried creating rule to drop traffic at VLC itself using your 3rd option but I could not get it done. I am still getting logs. Also in your link given, it is using F5 LTM that we don't have in our environment.