VLC Syslog Warnings
We are getting bombarded on a VLC with these error messages. Any insights on what broke in the syslog input?
[syslog-udp.udp514] [processing] [Receiver WorkUnit] [processing] Unidentified content from 10.x.x.x received on receiver: '2016-08-31 08:15:10  <warning> reason=feed.ingress.hit type=module md5=DE7796EA41XXXXXXXXX'
Aug 31 07:14:05 NwLogCollector: [TCPConnector] [warning] Event data length is 0. This event will be ignored. Event data: Event: collection_meta: "lc.lpid" : "syslog.syslog-udp""lc.cid" : "VLC01""lc.msgtype" : "0""lc.ctype" : "syslog""lc.wuid" : "175""lc.esname" : "udp514""lc.estype"
Looks like your syslog event source (10.x.x.x) is not sending the correct format of syslog messages. NetWitness accepts RFC-5424 format syslog messages. RFC 5424 - The Syslog Protocol
Unidentified content from 10.x.x.x received on receiver
Thanks, Sravan, for the comments. The bigger point here is to understand the loss due to such warnings.
To verify, I've navigated using Investigator with the filter "log collector id = VLC ip address & Collection method = syslog" for the past 24 hours and could see valid device types being learned there, like solaris, trip, WLC, etc.
So, are we missing any syslog events here, or does it just throw warnings even though it's processed?
You may be getting logs from all other syslog devices in the investigation page. But you may not be seeing logs from the device which has errors as below. You can apply the filter device=10.X.X.X and verify.
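The format point raised in the first reply can be checked on the sender side before touching the collector. The Python below is an added example, not code from the thread or from NetWitness: it tests whether a line starts with an RFC 5424 header and decodes facility and severity from the PRI. The first sample is the payload quoted in the warning above; the other two lines, including `host01` and `feedsvc`, are constructed, and the check does not model how the Log Collector itself classifies input.

```python
import re

# RFC 5424 section 6: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>[!-~]{1,255}) (?P<app>[!-~]{1,48}) "
    r"(?P<procid>[!-~]{1,128}) (?P<msgid>[!-~]{1,32}) "
    r"(?:-(?= |$)|\[)"  # STRUCTURED-DATA: NILVALUE or the start of an SD-ELEMENT
)
LEADING_PRI = re.compile(r"^<(\d{1,3})>")


def classify(line):
    """Return (verdict, facility, severity); the last two are None without a valid PRI."""
    pri_match = LEADING_PRI.match(line)
    if not pri_match:
        return ("no-pri", None, None)  # no leading <PRI>, so no facility/severity
    pri = int(pri_match.group(1))
    if pri > 191:  # PRI = facility * 8 + severity, maximum 23 * 8 + 7
        return ("bad-pri", None, None)
    verdict = "rfc5424" if RFC5424_HEADER.match(line) else "pri-without-5424-header"
    return (verdict, pri >> 3, pri & 7)


SAMPLES = [
    # Payload quoted in the warning on this page (value truncated as posted)
    "2016-08-31 08:15:10  <warning> reason=feed.ingress.hit type=module md5=DE7796EA41XXXXXXXXX",
    # Constructed: same content behind an RFC 5424 header (local0.warning = 16*8+4 = 132)
    "<132>1 2016-08-31T08:15:10Z host01 feedsvc - - - reason=feed.ingress.hit type=module",
    # Constructed: BSD-style line with a PRI but no VERSION field
    "<132>Aug 31 08:15:10 host01 feedsvc: reason=feed.ingress.hit type=module",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample[:40])
```

The quoted payload comes back as `no-pri`: the `<warning>` token sits mid-line and is not a numeric priority, so there is no header to parse at all.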