Unable to see syslog event source logs from VLC in RSA Security Analytics
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance, SA Virtual Log Collector
RSA Version/Condition: 10.5.X, 10.6.X
Although the Syslog event source device is correctly configured to push logs to the VLC, and the VLC is receiving the events (as confirmed by a tcpdump capture with the command tcpdump -i any host <event source device ip address>), the logs (i.e. sessions) are not available in Investigation. In addition:
- There are no backlog messages for the syslog queue on the VLC.
- There are no errors in /var/log/messages relating to the event source IP address.
This issue may occur because the Syslog collector configuration has not yet been set up on the VLC.
Please follow the steps below to get the syslog logs to appear in the Investigation page.
1. Log in to the Security Analytics GUI as administrator.
2. Navigate to Administration->Services->VLC->view->Config->Event Sources->Syslog/Config.
3. Configure the port number for both the syslog-tcp and syslog-udp configurations.
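The checks above (packets visible in tcpdump, no listener actually collecting them) can be scripted on the VLC itself. The following is an added triage helper, not RSA tooling from the original article; it assumes a Linux VLC with `ss` available, and the port 514, IP 192.0.2.10, `ss` output and log line are constructed placeholders that you would replace with the port configured under Syslog/Config, the real event source address, and live `ss -lntu` / /var/log/messages input.

```shell
#!/bin/sh
# Added triage helper (not RSA's own tooling). Assumes a Linux VLC with `ss`.
# Port 514 and IP 192.0.2.10 below are constructed placeholders.

# Does `ss -lntu` output on stdin show a listener for PROTO (tcp|udp) on PORT?
# Data lines look like: "udp UNCONN 0 0 0.0.0.0:514 0.0.0.0:*", so the local
# address is field 5 and the port is the text after its last ":".
# Exit 0 when a matching listener is bound, 1 when it is not.
listener_bound() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto { n = split($5, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Count log lines on stdin (e.g. /var/log/messages) that mention the source IP.
log_mentions() {
    grep -cF -- "$1" || true   # grep -c exits 1 on zero matches; keep the count
}

# Combine the observations into a verdict.
#   $1: 1 if tcpdump showed packets from the event source, else 0
#   $2: 1 if a syslog listener is bound on the VLC, else 0
verdict() {
    if [ "$1" = 0 ]; then
        echo "no-traffic"        # nothing arrives: fix the event source / network
    elif [ "$2" = 0 ]; then
        echo "no-listener"       # traffic arrives but nothing collects it:
                                 # configure Syslog/Config ports on the VLC
    else
        echo "check-parser"      # bound and receiving: look further downstream
    fi
}

# Constructed sample input: no syslog listener, only sshd and chrony bound.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*'

# Constructed sample log line with no mention of the event source.
LOG_SAMPLE='Jan  1 10:00:00 vlc sshd[1]: Accepted publickey for admin'

# Run the whole check against the samples. On a live VLC you would pipe
# `ss -lntu` and /var/log/messages in instead, and set $3 from
# `tcpdump -i any -c 5 host <ip>` (1 if any packets were captured).
run_check() {
    port="$1"; ip="$2"; saw_packets="$3"
    bound=0
    printf '%s\n' "$SS_SAMPLE" | listener_bound udp "$port" && bound=1
    mentions=$(printf '%s\n' "$LOG_SAMPLE" | log_mentions "$ip")
    echo "$(verdict "$saw_packets" "$bound") udp-bound=$bound log-mentions=$mentions"
}

run_check 514 192.0.2.10 1
```

The "no-listener" verdict is the situation this article describes: the capture proves the event source is sending, the log shows no errors for its address, and the missing piece is the syslog-tcp/syslog-udp port configuration on the VLC.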