This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
KentSaunders
Beginner
Beginner
‎2011-06-08 05:48 PM

Syslog Relay Headers

 

According to support, when using a Syslog-NG server, the Syslog-NG server itself should have "Remove relay headers" de-selelected, and all the devices that are being forwarded should have it selected.  But in working with my client, all messages coming across are undefined for AIX, Linux and Solaris when we set it up this way.  The devices are "discovered" as unknown, and we have to manually set the device type.

 

Here is an example of an AIX SU event. 

 

Mar  2 15:14:36 WebServer1 su: BAD SU from 1.2.3.4 to root at /dev/pts/1

 

In enVision event viewer , we have the Index  |  Date/Time  |  Device  |   and then the Event, which does not contain the date/time or hostname.....

 

Here is what we see in the event field:

 

su:  from root to oracle at /dev/pts/3


sshd[1234567]: Accepted password for xxxxxxx from 1.1.1.1 port 999 ssh2

 

Shouldn't they read:

 

Jun 8 12:40:33 1.1.1.1 su:  from root to oracle at /dev/pts/3

Jun 8 12:40:33 1.1.1.1sshd[1234567]: Accepted password for xxxxxxx from 1.1.1.1 port 999 ssh2

 

Is this portion being removed by the remove relay header setting?  enVision does not appear to recognize the events without this info.  We created some dummy records in Solaris that had this date/time and host info, and the events were recognized. 

 

This was recognized as an event by enVision for Solaris:

 

Jun 8 12:40:33 1.1.1.1 cacao_launcher[3889]: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available

 

This was *not* recognized:

 

cacao_launcher[3889]: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available

 

Any ideas???

 

Thanks,

KFS

 

0 Likes
Reply
9 Replies
RSAAdmin
Beginner
Beginner
‎2011-06-11 01:03 AM

So you are sending all of the hosts to a syslog-ng server which is then relaying the data to Envision?  If so, is there a reason? 

 

Paul

 

 

0 Likes
Reply
KentSaunders
Beginner
Beginner
In response to RSAAdmin
‎2011-06-11 10:19 AM

The reason is that the client wishes to do it this way.

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to KentSaunders
‎2011-06-11 10:59 AM

OK...to each their own. :smileywink:

 

Have you tried just leaving the Remove Relay settings as is?  I don't recall having to make any changes when I did this in the past...I just collected from the syslog-ng server and it worked. 

 

 

0 Likes
Reply
KentSaunders
Beginner
Beginner
In response to RSAAdmin
‎2011-06-11 12:24 PM

That is what we are doing.  enVision checks the "Remove Relay Headers" box automatically for all the downstream devices. 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to KentSaunders
‎2011-06-13 01:50 PM

I just meant, have you tried leaving the box checked for the syslog relay as well...that is what I meant by not remembering having to do anything.

 

Paul

 

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-06-13 01:57 PM

In the System Configuration...Services...Manage Collector Service is the "Support syslog relays:" box checked?

 

If you click on the On-line Help on this page and go to Support Syslog Relays link, there are 4 conditions:

 

Well-Formed, and its header contains the IP Address of the device.  - Preferred

 

Well-Formed, but its header contains a hostname rather than an IP address - envision attempts to resolve the hostname to IP address via the nic\csd\config\collectors\hostname.ini on the A-SRV or NAS and if successful uses the IP address to identify the sender.

 

Well-formed, but does not contain an IP address or a resolvable hostname - Envision uses the IP address embedded in the UDP header.

 

Not well-formed - Envision uses the IP address embedded in the UDP Header.

 

There is a good example on the help page.

 

Paul

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2011-06-16 11:20 AM

ksaunders,

 

We have a situation here that is strangely similar. The best solution we've found so far is:

 

keep_hostname(no); in syslog-ng (RSA doc says yes).

Remove Relay Headers should be UNchecked for the relay itself and also for the originating devices (RSA doc says unchecked for the relay, checked for the originating devices).

 

Also, despite what the pop-ups tell you, if you're changing the RRH setting, you need to restart the collector and possibly the locator service as well, and then wait a surprisingly long time.

 

Finally, after the discovery, the monitored systems need to be configured by hand. The system type and RRH checkbox seem to be set more or less at random, at least in a Unix environment with lots of different system types.

 

Please have your client try it, and be sure to share credit if it works. :smileytongue:

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-08-18 07:51 AM

Hi,

I want to know whether you installed syslog-ng server to collect logs and then transported it RSA envison.

Is this a feasible option?

If yes which syslog server can be used I have looking for Kiwi Syslog server and syslog ng.

Any reply on this wil be appreciated.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-08-18 12:52 PM

See the other posts on this same topic.  There are many viable options:

 

Kiwi

syslog-ng

rsyslog

 

Our professional services team also has an RSA Virtual Log Router available that can perform the same function.

 

Regards,

 

Paul

 

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.