Syslog Relay Headers
According to support, when using a Syslog-NG server, the Syslog-NG server itself should have "Remove relay headers" de-selected, and all the devices that are being forwarded should have it selected. But in working with my client, all messages coming across are undefined for AIX, Linux and Solaris when we set it up this way. The devices are "discovered" as unknown, and we have to manually set the device type.
Here is an example of an AIX SU event.
Mar 2 15:14:36 WebServer1 su: BAD SU from 220.127.116.11 to root at /dev/pts/1
In the enVision event viewer, we have the Index | Date/Time | Device | and then the Event, which does not contain the date/time or hostname...
Here is what we see in the event field:
su: from root to oracle at /dev/pts/3
sshd: Accepted password for xxxxxxx from 18.104.22.168 port 999 ssh2
Shouldn't they read:
Jun 8 12:40:33 22.214.171.124 su: from root to oracle at /dev/pts/3
Jun 8 12:40:33 126.96.36.199 sshd: Accepted password for xxxxxxx from 188.8.131.52 port 999 ssh2
Is this portion being removed by the remove relay header setting? enVision does not appear to recognize the events without this info. We created some dummy records in Solaris that had this date/time and host info, and the events were recognized.
This was recognized as an event by enVision for Solaris:
Jun 8 12:40:33 184.108.40.206 cacao_launcher: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available
This was *not* recognized:
cacao_launcher: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available
OK...to each their own.
Have you tried just leaving the Remove Relay settings as is? I don't recall having to make any changes when I did this in the past...I just collected from the syslog-ng server and it worked.
In the System Configuration...Services...Manage Collector Service is the "Support syslog relays:" box checked?
If you click on the On-line Help on this page and go to Support Syslog Relays link, there are 4 conditions:
Well-Formed, and its header contains the IP Address of the device. - Preferred
Well-Formed, but its header contains a hostname rather than an IP address - enVision attempts to resolve the hostname to an IP address via the nic\csd\config\collectors\hostname.ini on the A-SRV or NAS and, if successful, uses the IP address to identify the sender.
Well-formed, but does not contain an IP address or a resolvable hostname - enVision uses the IP address embedded in the UDP header.
Not well-formed - enVision uses the IP address embedded in the UDP header.
There is a good example on the help page.
We have a situation here that is strangely similar. The best solution we've found so far is:
keep_hostname(no); in syslog-ng (RSA doc says yes).
Remove Relay Headers should be UNchecked for the relay itself and also for the originating devices (RSA doc says unchecked for the relay, checked for the originating devices).
Also, despite what the pop-ups tell you, if you're changing the RRH setting, you need to restart the collector and possibly the locator service as well, and then wait a surprisingly long time.
Finally, after the discovery, the monitored systems need to be configured by hand. The system type and RRH checkbox seem to be set more or less at random, at least in a Unix environment with lots of different system types.
Please have your client try it, and be sure to share credit if it works.
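The two replies above describe the same mechanism from two sides: the four header conditions enVision applies when "Support syslog relays" is on, and the syslog-ng keep_hostname() setting that decides what HOST field the relay forwards. The following Python model is an added example, not enVision or syslog-ng code. It assumes a constructed hostname.ini mapping, a constructed relay address of 10.0.0.1, and a simplified relay that only rewrites the HOST field (syslog-ng with use_dns(no) would put the peer's IP there; with use_dns(yes) it would put the resolved name). Feeding it the AIX line from the first post shows why a stripped header ends up attributed to the relay, and why keep_hostname(no) turns the message into the "preferred" case with an IP in the header.

```python
import ipaddress
import re
from typing import Dict, NamedTuple

# BSD/RFC 3164 header: optional <PRI>, timestamp "Mmm dd hh:mm:ss", HOST, MSG.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.+)$"
)

# Stand-in for the nic\csd\config\collectors\hostname.ini lookup on the A-SRV;
# the entry below is constructed for this example.
HOSTNAME_INI: Dict[str, str] = {"WebServer1": "10.0.0.11"}

RELAY_IP = "10.0.0.1"  # constructed address of the syslog-ng relay


class Identified(NamedTuple):
    device_ip: str  # address the collector would file the event under
    rule: str       # which of the four help-page conditions applied
    event: str      # what is left for the Event column


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def identify(line: str, udp_src: str,
             hostname_ini: Dict[str, str] = HOSTNAME_INI) -> Identified:
    """Apply the four conditions from the 'Support syslog relays' help page."""
    m = HEADER_RE.match(line)
    if m is None:
        # 4. Not well-formed: fall back to the UDP source, i.e. the relay.
        return Identified(udp_src, "not well-formed, UDP source used", line)
    host, msg = m.group("host"), m.group("msg")
    if is_ip(host):
        # 1. Well-formed with an IP in the header (preferred).
        return Identified(host, "well-formed, IP in header", msg)
    if host in hostname_ini:
        # 2. Hostname resolved through hostname.ini.
        return Identified(hostname_ini[host],
                          "well-formed, hostname resolved via hostname.ini", msg)
    # 3. Well-formed but the hostname cannot be resolved: UDP source again.
    return Identified(udp_src,
                      "well-formed, unresolvable hostname, UDP source used", msg)


def relay(line: str, peer_ip: str, keep_hostname: bool) -> str:
    """Model a syslog-ng relay forwarding a well-formed message.

    keep_hostname(yes): the HOST field passes through unchanged.
    keep_hostname(no) with use_dns(no): HOST is overwritten with the address
    of the peer the relay received the message from.
    """
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("relay model only handles well-formed messages")
    if keep_hostname:
        return line
    pri = f"<{m.group('pri')}>" if m.group("pri") else ""
    return f"{pri}{m.group('ts')} {peer_ip} {m.group('msg')}"


def strip_relay_header(line: str) -> str:
    """What 'Remove relay headers' leaves of a message: the bare event text,
    as the original poster saw it in the Event column."""
    m = HEADER_RE.match(line)
    return m.group("msg") if m else line


if __name__ == "__main__":
    aix = "Mar 2 15:14:36 WebServer1 su: BAD SU from 220.127.116.11 to root at /dev/pts/1"
    # Header stripped by the relay setting: the collector only sees the relay's address.
    print(identify(strip_relay_header(aix), RELAY_IP))
    # Header kept and HOST rewritten to the device's IP by keep_hostname(no).
    print(identify(relay(aix, peer_ip="10.0.0.11", keep_hostname=False), RELAY_IP))
```

The model also explains the Solaris test in the first post: the line with "Jun 8 12:40:33 184.108.40.206" in front is case 1, while the bare "cacao_launcher: ..." line is case 4 and is attributed to whatever address the UDP datagram came from, which behind a relay is the relay itself.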
I want to know whether you installed a syslog-ng server to collect logs and then transported them to RSA enVision.
Is this a feasible option?
If yes, which syslog server can be used? I have been looking at Kiwi Syslog Server and syslog-ng.
Any reply on this will be appreciated.
See the other posts on this same topic. There are many viable options:
Our professional services team also has an RSA Virtual Log Router available that can perform the same function.