This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
TomiReiman
Beginner
Beginner
‎2015-10-05 09:00 AM

SA 10.5.x and port 50514

Jump to solution

Hi,

 

We had to pause our scheduled upgrade from 10.4.0.1 via 10.4.1 to 10.5.0 because we failed to get any concrete information about the new port 50514, which is required from Audit logging. The 10.5 upgrade instructions document refers to the architecture picture found on SADocs, but I fail to see anything related to this port within the linked page.

 

Anyone able to tell from where to where does the port 50514 need to be opened? KB 000030600 references the port by accident, giving away that the protocol is UDP. Correct?

 

Really frustrating that these things cannot be found in the documentation, even though a link to the documentation is provided just above the mentioning of this new port.

Reply
1 Solution

Accepted Solutions
RSALinkTeamInac
Employee
Employee
‎2015-10-05 09:52 AM

Jump to solution

Hi Tom,

 

Sorry about the confusion.  Port 50514 is used for auditing purposes, as each Security Analytics component writes audit logs to the local syslog receiver that is listening on that port.  The internal ticket SACE-4108 is open to address the topic of adding the port to the Network Architecture and Ports page of the Security Analytics 10.5 User Guide.

 

Thanks,

Jeff

View solution in original post

0 Likes
Reply
4 Replies
RSALinkTeamInac
Employee
Employee
‎2015-10-05 09:52 AM

Jump to solution

Hi Tom,

 

Sorry about the confusion.  Port 50514 is used for auditing purposes, as each Security Analytics component writes audit logs to the local syslog receiver that is listening on that port.  The internal ticket SACE-4108 is open to address the topic of adding the port to the Network Architecture and Ports page of the Security Analytics 10.5 User Guide.

 

Thanks,

Jeff

View solution in original post

0 Likes
Reply
TomiReiman
Beginner
Beginner
In response to RSALinkTeamInac
‎2015-10-05 09:57 AM

Jump to solution

Hi Jeffrey,

 

Where is the target configured when talking about other components than the SA server? I believe on the SA server this is related to the Administration > Auditing settings (talking about 10.4.1). Should we encounter any troubles while upgrading to 10.5.0 if this port is not open, say, between a log hybrid an our SA server? I.e. are there checks for the port to be open in the installation procedure, which might halt the entire upgrade if the port was not open?

0 Likes
Reply
TomiReiman
Beginner
Beginner
‎2015-10-06 01:16 AM

Jump to solution

This link seems to resolve the issue:

 

Troubleshoot Global Audit Logging - RSA Security Analytics Documentation

 

The critical quote being "For centralized audit logging, each of the Security Analytics services writes audit logs to rsyslog listening on port 50514 using UDP on the local host."

 

Therefore, they way I understand this, is that each Security Appliance is forwarding its audit log to the localhost port 50514, and the logs then get forwarded to the Security Analytics server using Rabbit-MQ.

Reply
RSALinkTeamInac
Employee
Employee
In response to TomiReiman
‎2015-10-06 09:24 AM

Jump to solution

Hi Tom,

 

You are correct.  Each component sends audit logs to rsyslog listening on port 50514 and running on the same host.  Because it is a localhost communication, it is not required to open the port for accepting traffic from a different host.

 

Thanks,

Jeff

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.