The DLP Datacenter worker servers are still syslogging to my old SIEM.
I have made the global SIEM configuration change to the new IP, but I'm not sure how to configure the worker servers to log to the correct new SIEM.
Hi Matty Farrington,
You change the SIEM configuration settings by going to the RSA DLP EM UI > Admin > Settings > SIEM Configuration.
The syslog messages sent to enVision consist of a TAG followed by the MESSAGE. The MESSAGE consists of a unique MESSAGEID followed by the CONTENT of the message.
Please find attached page 252 of the RSA DLP 9.6 Network user guide for further insight on configuring the SIEM, and the RSA DLP syslog messages guide, which gives a full explanation of the messages generated by the RSA DLP EM. The EM aggregates logs from the downstream nodes and sends them, in the format described in the attached document, to the RSA enVision SIEM appliance.
Hope the provided information satisfies your inquiry!
Download links for supportive documents:
Just to be clear, there is no separate configuration for syslogging from any other DLP server other than the Enterprise Manager?
They all feed into the EM, which we then send on using the global SIEM config as described?
That's correct; the EM UI is the only location for the global DLP SIEM configuration.
Another approach, if you want to treat each of the DLP server nodes as an individual event_source for your SIEM, is to perform the required configuration on each DLP server node in line with its OS type and version.
Your Datacenter servers are Windows-based, so each DLP server can be treated as an MS Windows server event_source for your SIEM.
Your DLP Network servers are CentOS-based, so each DLP Network server can be treated as a Linux/CentOS event_source for your SIEM.
The file LongArm.v8.Agent.exe.user, on our worker servers, contains a reference to our old SIEM.
    <syslog_server>
        <hostname>10.10.10.192</hostname>
        <port dotNetType="System.Int32">514</port>
        <bootstrap_messages dotNetType="System.Int32">1</bootstrap_messages>
    </syslog_server>
How is this value set?
Do we change this manually to
Upon committing the change in the EM UI (from the SIEM Configuration tab), you can go to the Admin tab > Datacenter > Configuration & status > click on Enterprise-coordinator > Edit > Advanced > Recover. Then re-check after 5 minutes whether the values in that file have changed or not.
I checked a few servers and the IP did NOT update with the new IP as set in the EM UI.
This is expected behaviour. The problem is, the SC does not contact the GW unless and until you initiate a scan, so any configuration change you make in the EM console gets pushed to the GW only when you initiate a scan.
The solution for this is that you can either change it manually, or (the best way) initiate a scan (make sure the GW that you have the problem with is included in the scan group you are scanning). You can stop the scan at the commissioning phase if you don't want to run a full scan. This will change the configuration file on the GW to reflect the changes you made in the EM console.
Hope this helps. Let us know if you have any questions.
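The check the thread describes by hand ("re-check whether the values in that file have changed") is easy to automate across worker nodes. The script below is an added example, not RSA's code and not something from the thread: it extracts the `<syslog_server>` block quoted above from each node's LongArm.v8.Agent.exe.user file and reports which nodes still point at a stale SIEM. The server names, the new SIEM address 10.10.20.50 and the sample file contents are constructed for the example; only the XML structure and the old address 10.10.10.192 come from the post.

```python
"""Audit DLP worker nodes' LongArm.v8.Agent.exe.user files for a stale SIEM target.
Added example, not RSA's code. Sample file contents below are constructed from the
<syslog_server> fragment quoted in the thread; server names and NEW_SIEM are made up."""
import re
import xml.etree.ElementTree as ET

OLD_SIEM = "10.10.10.192"   # address quoted in the thread
NEW_SIEM = "10.10.20.50"    # hypothetical new SIEM address

# The .user file is a larger XML document; we only care about the syslog_server block.
SYSLOG_BLOCK = re.compile(r"<syslog_server>.*?</syslog_server>", re.S)


def syslog_target(config_text):
    """Return (hostname, port) from the first <syslog_server> block, or None if absent."""
    m = SYSLOG_BLOCK.search(config_text)
    if not m:
        return None
    node = ET.fromstring(m.group(0))
    host = node.findtext("hostname")
    port = node.findtext("port")          # dotNetType attribute is ignored by findtext
    return (host.strip() if host else None, int(port) if port else None)


def audit(configs, expected_host, expected_port=514):
    """configs: {server_name: file_text}. Returns {server_name: status string}."""
    report = {}
    for name, text in configs.items():
        target = syslog_target(text)
        if target is None:
            report[name] = "no syslog_server block"
        elif target == (expected_host, expected_port):
            report[name] = "ok"
        else:
            report[name] = "stale: %s:%s" % target
    return report


def load_configs(paths):
    """Read {server_name: path} into {server_name: file_text} (files copied off the nodes)."""
    return {name: open(path, encoding="utf-8").read() for name, path in paths.items()}


def _user_file(siem_host):
    """Build a constructed .user document with the syslog_server block from the thread."""
    return """<config>
  <syslog_server>
    <hostname>%s</hostname>
    <port dotNetType="System.Int32">514</port>
    <bootstrap_messages dotNetType="System.Int32">1</bootstrap_messages>
  </syslog_server>
</config>""" % siem_host


# Constructed sample: one node still stale (scan not yet run), one updated, one malformed.
SAMPLE_CONFIGS = {
    "dc-worker-01": _user_file(OLD_SIEM),
    "dc-worker-02": _user_file(NEW_SIEM),
    "dc-worker-03": "<config><other/></config>",
}

if __name__ == "__main__":
    for server, status in sorted(audit(SAMPLE_CONFIGS, NEW_SIEM).items()):
        print("%-14s %s" % (server, status))
```

Run it against copies of the .user files pulled from each worker (for example via `load_configs`) before and after the commissioning-phase scan; any node still reported as `stale` was not in the scan group that was run.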
Initiating a scan solved the problem, thank you!