AnsweredAssumed Answered

How to stop syslog collection at VLCs?

Question asked by Nitin Maurya on May 16, 2018
Latest reply on May 17, 2018 by Eric Partington

Like • Show 0 Likes0
Comment • 7

Hi Community,

Can anyone please help me to stop collecting syslogs at VLCs? Is there any way so that I can drop syslogs from a particular source device.

Thanks and Regards,

Nitin Maurya

No one else has this question

Outcomes

7 Replies

Eric Partington May 16, 2018 9:02 AM
Mark Correct
Correct Answer
Two questions in your question:

Stop collecting syslog and stop collecting from a specific host

Stop collecting syslog: you can stop the syslog colelctions on VLC under the event sources > syslog and also stop the service from starting under system

Stop collecting syslog from specific host: under event sources > syslog > filters you can define filters on that VLC to stop from a source IP or with events in the message or header. Then apply that filter to a syslog collection to make it apply to that particular port and protocol (UDP514 or TCP6514).
Like • Show 0 Likes0
Actions
- Nitin Maurya @ Eric Partington on May 17, 2018 12:57 AM
  Mark Correct
  Correct Answer
  Hi Eric,
  
  Actually it was a single question. To be clear I want to stop syslogs from a source with xxx.xxx.xxx.xxx IP address at our VLC itself rather than removing IP of our VLC from syslog configuration at source.
  Like • Show 0 Likes0
  Actions
vladimir rydvanov May 16, 2018 9:10 AM
Mark Correct
Correct Answer
Hi, Maurya

That to stop collecting syslogs at VLC:
- in GUI go to Services
- for VLC select Actions View->System
- then Collection->Syslog->Stop
To disable particular source device, you need to remove IP of your VLC from the syslog sending configuration on this source.

Regards,
Vladimir Rydvanov
Like • Show 0 Likes0
Actions
- Eric Partington @ vladimir rydvanov on May 16, 2018 9:21 AM
  Mark Correct
  Correct Answer
  VLC > Config > Event Sources > Filters > Create Filter … these are the options you can use to filter sources at the VLC.. these are not available on a LC/LD (only on VLC).
  
  1 person found this helpful
  Like • Show 1 Like1
  Actions
- Nitin Maurya @ vladimir rydvanov on May 17, 2018 12:59 AM
  Mark Correct
  Correct Answer
  Stopping at syslog sending source is different thing.I want to stop receiving syslog for that source at our VLC itself.
  Like • Show 0 Likes0
  Actions
  - David Waugh @ Nitin Maurya on May 17, 2018 3:32 AM
    Mark Correct
    Correct Answer
    If you want to physically stop the syslog packets from this particular source from reaching the VLC then you will need to
    1) Stop the source from sending the syslog to the VLC OR
    2)Block the syslog packets before they reach the VLC with a firewall rule
    Like • Show 0 Likes0
    Actions
    - Eric Partington @ David Waugh on May 17, 2018 8:36 AM
      Mark Correct
      Correct Answer
      Or option 3 using the above screenshot set a filter rule for the VLC to drop based on the source IP.
      
      Key=source IP
      Operator equals
      Value = IP address to drop
      Action:match=drop
      
      Then set that filter rule in your syslog config so that it applies and you have now dropped the source IP from syslog collection. I have used this to successfully drop F5 healthcheck traffic from the mq pipeline.
      
      See this blog for example:
      
      https://community.rsa.com/community/products/netwitness/blog/2016/11/25/filtering-f5-udp-syslog-health-checks?sr=search&searchId=b95b6552-0231-43e4-909d-4c3c254af7e9&searchIndex=0
      Like • Show 0 Likes0
      Actions

How to stop syslog collection at VLCs?

Outcomes

Related Content

Recommended Content