Syslog Relay Headers

Discussion created by ksaunders on Jun 8, 2011
Latest reply on Jun 13, 2011 by RSA Admin

According to support, when using a Syslog-NG server, the Syslog-NG server itself should have "Remove relay headers" de-selected, and all the devices that are being forwarded should have it selected.  But in working with my client, all messages coming across are undefined for AIX, Linux and Solaris when we set it up this way.  The devices are "discovered" as unknown, and we have to manually set the device type.

Here is an example of an AIX SU event.

Mar  2 15:14:36 WebServer1 su: BAD SU from 1.2.3.4 to root at /dev/pts/1

In the enVision event viewer, we have the Index  |  Date/Time  |  Device  |  and then the Event, which does not contain the date/time or hostname.

Here is what we see in the event field:

su:  from root to oracle at /dev/pts/3


sshd[1234567]: Accepted password for xxxxxxx from 1.1.1.1 port 999 ssh2

Shouldn't they read:

Jun 8 12:40:33 1.1.1.1 su:  from root to oracle at /dev/pts/3

Jun 8 12:40:33 1.1.1.1 sshd[1234567]: Accepted password for xxxxxxx from 1.1.1.1 port 999 ssh2

Is this portion being removed by the remove relay header setting?  enVision does not appear to recognize the events without this info.  We created some dummy records in Solaris that had this date/time and host info, and the events were recognized.

This was recognized as an event by enVision for Solaris:

Jun 8 12:40:33 1.1.1.1 cacao_launcher[3889]: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available

This was *not* recognized:

cacao_launcher[3889]: [ID 702911 daemon.crit] SUNWcacaort launcher : No retries available

Any ideas???

Thanks,

KFS
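
To illustrate what the "relay header" in this thread actually is, here is a small Python model added to the discussion; it is not code from the original post and not RSA's or Syslog-NG's implementation. It parses the RFC 3164 style prefix ("Mmm dd hh:mm:ss hostname") from the sample lines quoted above, models a relay that strips that prefix, and shows how a collector whose device identification keys on the hostname field ends up with "unknown" once the prefix is gone. The device table (`KNOWN_DEVICES`) and the `device_type` lookup are constructed assumptions for the example, not enVision's actual logic.

```python
"""Toy model of RFC 3164 syslog relay headers (constructed example).

Shows what a collector receives with and without the
"Mmm dd hh:mm:ss hostname" prefix, and why a parser that resolves
the originating device from that prefix cannot classify a message
once a relay has removed it.
"""
import re
from typing import NamedTuple, Optional

# RFC 3164 header: timestamp (the day may be space padded, e.g. "Mar  2"),
# one space, hostname or IP, one space, then the free-form message body.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ 1-3]?\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.+)$"
)


class SyslogRecord(NamedTuple):
    timestamp: Optional[str]
    host: Optional[str]
    message: str


def parse(line: str) -> SyslogRecord:
    """Split a received line into header fields and message body.

    A line with no recognizable header comes back with timestamp and
    host set to None and the whole line as the message.
    """
    m = HEADER_RE.match(line)
    if m is None:
        return SyslogRecord(None, None, line)
    return SyslogRecord(m.group("ts"), m.group("host"), m.group("msg"))


def strip_relay_header(line: str) -> str:
    """Model of a relay configured to remove the header before forwarding."""
    return parse(line).message


# Hypothetical device inventory keyed by the hostname/IP in the header.
# Constructed for this example; a real collector consults its own table.
KNOWN_DEVICES = {
    "WebServer1": "aix",
    "1.1.1.1": "solaris",
}


def device_type(rec: SyslogRecord) -> str:
    """Resolve the originating device; 'unknown' when no header survived
    or the host field does not match an inventoried device."""
    if rec.host is None:
        return "unknown"
    return KNOWN_DEVICES.get(rec.host, "unknown")


def demo() -> None:
    # Sample lines taken from the thread above, plus one constructed
    # malformed line where the space between IP and program is missing.
    lines = [
        "Mar  2 15:14:36 WebServer1 su: BAD SU from 1.2.3.4 to root at /dev/pts/1",
        "Jun 8 12:40:33 1.1.1.1 cacao_launcher[3889]: [ID 702911 daemon.crit] "
        "SUNWcacaort launcher : No retries available",
        "Jun 8 12:40:33 1.1.1.1sshd[1234567]: Accepted password for xxxxxxx "
        "from 1.1.1.1 port 999 ssh2",
    ]
    for line in lines:
        full = parse(line)
        stripped = parse(strip_relay_header(line))
        print(f"with header:    host={full.host!r}  type={device_type(full)}")
        print(f"header removed: host={stripped.host!r}  type={device_type(stripped)}")
        print()


if __name__ == "__main__":
    demo()
```

The third sample shows a second way to land in "unknown": when the host token runs into the program name (`1.1.1.1sshd[1234567]:`), the header is present but the host field no longer matches anything in the inventory, so a collector cannot tell that case apart from a stripped header without looking at the raw line.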
