2014-12-29 10:54 PM
Hi everyone,
I've deployed a virtual log collector (VLC) into a DMZ and I'm attempting to capture Palo Alto SysLog traffic.
I've followed the instructions via sadocs.emc.com about configuring the event sources, but I'm not sure what else is required. The Palo Alto is configured to send its syslog traffic to the VLC.
Has anyone else been able to get syslog traffic forwarded to a VLC who might be able to help?
Thanks.
2016-09-01 06:26 AM
2016-09-01 11:34 AM
Jeremy, after making the changes on your Palo Alto box, have you confirmed that syslog is being sent? Have you successfully received any other syslog on your VLC?
Try these resources:
How to Forward System Logs to Syslog Server - Live Community
Log Collection Guides - RSA Security Analytics Documentation
I hope this helps...
2016-09-01 05:06 PM
Jeremy, as others have stated, check to make sure that you are receiving the syslog from the PA device. You can use tcpdump on the VLC interface that you are sending the logs to, filtering on port 514, to see whether the syslog messages arrive. If not, then you have an issue on the PA device (or between it and the VLC). If you see the traffic making it to the VLC, then you need to validate that you have syslog started and make sure it is configured for the appropriate type, which is usually UDP port 514. To validate this on the VLC, go to Config, then Event Sources, then select Syslog from the drop-down box. Under the event categories you should see at least one defined here (there is either syslog-udp, syslog-tcp, or both added).
If you have gotten this far and followed the instructions in the links from the other replies then more details would be required in order to help.
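As an added example (not part of this thread or of the RSA product), the following is a small UDP syslog receiver that complements the tcpdump check above: with the VLC's own syslog listener stopped, bind it to the collector interface on UDP 514 and it reports each datagram's source IP and decoded <PRI> header, so you can tell whether the PA's messages reach the host at all and with which facility/severity. The bind address, port and the sample payload are assumptions for illustration; the sample is constructed and is not a real firewall log.

```python
"""Minimal UDP syslog receiver for checking that a sender's datagrams reach this host."""
import socket
import time

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample payload (not a real firewall log); <14> = facility 1 (user) * 8 + severity 6 (info).
SAMPLE_MSG = b"<14>Dec 29 22:54:00 pa-fw01 1,2014/12/29 22:54:00,0,SYSTEM,general,0,syslog-test"


def parse_pri(payload):
    """Split off the <PRI> header; PRI = facility * 8 + severity (RFC 3164 convention)."""
    text = payload.decode("utf-8", errors="replace")
    end = text.find(">")
    if text.startswith("<") and 1 < end <= 4 and text[1:end].isdigit():
        pri = int(text[1:end])
        if pri <= 191:  # highest legal PRI: facility 23, severity 7
            return {"facility": pri // 8, "severity": SEVERITIES[pri % 8], "msg": text[end + 1:]}
    # No valid PRI: keep the raw text so a misconfigured sender is still visible
    return {"facility": None, "severity": None, "msg": text}


def open_listener(bind_addr, port):
    """Bind a UDP socket (port 514 needs root, and the collector's own listener must be stopped)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(0.5)  # short timeout so collect() can re-check its deadline
    return sock


def collect(sock, seconds, max_msgs=None):
    """Gather datagrams for `seconds` (or until max_msgs); returns list of (source_ip, record)."""
    records = []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline and (max_msgs is None or len(records) < max_msgs):
        try:
            data, (src_ip, _port) = sock.recvfrom(65535)
        except socket.timeout:
            continue
        records.append((src_ip, parse_pri(data)))
    return records


def send_test_message(host, port, payload=SAMPLE_MSG):
    """Emit one datagram toward the collector to exercise the path end to end."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))


if __name__ == "__main__":
    import sys
    listener = open_listener(sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0", 514)
    for src, rec in collect(listener, 30):
        print(src, rec["facility"], rec["severity"], rec["msg"][:80])
```

Run it on the VLC as root with the interface address as the first argument; if nothing is printed within 30 seconds while tcpdump shows datagrams, the traffic is reaching a different interface or port than the one the collector is configured for.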