2018-05-16 08:09 AM
Hi Community,
Can anyone please help me to stop collecting syslogs at VLCs? Is there any way that I can drop syslogs from a particular source device?
Thanks and Regards,
Nitin Maurya
2018-05-16 09:02 AM
Two questions in your question:
Stop collecting syslog and stop collecting from a specific host
Stop collecting syslog: you can stop the syslog collections on the VLC under event sources > syslog and also stop the service from starting under system.
Stop collecting syslog from specific host: under event sources > syslog > filters you can define filters on that VLC to stop from a source IP or with events in the message or header. Then apply that filter to a syslog collection to make it apply to that particular port and protocol (UDP514 or TCP6514).
2018-05-16 09:10 AM
Hi, Maurya
To stop collecting syslogs at the VLC:
To disable a particular source device, you need to remove the IP of your VLC from the syslog sending configuration on this source.
Regards,
Vladimir Rydvanov
2018-05-16 09:21 AM
VLC > Config > Event Sources > Filters > Create Filter … these are the options you can use to filter sources at the VLC. These are not available on an LC/LD (only on VLC).
2018-05-17 12:57 AM
Hi Eric,
Actually it was a single question. To be clear, I want to stop syslogs from a source with xxx.xxx.xxx.xxx IP address at our VLC itself rather than removing the IP of our VLC from the syslog configuration at the source.
2018-05-17 12:59 AM
Stopping at the syslog sending source is a different thing. I want to stop receiving syslog for that source at our VLC itself.
2018-05-17 03:32 AM
If you want to physically stop the syslog packets from this particular source from reaching the VLC then you will need to
1) Stop the source from sending the syslog to the VLC OR
2) Block the syslog packets before they reach the VLC with a firewall rule
2018-05-17 08:36 AM
Or option 3: using the above screenshot, set a filter rule for the VLC to drop based on the source IP.
Key=source IP
Operator equals
Value = IP address to drop
Action:match=drop
Then set that filter rule in your syslog config so that it applies and you have now dropped the source IP from syslog collection. I have used this to successfully drop F5 healthcheck traffic from the mq pipeline.
See this blog for example:
2018-05-29 06:43 AM
Hi Eric,
Thanks for your effort. I tried creating a rule to drop traffic at the VLC itself using your 3rd option but I could not get it done. I am still getting logs. Also, the link you gave uses F5 LTM, which we don't have in our environment.