2015-10-05 09:00 AM
Hi,
We had to pause our scheduled upgrade from 10.4.0.1 via 10.4.1 to 10.5.0 because we failed to get any concrete information about the new port 50514, which is required for Audit logging. The 10.5 upgrade instructions document refers to the architecture picture found on SADocs, but I fail to see anything related to this port within the linked page.
Anyone able to tell from where to where does the port 50514 need to be opened? KB 000030600 references the port by accident, giving away that the protocol is UDP. Correct?
Really frustrating that these things cannot be found in the documentation, even though a link to the documentation is provided just above the mentioning of this new port.
2015-10-05 09:52 AM
Hi Tom,
Sorry about the confusion. Port 50514 is used for auditing purposes, as each Security Analytics component writes audit logs to the local syslog receiver that is listening on that port. The internal ticket SACE-4108 is open to address the topic of adding the port to the Network Architecture and Ports page of the Security Analytics 10.5 User Guide.
Thanks,
Jeff
2015-10-05 09:57 AM
Hi Jeffrey,
Where is the target configured when talking about other components than the SA server? I believe on the SA server this is related to the Administration > Auditing settings (talking about 10.4.1). Should we encounter any troubles while upgrading to 10.5.0 if this port is not open, say, between a log hybrid and our SA server? I.e. are there checks for the port to be open in the installation procedure, which might halt the entire upgrade if the port was not open?
2015-10-06 01:16 AM
This link seems to resolve the issue:
Troubleshoot Global Audit Logging - RSA Security Analytics Documentation
The critical quote being "For centralized audit logging, each of the Security Analytics services writes audit logs to rsyslog listening on port 50514 using UDP on the local host."
Therefore, the way I understand this is that each Security Appliance is forwarding its audit log to the localhost port 50514, and the logs then get forwarded to the Security Analytics server using Rabbit-MQ.
2015-10-06 09:24 AM
Hi Tom,
You are correct. Each component sends audit logs to rsyslog listening on port 50514 and running on the same host. Because it is a localhost communication, it is not required to open the port for accepting traffic from a different host.
Thanks,
Jeff
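The thread's conclusion is that UDP 50514 is a localhost-only listener, so no firewall rule between hosts is needed. The practical check a practitioner would want is to confirm, on each appliance, that the rsyslog socket on 50514 really is bound to 127.0.0.1 or ::1 and not to a wildcard address: a receiver bound to 0.0.0.0 would accept (and the SA server would ingest) audit records injected by any host that can reach the box. The script below is an added example, not part of the original thread and not RSA's code; it parses `ss -ulnp` style output and classifies the binding of a given port. The `ss` output embedded in it is constructed sample text, not captured from a real Security Analytics appliance.

```shell
#!/bin/sh
# Added example (not Security Analytics code): classify how a UDP port is bound.
# Input format is the text of `ss -ulnp`; only the "Local Address:Port" column
# (4th whitespace-separated field) is used.

# Constructed sample outputs, not captured from a real appliance.
SS_LOOPBACK_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      127.0.0.1:50514    0.0.0.0:*         users:(("rsyslogd",pid=1234,fd=6))
UNCONN 0      0      0.0.0.0:514        0.0.0.0:*         users:(("rsyslogd",pid=1234,fd=5))'

SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:50514      0.0.0.0:*         users:(("rsyslogd",pid=1234,fd=6))'

SS_MISSING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:514        0.0.0.0:*         users:(("rsyslogd",pid=1234,fd=5))'

# audit_port_binding PORT
#   Reads `ss -ulnp` style output on stdin and prints exactly one word:
#     loopback  every UDP socket on PORT is bound to 127.0.0.1 or [::1]
#     exposed   at least one socket on PORT is bound to a wildcard or routable address
#     missing   nothing is listening on PORT
audit_port_binding() {
    port=$1
    seen=0
    exposed=0
    while read -r _state _rq _sq local_addr _rest; do
        # Keep only rows whose local address ends in ":PORT"
        # (e.g. 127.0.0.1:50514, 0.0.0.0:50514, [::]:50514).
        case "$local_addr" in
            *:"$port") ;;
            *) continue ;;
        esac
        seen=1
        # Anything other than the IPv4/IPv6 loopback literal is reachable
        # from off-host (subject only to firewalling).
        case "$local_addr" in
            127.0.0.1:*|"[::1]":*) ;;
            *) exposed=1 ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo missing
    elif [ "$exposed" -eq 1 ]; then
        echo exposed
    else
        echo loopback
    fi
}

# Run the classifier over the three constructed samples.
for sample in "$SS_LOOPBACK_ONLY" "$SS_EXPOSED" "$SS_MISSING"; do
    printf '%s\n' "$sample" | audit_port_binding 50514
done
```

On a live appliance the same function is fed from the real socket table, e.g. `ss -ulnp | audit_port_binding 50514`, and a pre-upgrade check can gate on the verdict being `loopback`. If the result is `exposed`, the rsyslog input for 50514 on that host is listening beyond localhost and should be restricted to the loopback address before trusting the audit trail it feeds; if it is `missing`, the local audit receiver described in the thread is not running at all.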