2016-08-31 03:25 AM
We are getting bombarded on a VLC with these error messages. Any insights into what broke on the syslog input?
[syslog-udp.udp514] [processing] [Receiver WorkUnit] [processing] Unidentified content from 10.x.x.x received on receiver: '2016-08-31 08:15:10 [96191] <warning> reason=feed.ingress.hit type=module md5=DE7796EA41XXXXXXXXX'
Aug 31 07:14:05 NwLogCollector[27614]: [TCPConnector] [warning] Event data length is 0. This event will be ignored. Event data: Event: collection_meta: "lc.lpid" : "syslog.syslog-udp""lc.cid" : "VLC01""lc.msgtype" : "0""lc.ctype" : "syslog""lc.wuid" : "175""lc.esname" : "udp514""lc.estype"
2016-09-01 12:09 PM
Hi Hari,
Looks like your syslog event source (10.x.x.x) is not sending syslog messages in the correct format. NetWitness accepts RFC 5424 format syslog messages: RFC 5424 - The Syslog Protocol
Error:
Unidentified content from 10.x.x.x received on receiver
2016-09-02 05:51 AM
Thanks, Sravan, for the comments. The bigger point here is to understand the loss due to such warnings.
To verify, I navigated in Investigator with the filter "log collector id = VLC IP address & collection method = syslog" for the past 24 hours and could see valid device types being learned there, like solaris, trip, WLC, etc.
So, are we missing any syslog events here, or does it just throw warnings even though they are processed?
2016-09-02 06:47 AM
Hi Hari,
You may be getting logs from all the other syslog devices in the Investigation page, but you may not be seeing logs from the device that has the errors below. You can apply the filter device=10.X.X.X and verify.
Error:
Unidentified content from 10.x.x.x received on receiver
If the device is sending syslog messages in an incorrect format, we may need to investigate from the device side.
Thanks,
Sravan
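The exchange above turns on whether the payload quoted in the first warning is a syslog message at all. The following is an added example, not code from this thread or from RSA NetWitness, and it does not model the NetWitness log collector's actual parser: it applies a generic header check to a received UDP payload, recognising the RFC 5424 header that Sravan cites and, going one step further, the older BSD format of RFC 3164 that many devices still emit. `PAYLOAD_FROM_THREAD` is the payload copied out of the first post's warning; the other sample lines, the host and app names in them, and the function names are constructed for this example. Note what the check shows about the quoted payload: it begins with a plain timestamp, and the `<warning>` token sits in the middle of the line as text, where the receiver expects a numeric `<PRI>` header at offset zero.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 5424 header:
#   <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA [SP MSG]
# Structured-data matching is simplified: an escaped ']' inside an SD-PARAM value would confuse it.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) (?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)

# Legacy BSD syslog (RFC 3164): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ 0-3]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<msg>.*)$"
)


@dataclass
class SyslogCheck:
    fmt: str                          # "rfc5424", "rfc3164" or "unidentified"
    facility: Optional[int] = None
    severity: Optional[int] = None
    reason: str = ""                  # set when fmt == "unidentified"


def _split_pri(pri: int) -> Tuple[int, int]:
    # PRI = facility * 8 + severity, so facility is the upper bits and severity the low three.
    return pri >> 3, pri & 0x7


def classify_syslog(line: str) -> SyslogCheck:
    """Decide whether a received UDP payload carries a syslog header (hypothetical helper)."""
    if not line.strip():
        return SyslogCheck("unidentified", reason="event data length is 0")
    for fmt, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = rx.match(line)
        if m:
            pri = int(m.group("pri"))
            if pri > 191:                       # 23 facilities * 8 + 7 severities is the ceiling
                return SyslogCheck("unidentified", reason=f"PRI {pri} outside 0-191")
            facility, severity = _split_pri(pri)
            return SyslogCheck(fmt, facility, severity)
    if not line.startswith("<"):
        # The common device-side fault: a free-text line with no priority header at all.
        return SyslogCheck("unidentified",
                           reason=f"no <PRI> header; payload starts with {line[:19]!r}")
    return SyslogCheck("unidentified",
                       reason="<PRI> present but header fields match neither RFC 5424 nor RFC 3164")


def count_by_format(lines: List[str]) -> Dict[str, int]:
    """Tally a batch of payloads so the share that a header-keyed receiver would drop is visible."""
    counts: Dict[str, int] = {}
    for line in lines:
        fmt = classify_syslog(line).fmt
        counts[fmt] = counts.get(fmt, 0) + 1
    return counts


# Copied from the warning quoted in the first post of the thread.
PAYLOAD_FROM_THREAD = ("2016-08-31 08:15:10 [96191] <warning> reason=feed.ingress.hit "
                       "type=module md5=DE7796EA41XXXXXXXXX")

# Constructed samples: the same payload wrapped in a proper RFC 5424 header, a BSD-style line,
# and an empty datagram like the one behind "Event data length is 0".
SAMPLES = [
    PAYLOAD_FROM_THREAD,
    "<134>1 2016-08-31T08:15:10Z fw01 ids 123 ID47 - reason=feed.ingress.hit type=module",
    "<34>Aug 31 07:14:05 host1 su: 'su root' failed for user on /dev/pts/8",
    "",
]

if __name__ == "__main__":
    for payload in SAMPLES:
        print(classify_syslog(payload))
    print(count_by_format(SAMPLES))
```

Running `count_by_format` over a capture of the raw datagrams from 10.x.x.x (for example, a short `tcpdump -A udp port 514` on the VLC) gives a direct answer to Hari's question about loss: every payload classified as `unidentified` is one the receiver has no header to key on, and the `reason` field says whether the device needs to add a `<PRI>` header or is sending an empty datagram.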