This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

NetWitness Community

  • Home
  • Products
    • NetWitness Platform
      • Advisories
      • Documentation
        • Platform Documentation
        • Known Issues
        • Security Fixes
        • Hardware Documentation
        • Threat Content
        • Unified Data Model
        • Videos
      • Downloads
      • Integrations
      • Knowledge Base
    • NetWitness Cloud SIEM
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Detect AI
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Investigator
    • NetWitness Orchestrator
      • Advisories
      • Documentation
      • Knowledge Base
      • Legacy NetWitness Orchestrator
        • Advisories
        • Documentation
  • Community
    • Blog
    • Discussions
    • Events
    • Idea Exchange
  • Support
    • Case Portal
      • Create New Case
      • View My Cases
      • View My Team's Cases
    • Community Support
      • Getting Started
      • News & Announcements
      • Community Support Forum
      • Community Support Articles
    • Product Life Cycle
    • Support Information
    • General Security Advisories
  • Training
    • Blog
    • Certification Program
    • Course Catalog
      • Netwitness XDR
      • EC-Council Training
    • New Product Readiness
    • On-Demand Subscriptions
    • Student Resources
    • Upcoming Events
    • Role-Based Training
  • Technology Partners
  • Trust Center
Sign InRegister Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base Archive
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
  • NetWitness Community
  • NetWitness Knowledge Base Archive
  • Generating test syslog messages from the command line on an RSA Security Analytics Linux appliance
  • Options
    • Subscribe to RSS Feed
    • Bookmark
    • Subscribe
    • Printer Friendly Page
    • Report Inappropriate Content

Generating test syslog messages from the command line on an RSA Security Analytics Linux appliance

Article Number

000031260

Applies To

RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Decoder, Log Decoder, Concentrator, Broker, Event Stream Analysis (ESA), Archiver, Malware Analysis
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.x
Platform: CentOS
O/S Version: EL6
 

Issue

When troubleshooting syslog performance and connectivity it is helpful to be able to generate test syslog messages and send them to another host to insure that syslog is functioning correctly.  

Some third party utilities have been used to generate test syslog messages in the past but these utilities are not necessary as CentOS (and most other Linux distros) can generate test syslog messages natively.

Follow the steps below to generate and send syslog messages to a syslog server.

Task

Follow these steps to generate and send a syslog event from an appliance to a syslog server (either RSA Log Decoder or another syslog server):
  1. Logon to the appliance you wish to test.
  2. Elevate to root privilege.  
  3. Test UDP syslog messages on port 514 with the following command:

echo "<14>Test UDP syslog message" >> /dev/udp/<target_hostname_or_ip_address>/514
  1. Test TCP syslog messages on port 514 with the following command:

echo "<14>Test TCP syslog message" >> /dev/tcp/<target_hostname_or_ip_address>/514
  1. Logon to the syslog server and verify that the test messages have been received.  
Image descriptionImage description
  1. Logon to the SA Server and navigate to the appropriate concentrator and search for the syslog entries that have been captured.
Set a query to filter on "device.type = linux" to filter out unnecessary log events.
Image descriptionImage description

Notes

Consider trying various syslog "keyword" indicators in the strings passed in tests.  These examples use only "<14>" but other values are possible.  

It is necessary to use a "keyword" or the syslog will not be processed, but will be recorded into /var/log/messages on the target Log Decoder.  

An example of such a logged event is listed below:

Sep 15 19:20:22 LOGDECODER01 nw[5178]: [SYSLOG] [warning] Unidentified content from 10.1.1.1 
received on receiver: 'no keyword test TCP syslog from CentOS Host'
Sep 15 19:20:23 LOGDECODER01 nw[5178]: [SYSLOG] [warning] Unidentified content from 10.1.1.1 
received on receiver: 'no keyword test TCP syslog from CentOS Host'
Tags (12)
  • Customer Support Article
  • KB Article
  • Knowledge Article
  • Knowledge Base
  • NetWitness
  • NetWitness Platform
  • NW
  • RSA NetWitness
  • RSA NetWitness Platform
  • RSA Security Analytics
  • Security Analytics
  • SIEM
0 Likes
Was this article helpful? Yes No
Share
No ratings

In this article

Version history
Last update:
‎2021-04-23 09:26 AM
Updated by:
Administrator RSA-KB-Sync Administrator

Related Content

Powered by Khoros
  • Blog
  • Events
  • Discussions
  • Idea Exchange
  • Knowledge Base
  • Case Portal
  • Community Support
  • Product Life Cycle
  • Support Information
  • About the Community
  • Terms & Conditions
  • Privacy Statement
  • Acceptable Use Policy
  • Employee Login
© 2022 RSA Security LLC or its affiliates. All rights reserved.