Article Number
000033285
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Packet Decoder, Log Decoder, Concentrator, Broker
RSA Version/Condition: 10.5.x, 10.6.0.0, 10.6.0.1, 10.6.0.2
Platform: CentOS
O/S Version: 6
Issue
Running Set Syslog Forwarding from Host Procedures in the Task List Dialog, as per the Hosts and Services Getting Started Guide, does not forward any syslog events from the host to an external syslog server. Running tcpdump -nni em1 dst port 514 does not display any packets to the syslog server.
Cause
Due to a bug in the current version, running Set Syslog Forwarding creates /etc/rsyslog.nw.conf with an incorrect string value of "nw" where it is supposed to be "Nw".
# cat /etc/rsyslog.nw.conf
:programname, contains, "nw" @x.x.x.x:514
# This file is generated automatically. Do not edit it!
Because the rsyslog property filter comparison is case-sensitive, and the actual log entries carry a service name (i.e., programname) that starts with Nw, as below, the above configuration matches no events and nothing is forwarded.
May 26 22:53:07 DECODER_HOST NwDecoder[15246]: [Scheduler] [info] Running task /database with message dbState (op=save type=session,meta,packet) - 1800 secs waited
Resolution
The issue is currently under investigation and will be addressed in a future release. This KB article will be updated once the new release becomes available.
Workaround
To work around the issue:
- Modify "nw" to "Nw" in /etc/rsyslog.nw.conf. This can be done despite the warning 'Do not edit it!' within the file. If you prefer, you can create a backup of rsyslog.nw.conf prior to making the change. Note that the file is regenerated whenever Set Syslog Forwarding is run, so running it again will overwrite the edit.
- After saving the file changes, restart the rsyslog service by running the following command:
service rsyslog restart
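The following script is an added example and is not part of the RSA article or the product. It automates the workaround above: it checks whether /etc/rsyslog.nw.conf still carries the lowercase "nw" filter, backs the file up, rewrites only the filter's match string to "Nw", and restarts rsyslog with the command the article gives. The file path is taken as an argument so the check can first be run against a copy; the "<file>.bak" backup name and the script name fix_nw_filter.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the RSA article: detect and correct the lowercase
# "nw" filter that Set Syslog Forwarding writes into rsyslog.nw.conf.
# The "<file>.bak" backup name is an assumption made for this example.

# Exit status 0 if the file still carries the buggy, case-sensitive filter
# ':programname, contains, "nw"'; 1 otherwise (including a missing file).
has_bad_filter() {
    grep -q '^:programname, contains, "nw" ' "$1" 2>/dev/null
}

# Back the file up to <file>.bak and rewrite only the filter's match string,
# leaving the destination (@host:port) and the generated-file comment as they
# are. Writing from the backup avoids relying on GNU-only "sed -i".
fix_filter() {
    f="$1"
    cp -p "$f" "$f.bak" || return 1
    sed 's/^\(:programname, contains, "\)nw\(" \)/\1Nw\2/' "$f.bak" > "$f"
}

# Apply the article's workaround end to end: fix the file, then restart
# rsyslog so the corrected filter is loaded.
fix_and_restart() {
    f="${1:-/etc/rsyslog.nw.conf}"
    if has_bad_filter "$f"; then
        fix_filter "$f" || return 1
        echo "Corrected filter in $f (backup in $f.bak); restarting rsyslog"
        service rsyslog restart
    else
        echo "No lowercase \"nw\" filter found in $f; nothing to do"
    fi
}

# Only act when a path is given explicitly, e.g.
#   sh fix_nw_filter.sh /etc/rsyslog.nw.conf
if [ "$#" -gt 0 ]; then
    fix_and_restart "$1"
fi
```

After the restart, repeat the tcpdump check from the Issue section; with the corrected filter, NwDecoder, NwConcentrator and similar NwXxx program names now match and packets to the syslog server should appear.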