Article Number
000033851
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance, SA Virtual Log Collector
RSA Version/Condition: 10.5.X, 10.6.X
Issue
Although the Syslog event source device is correctly configured to push logs to the VLC, and a tcpdump capture on the VLC with the command
tcpdump -i any host <event source device ip address>
confirms that the events are received, the logs (i.e. sessions) are not available in Investigation.
- No backlog messages for the syslog queue in the VLC, as shown below.
[root@XXXX ~]# rabbitmqctl list_queues -p logcollection consumers name messages
Listing queues ...
1 rabbitmq.log 0
1 shovel.checkpoint.test 0
1 shovel.cmdscript.test 0
1 shovel.file.test 0
1 shovel.netflow.test 0
1 shovel.odbc.test 0
1 shovel.sdee.test 0
1 shovel.snmptrap.test 0
1 shovel.syslog.test 0
1 shovel.vmware.test 0
1 shovel.windows.test 0
- No errors in /var/log/messages relevant to the event source IP address.
Cause
This issue can occur when the Syslog event source has not yet been configured on the VLC, so the packets that reach the host are never collected.
Resolution
Follow the steps below to make the syslog logs available in the Investigation page.
1. Login to Security Analytics GUI as administrator.
2. Navigate to Administration->Services->VLC->view->Config->Event Sources->Syslog/Config.
3. Configure the port number for both the syslog-tcp and syslog-udp configuration, as shown below.
TCP: [screenshot of the syslog-tcp port configuration]
UDP: [screenshot of the syslog-udp port configuration]
4. Verify in the Investigation page that the syslog logs now appear.
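As an added triage helper (not RSA's own tooling), the script below applies the checks from the Issue section to saved command output and reports which case applies; the rabbitmqctl listing, the /var/log/messages line and the event source IP it uses are constructed samples, not values from this article.

```shell
#!/bin/sh
# Added triage helper, not an RSA tool: it applies the checks from the
# Issue section to captured command output so the symptom can be classified
# without re-reading the queue listing by hand.

# Constructed sample: abridged output of
#   rabbitmqctl list_queues -p logcollection consumers name messages
# in the state the article describes (every queue at 0 messages).
SAMPLE_QUEUES='Listing queues ...
1 rabbitmq.log 0
1 shovel.syslog.test 0
1 shovel.windows.test 0'

# Constructed /var/log/messages excerpt with no line about the event source.
SAMPLE_MESSAGES='Jan  1 00:00:01 vlc NwLogCollector: [Syslog] collector started'

# Placeholder event source IP (assumption, not from the article).
SOURCE_IP='192.0.2.10'

# Print the name of every queue whose message column is non-zero.
# Columns are: consumers name messages; the "Listing queues ..." header is
# skipped because its first field is not numeric.
backlog_queues() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 > 0 { print $2 }'
}

# Count log lines that mention the event source IP (prints 0 when none).
source_mentions() {
    printf '%s\n' "$1" | awk -v ip="$2" 'index($0, ip) { n++ } END { print n + 0 }'
}

# Classify: a backlog means consumers are not draining the queue; log lines
# naming the source need to be read; neither matches this article, where the
# syslog event source has simply not been configured on the VLC.
triage() {
    if [ -n "$(backlog_queues "$1")" ]; then
        echo "queue-backlog"
    elif [ "$(source_mentions "$2" "$3")" -gt 0 ]; then
        echo "source-in-messages"
    else
        echo "syslog-not-configured"
    fi
}

# Stand-alone run against the constructed samples.
triage "$SAMPLE_QUEUES" "$SAMPLE_MESSAGES" "$SOURCE_IP"
```

To run it against a live VLC, replace the two sample strings with the real command output and the event source address.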