RSA Security Analytics Log Decoder is receiving incomplete or corrupted events from syslog-ng relay
Issue
RSA Security Analytics Log Decoder is receiving incomplete or corrupted events from a syslog-ng relay. The total number of messages that the Log Decoder processes does not match the total number of events sent from the syslog-ng server.
A tcpdump capture on the affected link shows "Lost packets; UDP Checksum (chksum) errors" or similar UDP checksum errors (tcpdump -vv reports these as "bad udp cksum").
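The tcpdump verdict comes from recomputing the UDP checksum over the IPv4 pseudo-header and comparing it with the value carried in the datagram. The following Python does the same, so a datagram exported from a capture can be checked independently of tcpdump and the mismatch counted. It is an added example, not code from the RSA article, from syslog-ng or from libnet; the packets, addresses and syslog line it checks are constructed inline and the function names are the example's own. It also handles the one legitimate edge case, a UDP checksum field of zero, which on IPv4 means "no checksum" rather than a bad one.

```python
"""Verify UDP checksums on raw IPv4/UDP datagrams (added example, not RSA or syslog-ng code)."""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IP-family checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the UDP header and payload,
    with the checksum field treated as zero. A result of 0 is sent as 0xFFFF
    (RFC 768), because 0 on the wire means 'no checksum'."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    return csum or 0xFFFF


def parse_ipv4_udp(packet: bytes):
    """Split a raw IPv4 packet into (src, dst, udp_segment); rejects non-UDP."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != socket.IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    return packet[12:16], packet[16:20], packet[ihl:total_len]


def check_udp(packet: bytes) -> dict:
    """Report what tcpdump -vv would: carried vs. expected checksum and a verdict."""
    src, dst, udp = parse_ipv4_udp(packet)
    carried = struct.unpack("!H", udp[6:8])[0]
    if carried == 0:  # IPv4 permits omitting the UDP checksum entirely
        return {"carried": 0, "expected": None, "ok": True, "note": "no checksum"}
    expected = udp_checksum(src, dst, udp)
    return {"carried": carried, "expected": expected, "ok": carried == expected}


def count_bad(packets) -> tuple:
    """(total, bad) over a list of raw packets; bad mirrors the Log Decoder's shortfall."""
    results = [check_udp(p) for p in packets]
    return len(results), sum(1 for r in results if not r["ok"])


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload, udp_csum=None) -> bytes:
    """Build a raw IPv4/UDP packet for the examples below. udp_csum=None computes
    the correct checksum; an explicit value is written as-is (used to forge 0)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    if udp_csum is None:
        udp_csum = udp_checksum(src, dst, udp)
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     socket.IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + udp


def corrupt_udp_checksum(packet: bytes) -> bytes:
    """Flip one bit of the carried UDP checksum, as a buggy sender would produce."""
    off = (packet[0] & 0x0F) * 4 + 6
    carried = struct.unpack("!H", packet[off:off + 2])[0]
    return packet[:off] + struct.pack("!H", carried ^ 0x0001) + packet[off + 2:]


# Constructed sample data: a relayed syslog line with a spoofed (original-sender) source.
SYSLOG_LINE = b"<13>Jun 19 14:28:35 webhost sshd[2112]: Accepted publickey for ops"
GOOD = build_ipv4_udp("10.1.1.25", "10.2.2.10", 514, 514, SYSLOG_LINE)
BAD = corrupt_udp_checksum(GOOD)
NOCSUM = build_ipv4_udp("10.1.1.25", "10.2.2.10", 514, 514, SYSLOG_LINE, udp_csum=0)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad", BAD), ("no-checksum", NOCSUM)):
        print(name, check_udp(pkt))
    print("total/bad:", count_bad([GOOD, BAD, GOOD]))
```

To apply this to real traffic, read the raw packets from a pcap (for example with a pcap reader that yields the IPv4 layer) and feed each one to check_udp; a steady fraction of False verdicts from the relay's source addresses is the signature described in this article, whereas a carried value of 0 is legal and must not be counted.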
Cause
The issue is caused by a bug in the checksum calculation in libnet version 1.1.2.1, the library that syslog-ng requires for its spoof-source function. Datagrams that arrive with a bad UDP checksum are discarded by the receiving host, so the Log Decoder never processes those messages.
Resolution
syslog-ng is commonly deployed as a syslog relay. In this case the syslog-ng server has the spoof-source function enabled, so relayed messages reach the Log Decoder with the original sender's source address; that function depends on libnet.
Compile the latest libnet package on the syslog-ng host and replace the existing 1.1.2.1 library. The syslog-ng binary may also need to be recompiled with the --enable-spoof-source configure flag so that it links against the new libnet.
syslog-ng and libnet are third-party products that RSA does not support. Perform the rebuild on the syslog-ng host; RSA's hardened appliances do not have compilers or development libraries installed.
Notes
BalaBit syslog-ng is an open-source, third-party product. More information can be found at the following link: http://www.balabit.com/network-security/syslog-ng/
Further information on relaying log messages with syslog-ng (spoof-source):
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/en/syslog-ng-ose-v3.3-guide-admin-en/html/example-how-relaying-works.html
Internal Comments
UserName: shurtj, 6/19/2014 2:28:35 PM - Approved Article
Changed article status from Tech Reviewed to Copy Edited following technical review by Lee McCotter. Made minor formatting changes and consolidated some statements in order to abide by Primus best practices.
Product Details
RSA Security Analytics
RSA Security Analytics Log Decoder
BalaBit syslog-ng