
Generating test syslog messages from the command line on an RSA Security Analytics Linux appliance

Issue

When troubleshooting syslog performance and connectivity it is helpful to be able to generate test syslog messages and send them to another host to ensure that syslog is functioning correctly.

Third-party utilities have been used to generate test syslog messages in the past, but they are not necessary, as CentOS (and most other Linux distributions) can generate test syslog messages natively.

Follow the steps below to generate and send syslog messages to a syslog server.

Tasks

Follow these steps to generate and send a syslog event from an appliance to a syslog server (either RSA Log Decoder or another syslog server):
  1. Log on to the appliance you wish to test.
  2. Elevate to root privilege.
  3. Test UDP syslog messages on port 514 with the following command:
     echo "<14>Test UDP syslog message" >> /dev/udp/<target_hostname_or_ip_address>/514
  4. Test TCP syslog messages on port 514 with the following command:
     echo "<14>Test TCP syslog message" >> /dev/tcp/<target_hostname_or_ip_address>/514
  5. Log on to the syslog server and verify that the test messages have been received.
  6. Log on to the SA Server, navigate to the appropriate Concentrator, and search for the syslog entries that have been captured.
     Set a query to filter on "device.type = linux" to filter out unnecessary log events.

Notes

Consider trying various syslog "keyword" indicators in the strings passed in tests. These examples use only "<14>" (the syslog PRI value: facility 1, user, multiplied by 8, plus severity 6, informational), but other values are possible.

It is necessary to use a "keyword"; otherwise the message will not be processed as syslog but will instead be recorded in /var/log/messages on the target Log Decoder.
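The steps above and the note on the "<14>" keyword, as an added example that is not part of the RSA article: the script computes the PRI from a facility and severity name, builds an RFC 3164-style line, and sends it through the same bash /dev/udp and /dev/tcp redirections the one-liners use. SYSLOG_TS and SYSLOG_HOST are assumed override variables, and LOGDECODER_IP in the usage comment is a placeholder.

```shell
#!/bin/bash
# Added example, not from the RSA article: build an RFC 3164-style syslog line
# with a computed PRI and send it through the same bash /dev/udp and /dev/tcp
# redirections the article's one-liners use. SYSLOG_TS and SYSLOG_HOST are
# assumed override variables so that output is reproducible.

syslog_facility() {      # facility name -> RFC 3164 facility code
  case "$1" in
    kern) echo 0;; user) echo 1;; mail) echo 2;; daemon) echo 3;;
    auth) echo 4;; syslog) echo 5;; local0) echo 16;; local7) echo 23;;
    *) echo "unknown facility: $1" >&2; return 1;;
  esac
}

syslog_severity() {      # severity name -> RFC 3164 severity code
  case "$1" in
    emerg) echo 0;; alert) echo 1;; crit) echo 2;; err) echo 3;;
    warning) echo 4;; notice) echo 5;; info) echo 6;; debug) echo 7;;
    *) echo "unknown severity: $1" >&2; return 1;;
  esac
}

# PRI = facility * 8 + severity; "user" + "info" gives the <14> used above.
syslog_pri() {
  local f s
  f=$(syslog_facility "$1") || return 1
  s=$(syslog_severity "$2") || return 1
  echo $(( f * 8 + s ))
}

# <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE, the RFC 3164 layout.
syslog_format() {        # facility severity tag message
  local ts host
  ts=${SYSLOG_TS:-$(date '+%b %e %H:%M:%S')}
  host=${SYSLOG_HOST:-$(hostname -s 2>/dev/null || echo localhost)}
  printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$ts" "$host" "$3" "$4"
}

# /dev/udp and /dev/tcp are bash pseudo-devices, so this needs bash, not sh.
# A TCP send fails when nothing is listening (that is the connectivity check);
# a UDP send reports success whether or not the server received it.
syslog_send() {          # udp|tcp host port message
  [ -n "${BASH_VERSION:-}" ] || { echo "syslog_send needs bash" >&2; return 2; }
  case "$1" in udp|tcp) ;; *) echo "protocol must be udp or tcp" >&2; return 2;; esac
  printf '%s\n' "$4" > "/dev/$1/$2/$3"
}

# Usage (replace LOGDECODER_IP with the Log Decoder address):
# syslog_send udp LOGDECODER_IP 514 "$(syslog_format user info test 'Test UDP syslog message')"
```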

An example of such a logged event is listed below:
Sep 15 19:20:22 LOGDECODER01 nw[5178]: [SYSLOG] [warning] Unidentified content from 10.1.1.1 received on receiver: 'no keyword test TCP syslog from CentOS Host'
Sep 15 19:20:23 LOGDECODER01 nw[5178]: [SYSLOG] [warning] Unidentified content from 10.1.1.1 received on receiver: 'no keyword test TCP syslog from CentOS Host'

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Decoder, Log Decoder, Concentrator, Broker, Event Stream Analysis (ESA), Archiver, Malware Analysis
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.x
Platform: CentOS
O/S Version: EL6

Summary

Use this process to generate test syslog messages from any Security Analytics appliance running CentOS or another Linux distribution.
