Unable to see syslog event source logs from VLC in RSA Security Analytics

Issue

Although the Syslog event source device is correctly configured to push logs to the VLC, and the events are received by the VLC as confirmed by a tcpdump capture with the command tcpdump -i any host , the logs (i.e. sessions) are not available in Investigation.

- No backlog messages for the syslog queue on the VLC, as shown below.
[root@XXXX ~]# rabbitmqctl list_queues -p logcollection consumers name messages
Listing queues ...
1 rabbitmq.log 0
1 shovel.checkpoint.test 0
1 shovel.cmdscript.test 0
1 shovel.file.test 0
1 shovel.netflow.test 0
1 shovel.odbc.test 0
1 shovel.sdee.test 0
1 shovel.snmptrap.test 0
1 shovel.syslog.test 0
1 shovel.vmware.test 0
1 shovel.windows.test 0
- No errors in /var/log/messages relating to the event source IP address.
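The queue check above is easier to repeat if the rabbitmqctl output is parsed rather than read by eye. The following is an added example, not part of the RSA article: a small POSIX shell function that reads the output of rabbitmqctl list_queues -p logcollection consumers name messages and flags any queue with a message backlog or with no consumer attached. The queue listing embedded in the script is constructed for offline use and includes one unhealthy queue so the check has something to report; on a live VLC the listing would come from rabbitmqctl itself.

```shell
#!/bin/sh
# Constructed sample of `rabbitmqctl list_queues -p logcollection consumers name messages`
# output (columns: <consumers> <name> <messages>), modelled on the article's listing.
# The last line is deliberately unhealthy: no consumer and 42 queued messages.
SAMPLE_QUEUES='Listing queues ...
1 rabbitmq.log 0
1 shovel.syslog.test 0
0 shovel.windows.test 42'

# check_queues: read rabbitmqctl queue output on stdin and print one line for
# every queue that has queued messages or no consumer. Prints nothing when all
# queues are healthy, which matches the all-zero state shown in the article.
check_queues() {
    awk 'NF == 3 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        if ($3 > 0)  printf "BACKLOG    %s has %d queued messages\n", $2, $3
        if ($1 == 0) printf "NOCONSUMER %s has no consumer\n", $2
    }'
}

# On a live VLC the check is run as:
#   rabbitmqctl list_queues -p logcollection consumers name messages | check_queues
# run_sample feeds the constructed listing instead so the script works offline.
run_sample() {
    printf '%s\n' "$SAMPLE_QUEUES" | check_queues
}

run_sample
```

An empty result means the queues are not the bottleneck, which in the case described here points back to the missing syslog configuration rather than a stuck queue.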

Cause

This issue occurs when the Syslog configuration has not yet been set up on the VLC.


Resolution

Follow the steps below to get syslog logs into the Investigation page.
1. Log in to the Security Analytics GUI as an administrator.
2. Navigate to Administration->Services->VLC->view->Config->Event Sources->Syslog/Config.
3. Configure the port number for both the syslog-tcp and syslog-udp configurations, as shown below.

TCP:
[screenshot: syslog-tcp port configuration]

UDP:
[screenshot: syslog-udp port configuration]

4. Check the Investigation page to verify that the syslog logs are now visible.

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance, SA Virtual Log Collector
RSA Version/Condition: 10.5.X, 10.6.X

Summary

In a newly added VLC, the Syslog configuration must be set up before logs collected by syslog collection become visible.