Adding another Syslog connector issue

marknewton28 (Super Contributor)

I'm using ArcSight Connector Appliance 6.4.0.6881.3. The appliance has 4 network adapters.

Eth0 - my primary syslog interface using ip 1.2.3.4

Eth1 - my secondary interface in case Eth0 fails.

Eth2 - my secondary syslog interface using ip 2.3.4.5

Eth3 - default configuration 192.168.38.35

I've completed the connector setup, although I received the following error during setup (yes to continue):

"Connector parameters did not pass the verification with error [0:Unable to bind to port [2.3.4.5:514] for connector [//Default/Localhost/Container3/ConNamehere]. Do you still want to continue?"

Connector configuration:

Syslog Daemon

Port 514

IP Address 2.3.4.5

Protocol UDP

Forwarder false

The guide says I'm allowed to use port 514 on a second interface. Anyone know why I'm getting this?

Thanks,

Mark

Gayan (Acclaimed Contributor)

Re: Adding another Syslog connector issue

Hi Mark,

Did you try with TCP 514?

Cheers

Gayan

marknewton28 (Super Contributor)

Re: Adding another Syslog connector issue

Thanks Gayan,

Modified my settings to raw TCP. Seems to have fixed my verification error that I received earlier. I'm now waiting for events to show up to confirm it's working. I'll report back in a bit with an update before the end of day.

marknewton28 (Super Contributor)

Re: Adding another Syslog connector issue

Well no such luck. The connector appliance still shows no events eps in or out. ArcSight Console shows a few events but majority are raw event statistics. I do see the Connector started event. What is of interest in these events is they still show my Eth0 agent address in place of my new agent address of Eth2. Do I need to do anything with the agent.properties file to add the additional interface for events?

Reason for asking, in the Connector Appliance Admin Guide pg 154, I see a reference for "Changing the Network Interface Address for Events". I'm not sure if this is related but instead of "Change" I'd like to "Add" an interface for events. Is this possible?

LakeHealthInfoS (Outstanding Contributor)

Re: Adding another Syslog connector issue

Just make sure your devices sending syslog are sending it via TCP and not UDP, and if you're crossing data centers or WAN links, that syslog is allowed to pass.

You can also check to see if your senders for syslog are sending via SSL - you may need to swap certs also.

mschleich (Acclaimed Contributor)

Re: Adding another Syslog connector issue

Hi Mark,

I do not know if it is the same problem for you, but I have noticed that for ports below 1024, you need to be root to bind to them.

Could you please check with which account you have installed the connector?

Thanks

Regards

Michael

LakeHealthInfoS (Outstanding Contributor)

Re: Adding another Syslog connector issue

Mine all run from ArcMCs, so they all install to the Appliance under root user authority, via the GUI.

marknewton28 (Super Contributor)

Re: Adding another Syslog connector issue

Excuse my ignorance, but is that logging into the GUI with root? I've been logging into the GUI with my own account and adding connectors from within. I was assuming this method used root for installation but now I'm second-guessing.

LakeHealthInfoS (Outstanding Contributor)

Re: Adding another Syslog connector issue

So in a nutshell - we use LDAP/s for full domain authentication to the GUI - some of those map to generically root-level permissions - see below.

MC has 1 to 8 containers, and each container can have up to 4 connectors installed.

Each connector inside the container is running under sudo permissions as the arcsight user - not the user logged into the GUI - the user of the GUI alters the arcsight user, which in turn alters the root user.

marknewton28 (Super Contributor)

Re: Adding another Syslog connector issue

Thanks Christopher that's exactly what I thought.

Here's a question I just thought of. During connector setup, my original syslog connector is configured:

Connector #1 (Eth0 with IP 1.2.3.4)

Network Port: 514

IP Address: (ALL)

Protocol: UDP

Forwarder: false

My second syslog connector (which I'm trying to set up using Eth2) is configured:

Connector #2 (Eth2 with IP 2.3.4.5)

Network Port: 514

IP Address: 2.3.4.5

Protocol: UDP

Forwarder: false

I'm thinking I have to change the IP address of connector #1 from ALL to 1.2.3.4

Would that make sense or am I distracted by a squirrel?

Thanks,

Mark

LakeHealthInfoS (Outstanding Contributor)

Re: Adding another Syslog connector issue

I think this configuration may be the issue: the IP Address of ALL on the first connector is for all participating NICs on the device.

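The bind conflict discussed in the reply above, reproduced as an added example (not part of the original thread and not ArcSight code). It assumes a Linux host, where every 127.0.0.0/8 address is local; loopback addresses and an unprivileged UDP port stand in for the two NIC IPs and port 514, and the status names are this example's own.

```python
import errno
import socket

# Map the bind() failures raised in this thread to their likely cause.
CAUSES = {
    errno.EADDRINUSE: "in-use",          # a listener already owns ip:port or ALL:port
    errno.EACCES: "needs-privilege",     # port below 1024 and the process is not root
    errno.EADDRNOTAVAIL: "no-such-ip",   # address is not configured on any local NIC
}

def try_bind(ip, port):
    """Bind a UDP socket to ip:port; return (socket_or_None, status)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((ip, port))
        return s, "ok"
    except OSError as e:
        s.close()
        return None, CAUSES.get(e.errno, "error-%d" % e.errno)

def free_port():
    """Pick an unprivileged UDP port free on all addresses (stand-in for 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", 0))
        return s.getsockname()[1]

def second_listener_status(first_ip, second_ip):
    """Start listener #1 on first_ip, then report what listener #2 on second_ip gets."""
    port = free_port()
    first, status = try_bind(first_ip, port)
    if first is None:
        raise RuntimeError("first listener failed: " + status)
    try:
        second, status = try_bind(second_ip, port)
        if second:
            second.close()
        return status
    finally:
        first.close()

if __name__ == "__main__":
    # Constructed addresses: 127.0.0.1 and 127.0.0.2 stand in for the two NIC IPs.
    print("connector #1 on ALL      ->", second_listener_status("0.0.0.0", "127.0.0.2"))
    print("connector #1 on specific ->", second_listener_status("127.0.0.1", "127.0.0.2"))
```

On the appliance itself the same question is answered by listing the UDP listeners on port 514 and checking whether one of them is bound to the wildcard address.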
marknewton28 (Super Contributor)

Re: Adding another Syslog connector issue

Hmmmm so close but so far away. I deleted/recreated my first syslog eth0, replacing IP address All with the actual IP of the NIC. And just because I can, also deleted/recreated syslog eth2. Both connectors came online without any port binding issues so this was a good sign. But I was only able to verify events for eth0 and not from eth2. I only see the following repeated events in eth2:

Content for type [system-zone-mappings] updated to version [00000000000000355968] for Agent ID [34yoRHVkBABCvGDdpnT+QEQ==]

Connector Raw Event Statistics

Also the Agent information in the event inspector for these events still shows the address as eth0 ip.

Next change applied:

I then successfully modified the connector/eth2 agent.properties file for this connector by adding at bottom:

connector.network.interface.name=eth2

I restarted the container holding the connector and, ohhhh so close, this at least fixed my connector raw and content for type events agent id. As it now shows the events being received from 2.3.4.5. Unfortunately these are the only events I still see. Argggg we're so close but so far away. I'm sure I'm missing a simple thing but haven't a clue where to look.

Anyone?

marknewton28 (Super Contributor)

Re: Adding another Syslog connector issue

Problem solved. Nothing was being sent to my new connector even though I was told there was. Once our Networking team got off their butts and actually looked at the issue they found the problem and fixed it. Multiple NICs are now receiving syslogs without issue. Thanks everyone!
