
How to make sure connector is getting log info from new linux systems?


Hi everyone,

First of all, I'm new to ArcSight, so bear with me with my limited knowledge on this.

We have a connector that has both type windowsfg for Windows Servers, and type syslog for Linux servers.

So my understanding would be windowsfg will be collecting Windows Security Events, and syslog will be collecting the security logs for Linux servers.

For new Windows Servers, what needs to be done is to add the new servers in the table parameters.

So my question would be - what do I need to do to ensure new Linux systems are passing log info to the ArcSight syslog connector?

Thanks,

Keo


Accepted Solutions
Fleet Admiral

Hi Keo Fua,

For collecting logs from Windows Hosts, you use WUC SmartConnector which works in pull/push mode.

For collecting logs from Linux Hosts, you have to use Syslog Daemon SmartConnectors, which work only in push mode; thus, as Evgeny said, you need to configure the syslog configuration on each Linux device to send the logs to the Syslog SmartConnector, which works as a syslog daemon (it listens on a specific configured port).

If logs are critical, I advise you to use TCP Raw.

To check if the SmartConnector is properly configured in TCP Raw, you may use the telnet command (with the correct port) and write something; the text should then be visible on the active channel launched on the SmartConnector.

Then to check the Linux device syslog configuration, you may use netstat and tcpdump to see if the logs are sent to the SmartConnector.

Do not hesitate to ask questions if this is not clear enough or if you meet any issue.

Thanks

Kind regards

Michael

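The reachability check Michael describes (connect to the connector's TCP Raw port, write a line, watch it appear on the active channel), as an added Python example that is not from this thread or from ArcSight: it sends one constructed syslog test line from the Linux side and, in place of a real connector, uses a stand-in listener so it runs offline. The connector host, port and the hostname "linux-test-01" are assumed placeholders.

```python
import socket
import threading
from datetime import datetime

def build_syslog_line(hostname, app, message, facility=1, severity=6):
    """RFC 3164-style line: <PRI>TIMESTAMP HOSTNAME TAG: MSG, PRI = facility*8 + severity
    (facility 1 = user, severity 6 = informational gives <14>)."""
    now = datetime.now()
    ts = f"{now.strftime('%b')} {now.day:2d} {now.strftime('%H:%M:%S')}"
    return f"<{facility * 8 + severity}>{ts} {hostname} {app}: {message}\n"

def send_test_event(host, port, line, timeout=3.0):
    """Open a TCP connection to the connector's listener and push one line.
    False means the port is closed or unreachable, so the host's syslog
    daemon could not deliver to the connector either."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(line.encode())
        return True
    except OSError:
        return False

class StandInListener:
    """Stand-in for the SmartConnector's TCP Raw listener (assumption: it reads
    newline-terminated lines); captures the first line so the example runs offline."""
    def __init__(self, port=0):
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", port))          # port 0 = pick a free port
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]
        self.received = None
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()
    def _serve(self):
        conn, _ = self.srv.accept()
        with conn:
            self.received = conn.makefile().readline()
        self.srv.close()
    def wait(self, timeout=3.0):
        self.thread.join(timeout)
        return self.received

def run_check(host, port, hostname="linux-test-01"):
    """Send one constructed test event; returns (delivered, line_sent)."""
    line = build_syslog_line(hostname, "arcsight-check", "connector reachability test")
    return send_test_event(host, port, line), line

if __name__ == "__main__":
    listener = StandInListener()                   # replace with the real connector host:port
    ok, sent = run_check("127.0.0.1", listener.port)
    print("delivered:", ok, "| connector saw:", listener.wait())
```

Against a real connector, pass its address to `run_check` instead of starting the stand-in, and look for the line on the active channel as Michael describes.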
4 Replies
Fleet Admiral

You need to configure the syslog daemon on every new Linux system to send logs to the destination server (with the syslog connector).

Knowledge Partner

Also, you can check the file syslog.properties on the connector to see if the IP of your Linux system is there; if not, then the connector is not getting syslog from that server.



Thanks guys! I appreciate your responses.

I'll get a test Linux server and test it out (since the production one is critical and I don't have access to change the syslog config).

I'll let you guys know when I have managed to get this working and mark the correct answer.

Thanks again guys!

Thanks,

Keo
