Unix Syslog Connector listening on 5514 - Micro Focus Community

vigneshwar · ‎2019-05-15

This is very strange as I have one server out of several . Just the one that I cannot see any events in either of the two destinations ESM and Logger. All other servers are logging.

I went as far as running tcpdump on the connector machine and can see traffic getting there.to the listening port of the connector

10:13:28.473824 IP r-esx-pci-2.prod.int.eg.server.com.32623 > syslog.server.com.5514: UDP, length 268
10:13:28.473837 IP r-esx-pci-2.prod.int.eg.server.com.32623 > syslog.server.com.5514: UDP, length 268
10:13:55.043074 IP r-esx-pci-2.prod.int.eg.server.com.32623 > syslog.server.com:5514: UDP, length 133
10:13:55.043161 IP r-esx-pci-2.prod.int.eg.server.com.32623 > syslog.server.com.5514: UDP, length 149
10:14:14.950084 IP r-esx-pci-2.prod.int.eg.server.com.32623 > syslog.server.com.5514: UDP, length 195

What could be the problem? I hope the asset doesnt have to be defined in ArcSight for me to see Traffic.

Any thoughts or ideas is appreciated.

Thanks

Vignesh

Ionut Daniel Mosoiu · ‎2019-05-15

Hi Vignesh,

can you please clarify your post?

From what you have written I don't understand the connection between ArcSight product and how the Linux is configured to run Syslog services.

In general, the Syslog SM can be configured to listen on any port if you want and in most of the case you change the port because you don't want to interfere with other services ( sometimes on Linux box on UDP 514 is running the local Syslog server ).

Best Regards,

Daniel

vigneshwar · ‎2019-05-15

My ArcSight Smart Connector for Syslog Daemon is configured to run on that server listening on port 5514. Sorry i should have been clear about it. Thanks

Ionut Daniel Mosoiu · ‎2019-05-15

Hi Vignesh,

sorry if I ask again but what is the issue that you have?

Your sources are not sending events to your Syslog SM that's run on UDP 5514 or your Smart Connector it's not sending events received to some destinations like ESM or Logger?

Best Regards,

Daniel

vigneshwar · ‎2019-05-15

No problems about your questions.

All our Smart connectors are defined with destinations pointing to our ESM and Logger Installations. So once we have sources sending events to the connector, we will immediately see them in ESM and Logger.

The syslog.server.com is the host where the smart connector is running for Syslog Daemon on port 5514 and has defined destinations to our ESM and Logger instances.

Does this clarify any?

Thanks for your help

Vignesh

Ionut Daniel Mosoiu · ‎2019-05-15

Vignesh,

now I see.

Please try to follow the next thread maybe can clarify more your current situation

https://community.microfocus.com/t5/ArcSight-User-Discussions/Configure-syslog-on-non-standard-port/m-p/1572808?collapse_discussion=true&filter=location&location=forum-board:arcsight-discussions&q=standard%20ports&search_type=thread

Best Regards,

Daniel

vitz1 · ‎2019-05-16

can you check with iptables -L if there are any firewall-rules?
- if yes, change firewall rules
can you check if the sending device is sending to the right interface?
- if the interface does not expect traffic from the source on that interface, it will discard the traffic, so it might be needed to add a route on that interface, even if this is UDP traffic