Unix Syslog Connector listening on 5514
This is very strange, as I have one server out of several, just the one, for which I cannot see any events in either of the two destinations, ESM and Logger. All other servers are logging.
I went as far as running tcpdump on the connector machine and can see traffic getting there, to the listening port of the connector:
10:13:28.473837 IP r-esx-pci-2.prod.int.eg.server.com.32623 > syslog.server.com.5514: UDP, length 268
10:13:55.043074 IP r-esx-pci-2.prod.int.eg.server.com.32623 > syslog.server.com:5514: UDP, length 133
10:13:55.043161 IP r-esx-pci-2.prod.int.eg.server.com.32623 > syslog.server.com.5514: UDP, length 149
10:14:14.950084 IP r-esx-pci-2.prod.int.eg.server.com.32623 > syslog.server.com.5514: UDP, length 195
can you please clarify your post?
From what you have written I don't understand the connection between the ArcSight product and how Linux is configured to run Syslog services.
In general, the Syslog SM can be configured to listen on any port you want, and in most cases you change the port because you don't want to interfere with other services (sometimes on a Linux box the local Syslog server is running on UDP 514).
sorry if I ask again but what is the issue that you have?
Are your sources not sending events to your Syslog SM that runs on UDP 5514, or is your Smart Connector not sending the events it receives to some destinations like ESM or Logger?
No problems about your questions.
All our Smart Connectors are defined with destinations pointing to our ESM and Logger installations. So once we have sources sending events to the connector, we will immediately see them in ESM and Logger.
syslog.server.com is the host where the Smart Connector for Syslog Daemon is running on port 5514, and it has destinations defined to our ESM and Logger instances.
Does this clarify anything?
Thanks for your help
Now I see.
Please try to follow the next steps; maybe they can clarify your current situation more:
- can you check with iptables -L if there are any firewall rules?
- if yes, change firewall rules
- can you check if the sending device is sending to the right interface?
- if the interface does not expect traffic from the source on that interface, it will discard the traffic, so it might be needed to add a route on that interface, even if this is UDP traffic
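As an added example (not part of this thread), a POSIX shell script that applies the first two checks from the reply above to captured command output instead of the live host: it walks an `iptables -S INPUT` dump with first-match semantics to get the verdict for an unsolicited UDP datagram to the connector port, and checks `ss -lun` for a socket bound to that port. The sample output is constructed, and the script assumes the iptables-save rule syntax and the default `ss -lun` column layout.

```shell
#!/bin/sh
# Constructed sample command output (not taken from the thread) standing in for
# `iptables -S INPUT` and `ss -lun` run on the connector host.
SAMPLE_IPTABLES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -j ACCEPT'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:5514      0.0.0.0:*
UNCONN 0      0      127.0.0.1:323     0.0.0.0:*'

# udp_verdict RULES PORT: first-match walk of an INPUT chain dump for an
# unsolicited UDP datagram to PORT; prints the matching target or the chain policy.
udp_verdict() {
  printf '%s\n' "$1" | awk -v p="$2" '
    /^-P INPUT / { policy = $3 }
    /^-A INPUT / {
      # loopback-only and conntrack-state rules never match a fresh datagram from a remote sender
      if ($0 ~ /-i lo /) next
      if ($0 ~ /--ctstate/) next
      proto = ""; dport = ""; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i+1)
        if ($i == "--dport") dport = $(i+1)
        if ($i == "-j") target = $(i+1)
      }
      if ((proto == "" || proto == "udp") && (dport == "" || dport == p)) { verdict = target; exit }
    }
    END { print (verdict == "" ? policy : verdict) }'
}

# udp_listener_present SS_OUTPUT PORT: exit 0 if an unconnected UDP socket is bound to *:PORT
udp_listener_present() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == "UNCONN" && $4 ~ (":" p "$") { found = 1 } END { exit !found }'
}

# diagnose RULES SS_OUTPUT PORT: both checks in one short report
diagnose() {
  port=$3
  if udp_listener_present "$2" "$port"; then
    echo "connector is listening on udp/$port"
  else
    echo "nothing bound to udp/$port: check the connector's own configuration first"
  fi
  v=$(udp_verdict "$1" "$port")
  [ "$v" = "ACCEPT" ] && echo "iptables INPUT accepts udp/$port" \
    || echo "iptables INPUT verdict for udp/$port is $v: the rule set still only allows the old port"
}

diagnose "$SAMPLE_IPTABLES" "$SAMPLE_SS" 5514
```

With the constructed rules the connector is bound to 5514 but the INPUT chain only accepts udp/514, so the datagrams tcpdump shows arriving are dropped by the chain policy before the connector ever reads them.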