
Integration of Unix servers with ArcSight - syslog mechanism

Hello Guys,

Has anyone come across a strange situation wherein you have 5 (for example) UNIX servers which communicate with the ArcSight Smart Connector server on UDP port 514 via the syslog mechanism?

All 5 UNIX servers are in the same network and can communicate with the ArcSight Smart Connector server. While integrating the servers, only 3 servers get integrated (the ArcSight manager is receiving logs), but the other 2 servers don't get integrated, even after making the same configuration changes in their syslog.conf files.

Kindly share your thoughts on this, and help me resolve this issue.

Thank you in advance.

Regards,

Siddarth.

4 Replies

Re: Integration of Unix servers with ArcSight - syslog mechanism

Sounds like you have a problem with the syslog configuration on your unix servers.

To me this is very simple: if the logs from one Unix host made it through the connector, then the others should as well. I am assuming that the Unix hosts are the same and the connector doesn't have any special unusual configuration.

I suggest you review the configuration of the syslog daemon on the hosts which don't appear to be sending anything.

Also, if you are using active channels to check if the events are coming in, make sure to set the active channels to use manager receipt time. This will show you events even if their time is in the past or future.


Re: Integration of Unix servers with ArcSight - syslog mechanism

Things to check:

Is syslogd running on the non-reporting source systems?

Host-based firewalls (iptables etc.) on the source systems, as well as the system hosting the connector. Is the UDP traffic allowed through on port 514 from the 2 quiet boxes to the connector host? Verify traffic is departing/arriving with tcpdump (or similar).

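The reply above says to verify with tcpdump that the UDP datagram actually leaves the quiet hosts and arrives at the connector. The following is an added example, not code from the thread or from ArcSight: a small Python probe that builds an RFC 3164-style syslog packet, sends it over UDP, and reads it back on a listener, so both the "departing" and the "arriving" side can be checked from the command line. The hostname, tag and loopback port are assumptions; on a real path you would run the listener (or tcpdump) on the connector host and point the sender at its address and port 514, which needs root to bind.

```python
"""Loopback probe for a UDP syslog path (added example, not from the thread).

Builds an RFC 3164 message, sends it over UDP and receives it on a listener,
then parses the PRI back out. sendto() succeeding proves nothing on its own:
UDP is fire-and-forget, which is why the receiving side has to be checked too.
"""
import socket
import time

FACILITY_USER = 1    # "user-level messages" in RFC 3164
SEVERITY_INFO = 6    # "informational"


def rfc3164_timestamp(now=None):
    """RFC 3164 wants 'Mmm dd hh:mm:ss' with the day space-padded (e.g. 'Oct  1')."""
    now = now or time.localtime()
    return f"{time.strftime('%b', now)} {now.tm_mday:2d} {time.strftime('%H:%M:%S', now)}"


def build_syslog_message(facility, severity, hostname, tag, text, timestamp=None):
    """Return the packet bytes: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    pri = facility * 8 + severity
    timestamp = timestamp or rfc3164_timestamp()
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode("ascii")


def parse_pri(packet):
    """Split the leading <PRI> off a packet; return (facility, severity, rest)."""
    if not packet.startswith(b"<"):
        raise ValueError("packet does not start with <PRI>")
    end = packet.index(b">", 1)
    pri = int(packet[1:end])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, packet[end + 1:].decode("ascii", "replace")


def open_listener(host="127.0.0.1", port=0):
    """Bind a UDP socket. Port 0 picks a free port; 514 would need root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def send_syslog(packet, host, port):
    """Send one datagram. Returns bytes handed to the kernel, not bytes delivered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(packet, (host, port))


def receive_one(sock, timeout=2.0):
    """Wait up to `timeout` seconds for one datagram; None means nothing arrived."""
    sock.settimeout(timeout)
    try:
        return sock.recvfrom(65535)
    except socket.timeout:
        return None


def probe_loopback(tag="arcsight-probe"):
    """Push a unique marker through a local listener and report what came back."""
    listener = open_listener()
    try:
        _, port = listener.getsockname()
        marker = f"probe {time.time_ns()}"          # unique, so it is easy to grep for
        packet = build_syslog_message(FACILITY_USER, SEVERITY_INFO,
                                      "unixhost01", tag, marker)  # assumed hostname
        send_syslog(packet, "127.0.0.1", port)
        got = receive_one(listener)
        if got is None:
            return {"received": False}
        data, sender = got
        facility, severity, rest = parse_pri(data)
        return {"received": True, "facility": facility, "severity": severity,
                "marker_matches": rest.endswith(marker), "sender": sender[0]}
    finally:
        listener.close()


if __name__ == "__main__":
    print(probe_loopback())
```

A marker that makes it through the loopback but not from a quiet host to the connector narrows the fault to the network path or a host firewall between the two, which is exactly where the reply points.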

Re: Integration of Unix servers with ArcSight - syslog mechanism

I had a similar issue and after tons of troubleshooting found that the syslog.conf had illegal characters in it which was preventing the syslog daemon from reading it.


Re: Integration of Unix servers with ArcSight - syslog mechanism

> found that the syslog.conf had illegal characters

That's a likely reason - IIRC syslog.conf only allows tabs, no spaces. Do a ":set list" in vi and make sure you only have tabs.

Regards

Peter

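The two replies above point at the file itself: illegal characters that stop the daemon parsing syslog.conf, and spaces where classic syslogd expects a tab between selector and action. As an added example, not code from the thread or from any syslog implementation, here is a small linter that reports both, plus whether any line forwards to a remote host at all. The tab rule is the classic BSD syslogd behaviour; rsyslog and syslog-ng accept spaces, so that finding is reported as a warning. The sample configuration is constructed and the file reader is an assumption about how you would run it.

```python
"""Lint a syslog.conf for the traps named above (added example, not from the thread).

Findings:
  error   - characters a daemon cannot be expected to parse: CR from a Windows
            editor, NBSP or other non-ASCII pasted from a document, control chars
  error   - a non-comment line that cannot be split into selector and action
  warning - selector and action separated by spaces (classic syslogd wants a tab)
  error   - no '@host' action anywhere, i.e. nothing is forwarded at all
"""
import re
import sys

# selector (facility.priority lists), whitespace, action (file, @host, user, |pipe)
SELECTOR_RE = re.compile(r"^([A-Za-z0-9*,.;!=]+)(\s+)(\S.*)$")


def illegal_chars(line):
    """Return the set of characters outside printable ASCII, tab excepted."""
    return {c for c in line if ord(c) > 126 or (ord(c) < 32 and c != "\t")}


def lint_syslog_conf(text):
    """Return (findings, forwards); findings are (lineno, severity, message)."""
    findings, forwards = [], []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        bad = illegal_chars(raw)
        line = raw
        if bad:
            codes = ", ".join(f"U+{ord(c):04X}" for c in sorted(bad))
            findings.append((lineno, "error", f"illegal characters: {codes}"))
            line = "".join(c for c in raw if c not in bad)   # keep linting the rest
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SELECTOR_RE.match(stripped)
        if not m:
            findings.append((lineno, "error", "cannot split into selector and action"))
            continue
        selector, sep, action = m.groups()
        if " " in sep:
            findings.append((lineno, "warning",
                             "selector and action separated by spaces; classic syslogd requires a tab"))
        if action.startswith("@"):
            forwards.append((lineno, selector, action[1:]))
    if not forwards:
        findings.append((0, "error", "no line forwards to a remote host (@host action)"))
    return findings, forwards


def lint_file(path):
    """Read the file so that undecodable raw bytes still surface as findings."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        return lint_syslog_conf(fh.read())


# Constructed sample: one good line, one with spaces, one with CR, one with NBSP.
SAMPLE_CONF = (
    "# constructed sample, not a real host's file\n"
    "*.info;mail.none;authpriv.none\t/var/log/messages\n"
    "authpriv.*    /var/log/secure\n"          # spaces instead of a tab
    "*.*\t@10.0.0.5\r\n"                        # CR left by a Windows editor
    "mail.*\t\u00a0-/var/log/maillog\n"         # NBSP pasted from a document
)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="surrogateescape").read() \
        if len(sys.argv) > 1 else SAMPLE_CONF
    found, fwd = lint_syslog_conf(text)
    for lineno, sev, msg in found:
        print(f"line {lineno}: {sev}: {msg}")
    for lineno, sel, host in fwd:
        print(f"line {lineno}: forwards '{sel}' to {host}")
```

Running it without arguments lints the built-in sample; `python lint.py /etc/syslog.conf` lints a real file. The ":set list" check from the reply shows the same thing interactively; the linter is handy when you have several hosts to compare.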