
Syslog Messages Dropped by SYSLOG Event Source Server


Hello,

On my Event Source Server, I can see that the server listening for
syslog messages on port 40006 (custom port) and the maximum messages the
server can buffer is 100,000. But there are a lot of messages dropped...
Do you have any idea why?

I use Sentinel 7 and there are 100 Windows servers sending their logs to
this Event Source Server in SYSLOG UDP.

Thank you


--
bgirault


Re: Syslog Messages Dropped by SYSLOG Event Source Server


First thing that springs to mind is did you set your syslog connector to
allow event sources to be created automatically?
If you made the event sources by hand just delete them (or leave them),
set the connector to create them automatically and see if the event
sources are created (of course make sure you have a syslog connector and
something like a generic event collector).
You can also look in the server0.0.log file if you see any messages of
drops and the reason why.


--
jcvader1


Re: Syslog Messages Dropped by SYSLOG Event Source Server

[resend due to forum dropping the post]



Along with jcvader1's comments I have a few follow-up questions/comments:

1. How do you know you are dropping events? I do not doubt that you are,
but how do you see that?

2. You're using UDP (this is why I do not doubt you are dropping events).
UDP is an unreliable protocol and, in my opinion, should never be used
for auditing because auditing data are important, and even their order is
important in many cases. UDP is not made to do this well... it is the
unreliable form of TCP. There is never any guarantee of delivery and if I
ever become an auditor I'm going to have a hard time accepting
environments that use UDP for audited information since it's possible,
even likely, that data are lost. But, as everybody replies, our network
is really reliable, and the event source and CM sit next to each other, and
it's only a few events per second, and they are ten-gigabit links, and..
and... and.... I don't care. Sentinel never gets restarted for OS or
Sentinel patches? Events lost. A collector or connector plugin is never
upgraded requiring those nodes to be restarted in ESM? Events lost.

3. The latest Syslog connector, 2011.1r1 as I recall, now has file-backed
caching so be sure you are using this in any case so that you're not
limited to the memory-only caching from previous versions of the connector.

Good luck.
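One host-side way to answer the "how do you know you are dropping events?" question, as an added example that is not from this thread or from NetIQ: compare two snapshots of the kernel's UDP counters in /proc/net/snmp on the Linux box running the Event Source Server. A growing RcvbufErrors value means the kernel discarded datagrams because the socket receive buffer was full, so they were lost before the 100,000-message application buffer ever saw them. The two snapshots embedded below are constructed sample text, not real captures.

```python
"""Detect kernel-level UDP drops on a syslog receiver from /proc/net/snmp.

Added example, not part of the forum thread. Assumes the receiver is Linux;
the snapshots are constructed sample text for the sake of a runnable demo.
"""
from typing import Dict

# Constructed snapshots of /proc/net/snmp taken a few seconds apart while
# many hosts send syslog over UDP. Only the 'Udp:' lines are parsed.
SNAPSHOT_BEFORE = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 9000
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 1500000 12 3200 400 3200 0 0 0
"""
SNAPSHOT_AFTER = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 9800
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 1620000 12 7900 410 7900 0 0 0
"""


def parse_udp_counters(snmp_text: str) -> Dict[str, int]:
    """Return the Udp: counters of a /proc/net/snmp dump as a name -> value dict."""
    lines = [ln for ln in snmp_text.splitlines() if ln.startswith("Udp:")]
    if len(lines) != 2:
        raise ValueError("expected one Udp: header line and one Udp: value line")
    names = lines[0].split()[1:]
    values = [int(v) for v in lines[1].split()[1:]]
    return dict(zip(names, values))


def udp_drop_report(before: str, after: str) -> Dict[str, float]:
    """Compare two snapshots: datagrams delivered, dropped by the kernel, drop ratio."""
    b, a = parse_udp_counters(before), parse_udp_counters(after)
    received = a["InDatagrams"] - b["InDatagrams"]
    # RcvbufErrors counts datagrams discarded because the socket receive
    # buffer was full; the application never read them, so no application
    # buffer size can account for these losses.
    rcvbuf_drops = a["RcvbufErrors"] - b["RcvbufErrors"]
    offered = received + rcvbuf_drops
    ratio = rcvbuf_drops / offered if offered else 0.0
    return {"received": received, "rcvbuf_drops": rcvbuf_drops, "drop_ratio": ratio}


if __name__ == "__main__":
    # On a live host, pass two reads of open("/proc/net/snmp").read() instead.
    r = udp_drop_report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print(f"received={r['received']} kernel_drops={r['rcvbuf_drops']} "
          f"drop_ratio={r['drop_ratio']:.2%}")
```

If RcvbufErrors stays flat while the connector still reports drops, the loss is happening above the socket (connector or collector side), which is where the server0.0.log messages mentioned above become the next thing to check.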