
Cisco IronPort Event Collector at SSIM 4.8

Created: 25 Jan 2013 | 4 comments

 Hello!

I don't get any events from my Cisco C160 (Async 7.6.0-444). Cisco Event Collector v4.3 is installed on the SSIM Appliance. The sensor listens on port UDP 10514.

The collector log has no errors.

 

But IronPort events are not collected in the system. By default, Cisco IronPort sends events to syslog port 514, but Cisco Event Collector v4.3 doesn't support syslog.

I tried redirecting events from the Cisco host to port 10514, but it didn't produce any result.

I used iptables for the redirect:

iptables -t nat -A PREROUTING -s 10.2.a.b/32 -p UDP -m multiport --dport 514 -j REDIRECT --to-port 10514

What did I do incorrectly?
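A loopback check of the delivery path, added here as an example that is not part of the original post and not code from Symantec or Cisco: it builds an RFC 3164 BSD syslog datagram, opens a UDP listener on a sensor port, sends one event and reports whether anything arrives and how it parses. The host name, tag, facility and port numbers are assumptions. The docstring caveat matters for the question above: a nat PREROUTING REDIRECT only rewrites packets arriving on a network interface, so a probe sent from the appliance itself to 127.0.0.1:514 never exercises the rule; to test the redirect, send from another host to port 514 while the listener waits on 10514.

```python
import socket
from datetime import datetime

# RFC 3164 facility and severity codes. Which facility an IronPort log
# subscription uses is configured on the appliance, so it is a parameter here.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "local0": 16, "local1": 17, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_syslog_message(facility, severity, host, tag, text, when=None):
    """Build a BSD syslog datagram: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day is space-padded
    return f"<{pri}>{stamp} {host} {tag}: {text}".encode("ascii")


def parse_syslog_message(data):
    """Decode the <PRI> prefix; None means the datagram is not BSD syslog."""
    end = data.find(b">", 1, 5)           # PRI is at most 3 digits: "<191>"
    if not data.startswith(b"<") or end == -1 or not data[1:end].isdigit():
        return None
    pri = int(data[1:end])
    if pri > 191:
        return None
    return {"facility": pri // 8, "severity": pri % 8,
            "body": data[end + 1:].decode("ascii", errors="replace")}


def open_listener(port, timeout=2.0):
    """Bind a UDP socket on the sensor port (0 lets the OS pick a free one)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(timeout)
    return sock


def send_and_wait(listener, target_host, target_port):
    """Send one test event to target_host:target_port and report what, if
    anything, the listener receives. Returns the parsed event, or None on
    timeout.

    Caveat: sending to 127.0.0.1 only proves the listener is up. Locally
    generated packets traverse nat OUTPUT, not PREROUTING, so a PREROUTING
    REDIRECT 514->10514 is never exercised that way. To test the redirect,
    run the sender on another host aimed at port 514 while this listener
    waits on 10514 on the appliance.
    """
    msg = build_syslog_message("mail", "info", "ironport-test", "ssim-probe",
                               "constructed test event, ignore")
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(msg, (target_host, target_port))
        data, (src, _) = listener.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sender.close()
    event = parse_syslog_message(data)
    if event is not None:
        event["from"] = src
    return event


if __name__ == "__main__":
    # Self-check on the appliance: listener on the sensor port, sent to directly.
    lst = open_listener(10514)
    print(send_and_wait(lst, "127.0.0.1", 10514))
    lst.close()
```

If the loopback probe parses but nothing shows up when the IronPort sends, the problem is upstream of the listener (the redirect rule, a `-s` restriction that does not match the appliance, or the filter INPUT chain); if the probe itself times out, the collector is not bound to the sensor port at all.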


alexovi4

I think the best way (starting steps) to troubleshoot your situation is to review the following tech articles:

- http://www.symantec.com/docs/TECH90211

- http://www.symantec.com/docs/TECH90212

Kvizzy

In my opinion, Syslog Director was changed in SSIM version 4.8. And the Cisco IronPort Event Collector is not a syslog collector.

I solved my problem. I installed the collector on an SSIM Agent and configured it to listen on port 514. This setup works.

andlid

I've got a similar problem, in that my box has stopped redirecting UDP 514 to the Syslog Director. I tried the links above, but one does not apply since I've got SSIM 4.7, and the other has broken sister links, so I can't get any further KB assistance. I'm guessing it's something to do with iptables not directing any syslogs to the collectors. I can see the traffic coming into the interface, but no events are logged.

I tried restarting iptables after a reboot to see if that helped, but no...

Here is my iptables:

# Generated by iptables-save v1.2.11 on Mon Nov  5 12:01:47 2012
*nat
:PREROUTING ACCEPT [3:1604]
:POSTROUTING ACCEPT [964:84261]
:OUTPUT ACCEPT [964:84261]
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 10514
-A PREROUTING -p tcp -m tcp --dport 514 -j REDIRECT --to-ports 10514
COMMIT
# Completed on Mon Nov  5 12:01:47 2012
# Generated by iptables-save v1.2.11 on Mon Nov  5 12:01:47 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [31637:15634303]
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3539 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3700 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10010 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10030 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10012 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10099:49999 -j ACCEPT
-A INPUT -p udp -m udp --dport 10099:49999 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10514:10650 -j ACCEPT
-A INPUT -p udp -m udp --dport 10514:10650 -j ACCEPT
COMMIT
 

Any help would be greatly appreciated.
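An offline consistency check over `iptables-save` output, added here as an example and not taken from this thread or from Symantec: it parses the dump, finds every nat PREROUTING REDIRECT that matches syslog on 514 (the form used both by the single rule in the first post and by the ruleset above), and then confirms that the filter INPUT chain accepts the rewritten port, since INPUT defaults to DROP here and the filter table sees 10514, not 514, after the REDIRECT. SAMPLE_RULES is a constructed abbreviation of the ruleset above; feed the real dump on stdin. What the check cannot see from a dump is whether a `-s` restriction actually matches the IronPort's address, so it only reports one when present.

```python
import shlex

# Constructed sample in the shape of `iptables-save` output on the appliance:
# a PREROUTING REDIRECT for syslog plus an INPUT chain that defaults to DROP.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [3:1604]
:OUTPUT ACCEPT [964:84261]
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 10514
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 10514:10650 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Parse iptables-save text into {table: {"policy": {chain: policy}, "rules": [(chain, argv)]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # *nat, *filter, ...
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):                  # -A CHAIN <matches> -j TARGET
            argv = shlex.split(line)
            tables[table]["rules"].append((argv[1], argv[2:]))
    return tables


def _opt(argv, *names):
    """Value that follows the first of `names` found in argv, or None."""
    for i, arg in enumerate(argv[:-1]):
        if arg in names:
            return argv[i + 1]
    return None


def _covers(spec, port):
    """True if an iptables port spec ('514', '10514:10650', '514,601') covers port."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def check_syslog_redirect(text, proto="udp", syslog_port=514):
    """List the reasons syslog on syslog_port would not reach a REDIRECTed port.

    An empty list means the nat and filter tables agree for this path, so the
    fault is not in iptables. Remember that PREROUTING never sees locally
    generated test traffic (that goes through nat OUTPUT), so a probe must be
    sent from another host.
    """
    tables = parse_iptables_save(text)
    findings, targets = [], []
    for chain, argv in tables.get("nat", {}).get("rules", []):
        if chain != "PREROUTING" or _opt(argv, "-j") != "REDIRECT":
            continue
        dport = _opt(argv, "--dport", "--dports")
        if _opt(argv, "-p") != proto or not dport or not _covers(dport, syslog_port):
            continue
        # --to-ports may be a single port or a "lo-hi" range; the low end suffices.
        to = _opt(argv, "--to-ports", "--to-port")
        targets.append(int(to.split("-")[0]))
        src = _opt(argv, "-s")
        if src:
            findings.append(f"redirect applies only to source {src}; confirm that is the sender")
    if not targets:
        findings.append(f"no nat PREROUTING REDIRECT rule matches {proto}/{syslog_port}")
        return findings
    filt = tables.get("filter", {})
    policy = filt.get("policy", {}).get("INPUT", "ACCEPT")
    for port in targets:
        # After REDIRECT the filter INPUT chain sees the rewritten port, not 514.
        accepted = any(
            chain == "INPUT" and _opt(argv, "-j") == "ACCEPT" and _opt(argv, "-p") == proto
            and _covers(_opt(argv, "--dport", "--dports") or "0", port)
            for chain, argv in filt.get("rules", [])
        )
        if not accepted and policy != "ACCEPT":
            findings.append(f"INPUT policy is {policy} and no rule accepts {proto}/{port}, "
                            "so datagrams are dropped after the rewrite")
    return findings


if __name__ == "__main__":
    import sys
    text = SAMPLE_RULES if sys.stdin.isatty() else sys.stdin.read()
    for line in check_syslog_redirect(text) or ["ruleset is consistent for udp/514"]:
        print(line)
```

Run on the ruleset above (`iptables-save | python3 check_redirect.py`, file name assumed) it returns no findings, which is consistent with how this thread ends: the packets were reaching the collector port and the fault was in the Syslog Director configuration, not in iptables.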

 

andlid

Just an update on my problem above. It turns out it was the Syslog Director itself that had gone into some sort of crazy configuration problem. Once the profile was deleted and re-created, it has worked ever since (fingers crossed). I never got to the bottom of the problem itself.