How does Ironport send logs to SSIM?
Hi,
I am a newcomer to SSIM. I am in doubt about how Ironport sends its logs to SSIM. Would anyone please clarify it for me? The following is my configuration.
At IronPort, it is set to send syslog messages to SSIM.
At SSIM, Ironport collector's sensor listens to UDP port 10535 but there is no syslog director configuration for Ironport collector. The syslog director's sensor is on UDP port 10514.
Anyway, I am able to query Ironport's logs in SSIM. I am wondering how this comes about. Please let me know if I misunderstand anything.
Thanks,
Nitass
Filed under: Security Information Manager, Security
the ironport collector is not compatible with syslog director, this is why you don't see it displayed in syslogdirector configuration.
you need to have your ironport appliance forward directly on the ironport collector port. in your case 10535.
If I am not wrong, it is not possible to change syslog port at Ironport appliance.
However, what I am in doubt about is why I am able to search Ironport logs in SSIM. How does SSIM receive the Ironport log???
Do you have any idea?
Thanks,
Nitass
Let me try to explain in detail.
The problem we are facing is that you can't open a port <1024 as a non-root user.
But the onboard agent (and therefore the collectors) on our appliance is running as user sesuser which is a non-root user.
We are using iptables to redirect all traffic which arrives on port 514 to port 10514. That is the port the syslog-director is listening on by default.
Run command "iptables -t nat -L" and you will see the redirect rules which are present.
So the event from the ironport will eventually arrive on port 10514. If you have now the generic syslog collector configured the event will be picked up by this collector as it doesn't match any of the other Collector Signatures.
There is one thing you can do to get an onboard ironport collector to work.
In the sensor settings you will have to specify the following settings:
Protocol: UDP
Host names: <IP or hostname of the Cisco Ironport>, it is vital that you specify the address or you will create a port conflict
Port Number: 10514
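The check the post above suggests, as an added example that is not from this thread: a small POSIX shell function that reads the NAT table listing and reports the local port that inbound UDP/514 syslog is redirected to. The table text is constructed to match the format of `iptables -t nat -L -n`, and the rule shown in the comment is assumed to be the one that produces it.

```shell
#!/bin/sh
# Added example (not from the original thread). On a live appliance run
# "iptables -t nat -L -n" and feed its output to redirect_target; the text
# below is a constructed sample in that format.

SAMPLE_NAT_TABLE='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:514 redir ports 10514
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:514 redir ports 10514

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination'

# redirect_target PROTO PORT [TABLE_TEXT]
# Prints the local port that PROTO traffic arriving on PORT is redirected to.
# Prints nothing and returns 1 when no REDIRECT rule matches, i.e. the
# unprivileged collector will never see syslog sent to the privileged port.
redirect_target() {
    proto=$1
    port=$2
    table=${3:-$(iptables -t nat -L -n 2>/dev/null)}
    printf '%s\n' "$table" | awk -v p="$proto" -v d=" dpt:$port " '
        $1 == "REDIRECT" && $2 == p && index($0, d) > 0 {
            for (i = 1; i <= NF; i++) if ($i == "ports") { print $(i+1); found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Assumed rule that yields the first line above (run as root; shown, not executed):
#   iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 10514

if target=$(redirect_target udp 514 "$SAMPLE_NAT_TABLE"); then
    echo "UDP/514 is redirected to local port $target"
else
    echo "no REDIRECT rule for UDP/514: nothing unprivileged can receive it"
fi
```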
My configuration
This is my configuration. Could anyone please clarify it for me? Please correct me if I misunderstand anything.
Thank you very much,
Nitass
What you are seeing in the table view are most likely Collector Statistics events.
Did you actually run a query for the Product Cisco Ironport and see if you have any real product events for Cisco Ironport?
Looking at your configuration I doubt that you will find any.
Yes, I did and was able to get the result. This is an example.
Any suggestions are welcome.
Thanks,
Nitass
One more thing, there are event storage rules configuration as below. Is it related to this?
In addition, there is no sensor configuration of generic syslog event collector.
Please advise.
Mh, according to your screenshot you are getting events from Cisco Ironport.
Either your Cisco Ironport forwards events directly to port 10535 or there is some other solution in place which sends the events to port 10535. But you should actually know how your environment was set up.
I got it.
Thanks. I got it. It is redirected by iptables.
Thanks again,
Nitass