Previous Post Next Post

not work syslog notification (SIM 4.7.4)

Created: 04 Feb 2013 | Updated: 07 Feb 2013 | 7 comments

sviridov Partner Accredited

This issue has been solved. See solution.

Configured all in accordance with article:
http://www.symantec.com/docs/TECH152638

to file syslog.conf added:

# Sending Incident Notification syslog events to another syslog server
local0.err @192.168.13.204

when the incident is created in the file /var/log/messsages appear lines, like this:

Jan 29 11:34:37 sim Incident Service[4619]: Updated incident RULE: "тестовое правило" REF: 0000002308
Jan 29 11:35:38 sim Incident Service[4619]: Created incident RULE: "тестовое правило" REF: 0000002313

but in sislog server (UDP, 514) nothing not come.

Run tcpdump on the SIM-server:

# tcpdump host 192.168.13.204
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:43:38.453010 arp who-has 192.168.13.204 tell sim
11:43:38.453176 arp reply 192.168.13.204 is-at 00:50:56:bc:1e:26
11:43:38.453185 IP sim.34548 > 192.168.13.204.snmptrap: V2Trap(35) system.sysUpTime.0=0 .iso.org.dod.internet=[|snmp]

Discussion Filed Under:

Security, Symantec Security Information Manager, Troubleshooting

Comments RSS Feed

Comments 7 Comments • Jump to latest comment

Laurent_c Symantec Employee Accredited

not work syslog notification (SIM 4.7.4) - Comment:06 Feb 2013 : Link

Hi,

The config you need to use is for notice event and not error.

[root@atr-ses-9650 log]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
local0.notice                                                @10.160.96.241
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

And you will get the syslog event sent to the remote server.

I can see on my syslog server :

sviridov Partner Accredited

not work syslog notification (SIM 4.7.4) - Comment:06 Feb 2013 : Link

The config you need to use is for notice event and not error.

is an error in the KB?

my syslog.conf:

[root@sim ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
local0.notice                                           @192.168.13.204

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log