Syslog notification does not work (SIM 4.7.4)

Created: 04 Feb 2013 • Updated: 07 Feb 2013 | 7 comments
sviridov:
This issue has been solved. See solution.

Configured everything in accordance with the article:
http://www.symantec.com/docs/TECH152638

Added to the file syslog.conf:

# Sending Incident Notification syslog events to another syslog server
local0.err                                              @192.168.13.204

When an incident is created, lines like these appear in the file /var/log/messages:

Jan 29 11:34:37 sim Incident Service[4619]: Updated incident RULE: "test rule" REF: 0000002308
Jan 29 11:35:38 sim Incident Service[4619]: Created incident RULE: "test rule" REF: 0000002313

but nothing arrives at the syslog server (UDP, port 514).

Running tcpdump on the SIM server:

# tcpdump host 192.168.13.204
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:43:38.453010 arp who-has 192.168.13.204 tell sim
11:43:38.453176 arp reply 192.168.13.204 is-at 00:50:56:bc:1e:26
11:43:38.453185 IP sim.34548 > 192.168.13.204.snmptrap:  V2Trap(35)  system.sysUpTime.0=0 .iso.org.dod.internet=[|snmp]

Comments (7)

Laurent_c:

Hi,

The config you need to use is for notice events, not error.

[root@atr-ses-9650 log]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
local0.notice                                                @10.160.96.241
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

And you will get the syslog event sent to the remote server.

I can see on my syslog server:

sviridov:

The config you need to use is for notice event and not error.

Is this an error in the KB?

my syslog.conf:

[root@sim ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
local0.notice                                           @192.168.13.204

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

Messages do not arrive at the syslog server.

Which port is your syslog server listening on?

All my posts are made by google translator!

Laurent_c:

There must be an error in the KB.

My Kiwi syslog listens on 514. I will edit the KB, as this is wrong.

sviridov:

Laurent_c, you can receive syslog if the correlation rule sets "Severity = 1".

Laurent_c:

Well, I need to double check, but I think I receive syslog on all severities. OK, I think I understood what you meant after looking at the logs:

So you are correct: depending on the rule, the severity is changed.

So use local0.*

sviridov:

The KB needs to be fixed.

You need to use local0.* or local0.info.

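As an added example (not code from the thread, from Symantec or from SIM), the following Python models how a classic sysklogd selector such as local0.err decides whether a message is written to its action, which is the whole difference between the KB's line and the working ones: a facility.level selector matches that level and everything more severe, so err (3) never matches the notice (5) or info (6) messages the Incident Service logs, while the stock "*.info;..." line still catches them for /var/log/messages. The host, process tag and rule text are taken from the log lines quoted above; that the Incident Service uses local0 at notice and info is the thread's observation and is assumed here, since the exact severity-to-level mapping is not stated.

```python
"""Added example (not the thread's, Symantec's or SIM's code): model
sysklogd selector matching to show why `local0.err @host` drops the
Incident Service messages while local0.notice / local0.info / local0.*
forward them. Assumption: SIM logs to local0 at notice and info."""

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
# Lower number = more severe. 'err' is 3, 'notice' is 5, 'info' is 6.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
          "notice": 5, "info": 6, "debug": 7}


def parse_selector(selector):
    """Parse a selector field like '*.info;mail.none;authpriv.none' into an
    ordered list of (facility_codes, spec). spec is ('none',), ('all',),
    ('atleast', n) for the plain 'level' form or ('exact', n) for '=level'.
    The '!level' exclusion form is not modelled and raises ValueError."""
    rules = []
    for part in selector.split(";"):
        fac_part, sep, lvl = part.strip().rpartition(".")
        if not sep:
            raise ValueError(f"selector without a level: {part!r}")
        if fac_part == "*":
            facs = set(FACILITIES.values())
        else:
            facs = {FACILITIES[f.strip()] for f in fac_part.split(",")}
        if lvl == "none":
            spec = ("none",)
        elif lvl == "*":
            spec = ("all",)
        elif lvl.startswith("="):
            spec = ("exact", LEVELS[lvl[1:]])
        elif lvl.startswith("!"):
            raise ValueError("'!level' exclusions are not modelled")
        else:
            spec = ("atleast", LEVELS[lvl])
        rules.append((facs, spec))
    return rules


def matches(selector, facility, level):
    """True if a message at facility/level is written to the action of a
    syslog.conf line carrying `selector`. As in sysklogd, plain and '='
    entries add levels for a facility and 'none' clears them, so
    '*.info;mail.none' keeps info+ from everything except mail."""
    fac, lvl = FACILITIES[facility], LEVELS[level]
    selected = False
    for facs, spec in parse_selector(selector):
        if fac not in facs:
            continue
        if spec[0] == "none":
            selected = False
        elif spec[0] == "all":
            selected = True
        elif spec[0] == "atleast" and lvl <= spec[1]:
            # 'level and more severe': err (3) does not reach notice (5),
            # which is why the KB's local0.err line sends nothing.
            selected = True
        elif spec[0] == "exact" and lvl == spec[1]:
            selected = True
    return selected


def pri(facility, level):
    """The <PRI> value of the datagram: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + LEVELS[level]


def datagram(facility, level, timestamp, host, tag, msg):
    """BSD-syslog (RFC 3164 style) UDP payload syslogd sends to '@host'."""
    return f"<{pri(facility, level)}>{timestamp} {host} {tag}: {msg}".encode()


# Constructed sample, modelled on the /var/log/messages line in the thread.
SAMPLE = dict(timestamp="Jan 29 11:35:38", host="sim",
              tag="Incident Service[4619]",
              msg='Created incident RULE: "test rule" REF: 0000002313')

CANDIDATES = {"KB TECH152638 as posted": "local0.err",
              "Laurent_c's first fix": "local0.notice",
              "thread's final fix": "local0.*"}

if __name__ == "__main__":
    local = "*.info;mail.none;authpriv.none;cron.none"   # stock catch-all line
    print("local0.notice -> /var/log/messages:", matches(local, "local0", "notice"))
    for label, sel in CANDIDATES.items():
        for lvl in ("notice", "info"):
            state = "forwarded" if matches(sel, "local0", lvl) else "dropped"
            print(f"{label:24} {sel:14} local0.{lvl:6} -> {state}")
    print(datagram("local0", "notice", **SAMPLE))
```

Running it prints, for the KB's local0.err, Laurent_c's local0.notice and the final local0.*, which of the notice and info messages would be forwarded, and the <133>-prefixed datagram the working lines would send to UDP 514. The same check on the box itself is `logger -p local0.notice test` while `tcpdump -n udp port 514` runs, as with the capture earlier in the thread.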
Laurent_c:

KB changed and re-published; it will take a little while to become active.