
Syslog notification does not work (SIM 4.7.4)

Created: 04 Feb 2013 • Updated: 07 Feb 2013 | 7 comments
sviridov's picture
This issue has been solved.

Configured everything in accordance with the article:
http://www.symantec.com/docs/TECH152638

Added to the syslog.conf file:

# Sending Incident Notification syslog events to another syslog server
local0.err                                              @192.168.13.204

When an incident is created, lines like these appear in the file /var/log/messages:

Jan 29 11:34:37 sim Incident Service[4619]: Updated incident RULE: "тестовое правило" REF: 0000002308
Jan 29 11:35:38 sim Incident Service[4619]: Created incident RULE: "тестовое правило" REF: 0000002313

but nothing arrives at the syslog server (UDP, 514).

Ran tcpdump on the SIM server:

# tcpdump host 192.168.13.204
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:43:38.453010 arp who-has 192.168.13.204 tell sim
11:43:38.453176 arp reply 192.168.13.204 is-at 00:50:56:bc:1e:26
11:43:38.453185 IP sim.34548 > 192.168.13.204.snmptrap:  V2Trap(35)  system.sysUpTime.0=0 .iso.org.dod.internet=[|snmp]

Comments (7)

Laurent_c's picture

Hi,

The config you need to use is for notice events, not error.

[root@atr-ses-9650 log]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
local0.notice                                                @10.160.96.241
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

And you will get the syslog event sent to the remote server.

I can see on my syslog server:

sviridov's picture

The config you need to use is for notice events, not error.

Is that an error in the KB?

My syslog.conf:

[root@sim ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
local0.notice                                           @192.168.13.204

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

Messages do not arrive at the syslog server.

Which port are you listening on on the syslog server?

All my posts are made by google translator!

Laurent_c's picture

There must be an error in the KB.

My Kiwi syslog listens on 514. I will edit the KB, as this is wrong.

sviridov's picture

Laurent_c, you can receive syslog if the correlation rule sets "Severity = 1".

All my posts are made by google translator!

Laurent_c's picture

Well, I need to double check, but I think I receive syslog on all severities. OK, I think I understood what you meant after looking at the logs:

So you are correct: depending on the rule, the severity is changed.

So use local0.*

sviridov's picture

Need to fix the KB.

Need to use local0.* or local0.info.

All my posts are made by google translator!
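The thread's conclusion is a question of syslog selector semantics: a sysklogd-style selector `facility.priority` matches that priority *and everything more severe*, so `local0.err` silently drops the notice- and info-level lines the Incident Service writes, while `*.info` still lands them in /var/log/messages (which is why the OP saw lines locally but nothing on the remote collector). The following is an added example, not code from the thread, the KB article or the SIM product: it models the selector rules and evaluates the original `local0.err` line, the interim `local0.notice`, and the final `local0.*` / `local0.info` fix against constructed messages. The collector address and the priorities fed in are assumptions for illustration; the thread does not state exactly which priority each rule severity maps to.

```python
"""Model of classic syslog.conf selector matching (added example, not SIM code).

Semantics modelled (sysklogd/rsyslog legacy format):
  facility.prio   -> messages of that facility at prio OR MORE SEVERE
  facility.*      -> all priorities of that facility
  facility.none   -> explicitly exclude that facility
  facility.=prio  -> exactly that priority
  a;b;c           -> several selectors on one line; later ones override earlier
  f1,f2.prio      -> several facilities sharing one priority
"""
from dataclasses import dataclass
from typing import List, Optional

# Standard syslog priorities, most severe first (RFC 3164 numbering 0..7).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIO_NUM = {name: n for n, name in enumerate(PRIORITIES)}


@dataclass(frozen=True)
class Rule:
    selector: str  # e.g. "local0.err" or "*.info;mail.none"
    action: str    # e.g. "@192.168.13.204" or "/var/log/messages"


def _selector_matches(selector: str, facility: str, priority: str) -> Optional[bool]:
    """True/False if this selector decides the message, None if it is silent."""
    facs, _, prio = selector.rpartition(".")
    fac_list = [f.strip() for f in facs.split(",")]
    if facility not in fac_list and "*" not in fac_list:
        return None
    prio = prio.strip()
    if prio == "none":
        return False
    if prio == "*":
        return True
    if prio.startswith("="):
        return PRIO_NUM[priority] == PRIO_NUM[prio[1:]]
    # Default rule: the named priority and anything more severe (lower number).
    return PRIO_NUM[priority] <= PRIO_NUM[prio]


def rule_matches(rule: Rule, facility: str, priority: str) -> bool:
    """Evaluate a ';'-separated selector chain in order; last verdict wins."""
    decision = False
    for sel in rule.selector.split(";"):
        verdict = _selector_matches(sel, facility, priority)
        if verdict is not None:
            decision = verdict
    return decision


def parse_syslog_conf(text: str) -> List[Rule]:
    """Parse 'selector<whitespace>action' lines, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append(Rule(selector, action.strip()))
    return rules


def actions_for(rules: List[Rule], facility: str, priority: str) -> List[str]:
    """Every destination (file or @host) a message would be delivered to."""
    return [r.action for r in rules if rule_matches(r, facility, priority)]


# Constructed config fragments: the original KB line and the corrected one.
REMOTE = "@192.168.13.204"  # assumed collector address, as in the thread
CONF_KB_ORIGINAL = f"""
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
local0.err                                 {REMOTE}
"""
CONF_FIXED = CONF_KB_ORIGINAL.replace("local0.err", "local0.*")


def forwards_to_remote(conf: str, priority: str) -> bool:
    """Would a local0 message at `priority` be sent to the remote collector?"""
    return REMOTE in actions_for(parse_syslog_conf(conf), "local0", priority)


if __name__ == "__main__":
    for name, conf in (("local0.err", CONF_KB_ORIGINAL), ("local0.*", CONF_FIXED)):
        for prio in ("err", "notice", "info"):
            print(f"{name:11} local0.{prio:6} -> "
                  f"{actions_for(parse_syslog_conf(conf), 'local0', prio)}")
```

Running it shows the asymmetry the OP hit: with `local0.err`, a notice-level incident line reaches /var/log/messages (via `*.info`) but never the `@` target, so tcpdump sees no UDP/514 traffic at all; switching to `local0.*` forwards every priority, and `local0.info` would cover everything down to info while still dropping debug.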

Laurent_c's picture

KB changed and re-published, will take a little while to get active.