
rsyslog with SSIM

Created: 11 Oct 2012 | 5 comments
Hello,

I have a question: does rsyslog work fine with SSIM?

I configured my rsyslog to send logs to the SSIM Server; by the way, the messages are categorized as Generic Syslog Collector and not as UNIX (R) OS Event Collector.

I made the same configuration using syslog and it works.

What could be wrong?

Thanks in advance


Avkash K:

Yes, rsyslog works fine with SSIM.

By default, you need to check whether you have configured your UNIX Event collector to receive the logs.

If the logs are not parsed by the UNIX collector, they will be parsed by the Generic syslog collector.

Regards,

Avkash K

suporte.symantec:

OK Avkash K,

I configured the UNIX Event Collector, but the messages are parsed only by the Generic syslog Collector.

Thanks!

Laurent_c:

It is a signature issue with the redirector.

Could you post a sample event that goes to the generic syslog rather than the Unix collector?

suporte.symantec:

Hi,

So, I removed all configurations and did a new installation of the Linux Agent and Unix Syslog, but nothing changed.

Right now, nothing is logged in my SSIM Server.

I tested by trying to log on using a wrong password; the logs are sent but nothing shows in my queries.

14:08:22.850739 IP 192.168.X.Y.38433 > 172.16.A.B.10525: UDP, length 148
14:08:24.755148 IP 192.168.X.Y.38433 > 172.16.A.B.10525: UDP, length 95
14:08:30.008516 IP 192.168.X.Y.38433 > 172.16.A.B.10525: UDP, length 97
14:08:30.021954 IP 192.168.X.Y.38433 > 172.16.A.B.10525: UDP, length 99

My Client = 192.168.X.Y
My Server = 172.16.A.B
PS: There is normal communication between the servers.

I configured my rsyslog.conf on UDP port 514 and 10525 to test.

My Linux client kernel = 2.6.32-131.2.1.el6.x86_64

Thanks!

Laurent_c:

Could you enable the generic syslog event collector and enable raw event logging?

Then could you post a sample of these raw events? (You have a field called raw_event.)

This is certainly a signature configuration issue if they reach the generic syslog.
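The thread's diagnosis is that events land in the Generic Syslog Collector whenever no UNIX OS collector signature matches the raw event. The script below is an added example, not code from the thread or from Symantec's product, that mimics that decision so you can see why a given raw_event falls through: it first checks the syslog header layout, then the message body against a signature set. The header regex and the two sshd signatures are hypothetical stand-ins for the real collector signatures (which are not on the page); the sample raw_event lines are constructed. The assumption it illustrates is that a collector expecting the traditional BSD header (`Oct 11 14:08:22 host tag[pid]: msg`) will not match events that rsyslog forwards with a different template, such as an RFC 3339 high-precision timestamp, even when the message body is a perfectly good login failure.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample raw_event values (not taken from the thread).
# Events 1, 2 and 4 use the traditional BSD syslog header; event 3 uses the
# RFC 3339 timestamp layout that a non-traditional rsyslog forwarding template
# produces (assumption: this is the kind of mismatch that sends events to Generic).
SAMPLE_RAW_EVENTS = [
    "<86>Oct 11 14:08:22 client01 sshd[2231]: Failed password for invalid user admin from 10.0.0.5 port 51022 ssh2",
    "<86>Oct 11 14:08:24 client01 sshd[2231]: Accepted password for alice from 10.0.0.5 port 51023 ssh2",
    "<86>2012-10-11T14:08:30.008516-03:00 client01 sshd[2231]: Failed password for alice from 10.0.0.5 port 51024 ssh2",
    "<13>Oct 11 14:08:31 client01 myapp: heartbeat ok",
]

# Hypothetical header signature: <PRI>MMM DD HH:MM:SS host tag[pid]: message
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Hypothetical UNIX OS collector signatures, keyed by an event name.
UNIX_SIGNATURES = {
    "ssh_login_failure": re.compile(
        r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"
    ),
    "ssh_login_success": re.compile(
        r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"
    ),
}

UNIX = "UNIX OS Event Collector"
GENERIC = "Generic Syslog Collector"


def classify(raw_event: str) -> Tuple[str, Optional[str], Dict[str, str], str]:
    """Decide which collector would take the event.

    Returns (collector, signature_name, extracted_fields, reason). The reason
    tells you which layer failed: the header layout (fix the forwarding
    template) or the message body (no signature covers this event type).
    """
    header = BSD_HEADER.match(raw_event)
    if not header:
        return GENERIC, None, {}, "header does not match traditional BSD syslog layout"
    msg = header.group("msg")
    for name, signature in UNIX_SIGNATURES.items():
        body = signature.match(msg)
        if body:
            fields = {"host": header.group("host"), "tag": header.group("tag"), **body.groupdict()}
            return UNIX, name, fields, "matched"
    return GENERIC, None, {"host": header.group("host"), "tag": header.group("tag")}, \
        "no UNIX signature matches message body"


def triage(raw_events: List[str]) -> Dict[str, List[Tuple[str, Optional[str], str]]]:
    """Bucket events by collector so the fall-through set can be reviewed at once."""
    buckets: Dict[str, List[Tuple[str, Optional[str], str]]] = {UNIX: [], GENERIC: []}
    for event in raw_events:
        collector, name, _fields, reason = classify(event)
        buckets[collector].append((event, name, reason))
    return buckets


if __name__ == "__main__":
    for collector, entries in triage(SAMPLE_RAW_EVENTS).items():
        print(f"== {collector} ({len(entries)} events)")
        for event, name, reason in entries:
            print(f"  [{name or '-'}] {reason}: {event[:60]}...")
```

Run it against the raw_event values you export from the generic collector: events whose reason is the header layout point at the rsyslog forwarding template on the client (compare what rsyslog sends with what a stock syslogd sends, since the thread reports syslogd works); events whose reason is the message body point at a missing or outdated signature on the SSIM side.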