Syslog Events sent over TCP from Syslog-NG appear to be getting dropped

Article Id: 157924

Status: Published

Updated On: 05-08-2013 12:57

Legacy Id: TECH205390

Products:

Security Information Manager

Issue/Introduction:

Syslog Events sent over TCP from Syslog-NG appear to be getting dropped.

ucf.log shows lot of errors 
"com.symantec.cas.ucf.plugin.syslog.server.AbstractSyslogServer 
Error during connection closing. Broken pipe" on per minute basis 

ucf.log also often reports 
"com.symantec.cas.ucf.plugin.syslog.server.AbstractSyslogServer 
Error while process message. Connection reset by peer java.io.IOException: 
Connection reset by peer"

Cause:

BEEP control protocol is being used instead of Raw TCP.

Resolution:

Create a new "/syslog-server-options.xml" file in the Agent Home folder of Event Agent to force the syslog sensor to use Raw TCP Mode and not the BEEP control protocol.

The following properties should be declared in file "/syslog-server-options.xml". In this file the user specifies the necessary custom options for particular syslog servers (identified by port/protocol pair). The file format is as follows:

<plugins>
	<syslog-plugin>

		<syslog-servers>
			<syslog-server>
				<property name="port">514</property>
				<property name="protocol">UDP</property>

				<property 
name="socket.SO_RCVBUF">512000</property>
			</syslog-server>

			<syslog-server>
				<property name="port">514</property>
				<property name="protocol">TCP</property>
				
				<property name="next-event-
pattern">&lt;\d+&gt;</property>
				<property name="raw-tcp-mode">true</property>
				<property 
name="socket.SO_KEEPALIVE">true</property>
			</syslog-server>

		</syslog-servers>

		<order/>

	</syslog-plugin>
</plugins>

Applies To

Point Product sends the syslog events to an intermediary syslog server that uses Syslog-NG.

Then the intermediary syslog server using Syslog-NG sends the syslog events on to SSIM over TCP.