Syslog Events sent over TCP from Syslog-NG appear to be getting dropped

Article ID: 157924

Products

Security Information Manager

Issue/Introduction

Syslog Events sent over TCP from Syslog-NG appear to be getting dropped.

ucf.log shows many errors of the form
"com.symantec.cas.ucf.plugin.syslog.server.AbstractSyslogServer Error during connection closing. Broken pipe"
on a roughly per-minute basis.

ucf.log also often reports
"com.symantec.cas.ucf.plugin.syslog.server.AbstractSyslogServer Error while process message. Connection reset by peer java.io.IOException: Connection reset by peer"

Cause

BEEP control protocol is being used instead of Raw TCP.

Resolution

Create a new "/syslog-server-options.xml" file in the Agent Home folder of Event Agent to force the syslog sensor to use Raw TCP Mode and not the BEEP control protocol.

The following properties should be declared in file "/syslog-server-options.xml". In this file the user specifies the necessary custom options for particular syslog servers (identified by port/protocol pair). The file format is as follows:

<plugins>
	<syslog-plugin>

		<syslog-servers>
			<syslog-server>
				<property name="port">514</property>
				<property name="protocol">UDP</property>

				<property name="socket.SO_RCVBUF">512000</property>
			</syslog-server>

			<syslog-server>
				<property name="port">514</property>
				<property name="protocol">TCP</property>

				<property name="next-event-pattern">&lt;\d+&gt;</property>
				<property name="raw-tcp-mode">true</property>
				<property name="socket.SO_KEEPALIVE">true</property>
			</syslog-server>

		</syslog-servers>

		<order/>

	</syslog-plugin>
</plugins>
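The following Python script is an added example, not part of this article and not Symantec's own code. It parses a syslog-server-options.xml in the format shown above, checks that the TCP listener on port 514 has raw-tcp-mode enabled together with a next-event-pattern, and shows how such a pattern can be used to cut a raw TCP byte stream (which carries no BEEP framing) into individual syslog events, including a message that arrives split across two reads. The XML text and the three syslog lines are constructed for the example; the function and class names (load_server_options, check_tcp_raw_mode, RawTcpSplitter) are mine and are not the agent's API, and the assumption that the sensor uses next-event-pattern to find event boundaries is inferred from the property name rather than stated by the article.

```python
"""Added example: validate syslog-server-options.xml and split a raw TCP
syslog stream on the configured next-event-pattern (not Symantec code)."""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the file layout from the KB article.
OPTIONS_XML = """<plugins>
  <syslog-plugin>
    <syslog-servers>
      <syslog-server>
        <property name="port">514</property>
        <property name="protocol">UDP</property>
        <property name="socket.SO_RCVBUF">512000</property>
      </syslog-server>
      <syslog-server>
        <property name="port">514</property>
        <property name="protocol">TCP</property>
        <property name="next-event-pattern">&lt;\\d+&gt;</property>
        <property name="raw-tcp-mode">true</property>
        <property name="socket.SO_KEEPALIVE">true</property>
      </syslog-server>
    </syslog-servers>
    <order/>
  </syslog-plugin>
</plugins>
"""

# Constructed raw TCP payload: three BSD-style syslog messages, each
# starting with a <PRI> header and ending with a newline.
STREAM = (b"<34>Oct 11 22:14:15 host app: one\n"
          b"<13>Oct 11 22:14:16 host app: two\n"
          b"<165>Oct 11 22:14:17 host app: three\n")


def load_server_options(xml_text):
    """Return {(port, PROTOCOL): {property-name: value}} for each <syslog-server>."""
    root = ET.fromstring(xml_text)
    servers = {}
    for srv in root.iter("syslog-server"):
        props = {p.get("name"): (p.text or "").strip() for p in srv.findall("property")}
        servers[(int(props["port"]), props["protocol"].upper())] = props
    return servers


def check_tcp_raw_mode(servers, port=514):
    """Return a list of configuration problems for the TCP listener (empty = OK)."""
    tcp = servers.get((port, "TCP"))
    if tcp is None:
        return ["no TCP <syslog-server> entry for port %d" % port]
    problems = []
    if tcp.get("raw-tcp-mode", "false").lower() != "true":
        problems.append("raw-tcp-mode is not true; sensor will expect BEEP framing")
    if not tcp.get("next-event-pattern"):
        problems.append("next-event-pattern missing; raw stream cannot be split into events")
    return problems


class RawTcpSplitter:
    """Cut a raw TCP byte stream into events at each match of the
    next-event-pattern (assumed: the <PRI> header that opens every message).
    A trailing, possibly incomplete event stays buffered until more data arrives."""

    def __init__(self, pattern=r"<\d+>"):
        self.pattern = re.compile(pattern.encode("ascii"))
        self.buf = b""

    def feed(self, data):
        """Append received bytes and return the list of completed events."""
        self.buf += data
        starts = [m.start() for m in self.pattern.finditer(self.buf)]
        events = [self.buf[a:b].rstrip(b"\r\n").decode("utf-8", "replace")
                  for a, b in zip(starts, starts[1:])]
        if starts:  # keep only the last (still open) event; drop leading junk
            self.buf = self.buf[starts[-1]:]
        return events

    def flush(self):
        """Return whatever is still buffered when the connection closes."""
        rest = self.buf.rstrip(b"\r\n").decode("utf-8", "replace")
        self.buf = b""
        return [rest] if rest else []


if __name__ == "__main__":
    servers = load_server_options(OPTIONS_XML)
    print("problems:", check_tcp_raw_mode(servers) or "none")
    splitter = RawTcpSplitter(servers[(514, "TCP")]["next-event-pattern"])
    # Simulate a read boundary in the middle of the second message.
    for chunk in (STREAM[:40], STREAM[40:]):
        for event in splitter.feed(chunk):
            print("event:", event)
    for event in splitter.flush():
        print("event:", event)
```

Run it as-is to see the three events printed one per line even though the second message arrives in two pieces; change the raw-tcp-mode value to false in OPTIONS_XML and check_tcp_raw_mode reports the misconfiguration that this article's resolution corrects.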

Applies To

Point Product sends the syslog events to an intermediary syslog server that uses Syslog-NG.

Then the intermediary syslog server using Syslog-NG sends the syslog events on to SSIM over TCP.