Syslog events sent over TCP from Syslog-NG appear to be getting dropped.
ucf.log shows many errors of the form "com.symantec.cas.ucf.plugin.syslog.server.AbstractSyslogServer Error during connection closing. Broken pipe", roughly once per minute. ucf.log also often reports "com.symantec.cas.ucf.plugin.syslog.server.AbstractSyslogServer Error while process message. Connection reset by peer java.io.IOException: Connection reset by peer".
Cause: the BEEP control protocol is being used instead of raw TCP.
Create a new "/syslog-server-options.xml" file in the Agent Home folder of the Event Agent to force the syslog sensor to use raw TCP mode instead of the BEEP control protocol.
Declare the following properties in that file:
<plugins>
  <syslog-plugin>
    <syslog-servers>
      <!-- UDP listener on 514 with an enlarged receive buffer -->
      <syslog-server>
        <property name="port">514</property>
        <property name="protocol">UDP</property>
        <property name="socket.SO_RCVBUF">512000</property>
      </syslog-server>
      <!-- TCP listener on 514: raw TCP mode (no BEEP framing), events delimited by the next PRI field -->
      <syslog-server>
        <property name="port">514</property>
        <property name="protocol">TCP</property>
        <!-- regex <\d+> written with XML entities so the file stays well-formed -->
        <property name="next-event-pattern">&lt;\d+&gt;</property>
        <property name="raw-tcp-mode">true</property>
        <property name="socket.SO_KEEPALIVE">true</property>
      </syslog-server>
    </syslog-servers>
    <order/>
  </syslog-plugin>
</plugins>
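As an added illustration (not code from the original article or from the Event Agent), the following Python script shows why next-event-pattern matters in raw TCP mode: the stream carries no framing, so one TCP segment may hold several events or cut one in half, and the PRI regex `<\d+>` is what marks where each event begins. The splitting semantics and the sample segments are assumptions constructed for this example.

```python
import re

# The page's next-event-pattern: a syslog PRI field such as <13> or <134>.
# Assumption (not stated on the page): a new event starts wherever this
# matches, and everything up to the next match belongs to the current event.
NEXT_EVENT = re.compile(rb"<\d+>")


class RawTcpSyslogSplitter:
    """Splits an unframed raw TCP byte stream into syslog events.

    Bytes after the last PRI are held back until a later segment shows where
    the following event begins; anything before the first PRI is discarded.
    Caveat: a literal "<NN>" inside a message body would also split it.
    """

    def __init__(self):
        self.buffer = b""

    def feed(self, chunk: bytes) -> list:
        """Consume one TCP segment; return the events that are now complete."""
        self.buffer += chunk
        starts = [m.start() for m in NEXT_EVENT.finditer(self.buffer)]
        if len(starts) < 2:
            return []  # need one more PRI before the current event is closed
        events = [self.buffer[b:e].rstrip(b"\r\n") for b, e in zip(starts, starts[1:])]
        self.buffer = self.buffer[starts[-1]:]  # keep the partial tail
        return events

    def flush(self) -> list:
        """Return whatever is left once the sender closes the connection."""
        tail = self.buffer.rstrip(b"\r\n")
        self.buffer = b""
        return [tail] if tail else []


# Constructed sample: two TCP segments from syslog-ng; the second event is
# split across the segment boundary ("ss" + "hd[42]").
SEGMENTS = [
    b"<13>Jan  1 00:00:01 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5\n<134>Jan  1 00:00:02 fw1 ss",
    b"hd[42]: Accepted publickey for ops\n<13>Jan  1 00:00:03 fw1 kernel: DROP IN=eth0 SRC=10.0.0.9\n",
]


def split_segments(segments) -> list:
    splitter = RawTcpSyslogSplitter()
    events = []
    for seg in segments:
        events.extend(splitter.feed(seg))
    events.extend(splitter.flush())
    return events


if __name__ == "__main__":
    for ev in split_segments(SEGMENTS):
        print(ev.decode())
```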
Applies To
The point product sends its syslog events to an intermediary syslog server running Syslog-NG.
The intermediary Syslog-NG server then forwards the syslog events to SSIM over TCP.