Get debug logs for the SIEM agent by running the script with -d.
The log file is written to /var/log/<variable>_client.log, where <variable> is qradar, arcsight, or splunk (the same prefix is used for the agent script name).
python <variable>_agent.py -d
Look for the number of files written to syslog, errors, etc.
If nothing is processed, check and clear the agent status files.
In the SIEM agent directory, check for export_log.lock and last_job.status. Clear these files by starting the agent with -c:
python <variable>_agent.py -c
Look at what the syslog server processes (the log path depends on the distribution):
tail -f /var/log/messages
tail -f /var/log/syslog
Check what data the syslog server sends to the SIEM server with a packet capture (syslog over UDP or TCP port 514; replace the placeholder with the SIEM server's IP):
tcpdump -nnvvXS dst host <IP of SIEM server> and port 514
Netcat can be used in troubleshooting to listen on a port and write the received data to a file.
Example:
On another Linux host, run netcat listening on UDP port 8000 and write the output to a file: ncat -l -p 8000 --udp -o /tmp/cloudsoc.log
On the SIEM agent computer, point the agent's test output at that host: ./<variable>_agent.py -t <netcat host IP>:8000
Alternative:
Run the agent with the FILE output option, which writes the events to a local file instead of sending them to syslog:
python <variable>_agent.py -o FILE -f
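The following added example (not part of the original page or the agent itself) does in Python what the netcat step above does: it listens on a UDP port, appends each datagram to a file, and then counts the captured messages by syslog facility and severity so you can confirm the agent actually emitted events and spot lines without a valid <PRI> header. The port, output path and the sample messages are constructed for illustration; the same summarize() function can be run over a file produced by the FILE output option.

```python
import re
import socket
from collections import Counter

# RFC 3164 / RFC 5424 messages start with "<PRI>", where PRI = facility*8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from the <PRI> header, or None if it is missing/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal value
        return None
    return pri // 8, pri % 8


def summarize(lines):
    """Count messages per (facility, severity) and how many lines lack a valid PRI header."""
    counts = Counter()
    malformed = 0
    for line in lines:
        fs = parse_pri(line)
        if fs is None:
            malformed += 1
        else:
            counts[fs] += 1
    return counts, malformed


def capture_udp(port, out_path, max_msgs):
    """Listen on UDP <port> (like ncat -l --udp -o) and append each datagram as one line."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    received = []
    with open(out_path, "a") as fh:
        while len(received) < max_msgs:
            data, _addr = sock.recvfrom(65535)
            line = data.decode("utf-8", errors="replace").rstrip("\n")
            fh.write(line + "\n")
            received.append(line)
    sock.close()
    return received


# Constructed sample capture: two local0/info events, one local0/error, one line with no PRI.
SAMPLE = [
    "<134>Jan 10 12:00:00 siem-agent CEF:0|Vendor|Product|1.0|100|Login|3|src=10.0.0.5",
    "<134>Jan 10 12:00:01 siem-agent CEF:0|Vendor|Product|1.0|101|Download|5|src=10.0.0.6",
    "<131>Jan 10 12:00:02 siem-agent export failed: last_job.status is locked",
    "Jan 10 12:00:03 siem-agent garbled line without a PRI header",
]

if __name__ == "__main__":
    counts, bad = summarize(SAMPLE)
    print(dict(counts), "lines without PRI:", bad)
```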