Cisco IronPort collector does not display in the Syslog Director
search cancel

Cisco IronPort collector does not display in the Syslog Director


Article ID: 177721


Updated On:


Security Information Manager


The Cisco IronPort product does not display in the Syslog Director even with all requirements met to do so.



Cisco IronPort does not use Syslog. IronPort can send messages to a port on a remote logging server, but the messages are not in Syslog format.


The Cisco IronPort collector cannot be used in the Syslog Director.

To use the Cisco IronPort collector on the Symantec Security Information Manager (SSIM) appliance:

    1. On the System tile, go to the Product Configuration tab and navigate to the Cisco IronPort product.
    2. Create a new configuration and add the SSIM appliance as the computer.
    3. Enable the sensor and in Host Names, specify the IP Address or Hostname of the Cisco IronPort system.
    4. Enable the port to be 10514.
    5. Save the Sensor configuration.
    6. Distribute the product configuration.

This should open a second socket on the port 10514 and will be able to listen at the same time as the Syslog director. For this to work, you will need to disable the syslogdirector collector first,restart the event agent,enable the Ironport collector then enable the syslogdirector.

Note: In this setup the customer will have to create a Sensor for each Cisco IronPort appliance they have. They should all listen on port 10514 but on different hostname sockets.


Applies To

CISCO IronPort configuration interface only allows to send the syslog messages on port 514. There is no option to select another port than this default.