Cisco IronPort collector does not display in the Syslog Director

Article ID: 177721

Products

Security Information Manager

Issue/Introduction

The Cisco IronPort product does not display in the Syslog Director even when all requirements for it are met.

 

Cause

Cisco IronPort does not use Syslog. IronPort can send messages to a port on a remote logging server, but the messages are not in Syslog format.
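
To check whether lines received from a sender carry a syslog header at all, the following added example (not Symantec or Cisco code) classifies each line as RFC 3164, RFC 5424, PRI-only, or not syslog. The sample lines and the host name in them are constructed for illustration and are not real IronPort output.

```python
import re

# PRI is "<" + 1-3 digits + ">"; valid values are 0..191 (facility*8 + severity).
PRI_RE = re.compile(rb"^<(\d{1,3})>")
# RFC 3164 (BSD) timestamp directly after PRI, e.g. "Oct  3 14:07:55 ".
BSD_TS_RE = re.compile(rb"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
# RFC 5424 puts VERSION ("1") and a space directly after PRI.
V1_RE = re.compile(rb"^1 ")


def classify(line: bytes) -> dict:
    """Report whether one received line starts with a syslog header."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return {"format": "not-syslog"}
    pri = int(m.group(1))
    rest = line[m.end():]
    if V1_RE.match(rest):
        fmt = "rfc5424"
    elif BSD_TS_RE.match(rest):
        fmt = "rfc3164"
    else:
        fmt = "pri-only"  # has a priority value but no recognised header
    return {"format": fmt, "facility": pri >> 3, "severity": pri & 7}


def summarize(lines) -> dict:
    """Count how many lines fall into each format."""
    counts = {}
    for line in lines:
        fmt = classify(line.rstrip(b"\r\n"))["format"]
        counts[fmt] = counts.get(fmt, 0) + 1
    return counts


# Constructed sample lines (hypothetical host "host01", not real appliance output).
SAMPLES = [
    b"<134>Oct  3 14:07:55 host01 app: constructed test message\n",
    b"<134>1 2024-10-03T14:07:55Z host01 app - - - constructed test message\n",
    b"Thu Oct  3 14:07:55 2024 Info: constructed test message\n",
    b"<999>Oct  3 14:07:55 host01 app: out-of-range priority\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample.rstrip(b"\r\n")), sample[:40])
    print(summarize(SAMPLES))
```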

Resolution

The Cisco IronPort collector cannot be used in the Syslog Director.

To use the Cisco IronPort collector on the Symantec Security Information Manager (SSIM) appliance:
 

    1. On the System tile, go to the Product Configuration tab and navigate to the Cisco IronPort product.
    2. Create a new configuration and add the SSIM appliance as the computer.
    3. Enable the sensor and in Host Names, specify the IP Address or Hostname of the Cisco IronPort system.
    4. Enable the port to be 10514.
    5. Save the Sensor configuration.
    6. Distribute the product configuration.

This should open a second socket on port 10514 that can listen at the same time as the Syslog Director. For this to work, you will need to disable the syslogdirector collector first, restart the event agent, enable the IronPort collector, then enable the syslogdirector.

Note: In this setup the customer will have to create a Sensor for each Cisco IronPort appliance they have. They should all listen on port 10514 but on different hostname sockets.


 


Applies To

The Cisco IronPort configuration interface only allows syslog messages to be sent on port 514. There is no option to select a port other than this default.