How to Troubleshoot the Syslog Director


Article ID: 179910


Products

Security Information Manager

Issue/Introduction


Resolution

Before starting this document, review the Syslog Director overview document for general information about how the Syslog Director works. This troubleshooting document assumes that you understand the basic functionality of the Syslog Director.

If you have reviewed the configuration document and you are confident the settings are correct, but you are still not getting the expected behavior, follow the steps below.

If your logs indicate the error "No valid sensors in Working group", read the Knowledge Base article for that error.

Check your Syslog Director version. If you are not using Syslog Director 4.3, update it.

The Redirect check box does not stay checked in the Syslog Director configuration Director Settings
For information on how to resolve this issue, read the Knowledge Base article of the same name: The Redirect check box does not stay checked in the Syslog Director configuration Director Settings

Do the events arrive at the Generic Syslog Event collector?

If you do not have a Generic Syslog Event Collector configured, refer again to the Syslog Director overview document, which states that you should always set up the Generic Syslog Event collector whenever you use the Syslog Director. Configure the Generic Syslog Event collector using the steps in the configuration document.

Yes, the events arrive at the Generic Syslog Event collector

  • Signature problem
    This may indicate a problem with the signature. Some signature problems can be addressed by LiveUpdate; in other cases signatures must be manually updated, as described in a separate article.

  • Redirect is not checked
    If Redirect is not checked for a particular collector, the events intended for that collector will arrive at the Generic collector instead.

    If you find the Redirect is unchecked, check it, save, and distribute.

  • Problem with the data source
    Different versions of the source product, or a misconfigured source product, can cause the events to fail to match the expected signature. Also, some products have many different modules, not all of which may be supported by that particular collector. For example, Cisco devices have hundreds of modules called "facilities", and not all of them are supported by the SSIM Cisco collector. In some cases you can adjust signatures to match the event traffic you are seeing; in other cases the events themselves may have changed, and they may not map correctly even if adjusting the signature gets them to the appropriate collector.

No, the events do not appear in the Generic Syslog Event collector

  1. Verify that the Generic Syslog Event collector is active and that its signature is empty, as described in the overview document.
  2. Verify that the Syslog Director is listening on port 10514:
    1. SSH in to the SSIM appliance and acquire root access.
    2. Type: netstat -an | grep 10514
  3. Verify that the service is listening on the protocol you selected. If you do not see the service listening on this port, review the Syslog Director Sensor Configuration again:
    • Make sure the check box next to the active sensor is checked.
    • Make sure the appliance itself is added to the configuration and distributed.
    • If the configuration appears correct but still does not function correctly, you may need to delete the configuration and recreate it.

    Note that you will not see anything listening on port 514; the redirection occurs at a level that is not visible in netstat.
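The listener check in step 2 can be made stricter than a bare grep: netstat shows UDP sockets with no LISTEN state at all, and "grep 10514" also matches the Foreign Address column of unrelated established sessions. The shell functions below are an added example, not code from this article or from the SSIM product. They assume Linux "netstat -an" column layout (local address in column 4, state in column 6), the function names are the example's own, the netstat output embedded in them is constructed for the demonstration, and the tcpdump wrapper for the capture step that follows assumes a tcpdump that accepts standard BPF filter syntax.

```shell
#!/bin/sh
# Added example (not from the article or the SSIM product): a stricter
# replacement for "netstat -an | grep 10514" in the Syslog Director check.

# listener_bound PROTO PORT
# Reads "netstat -an" output on stdin and exits 0 when a PROTO (tcp|udp)
# socket is bound locally on PORT. Only the Local Address column is
# inspected, so remote ports of established sessions do not count. For tcp
# the State column must be LISTEN; udp sockets carry no state in netstat,
# so for udp a local binding on the port is sufficient.
listener_bound() {
    awk -v proto="$1" -v port="$2" '
        $1 ~ ("^" proto "6?$") {        # tcp/tcp6 or udp/udp6 rows only
            lport = $4
            sub(/.*:/, "", lport)       # port after the last ":" (IPv4 or IPv6)
            if (lport != port) next
            if (proto == "tcp" && $6 != "LISTEN") next
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed netstat -an output: udp is bound on 10514, tcp is not, and an
# unrelated SSH session happens to use remote port 10514, which a plain
# "grep 10514" reports as a match.
SAMPLE_UDP_ONLY='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:10514          ESTABLISHED
udp        0      0 0.0.0.0:10514           0.0.0.0:*'

# Constructed output for a sensor configured for tcp: listener on tcp and tcp6.
SAMPLE_TCP_LISTEN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:10514           0.0.0.0:*               LISTEN
tcp6       0      0 :::10514                :::*                    LISTEN'

# check_syslog_director PROTO
# Run on the appliance as root; PROTO is the protocol selected in the
# Syslog Director sensor configuration (tcp or udp).
check_syslog_director() {
    if netstat -an | listener_bound "$1" 10514; then
        echo "Syslog Director listener found on $1/10514"
    else
        echo "No $1 listener on port 10514; review the Syslog Director sensor configuration" >&2
        return 1
    fi
}

# capture_from_source IP
# Confirms that syslog from the source device reaches the appliance. The BPF
# filter selects the host in the kernel instead of piping to grep; -n keeps
# addresses numeric and -l line-buffers output so packets appear immediately.
capture_from_source() {
    tcpdump -n -l port 514 and host "$1"
}
```

On the appliance, run check_syslog_director udp (or tcp, matching the sensor configuration) and then capture_from_source <IP Address>. The embedded samples show the two cases the bare grep gets wrong: a udp listener that has no LISTEN state, and a remote port 10514 on an unrelated session that is not a listener at all.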


Use tcpdump to verify that the traffic from the desired device is arriving at the SSIM

  1. SSH in to the SSIM appliance and acquire root access.
  2. Type: tcpdump -n -l port 514 | grep <IP Address>
    where <IP Address> is the address of the device you expect to be sending its traffic (-n keeps addresses numeric so they match the address you grep for; -l line-buffers the output so matches appear immediately).

Your screen should show the traffic arriving at the SSIM.
Can you identify traffic from the source device?

Yes, I can see the traffic in tcpdump, but it is not being picked up by any collector

The Syslog Director is not processing the traffic properly. Make sure you have reviewed the general Syslog Director configuration document.

  • Make sure the Generic Syslog Collector configuration is correct according to the configuration document.
  • Make sure that the Redirects are active in the Syslog Director configuration.
  • Make sure the signatures are correct.
  • Make sure the sensor configuration is distributed to the appliance.
  • Delete and recreate your sensor configurations.

No, I can't see anything coming in on tcpdump

If you cannot identify the traffic from the source device using tcpdump, the traffic from that device is not reaching the SSIM.

  1. Verify that the source device is sending the events to the IP address of the SSIM on the correct port and protocol.
  2. Verify that there is no firewall between the SSIM and the source device that blocks this traffic.
