search cancel

syslog setting is lost during service restart while rsyslog service is down

book

Article ID: 229571

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

SEP installer adds following configuration in rsyslog.conf, which passes events to sisidsagent via pipe:

- rsyslog.conf

# The following is required for Symantec Host IDS - Do not edit or remove
*.info;mail.err;mark.none |/var/log/ids_syslog.pipe

This configuration will be removed in the following scenario:

1. stop rsyslog service

# systemctl stop rsyslog

2. restart SEP services

# /usr/lib/symantec/stop.sh
Stopping Agent..
# /usr/lib/symantec/start.sh
Restarting Agent..

3. check content in /etc/rsyslog.conf

# diff rsyslog.conf rsyslog.conf.bak
79a80,82
>
> # The following is required for Symantec Host IDS - Do not edit or remove
> *.info;mail.err;mark.none |/var/log/ids_syslog.pipe

Resolution

Broadcom recognize this issue and will fix this in future release.