The SEP installer adds the following configuration to rsyslog.conf, which passes events to sisidsagent via a named pipe:
- rsyslog.conf
# The following is required for Symantec Host IDS - Do not edit or remove
*.info;mail.err;mark.none |/var/log/ids_syslog.pipe
This configuration will be removed in the following scenario:
1. stop rsyslog service
# systemctl stop rsyslog
2. restart SEP services
# /usr/lib/symantec/stop.sh
Stopping Agent..
# /usr/lib/symantec/start.sh
Restarting Agent..
3. check content in /etc/rsyslog.conf
# diff rsyslog.conf rsyslog.conf.bak
79a80,82
>
> # The following is required for Symantec Host IDS - Do not edit or remove
> *.info;mail.err;mark.none |/var/log/ids_syslog.pipe
If you start SEP's services while rsyslogd is not running, the lines "# The following is required for Symantec ... log/ids_syslog.pipe" will be removed from rsyslog.conf.
To avoid this, start rsyslogd before starting the SEP service.
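The following is an added example, not part of the Symantec article: a post-start check that reports whether the Host IDS rule survived in rsyslog.conf, so a stripped rule is noticed before Host IDS events silently stop flowing. The function names and the constructed sample files are assumptions; on a real host, run it against /etc/rsyslog.conf and /etc/rsyslog.conf.bak.

```shell
#!/bin/sh
# Added example (not Symantec's code): detect the Host IDS rule being
# stripped from rsyslog.conf after SEP starts without rsyslogd running.

IDS_COMMENT='# The following is required for Symantec Host IDS - Do not edit or remove'
IDS_RULE='*.info;mail.err;mark.none |/var/log/ids_syslog.pipe'

# ids_rule_present FILE: succeeds (0) only if the exact, uncommented rule line exists.
ids_rule_present() {
    grep -Fxq "$IDS_RULE" "$1"
}

# ids_lines_lost CONF BAK: prints the Host IDS lines that exist in BAK but are
# missing from CONF (the same two lines the diff in the article shows).
ids_lines_lost() {
    for line in "$IDS_COMMENT" "$IDS_RULE"; do
        if grep -Fxq "$line" "$2" && ! grep -Fxq "$line" "$1"; then
            printf '%s\n' "$line"
        fi
    done
}

# check_ids_config CONF BAK: returns 0 when intact, 1 when the rule was stripped.
check_ids_config() {
    if ids_rule_present "$1"; then
        echo "OK: Host IDS rule present in $1"
        return 0
    fi
    echo "WARNING: Host IDS rule missing from $1 (was rsyslogd running when SEP started?):"
    ids_lines_lost "$1" "$2"
    return 1
}

# Constructed sample files: a backup that still has the rule, and a conf
# from which the SEP start removed it (this is NOT a real /etc/rsyslog.conf).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'module(load="imuxsock")' '*.emerg :omusrmsg:*' '' \
    "$IDS_COMMENT" "$IDS_RULE" > "$SAMPLE_DIR/rsyslog.conf.bak"
printf '%s\n' 'module(load="imuxsock")' '*.emerg :omusrmsg:*' > "$SAMPLE_DIR/rsyslog.conf"

check_ids_config "$SAMPLE_DIR/rsyslog.conf" "$SAMPLE_DIR/rsyslog.conf.bak" || true
```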