Enable syslog forwarding from vSphere Replication Appliance to Remote Syslog Server failed with error message 'Not Connected'

Article ID: 391625

Updated On: 03-23-2025

Products

VMware Site Recovery Manager 8.x

Issue/Introduction

Symptoms:

  • Enabling syslog forwarding from the vSphere Replication Appliance to the remote syslog server fails with the error message 'Not Connected'.

  • A curl test between VRMS and the remote syslog server fails, indicating a network connectivity issue.

    curl -v telnet://<sys_log_server_ip_address>:514

  • IBM QRadar is used in the network between VRMS and the remote syslog server.

Environment

VMware vSphere Replication 8.0
VMware vSphere Replication 9.x

Cause

The IBM QRadar authpriv privileges were not updated in the VRMS /etc/rsyslog.conf file, so connectivity was not established between the VRMS and the remote syslog server.

Resolution

Make a backup of the /etc/rsyslog.conf file on the VRMS (vSphere Replication appliance) before you make any changes to the file.

1. Log in to VRMS as an admin user.

2. Open the file in vi: vi /etc/rsyslog.conf

3. Add the following facility information at the end of the file, pressing TAB after authpriv.*:

   authpriv.* <Press Tab> @Qradar IP

   Example:

   authpriv.*  @1.1.1.1

4. Save the file.

5. Restart syslog by using the following command:

   systemctl restart rsyslog

  • Once the above steps are completed, the connectivity issue between VRMS and the remote syslog server should be fixed.
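The procedure above as a repeatable script, added here as an example and not taken from the VMware article: the hypothetical helper add_authpriv_forward keeps a backup, appends the tab-separated rule only if it is missing, and leaves the syntax check and restart to the caller. It assumes rsyslogd -N1 is available on the appliance for the syntax check.

```shell
#!/bin/sh
# Added example; add_authpriv_forward is a hypothetical helper, not a VMware tool.
# Usage: add_authpriv_forward <rsyslog_conf> <qradar_ipv4>
add_authpriv_forward() {
    conf=$1
    ip=$2

    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Accept only a dotted-quad value so nothing else is written to the config.
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "invalid IPv4 address: $ip" >&2; return 2; }

    # Idempotency: skip if the same rule (any whitespace separator) already exists.
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    if grep -Eq "^authpriv\.\*[[:space:]]+@${ip_re}[[:space:]]*\$" "$conf"; then
        echo "rule already present in $conf"
        return 0
    fi

    # Back up before changing anything; keep an existing backup untouched.
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak" || return 1

    # Make sure the new rule starts on its own line.
    [ -z "$(tail -c 1 "$conf")" ] || echo >> "$conf"

    # Selector, TAB, action. A single @ forwards over UDP (@@ would be TCP).
    printf 'authpriv.*\t@%s\n' "$ip" >> "$conf"
    echo "added authpriv forwarding to $ip (backup: $conf.bak)"
}

# Run as a script:  sh add_rule.sh /etc/rsyslog.conf <qradar_ip>
# Then check syntax and restart:  rsyslogd -N1 && systemctl restart rsyslog
if [ "$#" -eq 2 ]; then
    add_authpriv_forward "$1" "$2"
fi
```

Because a single @ sends over UDP, the curl telnet:// check from the Symptoms section, which uses TCP, does not exercise the same path as the forwarding rule.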

Additional Information

IBM QRadar, a Security Information and Event Management (SIEM) solution, requires the authpriv capability because it needs to access and process sensitive system logs and audit data to effectively monitor and analyze security events.

To access and process syslog data sent from VRMS to the remote syslog server, QRadar needs the necessary privileges, including the ability to read system logs and audit data. The authpriv capability grants QRadar the required access to these sensitive resources.

Refer to: IBM QRadar Configuring Syslog on Linux OS