Collect syslog via TCP instead of UDP

Is it possible to collect syslog in the Nitro solution over TCP instead of UDP? Under Interfaces > Communications tab I can see the syslog port set to 514, but a netstat -an on the command line of the receiver shows only 514UDP listening and not 514TCP. Are we missing a setting somewhere or is 514TCP not supported for syslog? I've looked in the 9.1.3 User Guide but it does not have any documentation on using syslog over TCP to the receiver, only using syslog 514TCP in the Event Forwarder on the ESM which we are not trying to do (i.e. we want to receive 514 TCP not send 514 TCP). Thanks...

Accepted Solutions
McAfee Employee siemchris
Re: Collect syslog via TCP instead of UDP

Hi Danfrye


That setting should set the syslogcollector to listen for TCP and UDP traffic on port 514. You can see from the below that the first result has port 0 selected i.e. it is not listening for syslogs;

The second netstat command was run after setting the Port in the Communication tab to 514.

McAfee-ERC-1250 ~ # netstat -anp | grep 514

McAfee-ERC-1250 ~ # netstat -anp | grep 514

tcp6       0      0 :::514                  :::*                    LISTEN      3848/syslogcollecto

udp6       0      0 :::514                  :::*                                3848/syslogcollecto

If you are not seeing this result on your receiver then can you please log a support ticket and we will troubleshoot it.

Thanks

Chris

Re: Collect syslog via TCP instead of UDP

Thanks Chris. We put the port back to 0 to disable it then re-entered 514. When we did an 'lsof -ni -P' it showed up in the list but with the TCP6 notation on it; no TCP note like we expected. Apparently disabling / re-enabling fixed it but not sure how or why, could be a bug somewhere. Not sure. Thanks for the reply,
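
A stricter version of the `netstat -anp | grep 514` check used in this thread, as an added example that is not from the original posts or from McAfee. It matches only the local port column, so PIDs, foreign ports and ports such as 5140 do not count, and it requires LISTEN state for TCP. The function name, the sample capture and the addresses in it are constructed for illustration; a socket bound to the IPv6 wildcard (`:::514`, shown as tcp6/udp6) also accepts IPv4 traffic on Linux unless IPV6_V6ONLY is set on it.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `netstat -an` or `netstat -anp`
# output on stdin and reports whether TCP and UDP listeners exist on a port.

syslog_listeners() {
    port="${1:-514}"
    awk -v port="$port" '
        {
            # Field 4 is the local address; the port follows the last colon,
            # which also covers IPv6 wildcard forms such as ":::514".
            n = split($4, parts, ":")
            if (n < 2 || parts[n] != port) next
        }
        # TCP counts only in LISTEN state; UDP sockets have no state column.
        $1 ~ /^tcp/ && $6 == "LISTEN" { tcp = tcp " " $1 "@" $4 }
        $1 ~ /^udp/                   { udp = udp " " $1 "@" $4 }
        END {
            print "tcp", ((tcp != "") ? "yes" tcp : "no")
            print "udp", ((udp != "") ? "yes" udp : "no")
            # Exit 0 only when both transports are available.
            exit ((tcp != "" && udp != "") ? 0 : 1)
        }
    '
}

# Constructed sample: the two listener lines shown in the thread plus decoys
# that a plain "grep 514" would also match.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5140            0.0.0.0:*               LISTEN      514/decoy
tcp        0      0 10.0.0.5:40222          10.0.0.9:514            ESTABLISHED 2211/forwarder
tcp6       0      0 :::514                  :::*                    LISTEN      3848/syslogcollecto
udp6       0      0 :::514                  :::*                                3848/syslogcollecto
EOF
}

sample_netstat | syslog_listeners 514
```

On a live host the input would be `netstat -an | syslog_listeners 514`; the non-zero exit status when either transport is missing makes it usable in a monitoring check.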