Former Member
Not applicable
Message 1 of 6

How to get logs from linux

Hi,

I want to get logs from the following. I have tried the following, but still it is not gathering logs. I tried to upload sample logs, but it can parse the logs. I have tried the Linux agent, but it still doesn't gather logs.

1.) CentOS 5 and 6

type of logs: messages,maillog,lastlog

path: /var/log

config made:

Vendor: UNIX

Data source type that I have tried: Linux(ASP), UNIX OS (Solaris, Red Hat, Linux, HP-UX, IBM AIX), Generic(ASP)


2.) Zimbra

type of log: zimbra.log

path: /var/log

config made:

Vendor: UNIX

Data source type that I have tried: Linux(ASP), UNIX OS (Solaris, Red Hat, Linux, HP-UX, IBM AIX), Generic(ASP)


3.) Elastix VOIP

type of log (filename): full, full.1,full.2

config made:

Vendor: UNIX

Data source type that I have tried: Linux(ASP), UNIX OS (Solaris, Red Hat, Linux, HP-UX, IBM AIX), Generic(ASP)

4.) Apache installed on Ubuntu

type of logs: access.log

path: /var/log/apache2

config made:

Vendor: apache

Data source type that I have tried: apache web(ASP), apache HTTP

5.) PepLink

type of log: syslog

config I made:

Vendor: Generic Syslog

Data source: Advance Syslog Parser

SNMP v2 enabled

5 Replies
Former Member
Not applicable
Message 2 of 6

Re: How to get logs from linux

Are you sure you configured syslog on the Linux host to push logs to McAfee SIEM?

If you are sure it is configured, you can check that syslog is pushing to McAfee SIEM via the command:

tcpdump -i eth0 src x.x.x.x and port 514

eth0 is the card connected with Linux

x.x.x.x is the IP of the Linux host

Can you capture anything with that command?

Former Member
Not applicable
Message 3 of 6

Re: How to get logs from linux

1.) configure apache to send logs to syslog -

2.) configure syslog to send logs to your receiver-

3.) tcpdump on receiver to verify traffic over 514

esher72
Level 9
Message 4 of 6

Re: How to get logs from linux

My CentOS boxes are set up as follows:

In /etc/rsyslog.conf I have:

# ### end of the forwarding rule ###

*.* @@X.X.X.X:514

With X.X.X.X as the IP of my receiver. If I SSH to my receiver and run tcpdump, I see the syslog coming. If you don't see it, then you need to troubleshoot that first.

Then in the ESM, I have the datasource set to Linux (ASP). I have had one person in McAfee support tell me to use "UNIX OS (Solaris, Red Hat, Linux, HP-UX, IBM AIX), Generic(ASP)" and another has said that CentOS wasn't Red Hat enough and that "Linux(ASP)" worked better. Your call there I guess.
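
Added example, not from this thread or from rsyslog itself: a small POSIX shell helper that lists the forwarding rules in an rsyslog.conf written in the classic form shown above, reporting whether each rule uses UDP (@) or TCP (@@), the target host, and the port that applies (514 when none is written). It assumes the legacy "selector @host[:port]" syntax only; RainerScript action() forms are not handled, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: inspect legacy rsyslog forwarding rules and report
# "transport host port" for each. Assumes the classic "selector @host[:port]"
# (UDP) and "selector @@host[:port]" (TCP) syntax; port defaults to 514.

# Print "transport host port" for one rule line; return 1 if the line is
# not a forwarding rule (e.g. a local file target like /var/log/messages).
parse_forward_rule() {
    # $1 is one config line such as '*.* @@X.X.X.X:514'
    target=$(printf '%s\n' "$1" | awk '$2 ~ /^@/ { print $2 }')
    [ -n "$target" ] || return 1
    case "$target" in
        @@*) transport=tcp; hostport=${target#@@} ;;
        @*)  transport=udp; hostport=${target#@} ;;
    esac
    case "$hostport" in
        *:*) host=${hostport%:*}; port=${hostport##*:} ;;
        *)   host=$hostport; port=514 ;;
    esac
    printf '%s %s %s\n' "$transport" "$host" "$port"
}

# Walk a config file and report every forwarding rule, skipping comments.
list_forward_rules() {
    grep -v '^[[:space:]]*#' "$1" | while IFS= read -r line; do
        parse_forward_rule "$line" || true
    done
}

# Constructed sample config mirroring the rule quoted in the thread, so the
# script can be run stand-alone without touching the real /etc/rsyslog.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# ### end of the forwarding rule ###
*.* @@X.X.X.X:514
mail.* @10.0.0.5
*.info /var/log/messages
EOF
list_forward_rules "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Run it against /etc/rsyslog.conf to confirm the receiver address and whether the rule is TCP or UDP before reaching for tcpdump on the receiver.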

Former Member
Not applicable
Message 5 of 6

Re: How to get logs from linux

Hi,

You must use Linux (ASP) for all Unix platforms; for Apache use Apache (ASP). All non-ASP data sources are considered legacy and are deprecated.

Rgds,

Former Member
Not applicable
Message 6 of 6

Re: How to get logs from linux

Don't put the port 514 in the syslog file, it doesn't need it. 🙂
