2 Replies Latest reply on Dec 6, 2012 4:11 AM by danfrye

    Collect syslog via TCP instead of UDP

      Is it possible to collect syslog in the Nitro solution over TCP instead of UDP? Under Interfaces > Communications tab I can see the syslog port set to 514, but a netstat -an on the command line of the receiver shows only 514UDP listening and not 514TCP. Are we missing a setting somewhere or is 514TCP not supported for syslog? I've looked in the 9.1.3 User Guide but it does not have any documentation on using syslog over TCP to the receiver, only using syslog 514TCP in the Event Forwarder on the ESM which we are not trying to do (i.e. we want to receive 514 TCP not send 514 TCP). Thanks...

        • 1. Re: Collect syslog via TCP instead of UDP
          Chris Boldiston

          Hi Danfrye



          That setting should set the syslogcollector to listen for TCP and UDP traffic on port 514. You can seee from the below that the first result has port 0 selected i.e. it is not listening for syslogs;


          The second netstat command was run after setting the Port in the Communication tab to 514.


          McAfee-ERC-1250 ~ # netstat -anp | grep 514


          McAfee-ERC-1250 ~ # netstat -anp | grep 514

          tcp6       0      0 :::514                  :::*                    LISTEN      3848/syslogcollecto

          udp6       0      0 :::514                  :::*                                3848/syslogcollecto


          If you are not seeing this result on your receiver then can you please log a support ticket and we will troubleshoot it.







          • 2. Re: Collect syslog via TCP instead of UDP

            Thanks Chris. We put the port back to 0 to disable it then re-entered 514. When we did an 'lsof -ni -P' it showed up in the list but with the TCP6 notation on it; no TCP note like we expected. Apparently disabling / re-enabling fixed it but not sure how or why, could be a bug somewhere. Not sure. Thanks for the reply,