7 Replies Latest reply on Sep 8, 2014 11:04 AM by yd9038

    Syslog data source



      I'm researching SIEM, and testing on the AllInOne version 9.3.

      I added one syslog data source on ESM 9.3, but it can't retrieve any logs from the syslog client; I saw that the syslog client sent logs to the Receiver. I used the netstat command on this AllInOne, but saw only this:


      I think it should have more (TCP and UDP) like this picture:


      Has anyone experienced this problem? Can you help me with this case?

      Thanks so much!

        • 1. Re: Syslog data source

          Run an "iptables -nvL" command from the AllInOne box.


          You should see a line in the input policy that accepts TCP and/or UDP traffic for the IP address of the data source you added in ESM. You can also see if packets have been received for the data source. If this is 0, better look at the syslog source itself or at firewalls in between that drop the traffic.
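The check described in this reply, scripted as an added example (not part of the original thread): it parses "iptables -nvL INPUT" output, looks for an ACCEPT rule for port 514 from the data source's IP, and distinguishes "no rule" from "rule present but 0 packets". The client IP 192.0.2.25 and the embedded iptables output are constructed sample data.

```shell
#!/bin/sh
# Constructed sample of "iptables -nvL INPUT" output, modelled on the
# rules the ESM/ELM box adds for a syslog data source (values made up).
SAMPLE_IPTABLES='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1204   96K ACCEPT     tcp  --  *      *       192.0.2.25           0.0.0.0/0            tcp dpt:514
    0     0 ACCEPT     udp  --  *      *       192.0.2.25           0.0.0.0/0            udp dpt:514
   42  3360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# check_syslog_rule SOURCE_IP PROTO [IPTABLES_OUTPUT]
# Without a third argument it reads the live INPUT chain (needs root).
# Return codes:
#   0 = ACCEPT rule for PROTO/514 from SOURCE_IP exists and has counted packets
#   1 = rule exists but 0 packets: check the sender or firewalls in between
#   2 = no such rule: the data source filter was not written, re-add it in ESM
check_syslog_rule() {
    src="$1"; proto="$2"; out="$3"
    [ -n "$out" ] || out=$(iptables -nvL INPUT 2>/dev/null)
    # Columns of -nvL: pkts bytes target prot opt in out source dest [proto dpt:N]
    pkts=$(printf '%s\n' "$out" | awk -v s="$src" -v p="$proto" \
        '$3=="ACCEPT" && $4==p && $8==s && $11=="dpt:514" {print $1; exit}')
    if [ -z "$pkts" ]; then
        echo "no ACCEPT rule for $proto/514 from $src: data source filter missing"
        return 2
    elif [ "$pkts" = "0" ]; then
        echo "rule for $proto/514 from $src present but 0 packets received"
        return 1
    fi
    echo "rule for $proto/514 from $src present, $pkts packets accepted"
    return 0
}

# Demo against the constructed sample (the udp case returns 1 by design).
check_syslog_rule 192.0.2.25 tcp "$SAMPLE_IPTABLES"
check_syslog_rule 192.0.2.25 udp "$SAMPLE_IPTABLES" || :
```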

          • 2. Re: Syslog data source

            Have you done the initial configuration of the appliance, opening the ports to receive logs?

            • 3. Re: Syslog data source

              Dear Robert van Buuren,

              Thanks for your information. It's right: the firewall of this device filtered this traffic:


              I don't know why this device filtered this traffic. I thought that when I set up syslog (514) from the interface, it would accept this traffic:


              I deleted these rules or inserted an accept-all rule, then wrote this data source again, but iptables still filters this traffic. Do you have any way to resolve this problem?


              Thanks so much!

              • 4. Re: Syslog data source

                Dear rme-0695,

                Yes, I created a data source to receive logs:



                • 5. Re: Syslog data source

                  From your screenshots I see no incorrect configuration. By default, the ESM-ELM combo box will drop all inbound traffic if it is not listed in the inbound filter. This filter is automatically added when you add a syslog/netflow/MEF or any other data source that pushes events towards SIEM. So the rule needs to be there, or otherwise no traffic will be accepted. I also see in your screenshot of iptables that no packets have been received. This should indicate that either your Ubuntu is not sending logs or a firewall somewhere on the line is blocking 514 traffic.

                  • 6. Re: Syslog data source

                    Dear Robert van Buuren,

                    Thank you very much! Now, I don't know why the AllInOne received logs from Ubuntu. I tested many times, used tcpdump, and saw Ubuntu send logs to the AllInOne, but I can't see logs from the Ubuntu receiver on the AllInOne device. Now I'm preparing to capture pictures of tcpdump and the ESM console; I saw logs sent to the Ubuntu receiver.

                    Thanks again!

                    • 7. Re: Syslog data source

                      You may want to enable "Log unknown syslog events" to see all syslog data that is sent to the receiver:



                      Also, if the data source is in a DMZ, you will need to have some ports opened on the firewall as well.