Troubleshooting Syslog server connection issues
Technical Articles ID:
KB94306
Last Modified: 2023-02-20 05:16:48 Etc/GMT
Environment
Trellix Intrusion Prevention System (Trellix IPS)
Problem
You configure the Manager to send syslog alerts. But, the alerts aren't received or aren't being sent to the configured syslog server.
Solution
The troubleshooting sequence is: enable syslog debug logging on the Manager, start a packet capture, set up the syslog server and reproduce the issue (or use Test Connection), review ems.log and the capture, then disable debug logging and collect the InfoCollector logs and the packet capture for Support. The steps below cover both Windows-based and MLOS-based Managers.
- Enable Manager syslog logging and packet capture on a Windows-based Manager:
- Log on to the Windows Server hosting the Manager, or connect via a Remote Desktop session. For more information about Remote Desktop, see the Microsoft Remote Desktop documentation.
- Navigate to <installation directory>\App\config\.
- Locate the log4j.xml file and copy it to a safe location as a backup.
- Open log4j.xml in a text editor of your choice, such as WordPad or Notepad++.
- Search for the following category entries (if the file contains two sets of matching lines, edit the second):
<category name="iv.syslog.engine">
<priority value="INFO"/>
</category>
<category name="iv.syslog.special">
<priority value="INFO"/>
</category>
<category name="iv.syslog.configurator">
<priority value="INFO"/>
</category>
<category name="iv.syslog.faultforwarding.engine">
<priority value="INFO"/>
</category>
<category name="iv.syslog.alertforwarding.engine">
<priority value="INFO"/>
</category>
<category name="iv.syslog.auditlogforwarding.engine">
<priority value="INFO"/>
</category>
- Change INFO to DEBUG for iv.syslog.engine, iv.syslog.special and iv.syslog.configurator. For example:
<category name="iv.syslog.engine">
<priority value="DEBUG"/>
</category>
- Depending on the syslog source you want to investigate further, also change INFO to DEBUG for the matching component:
Syslog entry in the Manager -> Manager syslog component
Faults -> iv.syslog.faultforwarding.engine
IPS Events -> iv.syslog.alertforwarding.engine
User Activity -> iv.syslog.auditlogforwarding.engine
For example:
<category name="iv.syslog.faultforwarding.engine"><priority value="DEBUG"/></category>
<category name="iv.syslog.alertforwarding.engine"><priority value="DEBUG"/></category>
<category name="iv.syslog.auditlogforwarding.engine"><priority value="DEBUG"/></category>
- Save your changes. Debug will start automatically after a couple of minutes; there's no need to restart the Manager service.
- Start a packet capture on the Windows-based Manager using Wireshark, filtered on the IP address of the syslog server.
- Enable Manager syslog logging and packet capture on an MLOS-based Manager:
- Log on to the MLOS server hosting the Trellix IPS Manager as Admin and enter the Admin password.
- At the command prompt, type edit log4j.xml and press Enter.
- Press / to start a search, type syslog and press Enter to find the first occurrence of the word.
- Press n to cycle through the matches for syslog until you see the following section:
<category name="iv.syslog.engine">
<priority value="INFO"/>
</category>
<category name="iv.syslog.special">
<priority value="INFO"/>
</category>
<category name="iv.syslog.configurator">
<priority value="INFO"/>
</category>
<category name="iv.syslog.faultforwarding.engine">
<priority value="INFO"/>
</category>
<category name="iv.syslog.alertforwarding.engine">
<priority value="INFO"/>
</category>
<category name="iv.syslog.auditlogforwarding.engine">
<priority value="INFO"/>
</category>
- Change INFO to DEBUG for iv.syslog.engine, iv.syslog.special and iv.syslog.configurator. For example:
<category name="iv.syslog.engine"><priority value="DEBUG"/></category>
- Depending on the syslog source you want to investigate further, also change INFO to DEBUG for the matching component:
Syslog entry in the Manager -> Manager syslog component
Faults -> iv.syslog.faultforwarding.engine
IPS Events -> iv.syslog.alertforwarding.engine
User Activity -> iv.syslog.auditlogforwarding.engine
For example:
<category name="iv.syslog.faultforwarding.engine"><priority value="DEBUG"/></category>
<category name="iv.syslog.alertforwarding.engine"><priority value="DEBUG"/></category>
<category name="iv.syslog.auditlogforwarding.engine"><priority value="DEBUG"/></category>
- Save your changes: press ESC, then type :wq and press Enter once the ':' appears in the bottom-left corner.
- Start a packet capture from the MLOS-based Manager.
NOTE: Enable session logging in your SSH client so that the tcpdump output is captured; see the documentation of the SSH client in use.
- Type show network ip and press Enter.
- Type tcpdump -v -i <INTERFACE> host <SYSLOG SERVER IP> and press Enter.
NOTE: For <INTERFACE>, use the name listed in the output of show network ip. In the following example, this name is eth0:
eth0: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 10.40.10.1/24 brd 10.40.10.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:1ff:xxxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
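The interface selection and capture filter from the two steps above, as an added worked example in Python (not Trellix code and not part of the original article). It parses a constructed show network ip listing in the layout shown above, picks the interface whose subnet contains the syslog server, and builds the tcpdump command line (the article's -v and -i, plus -n and a protocol/port filter, which are additions) and the matching Wireshark display filter for a Windows-based Manager. The interface names, the addresses and port 514 are placeholders; use the port configured in the Manager's syslog server settings.

```python
"""Choose the MLOS capture interface from `show network ip` output and build the
capture filters for Manager-to-syslog-server traffic.

Added example for this article, not Trellix code. The listing below is
constructed (same layout as the output shown in the article); the port is
whatever the Manager's syslog server settings use, 514 is only a placeholder.
"""
import ipaddress
import re
import shlex

# Constructed sample of `show network ip` output: loopback plus two data interfaces.
SHOW_NETWORK_IP = """\
lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
eth0: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
    inet 10.40.10.1/24 brd 10.40.10.255 scope global eth0
       valid_lft forever preferred_lft forever
eth1: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:00:5e:00:53:02 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth1
       valid_lft forever preferred_lft forever
"""

# "eth0: mtu 1500 ..." (optionally prefixed "2: " as plain `ip addr` prints it)
IFACE_HEADER = re.compile(r"^(?:\d+:\s+)?(?P<name>[A-Za-z0-9_.@-]+):\s")
# "inet 10.40.10.1/24 ..." lines carry the interface's IPv4 address and prefix
INET_LINE = re.compile(r"^\s*inet\s+(?P<cidr>\d+\.\d+\.\d+\.\d+/\d+)\b")


def parse_interfaces(text):
    """Map each interface name to the IPv4 address/prefix pairs it carries."""
    result = {}
    current = None
    for line in text.splitlines():
        header = IFACE_HEADER.match(line)
        if header:
            current = header.group("name")
            result.setdefault(current, [])
            continue
        inet = INET_LINE.match(line)
        if inet and current is not None:
            result[current].append(ipaddress.ip_interface(inet.group("cidr")))
    return result


def interface_towards(text, syslog_ip):
    """Interface whose directly connected subnet contains the syslog server.

    If no subnet matches, the Manager reaches the server through its default
    gateway; this listing shows no routes, so fall back to the first
    non-loopback interface that has an address and confirm against the
    Manager's routing table if in doubt.
    """
    target = ipaddress.ip_address(syslog_ip)
    interfaces = parse_interfaces(text)
    for name, addrs in interfaces.items():
        if any(target in a.network for a in addrs):
            return name
    for name, addrs in interfaces.items():
        if addrs and not any(a.ip.is_loopback for a in addrs):
            return name
    return None


def tcpdump_command(iface, syslog_ip, port, tcp=False):
    """argv for the capture: verbose, no name resolution, limited to the syslog peer and port."""
    proto = "tcp" if tcp else "udp"
    return ["tcpdump", "-v", "-n", "-i", iface, f"host {syslog_ip} and {proto} port {port}"]


def wireshark_filter(syslog_ip, port, tcp=False):
    """Equivalent Wireshark display filter for a capture taken on a Windows-based Manager."""
    proto = "tcp" if tcp else "udp"
    return f"ip.addr == {syslog_ip} && {proto}.port == {port}"


if __name__ == "__main__":
    server, port = "10.40.10.200", 514   # placeholder syslog server and port
    iface = interface_towards(SHOW_NETWORK_IP, server)
    print("capture interface:", iface)
    print("MLOS:", shlex.join(tcpdump_command(iface, server, port)))
    print("Wireshark:", wireshark_filter(server, port))
```

Paste the saved text of show network ip in place of the sample. Set tcp=True when the TCP option is selected for that syslog server in the Manager GUI, otherwise the filter must stay on UDP or the capture will be empty even though the Manager is sending.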
- Test the syslog connection from the Manager (Windows-based or MLOS-based):
- Open the Trellix IPS Manager.
- Click Manager, Setup, Notification, Firewall Access Events.
- Make sure that your syslog notification is enabled and that the correct IP address and port are selected.
- Click Test Connection. Note the date and time when you clicked Test Connection and add this information to your SR; Support needs to review the logs around this time.
- Look for an entry resembling the following in ems.log:
2021-03-11 14:57:06,581 DEBUG [Thread-487::executableHash, ] [logCorId1615474626563] iv.syslog.special -
Message is <32>Mar 11 14:57:06 SyslogACLLogTestForwarder: Network Security Manager syslog test message sent to /<IP ADDRESS>:<PORT> using 4 and 0
- If you see this line in the log, move to the next step.
- If you don't see this line, make sure that DEBUG logging is enabled and repeat the above steps.
NOTE: Other entries are present according to the components enabled, alert detection in the IPS, and activity such as login/logout in the Manager. The <32> PRI value at the start of the test message encodes facility 4 and severity 0 (PRI = facility x 8 + severity), which is consistent with the "using 4 and 0" at its end.
The Manager syslog component uses UDP unless the TCP option is selected in the specific syslog server section of the Manager GUI.
- Access ems.log from the Manager to review the entries:
- For Manager 10.x and 11.x: click Manager, Troubleshooting, Logs, System file, and select ems.log.
- For Manager 9.x: click Manager, Troubleshooting, System Logs, select ems.log, export or filter the needed time frame, and click View Messages.
- If no syslog entry is visible in ems.log, check the settings in log4j.xml and test again as described in the Test Connection step above. If the entries still aren't seen, upload the data listed at the end of the article, mentioning that debug logging was enabled.
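To check ems.log for the Test Connection entry shown above without scrolling through it by hand, here is an added example in Python (not Trellix code and not part of the original article). It parses ems.log lines in the format shown, joins a wrapped syslog payload back onto its entry, keeps only iv.syslog.special test messages logged close to the noted Test Connection time, and reports the destination plus whether the <PRI> value at the start of the message agrees with the facility and severity the message states. The log excerpt, the 192.0.2.10:514 destination and the two-minute window are constructed assumptions.

```python
"""Scan Manager ems.log text for the syslog Test Connection message.

Added example for this article, not Trellix code. The excerpt below is
constructed from the entry format shown in the article; 192.0.2.10:514 is a
placeholder destination and the 2-minute window is an assumption.
"""
import re
from datetime import datetime, timedelta

# "<timestamp> <LEVEL> [<thread>] [<correlation id>] <logger> - <message>"; the
# message part may be empty when the syslog payload is written on the next line.
EMS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]*)\] \[(?P<corid>[^\]]*)\] (?P<logger>\S+) -(?: (?P<msg>.*))?$"
)
# RFC 3164/5424 PRI field: <facility * 8 + severity>
PRI = re.compile(r"<(?P<pri>\d{1,3})>")
# trailer of the test message: "... sent to /<ip>:<port> using <facility> and <severity>"
TEST_MSG = re.compile(
    r"syslog test message sent to /(?P<host>[^:\s]+):(?P<port>\d+) using (?P<fac>\d+) and (?P<sev>\d+)"
)

# Constructed ems.log excerpt (three entries; the second one wraps its payload).
SAMPLE_EMS_LOG = """\
2021-03-11 14:57:01,004 INFO [Thread-12::executableHash, ] [logCorId1615474620001] iv.syslog.configurator - Syslog forwarder configuration loaded
2021-03-11 14:57:06,581 DEBUG [Thread-487::executableHash, ] [logCorId1615474626563] iv.syslog.special -
Message is <32>Mar 11 14:57:06 SyslogACLLogTestForwarder: Network Security Manager syslog test message sent to /192.0.2.10:514 using 4 and 0
2021-03-11 14:58:30,010 DEBUG [Thread-490::executableHash, ] [logCorId1615474710010] iv.syslog.alertforwarding.engine - Forwarding alert to /192.0.2.10:514
"""


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity)."""
    return pri // 8, pri % 8


def parse_ems(text):
    """Parse ems.log text into entries; a line without a leading timestamp is a continuation of the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = EMS_LINE.match(raw)
        if m:
            entries.append({
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
                "level": m.group("level"),
                "logger": m.group("logger"),
                "msg": (m.group("msg") or "").strip(),
            })
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries


def find_test_messages(entries, clicked_at, window=timedelta(minutes=2)):
    """Return iv.syslog.special test messages logged within `window` of the Test Connection
    click (clicked_at as datetime or "YYYY-MM-DD HH:MM:SS"), with destination and a check
    that the PRI matches the facility/severity stated in the message."""
    if isinstance(clicked_at, str):
        clicked_at = datetime.strptime(clicked_at, "%Y-%m-%d %H:%M:%S")
    hits = []
    for e in entries:
        if e["logger"] != "iv.syslog.special":
            continue
        tm = TEST_MSG.search(e["msg"])
        if not tm or abs(e["ts"] - clicked_at) > window:
            continue
        facility, severity = int(tm.group("fac")), int(tm.group("sev"))
        pm = PRI.search(e["msg"])
        hits.append({
            "ts": e["ts"],
            "host": tm.group("host"),
            "port": int(tm.group("port")),
            "facility": facility,
            "severity": severity,
            "pri_consistent": pm is not None and decode_pri(int(pm.group("pri"))) == (facility, severity),
        })
    return hits


if __name__ == "__main__":
    clicked = "2021-03-11 14:57:00"   # time noted when Test Connection was clicked
    for hit in find_test_messages(parse_ems(SAMPLE_EMS_LOG), clicked):
        print(f"{hit['ts']} test message to {hit['host']}:{hit['port']} "
              f"facility={hit['facility']} severity={hit['severity']} pri_ok={hit['pri_consistent']}")
```

An empty result with DEBUG enabled means the Manager never built the test message, so the problem is on the Manager side (configuration) rather than on the network; a hit whose destination does not match the syslog server configured in the GUI points at a stale or duplicated syslog server entry. A hit together with an empty packet capture points at the network path or at a UDP/TCP mismatch.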
- Disable Manager syslog debug logging and review the capture on a Windows-based Manager:
- Log on to the Windows Server hosting the Trellix IPS Manager.
- Navigate to <installation directory>\App\config\ and open log4j.xml in a text editor of your choice, such as WordPad or Notepad++.
- Search for the following entries:
NOTE: If the file contains two sets of matching lines, only modify the second.
<category name="iv.syslog.engine">
<priority value="DEBUG"/>
</category>
<category name="iv.syslog.special">
<priority value="DEBUG"/>
</category>
<category name="iv.syslog.configurator">
<priority value="DEBUG"/>
</category>
<category name="iv.syslog.faultforwarding.engine">
<priority value="DEBUG"/>
</category>
<category name="iv.syslog.alertforwarding.engine">
<priority value="DEBUG"/>
</category>
<category name="iv.syslog.auditlogforwarding.engine">
<priority value="DEBUG"/>
</category>
- Change DEBUG back to INFO for the components you edited earlier. For example:
<category name="iv.syslog.engine"><priority value="INFO"/></category>
- Save your changes. Debug logging stops automatically after a couple of minutes; there's no need to restart the Manager service.
- Stop the capture session running in Wireshark and save the capture file.
- Disable Manager syslog debug logging and review the capture on an MLOS-based Manager:
- If the SSH session is still open, stop the packet capture (press CTRL+C) and continue with the edit log4j.xml step below.
- Otherwise, log on to the MLOS server hosting the Trellix IPS Manager as Admin and enter the Admin password.
- At the command prompt, type edit log4j.xml and press Enter. The log4j.xml file opens.
- Press / to start a search, type syslog and press Enter to find the first occurrence of the word.
- Press n to cycle through the matches for syslog until you see the following section:
<category name="iv.syslog.engine">
<priority value="DEBUG"/>
</category>
<category name="iv.syslog.special">
<priority value="DEBUG"/>
</category>
<category name="iv.syslog.configurator">
<priority value="DEBUG"/>
</category>
<category name="iv.syslog.faultforwarding.engine">
<priority value="DEBUG"/>
</category>
<category name="iv.syslog.alertforwarding.engine">
<priority value="DEBUG"/>
</category>
<category name="iv.syslog.auditlogforwarding.engine">
<priority value="DEBUG"/>
</category>
- Change DEBUG back to INFO for the components you changed above. For example:
<category name="iv.syslog.engine"><priority value="INFO"/></category>
- Save the changes: press ESC, then type :wq and press Enter once the ':' appears in the bottom-left corner.
- Collect the data for the SR:
- For a Windows-based Manager: run the InfoCollector batch file <Installation Directory>\App\diag\InfoCollector\infocollector.bat and provide its output together with the Wireshark capture.
- For an MLOS-based Manager: run InfoCollector.sh from the CLI prompt and supply its output, and gather the text output of the MLOS administrator console (the SSH session log that contains the tcpdump output).