Endpoint Protection


Forwarding logs to a Syslog server


  • 1.  Forwarding logs to a Syslog server

    Posted Sep 02, 2010 10:28 AM

    Been having an issue sending logs to our Syslog server.

    I've designated one of our SEPMs to be the Master Logging server. It works fine for a few days, then suddenly stops sending the log files. If I restart the SEPM service on that SEPM it will then start sending logs for a few days and then stop again. I can continue to restart the service but it's more of a workaround than a fix.

    Just curious to see if anyone has had experience with this.

    Nothing has changed on the syslog server or the SEPM for that matter. We put a sniffer on the syslog server and could see traffic from SEPM, then it would stop.

    Not really what changed as of yet.


  • 2.  RE: Forwarding logs to a Syslog server

    Broadcom Employee
    Posted Sep 02, 2010 10:36 AM
    I had seen a similar issue when the customer migrated from Embedded to SQL.

    And we resolved the issue by changing the Log facility to 22.


  • 3.  RE: Forwarding logs to a Syslog server

    Posted Sep 02, 2010 10:41 AM

    We've always been on SQL.

    What's the difference in different numbers for the log facility? Any document(s) on this?


  • 4.  RE: Forwarding logs to a Syslog server

    Broadcom Employee
    Posted Sep 02, 2010 10:55 AM

    Log Facility is the number that you want to be used in the Syslog configuration file. Valid values range from 0 to 23.

    The value depends on the syslog server that you are using.

    While troubleshooting syslog we only check a few things: whether it has been configured properly, or whether the DUMP files are being created. Once the dump is created, it means the SEPM part of log forwarding is working fine.
    The issue needs to be troubleshot on the syslog server or on the network.
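    The facility number discussed above is encoded into every syslog packet as part of the PRI field (facility * 8 + severity), which is how the collector decides which rule handles the message. The following is an added example, not code from the thread or from SEPM, that builds a BSD-style syslog line for a chosen facility and decodes the PRI from a captured line, so you can confirm that what the sniffer sees (facility 6 here, or 22 as suggested) matches what the collector expects; the hostname, tag and collector address are placeholders.

```python
import re
import socket
import time

# RFC 3164 facility names, index = facility number (0..23).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def build_pri(facility, severity):
    """PRI = facility * 8 + severity; facility must be 0..23, severity 0..7."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility {facility} out of range 0..23")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity {severity} out of range 0..7")
    return facility * 8 + severity


def decode_pri(message):
    """Return (facility, facility_name, severity, severity_name) from a raw syslog line."""
    m = re.match(r"^<(\d{1,3})>", message)
    if not m:
        raise ValueError("no <PRI> prefix: not a syslog message")
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)
    if facility > 23:
        raise ValueError(f"PRI {pri} implies facility {facility} > 23")
    return facility, FACILITY_NAMES[facility], severity, SEVERITY_NAMES[severity]


def format_message(facility, severity, hostname, tag, text, ts=None):
    """Build a BSD-style syslog line like the ones a sniffer on the collector would show."""
    t = time.gmtime(ts if ts is not None else time.time())
    stamp = f"{MONTHS[t.tm_mon - 1]} {t.tm_mday:2d} {t.tm_hour:02d}:{t.tm_min:02d}:{t.tm_sec:02d}"
    return f"<{build_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


def send_udp(message, host, port=514):
    """Send one test line to the collector over UDP/514 (the classic syslog transport)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


if __name__ == "__main__":
    # Constructed sample values; "sepm01" is a placeholder hostname.
    line = format_message(6, 6, "sepm01", "SEPM", "Agent scan completed", ts=0)
    print(line, decode_pri(line))
```

Run `decode_pri` over lines from the sniffer capture: if the collector is configured for facility 22 but the lines decode to facility 6, they will be dropped or misrouted even though the SEPM side is sending.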



  • 5.  RE: Forwarding logs to a Syslog server

    Posted Sep 02, 2010 11:01 AM

    Is there a location on the SEPM I can look at to see the DUMP files?


  • 6.  RE: Forwarding logs to a Syslog server

    Broadcom Employee
    Posted Sep 02, 2010 11:18 AM
    Next time, you can use the URL mentioned in the article below to sweep the database and see if that generates the results.

    http://www.symantec.com/connect/articles/how-does-sweep-function-work

    Aniket


  • 7.  RE: Forwarding logs to a Syslog server

    Broadcom Employee
    Posted Sep 02, 2010 11:20 AM
    The location is Symantec endpoint protection manager/Data/DUMP


  • 8.  RE: Forwarding logs to a Syslog server

    Posted Sep 02, 2010 12:16 PM

    Been watching for the past hour and have not seen any DUMP files created. Is there any further troubleshooting I can do?


  • 9.  RE: Forwarding logs to a Syslog server

    Broadcom Employee
    Posted Sep 02, 2010 04:07 PM
    Maybe run a Wireshark packet capture on your SEPM, and see if there is any traffic between the SEPM and the syslog server.

    Have you looked at the log facility number? Is it already 22?


  • 10.  RE: Forwarding logs to a Syslog server

    Posted Sep 02, 2010 04:28 PM
    The log facility number is at 6. This is per the spec we have from our syslog server.


  • 11.  RE: Forwarding logs to a Syslog server

    Broadcom Employee
    Posted Sep 02, 2010 04:34 PM
    Do you have server activity logs from SEPM - Monitors - Logs - System, covering the period when it was working, and then it stopped?


  • 12.  RE: Forwarding logs to a Syslog server

    Posted Sep 02, 2010 08:30 PM

    Yes, I do have activity in the logs on the SEPM. That has never stopped.


  • 13.  RE: Forwarding logs to a Syslog server

    Broadcom Employee
    Posted Sep 02, 2010 09:29 PM
    Which version of SEP is this?

    I've never seen any feature for pushing all of the log events to a syslog server.


  • 14.  RE: Forwarding logs to a Syslog server

    Posted Sep 02, 2010 09:37 PM

    The latest, RU6 MP1

    Under Admin ---> Servers ---> Configure external logging you can setup SEPM to forward to a syslog server or create DUMP files to then send to syslog if you wish.


  • 15.  RE: Forwarding logs to a Syslog server

    Broadcom Employee
    Posted Sep 02, 2010 09:51 PM
    wow, thanks Brian. I appreciate your help.

    Cheers,
    AWT


  • 16.  RE: Forwarding logs to a Syslog server

    Broadcom Employee
    Posted Sep 03, 2010 12:24 AM
    This feature has been available since older versions of SEPM too! I do not remember which version it started in, or whether it was there right from the RTM release, but it was definitely there before RU6 MP1.

    Brian81, could you please post the server activity logs?


  • 17.  RE: Forwarding logs to a Syslog server

    Posted Sep 03, 2010 04:25 AM

    Where are they located?


  • 18.  RE: Forwarding logs to a Syslog server

    Broadcom Employee
    Posted Sep 03, 2010 07:35 AM
    Log in to SEPM, go to Monitors--->Logs--->System--->Server activity, select the appropriate time range and click on View Logs. Are you able to find any relevant entry? If you want, you can export these logs.


  • 19.  RE: Forwarding logs to a Syslog server

    Posted Sep 03, 2010 07:42 AM

    Here is the log for the last 24 hours.

    Attachment: log_0.xlsx (25 KB)