
Syslog Plugin Stopped Receiving Data?

dustin.davis
I have restarted the rsyslog service via service rsyslog restart a few times with no change. service rsyslog status yields a running service with no errors. How can I further troubleshoot this? This plugin has worked without issue since installation but suddenly stopped after no major changes were made. The log files are indeed being populated by events, as expected. The only issue is that OSSIM itself is not seeing these events, because the plugin is "not receiving data".

Answers

  • dustin davis,

    which log file is receiving the syslog data and is this data syslog service data from a remote device, or some other service sending via rsyslog?

    Also, can you confirm if the issue is with this single asset not receiving events, or no events being generated from ANY syslog source?
  • which log file is receiving the syslog data: a set of logs I've made with a custom rule in my rsyslog.conf file. These files were generating events earlier. No change has been made to rsyslog.conf.

    is this data syslog service data from a remote device, or some other service sending via rsyslog: it's from a remote syslog server forwarding logs of many devices.

    Also, can you confirm if the issue is with this single asset not receiving event: there's only one asset that receives syslog events. So yes, single asset. But also could say "ANY" syslog source since there is only one.
  • dustin.davis,

    This still leaves a number of questions, as I am not sure where or how you made modifications. This said, try looking at the following items:

    1 - If you made a custom rsyslog rule, then did you also modify the plugin to look in a different directory, and if so, did you do this using a *.local plugin file, or just edit the .conf? A plugin update will overwrite the .conf file, breaking the plugin.

    2 - did you try running the command "ossim-reconfig -c -v -d" to see if it returned any errors? This checks and rewrites the configuration files and restarts the standard system services in order, and will provide output on any errors found during the reconfig.

    3 - Even if all asset-based events are coming from one source, you should still see separate events generated by the OSSIM server itself unless you specifically excluded them via policy. Are you seeing these events, or are they missing? If they are missing, did you check the OSSIM server logs in /var/log/alienvault/agent/ and /var/log/alienvault/server for errors?

    4 - Did you check your policies to make sure that you do not have a discard rule in place that is affecting processing? A policy set too broad (assets set to any, too many event types, or an empty Data Source Group) will cast a VERY wide net on event discards.

    On a side note, consider which plugins are actually parsing the logs being forwarded. The syslog plugin is a VERY generic plugin, designed to monitor the rsyslog service itself. Depending on the input, you could be missing or mis-categorizing a large number of events.
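A small check for point 1 above, added here as an example and not code from the thread or from AlienVault: it resolves which log file a plugin is configured to read, honouring a .cfg.local override over the .cfg, and then reports whether that file has actually been written to recently. It assumes the plugin config carries a `location=` line under `[config]`; the sample config and log it builds in a temp directory are constructed, not the real /etc/ossim/agent/plugins/ tree.

```shell
#!/bin/sh
# Added example (not from the thread): resolve which log file an OSSIM
# agent plugin watches and check whether that file is still being written.
# Assumes the plugin .cfg format: a [config] section with "location=<path>",
# and that a sibling .cfg.local file, if present, overrides that setting.

# Print the effective "location" of a plugin: .cfg.local wins over .cfg.
plugin_log_location() {
    cfg="$1"
    loc=""
    for f in "$cfg" "$cfg.local"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*location[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        [ -n "$v" ] && loc="$v"
    done
    printf '%s\n' "$loc"
}

# Return 0 if the file exists and was modified within $2 seconds, else 1.
# A stale or missing file here means the plugin has nothing to read,
# whatever rsyslog status says.
log_is_active() {
    file="$1"; window="${2:-300}"
    [ -f "$file" ] || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file")
    [ $((now - mtime)) -le "$window" ]
}

# Demo with a constructed plugin config and log in a temp dir.
demo() {
    d=$(mktemp -d)
    printf '[config]\nlocation=/var/log/syslog\n' > "$d/syslog.cfg"
    printf '[config]\nlocation=%s/custom.log\n' "$d" > "$d/syslog.cfg.local"
    echo "constructed event line" > "$d/custom.log"
    loc=$(plugin_log_location "$d/syslog.cfg")
    echo "plugin reads: $loc"
    if log_is_active "$loc" 300; then echo "log active"; else echo "log stale or missing"; fi
    rm -rf "$d"
}

demo
```

If the resolved path is not the file your custom rsyslog rule writes, the override lives in the wrong file or was lost to a plugin update, which matches the failure mode described in point 1.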