No messages to SIEM


Paul Bakker

Hi, I'm trying to send events to my SIEM. I'm using syslog-cef. However, no message seems to be sent from the server.

If I look with Microsoft Network Monitor I do not see any traffic on UDP port 514.

Please advise,
Paul

Tamas Lengyel

Paul Bakker - 2/9/2018
Hi, I'm trying to send events to my SIEM. I'm using syslog-cef. However, no message seems to be sent from the server.

If I look with Microsoft Network Monitor I do not see any traffic on UDP port 514.

Please advise,
Paul

Hi Paul,

If you turn on one of the other outputs (such as LOGbinder Event Log or one of the Syslog File outputs), do you get any messages on those outputs?

Tamas

Paul Bakker

Tamas Lengyel - 2/9/2018
Hi Paul,

If you turn on one of the other outputs (such as LOGbinder Event Log or one of the Syslog File outputs), do you get any messages on those outputs?

Tamas

Yes, I do have events in LOGbinder SP event log


Tamas Lengyel

Paul Bakker - 2/9/2018
Yes, I do have events in LOGbinder SP event log


Okay, good. Could you please turn on diagnostic logging (in Options set it to Level 1), restart the service, and after some events have occurred on the other outputs, compress and send me in a private message all *.log files from the 'C:\ProgramData\LOGbinder SP' folder. Thanks.

Tamas Lengyel

Tamas Lengyel - 2/9/2018
Okay, good. Could you please turn on diagnostic logging (in Options set it to Level 1), restart the service, and after some events have occurred on the other outputs, compress and send me in a private message all *.log files from the 'C:\ProgramData\LOGbinder SP' folder. Thanks.

Thanks for the logs. According to the logs, you should be getting the messages through Syslog.
Has this worked before, or is this the first installation?
Do you have multiple NICs in the LOGbinder server?

Paul Bakker

Tamas Lengyel - 2/9/2018
Thanks for the logs. According to the logs, you should be getting the messages through Syslog.
Has this worked before, or is this the first installation?
Do you have multiple NICs in the LOGbinder server?

First installation, two NICs in LOGbinder server

Paul Bakker

Tamas Lengyel - 2/9/2018
Thanks for the logs. According to the logs, you should be getting the messages through Syslog.
Has this worked before, or is this the first installation?
Do you have multiple NICs in the LOGbinder server?

Please give me a call to explain this problem!

Tamas Lengyel

Paul Bakker - 2/12/2018
Please give me a call to explain this problem!

Paul, thanks for your cooperation on this. Happy to hear that the solution worked.

This turned out to be a problem with multiple NICs. LOGbinder picked up the first interface when setting up the connection to the Syslog server. We have now implemented a solution to pick the actual network interface that is used in the connection. This update will be released shortly.
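
The root cause named in the reply above (a sender on a multi-homed host using its first interface rather than the one that routes to the Syslog server) can be checked with a short script. This is an added example, not LOGbinder's code or part of the thread; the function names, the CEF field values and the `192.0.2.10` collector address are assumptions made for illustration.

```python
import socket
from datetime import datetime

def routed_source_ip(dest_host, dest_port=514):
    """Local IPv4 address the OS routing table selects for this destination.

    connect() on a UDP socket sends no packet; it only resolves the route,
    so getsockname() shows which interface address would be used.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_host, dest_port))
        return s.getsockname()[0]

def first_address_differs(dest_host, interface_ips, dest_port=514):
    """True when 'take the first interface' would pick a different source
    address than the routing table does (the failure mode in this thread)."""
    if not interface_ips:
        raise ValueError("interface_ips must not be empty")
    return interface_ips[0] != routed_source_ip(dest_host, dest_port)

def build_cef_syslog(host, name, severity=3, pri=134):
    """BSD-syslog-style header plus a CEF:0 body; all field values are constructed."""
    now = datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    cef = f"CEF:0|ExampleVendor|ExampleProduct|1.0|100|{name}|{severity}|msg=syslog path test"
    return f"<{pri}>{stamp} {host} {cef}".encode("utf-8")

def send_test_event(dest_host, dest_port=514):
    """Send one test datagram from the routed source address.

    Returns (source_ip, bytes_sent) so the result can be matched against
    a packet capture on the sender or on the collector.
    """
    source_ip = routed_source_ip(dest_host, dest_port)
    payload = build_cef_syslog(socket.gethostname(), "Syslog path test")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((source_ip, 0))  # use the routed address as the source
        sent = s.sendto(payload, (dest_host, dest_port))
    return source_ip, sent

if __name__ == "__main__":
    SIEM_HOST = "192.0.2.10"  # placeholder (documentation range); use your collector
    print(send_test_event(SIEM_HOST))
```

If the address returned by `routed_source_ip` is not the one on the NIC being captured, a capture filtered on UDP port 514 on that NIC will show nothing even though datagrams are leaving the host.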
