sophos / Sophos-Central-SIEM-Integration

Simple integration script for 3rd party systems such as SIEMs. Offers command line, file or syslog output in CEF, JSON or key-value pair formats.

syslog export for rapid7 #44

Closed ethernetguru closed 3 years ago

ethernetguru commented 3 years ago

I am setting up a syslog export for Rapid7 and following the guide here: https://docs.rapid7.com/insightidr/sophos-central/ I was able to get a connection done and got a result.txt that showed recent data back, but I am not able to get the syslog connection working. Do I have the correct config file?

Edit: The script is running on a windows server with python 3

---snip--
[login]

# API Access URL + Headers
# API token setup steps: https://community.sophos.com/kb/en-us/125169
token_info = url: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# format can be json, cef or keyvalue
format = json
# filename can be syslog, stdout, any custom filename
filename = syslog
# endpoint can be event, alert or all
endpoint = event
# syslog properties
# for remote address use <remoteServerIp>:<port>, for e.g. 192.1.2.3:514
# for linux local systems use /dev/log
# for MAC OSX use /var/run/syslog
address = xx.xx.xx.xx:514
facility = daemon
socktype = udp

--snip--
tennis-r7 commented 3 years ago

@ethernetguru did you resolve this?

ethernetguru commented 3 years ago

@tennis-r7 I did get this resolved by working with rapid7 support. The default port of 514 is already bound to other inbound connections so I made it another port number.

fdejesus1125 commented 3 years ago

Can you share the code with me? I am also running into a similar problem.

ethernetguru commented 3 years ago

The main issue was that the collector service is already monitoring port 514, which is for syslog dumps. A new port, 516, was set up to be used instead. So the collector port needs to be updated in InsightIDR to look for port 516, and then the config.ini changed to match that new port number.


format = json
# filename can be syslog, stdout, any custom filename
filename = syslog
# endpoint can be event, alert or all
endpoint = event
# syslog properties
# for remote address use <remoteServerIp>:<port>, for e.g. 192.1.2.3:514
# for linux local systems use /dev/log
# for MAC OSX use /var/run/syslog
address = x.x.x.x:516
facility = daemon
socktype = udp
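An added example, not code from this repository or from anyone in the thread: it parses the [login] section shown above and validates the address/socktype values, and offers a bind check that, run on the collector host, reports whether a UDP port is already owned by another listener, which is the conflict on 514 that this thread resolved by moving to 516. The sample config, the 192.0.2.10 placeholder address and the accepted socktype values (udp or tcp) are assumptions of this example.

```python
import configparser
import socket

# Constructed sample mirroring the [login] section in the thread (token
# redacted, collector address is a documentation-range placeholder).
SAMPLE_CONFIG = """
[login]
token_info = url: <REDACTED>
format = json
filename = syslog
endpoint = event
address = 192.0.2.10:516
facility = daemon
socktype = udp
"""

def parse_syslog_target(ini_text):
    """Return (host, port, socktype, facility) for the syslog output.
    A path such as /dev/log is a local socket (port None); anything else
    must be <host>:<port>. Accepting tcp as well as udp is an assumption."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    login = cp["login"]
    address = login["address"].strip()
    facility = login.get("facility", "user")
    socktype = login.get("socktype", "udp").lower()
    if socktype not in ("udp", "tcp"):
        raise ValueError(f"socktype must be udp or tcp, got {socktype!r}")
    if address.startswith("/"):
        return address, None, socktype, facility
    host, sep, port_str = address.rpartition(":")
    if not sep or not host or not port_str.isdigit():
        raise ValueError(f"address must be <host>:<port>, got {address!r}")
    return host, int(port_str), socktype, facility

def udp_port_is_free(port, host="0.0.0.0"):
    """Run on the collector host: True if nothing already owns the UDP port.
    A second listener on 514 was the conflict in the thread; UDP gives the
    sender no error when nobody listens, so the receiving side must be checked."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        sock.close()
```

Because the script sends over UDP, a wrong or occupied collector port produces no error on the sending Windows server; the only symptom is that nothing shows up in InsightIDR.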

tennis-r7 commented 3 years ago

@fdejesus1125 if you want to share some details of the problem you're facing, perhaps we can provide more help.