splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Not receiving syslog from server with RHEL 6.10 OS Version #2035

Closed AParida23 closed 1 year ago

AParida23 commented 1 year ago

We are trying to collect syslog from a RHEL 6.10 OS. It is an on-prem server. However, we don't see the correct logs in the tcpdump or in the osnix index. The same syslog configuration works for AIX 5.3, AIX 6 and RHEL 8 as well.

Config file used for RHEL 6 and RHEL 8: "audit log imfile #Load the imfile input module authpriv.* /var/log/secure /var/log/audit/audit.log tag_audit_log: audit_log info local6 . @@receivinghostip:514"

Here's the tcpdump from the RHEL 6.10 server:

13:50:28.597040 IP (tos 0x0, ttl 60, id 27717, offset 0, flags [DF], proto TCP (6), length 60) sendinghostname.44476 > receivinghostname.shell: Flags [S], cksum 0xd4bf (correct), seq 447763177, win 14600, options [mss 1460,sackOK,TS val 2717269676 ecr 0,nop,wscale 7], length 0

The raw data that was received initially for the RHEL 6 server: RAWMSG=\xff\xf4\xff\xfd PRI=13 MESSAGE=\xff\xf4\xff\xfd

The syslog-ng (version 2.40.0) is configured on a Splunk Heavy Forwarder and the logs collected are sent over to Splunk Cloud indexers via HEC.

Is this a compatibility issue between the OS version and syslog-ng?
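As an added example (not part of this issue thread, and not SC4S or syslog-ng code), the Python below does what a syslog receiver does with a TCP payload that carries no `<PRI>` header: it falls back to PRI 13 (facility user, severity notice), the value RFC 3164 section 4.3.3 prescribes for that case and the default syslog-ng applies, which is why the raw record above reports `PRI=13` for a message that is not syslog at all. It also flags a payload made only of Telnet IAC byte pairs (0xFF followed by a command byte; `\xff\xf4\xff\xfd` is IAC IP followed by IAC DO) so that such records stand out from genuine log lines when you inspect what the forwarder received. The sample lines are constructed and the function names are my own.

```python
import re
from dataclasses import dataclass

# RFC 3164 section 4.3.3: a receiver that finds no valid <PRI> header uses PRI 13
# (facility user = 1, severity notice = 5 -> 1 * 8 + 5). syslog-ng uses the same
# default, which is what the issue's "PRI=13" line shows.
DEFAULT_PRI = 13

# Telnet IAC (0xFF) and the command bytes that may follow it; the issue's raw
# payload \xff\xf4\xff\xfd is IAC IP (interrupt process) followed by IAC DO.
TELNET_IAC = 0xFF
TELNET_COMMANDS = {
    0xF1: "NOP", 0xF4: "IP", 0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT",
}

# Facility and severity names as syslog-ng reports them (index = numeric code).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


@dataclass
class ParsedSyslog:
    pri: int
    facility: str
    severity: str
    message: bytes
    had_pri_header: bool   # False when the receiver had to fall back to PRI 13
    telnet_iac: bool       # True when the payload is only Telnet IAC command pairs


def telnet_iac_sequence(payload: bytes) -> bool:
    """True when the payload consists solely of 0xFF <command> pairs."""
    if not payload or len(payload) % 2:
        return False
    return all(
        payload[i] == TELNET_IAC and payload[i + 1] in TELNET_COMMANDS
        for i in range(0, len(payload), 2)
    )


def parse_rfc3164(raw: bytes) -> ParsedSyslog:
    """Parse one line as a BSD-syslog receiver would, defaulting PRI to 13."""
    line = raw.rstrip(b"\r\n")
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:      # 23 facilities * 8 + 7 is the largest valid PRI
        pri, body, had_pri = int(m.group(1)), line[m.end():], True
    else:
        pri, body, had_pri = DEFAULT_PRI, line, False
    return ParsedSyslog(
        pri=pri,
        facility=FACILITIES[pri // 8],
        severity=SEVERITIES[pri % 8],
        message=body,
        had_pri_header=had_pri,
        telnet_iac=telnet_iac_sequence(body),
    )


def classify(raw: bytes) -> str:
    """Label a received payload: 'syslog', 'missing-pri', or 'telnet-iac'."""
    parsed = parse_rfc3164(raw)
    if parsed.telnet_iac:
        return "telnet-iac"
    if not parsed.had_pri_header:
        return "missing-pri"
    return "syslog"


# Constructed samples: a normal authpriv.info line as a RHEL host would send it,
# the exact bytes from the issue, and a line whose sender omitted the PRI header.
SAMPLES = [
    b"<86>Jan 12 13:50:28 sendinghostname sshd[2411]: Accepted publickey for admin from 10.0.0.5 port 50212 ssh2\n",
    b"\xff\xf4\xff\xfd",
    b"Jan 12 13:50:29 sendinghostname tag_audit_log: type=USER_LOGIN msg=audit(1705067429.101:77)\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        p = parse_rfc3164(sample)
        print(f"{classify(sample):<12} PRI={p.pri:<3} {p.facility}.{p.severity:<8} {p.message[:40]!r}")
```

Running it against the three constructed samples labels the first `syslog` (PRI 86 = authpriv.info), the second `telnet-iac` with the fallback PRI 13 = user.notice, and the third `missing-pri`, so a payload that only looks like syslog because the receiver supplied a default priority is easy to tell apart from a real message.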

bparmar-splunk commented 1 year ago

@AParida23 This issue is not related to SC4S and hence we are closing this issue.