+1I have created a rsyslog server and configured metallic to send audit trails and alerts using syslog server by following this guide - https://documentation.commvault.com/2022e/essential/114237_configuring_syslog_server.html?_gl=1*pf4vx8*_gcl_au*MTAwMzEzNTY2LjE2ODkxNjQyNDI. I am not able to see any audit logs on my rsyslog server.
I have configure rsyslog server to listen on both tcp and udp.
Are you saying you can see alerts but not audit events? Or you cant see both? If the later, what port are you using for the TCP connection? If possible try using port 443, and configure your syslog server to receive on that port also.
+1I can’t see both. Neither Audit nor alerts. In our environment, there might not be any alerts but audit logs can be seen in the ‘Reports > Audit Trails’ report.
For BG, I have configured a rsyslog server (to listen on 2 different ports over UDP and TCP) which is routed through a public IP and is reachable from the Metallic's infrastructure.
I tried using 443 as well but there are no logs seen in the /var/log/syslog file on the rsyslog server.
+18My $0.02 -- your commands my vary, but examples from my environment.
Verify the syslog server is listening:
# netstat -an | grep :514
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp6 0 0 :::514 :::*
Verify the port is open in the firewall:
# firewall-cmd --info-service=syslog | grep 514
ports: 514/udp
# firewall-cmd --query-service=syslog
yes
You will see data in /var/log/messages:
# tail /var/log/messages | grep commserve
Jun 25 16:32:26 commserve Events: Eventid = {874213} Occurrencetime = {25 Jun 2024 16:29:43} Eventseverity = {Information} Commcellname = {commserve} Computer = {commserve} Eventcode = {35:4952} Program = {WebServer} Description = {Syslog - Audit is enabled for Commcell} Utctimestamp = {1719350983}
Thanks,
Scott
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
