Question

Not able to send audit trails and alerts using syslog server



I have created an rsyslog server and configured Metallic to send audit trails and alerts using syslog server by following this guide - https://documentation.commvault.com/2022e/essential/114237_configuring_syslog_server.html?_gl=1*pf4vx8*_gcl_au*MTAwMzEzNTY2LjE2ODkxNjQyNDI. I am not able to see any audit logs on my rsyslog server.

 

I have configured the rsyslog server to listen on both TCP and UDP.

4 replies

  • Vaulter
  • 53 replies
  • July 13, 2023

Are you saying you can see alerts but not audit events? Or you can't see both? If the latter, what port are you using for the TCP connection? If possible, try using port 443, and configure your syslog server to receive on that port also.


Forum|alt.badge.img+1

I can’t see both. Neither Audit nor alerts. In our environment, there might not be any alerts but audit logs can be seen in the ‘Reports > Audit Trails’ report.

 

For BG, I have configured an rsyslog server (to listen on 2 different ports over UDP and TCP) which is routed through a public IP and is reachable from Metallic's infrastructure.

 

I tried using 443 as well but there are no logs seen in the /var/log/syslog file on the rsyslog server.


  • 1 reply
  • June 25, 2024

Hello,

I got the same problem here. Were you able to find a solution so far?

Regards,

Yanick


Scott Moseman
Vaulter

My $0.02 -- your commands may vary, but examples from my environment.

Verify the syslog server is listening:

# netstat -an | grep :514
udp        0      0 0.0.0.0:514             0.0.0.0:*                          
udp6       0      0 :::514                  :::*       

Verify the port is open in the firewall:

# firewall-cmd --info-service=syslog | grep 514
  ports: 514/udp

# firewall-cmd --query-service=syslog
yes

You will see data in /var/log/messages:

# tail /var/log/messages | grep commserve
Jun 25 16:32:26 commserve Events: Eventid = {874213}  Occurrencetime = {25 Jun 2024 16:29:43}  Eventseverity = {Information}  Commcellname = {commserve}  Computer = {commserve}  Eventcode = {35:4952}  Program = {WebServer}  Description = {Syslog - Audit is enabled for Commcell}  Utctimestamp = {1719350983}  

Thanks,
Scott
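
Once events do arrive, the line shown in the reply above can be split into fields for searching or forwarding. The following is an added example, not part of the thread or Commvault's own code: the header and `Key = {value}` layout are assumptions inferred from that single sample line, and the names `parse_event` and `audit_events` are hypothetical.

```python
import re
from datetime import datetime, timezone

# Sample input: the event line quoted in the reply above.
SAMPLE = (
    "Jun 25 16:32:26 commserve Events: Eventid = {874213}  "
    "Occurrencetime = {25 Jun 2024 16:29:43}  Eventseverity = {Information}  "
    "Commcellname = {commserve}  Computer = {commserve}  Eventcode = {35:4952}  "
    "Program = {WebServer}  Description = {Syslog - Audit is enabled for Commcell}  "
    "Utctimestamp = {1719350983}  "
)

# Assumed header layout: "<Mon DD HH:MM:SS> <host> <tag>: <body>"
HEADER = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>[^:]+): (?P<body>.*)$"
)
# Assumed body layout: repeated "Key = {value}" pairs.
PAIR = re.compile(r"(\w+) = \{([^}]*)\}")


def parse_event(line):
    """Return a dict of fields for one event line, or None if it does not match."""
    m = HEADER.match(line.rstrip())
    if not m:
        return None
    fields = dict(PAIR.findall(m.group("body")))
    if not fields:  # ordinary syslog line without Key = {value} pairs
        return None
    event = {"received": m.group("stamp"), "host": m.group("host"),
             "tag": m.group("tag"), **fields}
    # Utctimestamp is epoch seconds in the sample; store a timezone-aware datetime.
    ts = fields.get("Utctimestamp", "")
    event["utc"] = datetime.fromtimestamp(int(ts), tz=timezone.utc) if ts.isdigit() else None
    return event


def audit_events(lines, host):
    """Yield parsed events sent by `host`, skipping unrelated syslog lines."""
    for line in lines:
        ev = parse_event(line)
        if ev and ev["host"] == host:
            yield ev


if __name__ == "__main__":
    noise = "Jun 25 16:32:27 other sshd[1]: noise"  # constructed non-event line
    for ev in audit_events([SAMPLE, noise], "commserve"):
        print(ev["utc"].isoformat(), ev["Eventcode"], ev["Program"], ev["Description"])
```

An empty result from `audit_events` over `/var/log/messages` while the listener and firewall checks pass suggests the events are not reaching the server at all, rather than being filed somewhere unexpected.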
 

