Unable to receive logs from a device to our SIEM Syslog server via TCP 514
I want to collect logs from a security device (McAfee Email Gateway) to our SIEM Syslog server. This security device can forward logs only via TCP syslog on any port (in our case it is 514). We are not getting logs from this security device, and when I ran Wireshark to capture traffic from the security device to our syslog server, I got RST-ACK from the security device.
The complete Wireshark capture is:
SYN --> from security device to syslog server
SYN-ACK --> from syslog server to security device
ACK --> from security device to syslog server
RST-ACK --> from security device to syslog server
What can be the issue? Is the three-way handshake complete? If not, then why? If yes, then why am I not able to see any log transfer?
Regards,
Mitesh Agrawal
Can you post a capture of the TCP handshake and RST? Have you looked closely at the packets to see if they include data?
Hi, yes, the packets don't include data. I have checked that. Will share some snapshots. Can't share the complete capture. Please help.
The RST/ACK might just be a quick way to close the connection:
https://osqa-ask.wireshark.org/questi...
If you send the syslog as UDP is there data (log message) in the packet?
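A way to check the SIEM's TCP 514 listener independently of the appliance, as an added example that is not part of this thread: it sends one LF-framed syslog line over TCP and reports whether the handshake completed, whether the peer reset the connection after it, and what a throwaway local listener (a stand-in for the SIEM) actually received. The hostname, app name and message contents are constructed for the test.

```python
import datetime
import socket
import threading

def syslog_line(msg, hostname="siem-test", app="tcp514-check", pri=13):
    """RFC 3164 style line; LF-terminated, the framing most TCP syslog receivers expect."""
    ts = datetime.datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {app}: {msg}\n"

def send_tcp_syslog(host, port, line, timeout=3.0):
    """Send one line over TCP. Returns (handshake_ok, bytes_sent, error)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = line.encode()
            s.sendall(data)
            s.shutdown(socket.SHUT_WR)  # orderly FIN rather than an abrupt RST
            return True, len(data), None
    except ConnectionRefusedError as e:
        return False, 0, f"refused (no listener on {port}?): {e}"
    except ConnectionResetError as e:
        return True, 0, f"peer sent RST after the handshake: {e}"
    except OSError as e:
        return False, 0, str(e)

def start_test_listener(host="127.0.0.1"):
    """Throwaway receiver on an ephemeral port (constructed stand-in for the SIEM)."""
    received = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(4096):  # stop on the client's FIN
                buf += chunk
        received.append(buf.decode())
        srv.close()
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, received, t

def self_test():
    # Loopback end-to-end check; returns the decoded line the listener got.
    port, received, t = start_test_listener()
    ok, n, err = send_tcp_syslog("127.0.0.1", port, syslog_line("probe"))
    t.join(5)
    assert ok and err is None and n > 0, err
    return received[0] if received else ""
```

Run self_test() for the loopback check, or point send_tcp_syslog at the SIEM address and port to see whether the listener accepts data at all; a "reset by peer" result there means the connection opened but the receiver dropped it before or while data was sent.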