Hi,
Trying to connect a SLES11SP3 IDM server to Sentinel 7.1 appliance version.
This is my config on the IDM machine:

/etc/syslog-ng/syslog-ng.conf
destination d_sentinel { tcp("192.168.0.7" port(1468)); };
log { source(src); destination(d_sentinel); };

The IDM machine has IP 192.168.0.6 and is sending audit data to Sentinel
from eDirectory/IDM/NMAS, i.e. the Platform Agent is sending data
successfully but syslog won't do the same.

I did a tcpdump capture on the IDM machine:

12:37:18.246732 IP 192.168.0.6.43995 > 192.168.0.7.1468: tcp 35
0x0000: 4500 0057 04df 4000 4006 b464 c0a8 0006 E..W..@.@..d....
0x0010: c0a8 0007 abdb 05bc f350 d21a 0164 0963 .........P...d.c
0x0020: 8018 0073 81a7 0000 0101 080a 039f e8d0 ...s............
0x0030: 0136 2c99 3c31 333e 4e6f 7620 2032 2031 .6,.<13>Nov..2.1
0x0040: 323a 3337 3a31 3820 6964 6d20 726f 6f74 2:37:18.idm.root
0x0050: 3a20 7465 7374 0a :.test.
12:37:18.247283 IP 192.168.0.7.1468 > 192.168.0.6.43995: tcp 0
0x0000: 4500 0034 e603 4000 4006 d362 c0a8 0007 E..4..@.@..b....
0x0010: c0a8 0006 05bc abdb 0164 0963 f350 d23d .........d.c.P.=
0x0020: 8010 01fa 516e 0000 0101 080a 0136 3264 ....Qn.......62d
0x0030: 039f e8d0 ....
12:37:20.824994 IP 192.168.0.6.43995 > 192.168.0.7.1468: tcp 35
0x0000: 4500 0057 04e0 4000 4006 b463 c0a8 0006 E..W..@.@..c....
0x0010: c0a8 0007 abdb 05bc f350 d23d 0164 0963 .........P.=.d.c
0x0020: 8018 0073 81a7 0000 0101 080a 039f eb55 ...s...........U
0x0030: 0136 3264 3c31 333e 4e6f 7620 2032 2031 .62d<13>Nov..2.1
0x0040: 323a 3337 3a32 3020 6964 6d20 726f 6f74 2:37:20.idm.root
0x0050: 3a20 7465 7374 0a :.test.
12:37:20.825564 IP 192.168.0.7.1468 > 192.168.0.6.43995: tcp 0
0x0000: 4500 0034 e604 4000 4006 d361 c0a8 0007 E..4..@.@..a....
0x0010: c0a8 0006 05bc abdb 0164 0963 f350 d260 .........d.c.P.`
0x0020: 8010 01fa 4c41 0000 0101 080a 0136 34e9 ....LA.......64.
0x0030: 039f eb55 ...U
The Sentinel server OS itself is logging successfully to Sentinel using
syslog.
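To read a capture like the one above without eyeballing hex, here is an added example (not part of the original post) that parses `tcpdump -x` output, decodes the IPv4/TCP headers, extracts the syslog message and checks that the Sentinel side's ACK number covers every payload byte, i.e. that delivery succeeded at the TCP layer and the problem lies in the collector. The sample capture is the first two packets from the post, embedded as a constructed string.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: first syslog segment and Sentinel's ACK, copied from the post's tcpdump -x.
CAPTURE = """\
12:37:18.246732 IP 192.168.0.6.43995 > 192.168.0.7.1468: tcp 35
0x0000: 4500 0057 04df 4000 4006 b464 c0a8 0006 E..W..@.@..d....
0x0010: c0a8 0007 abdb 05bc f350 d21a 0164 0963 .........P...d.c
0x0020: 8018 0073 81a7 0000 0101 080a 039f e8d0 ...s............
0x0030: 0136 2c99 3c31 333e 4e6f 7620 2032 2031 .6,.<13>Nov..2.1
0x0040: 323a 3337 3a31 3820 6964 6d20 726f 6f74 2:37:18.idm.root
0x0050: 3a20 7465 7374 0a :.test.
12:37:18.247283 IP 192.168.0.7.1468 > 192.168.0.6.43995: tcp 0
0x0000: 4500 0034 e603 4000 4006 d362 c0a8 0007 E..4..@.@..b....
0x0010: c0a8 0006 05bc abdb 0164 0963 f350 d23d .........d.c.P.=
0x0020: 8010 01fa 516e 0000 0101 080a 0136 3264 ....Qn.......62d
0x0030: 039f e8d0 ....
"""

def packets(dump):
    """Split tcpdump -x output into raw IPv4 packets; each summary line starts a new packet."""
    out = []
    for line in dump.splitlines():
        if not line.startswith("0x"):
            out.append(bytearray())
            continue
        for tok in line.split()[1:9]:           # at most 8 hex groups, then the ASCII column
            if not re.fullmatch(r"[0-9a-f]{2,4}", tok):
                break
            out[-1] += bytes.fromhex(tok)
    return [bytes(p) for p in out]

def decode(pkt):
    """Pull the IPv4/TCP fields needed to check delivery: endpoints, seq/ack, payload."""
    ihl, total = (pkt[0] & 0x0F) * 4, int.from_bytes(pkt[2:4], "big")
    tcp = pkt[ihl:]                               # IHL is in 32-bit words
    return {"src": f"{IPv4Address(pkt[12:16])}:{int.from_bytes(tcp[0:2], 'big')}",
            "dst": f"{IPv4Address(pkt[16:20])}:{int.from_bytes(tcp[2:4], 'big')}",
            "seq": int.from_bytes(tcp[4:8], "big"),
            "ack": int.from_bytes(tcp[8:12], "big"),
            "payload": pkt[ihl + (tcp[12] >> 4) * 4:total]}   # data offset is also in words

def syslog_fields(payload):
    """BSD syslog PRI header: facility = PRI >> 3, severity = PRI & 7 (RFC 3164)."""
    pri, msg = re.match(rb"<(\d{1,3})>(.*)", payload, re.S).groups()
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7, "msg": msg.decode().rstrip("\n")}

def check(dump):
    # Returns (decoded syslog message, True if the peer's ACK covers every payload byte sent)
    data, ack = (decode(p) for p in packets(dump)[:2])
    return syslog_fields(data["payload"]), ack["ack"] == data["seq"] + len(data["payload"])
```

For the post's capture the result is facility 1 (user) / severity 5 (notice) and a full ACK of the 35 payload bytes, so the next place to look is the Sentinel syslog connector's port and source configuration, not the network path.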