On Sentinel 7.1.2 we have turned off auto adding of event sources for a
syslog connector. We decided to add event sources manually.

I'm not sure if I should be adding event sources by their hostname, by
their IP address, or by some other name. How can I categorically confirm
what name to use when adding event sources manually, please?

One of my Juniper firewalls wasn't working, so we enabled extra logging
for the syslog connector in the following file:

File name: etc/opt/novell/sentinel/conf/collector_manager_log.prop
Line added:
esecurity.ccs.comp.evtsrcmgt.connector.syslogserver.SyslogConnectorServer.level=ALL

Then I looked at the log; strangely, it has errors that read:
HOST *Nov*-".

The event source works if I create a syslog event source named with the
first 3 letters of the month (Nov, Dec, Jan, etc.). I'm adding a new event
source each month to keep it going.

I have more event sources and am facing a similar issue with them.

If I were to run "tcpdump -v host <hostname/IP address>" on the
collector manager receiving syslog, this would give me a dump of the data
coming from the event source. I need to know how Sentinel determines
the event source name from that dump.

Sorry if it's complicated; I did my best to explain.

pimpalp's Profile: https://forums.netiq.com/member.php?userid=5587
View this thread: https://forums.netiq.com/showthread.php?t=52855
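As an added illustration (not from the post above, and not Sentinel's or NetIQ's code): a minimal RFC 3164 header parser run over constructed sample lines. It assumes the connector keys event sources on the HOSTNAME field of the syslog header, and that a tolerant parser takes the first whitespace token when the header does not conform; under those assumptions a timestamp that carries a year (which RFC 3164 does not allow) yields exactly the month-abbreviation "host" the poster is seeing.

```python
import re

# Constructed sample lines (not captured from the poster's firewall); the
# device name "fw1" and the RT_FLOW text are placeholders.
GOOD = "<134>Nov 12 09:15:01 fw1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created"
BAD_TS = "<134>Nov 12 2014 09:15:01 fw1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created"
NO_HDR = "<134>RT_FLOW: RT_FLOW_SESSION_CREATE: session created"

PRI = r"^(?:<(?P<pri>\d{1,3})>)?"
# RFC 3164 TIMESTAMP is exactly "Mmm dd hh:mm:ss" (day space-padded), no year.
RFC3164_HEADER = re.compile(
    PRI + r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_rfc3164(line):
    """Return (host, header_ok).

    A compliant header yields its HOSTNAME field. Otherwise fall back the way
    a tolerant receiver might: drop the PRI and take the first whitespace
    token. The fallback is an assumption made to reproduce the symptom in the
    post, not documented Sentinel behaviour.
    """
    m = RFC3164_HEADER.match(line)
    if m:
        return m.group("host"), True
    body = re.sub(r"^<\d{1,3}>", "", line)
    return body.split(" ", 1)[0], False


def check_lines(lines):
    """Diagnostic for syslog lines pulled from a packet capture: for each line
    report whether the header parses and what a naive parser would take as
    the host, so misnamed event sources can be traced to the sending device."""
    report = []
    for line in lines:
        host, ok = parse_rfc3164(line)
        note = "RFC 3164 header OK" if ok else f"header malformed; naive host would be {host!r}"
        report.append((host, ok, note))
    return report


if __name__ == "__main__":
    for host, ok, note in check_lines([GOOD, BAD_TS, NO_HDR]):
        print(f"host={host!r:12} ok={ok!s:5} {note}")
```

Feed it the payload lines of the tcpdump capture mentioned above to see which devices send a header that parses and which would produce a month name as the host.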