Syslog not getting logs

I am trying to get the syslog portion of NPM configure correctly. I also have NCM installed (couldnt find its syslog service though)

I know that my syslog clients are sending correctly as I have tested them with Kiwi on the same server with it receiving logs. I also have them connected to another server and it recieves them when i send out tests. I have turned off the kiwi service and have done netstat showing only SyslogService.exe*32 listening on por 514. Using wireshark I can see the packets coming in and they look correct.

If i put syslog forwarding on the server and point it at itself it will receive syslog logs.

The only issue I have seen is that if i go into syslog viewer -> settings - > alerts/filter rules and click on all servers the only server listed in there is servername(169.254.73.214) in which the IP is obviously incorrect.

I have changed the IP in the config file to the correct IP but have not seen any change on service restarts or rebooting.

Find more posts tagged with

syslog__alerts

Accepted answers

netlogix

oh, and just because, did you check windows firewall? (sometimes easy things are just over looked)

I'd say trying disabling it in all three categories, and if it fixes it, then look around at the rules and make sure UDP 514 inbound for all three classes are enabled.

All comments

Questionario

hmm, the IP should be set correctly, is there no option to have it assigned to all unassigned? dont remember that option anymore...

anyhow, if that does not help, I heard there is an open bug in 10.1.1 where sometimes syslogs are not received correctly which is supposedly fixed in 10.1.2 (still in RC) but that's only what I heard.

TehDuffman

You can have it as "ANY" which is the default but it still doesn't work.

netlogix

When you ran netstat -ano, what address did it show?
Mine shows "UDP 0.0.0.0:514 *:* 4656"
and a tasklist /svc | find "4656"
Mine shows: "SyslogService.exe 4656 SolarwindsSyslogService"

which means it is the right exe/service listining on "ANY" interface ("0.0.0.0").

TehDuffman

Yes that is what mine shows with different PID same service.

Shows 0.0.0.0:514 - syslogservuce.exe if localIP = "ANY" in config file

Shows 192.168.100.1 - syslogservuce.exe if localIP = "192.168.100.1" in config file