Special Steps for Syslog Forwarder sending to RSyslog on Ubuntu?

I have an Ubuntu server running RSyslog, which has been in use for some time, gathering logs from a number of network switches and routers.  I am doing a pilot of sending Windows logs to this server, and am trying out the Solarwinds forwarder.  It is not working as expected, and I'm hoping maybe someone has been there before me, and can point me to something special I need to do.

Here are the details.

I have installed the forwarder on a Windows 10 workstation and configured it to send App, System and Security log entries.  I have configured rsyslog on the Ubuntu box to place the received log entries in a named file (same setup that has worked for a couple of years for the existing syslog senders).

When I first set it up, I did test entries for System and App logs.  Security doesn't seem to be "testable".  Those initial two entries showed up in the appropriate file, but nothing else.  The entries do not appear to be going to any other file in the /var/log directory either.

Here are some of the things I have tested:

Packet Capture

Running Wireshark on the Windows machine and TShark on Ubuntu I *see* the UDP syslog traffic between the machines.  It's there at both ends.

UDP/TCP

I've tried both protocols (both are enabled in rsyslog.conf). I see the packet traffic at both ends with either protocol.

Facilities

I've set the forwarder to tag traffic as at least 4 or 5 different "facilities" to see if rsyslog did something different with it - no change.

Message size

I checked the length of messages as seen by TShark at the Ubuntu end.  They averaged about 1600 bytes, so I set the rsyslog MaxMessageSize to 4K.  No joy.

Is there something obvious that I'm missing?  Any suggestions would be appreciated!

  • Problem Solved

    This turned out to be Error Zero: Replace or Reboot Sys Admin.  [le sigh]  But let me share in case someone else makes my boneheaded mistake.

    I decided after the first test to change the target directory for the log file.  After posting the message above, it occurred to me that maybe I had mistyped the directory name in the rsyslog.d file that redirected the messages, so I went and checked.  Nope - dir name was fine.   What *wasn't* fine was the OWNERSHIP of the target directory.

    A quick chown syslog:syslog {dirname} and all was sweetness and light.

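The check the answer above arrived at by hand (does the directory the rsyslog rule writes into belong to the user rsyslog runs as after dropping privileges?) is easy to script. The following is an added example, not code from the original thread or from the rsyslog project. It assumes a per-host rule in /etc/rsyslog.d, that the privilege-drop user is set with the legacy `$PrivDropToUser` directive (which is what Ubuntu's stock rsyslog.conf uses), and it uses a made-up client address (192.0.2.10) and a made-up directory (/var/log/remote); substitute your own.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the directory an rsyslog
# omfile rule writes into is owned by the user rsyslog drops privileges to.
# Paths, the client address and the directory layout below are assumptions.

# Print the user rsyslog drops to, read from the given config file.  Only the
# legacy "$PrivDropToUser <name>" directive is recognised.  If it is absent,
# print "root": without the directive no privilege drop happens, so root's
# write access applies and directory ownership is not the problem.
privdrop_user() {
    conf="$1"
    u=$(sed -n 's/^[[:space:]]*\$PrivDropToUser[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${u:-root}"
}

# Return 0 if DIR exists and is owned by USER, 1 otherwise (reason on stderr).
check_log_dir_owner() {
    dir="$1"; user="$2"
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 1
    fi
    # GNU stat first, BSD stat as a fallback.
    owner=$(stat -c '%U' "$dir" 2>/dev/null || stat -f '%Su' "$dir")
    if [ "$owner" != "$user" ]; then
        echo "$dir is owned by $owner, but rsyslog writes as $user" >&2
        return 1
    fi
    return 0
}

# Create DIR (if needed) and give it to USER:GROUP, mode 0750.  This is the
# "chown syslog:syslog {dirname}" from the answer, with the mode made explicit.
fix_log_dir_owner() {
    dir="$1"; user="$2"; group="$3"
    mkdir -p "$dir"
    chown "$user:$group" "$dir"
    chmod 0750 "$dir"
}

# Emit an rsyslog.d rule that sends everything from HOST to DIR/HOST.log and
# stops further processing, so the messages do not also land in /var/log/syslog.
# RainerScript syntax; the fileOwner/dirOwner parameters make omfile create the
# file (and, with createDirs, the directory) already owned by the drop user.
rsyslog_rule_for_host() {
    host="$1"; dir="$2"; user="$3"
    printf 'if $fromhost-ip == "%s" then {\n' "$host"
    printf '    action(type="omfile" file="%s/%s.log"\n' "$dir" "$host"
    printf '           fileOwner="%s" dirOwner="%s" createDirs="on")\n' "$user" "$user"
    printf '    stop\n}\n'
}

# Usage: sh check_rsyslog_dir.sh <dir> [rsyslog.conf]
# Reports the ownership mismatch and prints the chown that fixes it, rather than
# running it, since that needs root.
main() {
    dir="$1"; conf="${2:-/etc/rsyslog.conf}"
    user=$(privdrop_user "$conf")
    if check_log_dir_owner "$dir" "$user"; then
        echo "ok: $dir is owned by $user"
    else
        echo "fix with: sudo chown $user:$user $dir"
        exit 1
    fi
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

After correcting ownership, a quick confirmation that needs no Windows forwarder is `sudo -u syslog touch /var/log/remote/probe` (rsyslog's user must be able to create files there, not just enter the directory), followed by a test message from any Linux client with `logger -n <server> -P 514 -d "rsyslog dir test"`; the line should appear in the per-host file within a second.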