I have an Ubuntu server running RSyslog, which has been in use for some time, gathering logs from a number of network switches and routers. I am doing a pilot of sending Windows logs to this server, and am trying out the Solarwinds forwarder. It is not working as expected, and I'm hoping maybe someone has been there before me, and can point me to something special I need to do.
Here are the details.
I have installed the forwarder on a Windows 10 workstation and configured it to send App, System and Security log entries. I have configured rsyslog on the Ubuntu box to place the received log entries in a named file (same setup that has worked for a couple of years for the existing syslog senders).
When I first set it up, I did test entries for System and App logs. Security doesn't seem to be "testable". Those initial two entries showed up in the appropriate file, but nothing else. The entries do not appear to be going to any other file in the /var/log directory either.
Here are some of the things I have tested:
Packet capture:
Running Wireshark on the Windows machine and TShark on Ubuntu I *see* the UDP syslog traffic between the machines. It's there at both ends.
UDP/TCP:
I've tried both protocols (both are enabled in rsyslog.conf). I see the packet traffic at both ends with either protocol.
Facilities:
I've set the forwarder to tag traffic with at least 4 or 5 different "facilities" to see if rsyslog did something different with it - no change.
Message size:
I checked the length of messages as seen by TShark at the Ubuntu end. They averaged about 1600 bytes, so I set the rsyslog MaxMessageSize to 4K. No joy.
Is there something obvious that I'm missing? Any suggestions would be appreciated!
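An added example, not part of the original post, of an rsyslog (RainerScript) configuration that isolates this kind of "packets arrive but nothing is written" case: the message size limit is set before any input module is loaded, both listeners are bound to one ruleset, and that ruleset writes every received message to a file with no facility or severity filter. The file names, the port and the size value are assumptions.

```conf
# /etc/rsyslog.d/10-windows.conf   (assumed file name)

# maxMessageSize only takes effect for inputs loaded AFTER it,
# so it has to come first (8k is an assumed value that covers ~1600-byte events)
global(maxMessageSize="8k")

module(load="imudp")
input(type="imudp" port="514" ruleset="windows")   # assumed port

module(load="imtcp")
input(type="imtcp" port="514" ruleset="windows")   # assumed port

ruleset(name="windows") {
    # no selector: every message from these inputs lands here,
    # whatever facility/severity the forwarder tagged it with
    action(type="omfile" file="/var/log/windows-events.log")   # assumed path
    # keep the default rules in 50-default.conf from also processing it
    stop
}
```

Run `rsyslogd -N1` to syntax-check the file before restarting, and send a test line from another host with `logger -n <server> -P 514 -d "rsyslog test"` (UDP; `-T` for TCP) to confirm the ruleset writes it.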