5 Replies Latest reply on Mar 21, 2018 9:54 AM by bobmarley

    Device's syslogs not getting to NPM/Syslog Viewer

    lauren0rz

      Seemingly out of nowhere, the syslog messages for one of my devices (our core router, of course) stopped coming into the NPM syslog. There were no changes made on the router (I compared config changes between days, since the daily backup job works fine), and it says it's sending logs to the server in 'sh log'. I restarted the Syslog service on my primary poller, and restarted the poller itself. I removed the 'logging host x.x.x.x' and added it back in.

       

      I configured an additional syslog server (our Splunk instance) on the router, and those messages come through fine there.

      I checked the Windows firewall logs and I can see it allowing incoming packets from the router on 514. I ran Wireshark and can see all the actual syslog messages coming in there too.

      I checked my syslog rules/filters (I hadn't added any or changed any recently), but I'm not seeing anything there. I disabled all the rules that even reference the router. The Cisco RTCN rule is at the very top, but I'm not getting anything from that. I've tried disabling/enabling rules, moving them to the bottom and then back to the top, in case something got screwy, but nope. I added a rule at the very top to send any logs from the router to a text file; that's of course got nothing. The SyslogServiceLog files in the ProgramData/Solarwinds folder had nothing useful in them. If it were easy to blow away the syslog filters and import them again, to confirm there's nothing broken there, I would, but that doesn't seem possible.

       

      I'm very much open to suggestions; I didn't have the time or patience to open a support ticket today and I'd be super grateful if I didn't have to do so... I'm hoping it's just something stupid (it usually is...)