5 Replies Latest reply on Jul 27, 2018 2:12 PM by jvogel

    Syslogs Reaching Server, but not Showing up in Syslog Viewer



      For the time being, we're using NPM's Syslog Viewer (v2016.2.0; we have a license for Kiwi, but can't implement it yet). I have the majority of our devices pointing directly to the NPM server handling syslog, but due to segregation, I need some devices to send their messages to a server they can reach, and it can then forward these messages to my NPM server.

      I'm doing this forwarding using rsyslog. I set up a proof-of-concept of this on a VM of Linux Mint (18.3, 32-bit, rsyslog v8.16.0-lubuntu3) I have on my machine, and it worked flawlessly.


      I then spun up a CentOS 7 (64-bit, rsyslog v8.36.0) server and set it up the same way, but this one isn't working like my test did. It's sending all of the syslog messages as it should (udp/514), and these messages are reaching my NPM server (verified with tcpdump on the CentOS server and Wireshark on the NPM server), but the messages from this server won't show up in Syslog Viewer. To muddle things further, if I configure my CentOS server to forward to my Mint server, then have my Mint server forward to the NPM server, those packets will show up in Syslog Viewer just fine.


      Any ideas why this might be? I've tried literally everything I can think of, and this is driving me mad. I've even compared the packets from Syslog messages sent directly (without the rsyslog forward) that Syslog Viewer displays with packets from my forwarded messages, and the only difference I could see there is that the forwarded packets have the Don't Fragment bit set (though I was able to get rid of this by sending larger test syslog packets).