As part of device compliance, we have been requested to make sure that all the device logs are reflected in our syslog server.
Our team has been notified that multiple devices are still not getting reflected in our syslog server.
Compared the configuration, checked the routes and firewall blocks, but couldn't find any blockers.
Both working and non-working devices have the same syslog server configured. I have cases where routers configured with HSRP have the active device reflected but the standby device not reflected in QRadar.
Syslog server: QRadar
As long as you have the configuration correct, the logs should be sent to the syslog server.
Do a simple test from the router whose logs are not sent to see whether the device can reach the syslog server.
1. Ping the syslog server - working.
2. Telnet to the syslog server IP on port 514 and see whether the connection opens for you.
Thank you for the suggestion.
Telnet worked for port 601. As 514 is a UDP port, I doubt that telnet will work.
The route is available, but the logs are not getting reflected in the syslog server.
Apologies for the UDP telnet, I totally lost it.
1. The other side needs to be checked: on the device, which interface is used to send the logs?
2. Post the output of show logging.
3. If the Linux server is the syslog server, run tcpdump to see whether any packets from the device are hitting the interface.
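A way to turn step 3 into a compliance check, as an added example that is not part of the thread: feed the output of tcpdump on the syslog server to a short script that counts UDP datagrams per source IP that actually reached the collector on port 514 and lists the expected senders (for instance both members of an HSRP pair) that never showed up. The capture lines and the addresses (10.9.9.9 for the collector, 10.1.1.x for the routers) are constructed placeholders, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n udp port 514` output taken on the syslog
# server. 10.9.9.9 stands in for the collector, 10.1.1.x for the routers.
# The last line is a datagram to port 601 (TCP-style reliable syslog port),
# which must not count as delivery on UDP 514.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 10.1.1.1.49152 > 10.9.9.9.514: UDP, length 120
12:00:01.000200 IP 10.1.1.1.49152 > 10.9.9.9.514: UDP, length 98
12:00:02.000300 IP 10.1.1.3.49153 > 10.9.9.9.514: UDP, length 110
12:00:03.000400 IP 10.1.1.3.49153 > 10.9.9.9.601: UDP, length 110
"""

# Constructed list of devices that must report: the HSRP active (.1),
# the HSRP standby (.2) and a third router (.3).
EXPECTED_SENDERS = {"10.1.1.1", "10.1.1.2", "10.1.1.3"}

# Matches the one-line-per-packet format tcpdump prints for UDP with -n.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)


def count_syslog_senders(capture: str, collector: str, port: int = 514) -> Counter:
    """Count datagrams per source IP that were addressed to collector:port."""
    counts: Counter = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m["dst"] == collector and int(m["dport"]) == port:
            counts[m["src"]] += 1
    return counts


def silent_devices(capture: str, expected: set, collector: str, port: int = 514) -> list:
    """Expected senders from which no datagram reached the collector on port."""
    seen = count_syslog_senders(capture, collector, port)
    return sorted(expected - set(seen))


if __name__ == "__main__":
    print(count_syslog_senders(SAMPLE_CAPTURE, "10.9.9.9"))
    print("silent:", silent_devices(SAMPLE_CAPTURE, EXPECTED_SENDERS, "10.9.9.9"))
```

On a live box the same logic reads `tcpdump -n -l udp port 514` piped in over a fixed interval; a device listed as silent while it shows a correct logging host in show logging points at the source interface, a path asymmetry or a filter in between rather than at the collector.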