Our syslog servers are in a subnet attached only to our core router... no other path to them. They are collecting syslog messages (udp 514) from all over our network. We log over a gig per day.
The syslog VLAN has an ACL applied out.
The lines permitting any host to hit the syslog server for udp eq syslog show no hits at all.
Are there conditions that would preclude hits from registering? I can't find any other ACL lines prior to these entries that would permit these specific packets through and there is a "deny ip any any" at the end of the list. Other ACLs in the list show up to millions of hits, so I know they are functioning and in use.
I don't understand why they aren't showing up in the hit counts?!