Troubleshooting Remote Syslog and Forwarding

https://systemwrights.org/wordpress/?p=444

A sequence of checks that help troubleshoot log forwarding.

Know the network addresses of the source and destination systems. Ping or traceroute them, so you know the network path works before blaming the syslog configuration.

On Each System Do The Following:

Run netstat -tulpn | grep 514 <- substitute the port you expect to see here (on systems without netstat, ss -tulpn gives the same view)

Run ps ax | grep syslog
or
Run ps ax | grep rsyslog

In either case you should see that your syslog daemon is running: listening on the receiver, sending from the source.

IF NOT:

On each system check /etc/rsyslog.conf and any includes found in the /etc/rsyslog.d/ subdirectory. The receiving side must load the input modules (imudp and/or imtcp) and start an input on the expected port, otherwise nothing is listening; the sending side must have a forward action pointing at the receiver. Check the configuration syntax with
rsyslogd -N1
and, to get a full trace of what the daemon does at startup, run it in the foreground in debug mode with
rsyslogd -dn
The debug output shows which modules loaded, which listeners were opened and which actions failed. Double check the port numbers and addresses in both systems' configs: TCP port, UDP port or UNIX socket, whichever is used, has to match at both ends.
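As an added example (not configuration from the original post), here are the two halves that have to agree: the receiver opens the port, the sender forwards to it. The hostname loghost and port 514 are placeholders. Legacy directives and their RainerScript equivalents are both shown; pick one form per system, because loading the same input twice on one port is itself a config error.

```conf
# Receiver side: load an input module and open the port, otherwise nothing listens.
# Legacy form:
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

# ...or the equivalent RainerScript form (use one form, not both):
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Sender side: forward everything to the receiver (loghost is a placeholder).
# One @ is UDP, two @@ is TCP; the port after the colon must match what the
# receiver opened above.
*.* @loghost:514
*.* @@loghost:514
# RainerScript equivalent of the TCP forward:
action(type="omfwd" target="loghost" port="514" protocol="tcp")
```

After editing either side, restart rsyslog and re-run the netstat check on the receiver: the port should now show up with rsyslogd as the owning process.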

After Any Reconfiguration:

Make one change at a time and test after each, so you know which change fixed (or broke) things. Remember that the service has to be restarted after any change before the new configuration is picked up and used.

MY FAVORITE GOTCHA TODAY:
In the forward statement the number of @ signs selects the transport:

*.* @[ip|host][:port] sends UDP

and

*.* @@[ip|host][:port] sends TCP.

Note there is no colon between the selector and the @; the colon only separates the host from an optional port (514 if omitted). A sender using one @ against a receiver that only opened a TCP listener (or the other way round) passes every other check above and still delivers nothing.
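As an added example (not code from the original post), the following POSIX shell helpers mechanise the checks above and the @ vs @@ gotcha: one function reads netstat -tulpn output and reports which protocols actually listen on a port, another pulls every forward action out of a config and labels it UDP or TCP, and a live mode runs the real commands against the local system. Port 514, the hostnames, and the sample netstat output are constructed for illustration; the config paths are the ones named in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers that mechanise the
# checks above. Port 514, the host names and the sample netstat output are
# constructed for illustration; the config paths are the ones named in the post.

# The gotcha: one @ forwards over UDP, two @@ over TCP. Anything else is not
# a forward action (a file, a pipe, ...).
fwd_proto() {
    case "$1" in
        *'@@'*) echo tcp ;;
        *'@'*)  echo udp ;;
        *)      echo none ;;
    esac
}

# Read an rsyslog config on stdin and print "proto target" for every legacy
# forward action, skipping comment lines. Handles @host, @@host:port and the
# @@(o)host framing-option form.
forward_targets() {
    grep -E '^[[:space:]]*[^#[:space:]].*@' | while IFS= read -r line; do
        target=$(printf '%s\n' "$line" |
            sed -E 's/^[^@]*@@?(\([^)]*\))?//; s/[[:space:];].*$//')
        printf '%s %s\n' "$(fwd_proto "$line")" "$target"
    done
}

# Read "netstat -tulpn" output on stdin and print which protocols have a
# listener on port $1: "tcp", "udp", "tcp udp" or an empty line.
listeners_on_port() {
    awk -v p="$1" '
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ (":" p "$") { seen[substr($1, 1, 3)] = 1 }
        END {
            out = ""
            if ("tcp" in seen) out = "tcp"
            if ("udp" in seen) out = out (out == "" ? "" : " ") "udp"
            print out
        }'
}

# Constructed sample of what a correctly configured receiver shows.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1234/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      1234/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1234/rsyslogd'

# Run the checks from the post against the local system (needs rsyslog installed).
live_checks() {
    port="${1:-514}"
    echo "== listeners on port $port"
    { command -v ss >/dev/null 2>&1 && ss -tulpn || netstat -tulpn; } 2>/dev/null |
        grep -E ":${port}([[:space:]]|$)" || echo "(nothing listening on $port)"
    echo "== syslog processes"
    ps ax | grep '[r]syslog' || echo "(no syslog daemon running)"   # [r] keeps grep out of its own results
    echo "== config syntax check"
    rsyslogd -N1
    echo "== forward actions in /etc/rsyslog.conf and /etc/rsyslog.d/*.conf"
    cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null | forward_targets
}

# Only touch the live system when asked; otherwise just define the helpers.
if [ "${1:-}" = --live ]; then
    live_checks "${2:-514}"
fi
```

Run it as `sh check-syslog.sh --live 514` on both ends: the receiver should report tcp and/or udp listeners owned by rsyslogd, the sender should report forward actions whose protocol matches what the receiver opened. If the sender says udp and the receiver only shows tcp, that is exactly the @ vs @@ mismatch above.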