Syslog is not receiving data.
Does TPAM send via UDP or TCP to the Syslog server?
- Syslog server only listening on TCP ports not UDP
- Syslog server not configured to accept traffic from TPAM appliances
- Firewall blocking the UDP syslog traffic
The destination syslog server and port are specified in /admin | System Status | SysLog Configuration.
TPAM sends syslog data on only the UDP port specified.
- Ensure the syslog software is configured for UDP on the port specified (some syslog software defaults to listening only on TCP ports).
- Ensure the syslog software accepts traffic from all TPAM console appliance IP addresses (Primary and replicas).
- Ensure firewalls are not blocking the UDP traffic.
The firewall on the syslog server must be configured to allow UDP traffic. Note that while a TCP port can be tested with a telnet test, this test is not applicable to UDP ports.
Depending on the server running the syslog software, the listening ports can be verified with the appropriate command:
netstat -anp | grep 514 (this works on a test Ubuntu system) will return:
udp 0 0 0.0.0.0:514 0.0.0.0:* 15028/syslog-ng
This shows that UDP port 514 is listening on 0.0.0.0 (all interfaces) and that the software listening on that port is 'syslog-ng'.
Note that the above command with -p may also show another service already listening on UDP port 514 - if a new syslog service is added to a system, it is important to remove or disable any existing syslog services.
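As an added example (not part of the original article), the shell function below reads `netstat -anp` output and reports whether the syslog port has a UDP listener, is TCP-only, or is held by more than one program. The function name check_syslog_listener and the sample rows are assumptions constructed for illustration; the port is matched exactly, so rows that `grep 514` would also return (port 5140, PID 514) are ignored.

```shell
#!/bin/sh
# Added example, not from the original article.
# Live use (root is needed for program names): sudo netstat -anp | check_syslog_listener 514
check_syslog_listener() {
    awk -v port="${1:-514}" '
    # Only udp/tcp rows (including udp6/tcp6); column 4 is the local address.
    $1 ~ /^(udp|tcp)6?$/ {
        n = split($4, a, ":")
        if (a[n] != port) next                       # exact port, unlike grep 514
        proto = substr($1, 1, 3)
        if (proto == "tcp" && $6 != "LISTEN") next   # ignore established sessions
        prog = $NF
        sub(/^[0-9]+\//, "", prog)                   # 15028/syslog-ng -> syslog-ng
        if (proto == "tcp") { tcp++; next }
        udp++
        if (!(prog in seen)) {                       # same program on v4 and v6 counts once
            seen[prog] = 1
            owners = owners (owners ? "," : "") prog
            nown++
        }
    }
    END {
        if (udp && nown > 1) print "CONFLICT: UDP " port " held by " owners
        else if (udp)        print "OK: UDP " port " listening (" owners ")"
        else if (tcp)        print "TCP_ONLY: " port " listens on TCP but not UDP"
        else                 print "NONE: nothing listening on " port
    }'
}

# Constructed sample rows (not real output): a TCP-only listener plus a
# look-alike row that a plain grep 514 would also match.
SAMPLE='tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 900/rsyslogd
udp 0 0 0.0.0.0:5140 0.0.0.0:* 514/other'
printf '%s\n' "$SAMPLE" | check_syslog_listener 514
```

TCP_ONLY corresponds to the first cause listed above, and CONFLICT to a second syslog service that still needs to be removed or disabled.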
Depending on the OS running the syslog software, the incoming traffic on the port can be verified:
sudo tcpdump -s0 -l -i eth1 port 514 (again on an Ubuntu system)
The above command (adjust eth1 and the command syntax to match the environment) will dump traffic seen on both UDP and TCP for that port, which may help narrow down the issue. If TPAM traffic is seen on this port but the syslog server is not capturing the data, the syslog server is not configured correctly. Alternatively, if traffic is not seen, either TPAM is not sending anything, or the traffic is being blocked, is not on the correct subnet, etc.