Auvik’s syslog feature allows you to troubleshoot faster by providing centralized access to syslog messages. Please make sure to review our relevant syslog and syslog device configuration articles to ensure no steps have been missed while setting up syslog:
Once the device has been correctly configured for syslog, the status of your device under Syslog > Summary should change to Forwarding.
If you’ve configured syslog but the device status hasn’t changed, try the following three steps to help with troubleshooting:
1. Confirm the source/destination IP address for Syslog
When configuring syslog on a device, you’ll typically be required to enter a destination IP address for syslog messages. If you only have one collector monitoring a site, this will be the IP address of the collector, as shown under Auvik Collectors.
If you have multiple IP addresses configured on the collector, ensure that the destination IP address is reachable from the device and that it is one of the IP addresses shown in the Export Information column under Syslog > Summary. Syslog messages sent to a collector address that is not on that list will be discarded.
It’s also important to make sure that the source IP address used for syslog messages belongs to a subnet that is set to Scan or they will be discarded by the collector.
2. Ensure that the collector is bound to the port
When first deploying the collector, the service will bind to port 514 in order to receive syslog messages. If this port is being used by another service, it will prevent Auvik from binding to the port and receiving syslog messages.
Confirm that port 514 on the Windows collector and port 54059 on the Ubuntu collector* are bound to the collector service, using the following commands:
- On Windows: “netstat -tnab”
- On Ubuntu: “netstat -tulnpa”
* Even though the collector is bound to port 54059 on Ubuntu, you’ll still want to configure the device to send syslog messages to port 514.
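The two checks above (step 1, addressing, and step 2, port binding) can be pre-screened offline before running a packet capture. The script below is an added example, not Auvik's code: it applies the article's two addressing rules (destination must be in the Export Information list, source must sit in a subnet set to Scan) and parses netstat-style output from either platform to report which program, if any, is bound to a given port. The netstat output, IP addresses, subnets and program names in it are constructed samples, and the lookahead for a bracketed executable name assumes the layout that `netstat -b` prints on Windows.

```python
"""Offline pre-checks for troubleshooting steps 1 and 2.

Added example, not Auvik's code. The sample netstat output below is
constructed; program names in it are placeholders, not the collector's
real process name.
"""
import ipaddress
import re

SYSLOG_PORT = 514         # port the device must send to (both collector platforms)
UBUNTU_BIND_PORT = 54059  # port the collector service actually binds on Ubuntu


def check_addresses(source_ip, destination_ip, export_ips, scan_subnets):
    """Step 1: return the reasons the collector would discard a message sent
    from source_ip to destination_ip; an empty list means both look right."""
    problems = []
    if destination_ip not in set(export_ips):
        problems.append(
            f"destination {destination_ip} is not one of the collector's "
            f"Export Information addresses {sorted(export_ips)}")
    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(n, strict=False) for n in scan_subnets):
        problems.append(f"source {source_ip} is not in any subnet set to Scan")
    return problems


# "0.0.0.0:54059", "[::]:514", ":::5353" -> capture the port; "*:*" never matches
LOCAL_ADDR = re.compile(r"^\[?[0-9a-fA-F.:*]+\]?:(\d+)$")
PID_PROG = re.compile(r"^\d+/(\S+)$")       # Linux 'PID/Program name' column
WIN_PROG = re.compile(r"^\s*\[(.+)\]\s*$")  # Windows netstat -b: [exe] below the socket


def bound_sockets(netstat_output):
    """Step 2: parse netstat-style output into {(proto, port): program-or-None}.
    Only the first address:port token per line is used, i.e. the Local Address."""
    lines = netstat_output.splitlines()
    found = {}
    for i, line in enumerate(lines):
        fields = line.split()
        if len(fields) < 2:
            continue
        proto = fields[0].lower()
        if not proto.startswith(("tcp", "udp")):
            continue
        port = None
        for tok in fields[1:]:
            m = LOCAL_ADDR.match(tok)
            if m:
                port = int(m.group(1))
                break
        if port is None:
            continue
        program = None
        m = PID_PROG.match(fields[-1])
        if m:
            program = m.group(1)
        else:  # Windows: the executable name follows on one of the next two lines
            for nxt in lines[i + 1:i + 3]:
                if nxt.split() and nxt.split()[0].lower().startswith(("tcp", "udp")):
                    break
                m = WIN_PROG.match(nxt)
                if m:
                    program = m.group(1)
                    break
        found[(proto.rstrip("6"), port)] = program
    return found


def port_listeners(netstat_output, port):
    """Return sorted [(proto, program)] for every socket bound to `port`;
    an empty list means nothing on the host has bound it."""
    hits = [(proto, prog) for (proto, p), prog in bound_sockets(netstat_output).items()
            if p == port]
    return sorted(hits, key=lambda t: (t[0], t[1] or ""))


# Constructed sample of `netstat -tulnpa` on an Ubuntu collector (placeholder names).
UBUNTU_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      612/systemd-resolve
udp        0      0 0.0.0.0:54059           0.0.0.0:*                           2210/placeholder-svc
udp6       0      0 :::5353                 :::*                                801/avahi-daemon
"""

# Constructed sample of `netstat -tnab` on a Windows collector (placeholder names).
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           Offload State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       InHost
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:514            *:*
 [placeholder-collector.exe]
"""

if __name__ == "__main__":
    print(check_addresses("10.0.1.20", "10.0.1.5", ["10.0.1.5"], ["10.0.1.0/24"]))
    print(port_listeners(UBUNTU_SAMPLE, UBUNTU_BIND_PORT))
    print(port_listeners(WINDOWS_SAMPLE, SYSLOG_PORT))
```

Paste the real netstat output from your collector into `port_listeners` with 514 (Windows) or 54059 (Ubuntu): an empty result means the collector never bound the port, and a result naming some other program means that program took the port first, which is the conflict step 2 describes.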
3. Run and review a packet capture
Once you’ve confirmed that the correct IP address(es) have been configured, and the collector is bound to the port, the final step will be to run a packet capture in order to confirm whether syslog is reaching the collector.
To run the packet capture you’ll want to first access the collector shell using the steps outlined here: https://support.auvik.com/hc/en-us/articles/215149766-How-do-I-debug-using-the-Auvik-collector-#topic_enable
Once in the collector shell, you can enter the command “pcap start” to run a packet capture for 60 seconds. Once completed, use the command “copylogs” to upload the packet capture to Auvik support for review. Be sure to copy the URL that is returned. Reach out to Auvik support with the URL for the logs and we’ll be happy to review the packet capture for you.