Need help with vCenter syslog event source in IDR

I am having some trouble getting vCenter syslogs into IDR. I have configured both the vCenter side and the IDR side, and the connection seems to be working, but I am not seeing any event logs. I’m not really sure what the issue is.

See screenshot for config details:

Have you tried taking a tcpdump on the collector to make sure the syslog is arriving? If you don’t see it, then you probably have an ACL or a firewall in the path blocking the connection from the vmware server to the collector.


To add to this, on occasion we have seen customers show a packet capture in which packets arrive at the NIC, but the collector is still not getting anything. In this case, I’d recommend checking that there is no software firewall running on the collector preventing the service from fetching those UDP packets further up the stack.

Lastly, you could run a simple test to verify that the vCenter is not at fault by opening a netcat session to the UDP port.

nc -u <collector-ip> 516

Once open, you can type a simple test message and hit enter. This should be viewable by hitting the View Raw Log button on the event source (within a minute or so).
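A scripted version of the netcat test above, as an added example that is not part of the original posts: it sends a syslog-style line over UDP, and its loopback self-test shows that a UDP send reports success even when nothing is listening, so arrival has to be confirmed on the receiving side. The hostname, tag and function names are illustrative assumptions; 516 is the port used in the thread.

```python
import socket
import sys
from datetime import datetime


def build_syslog(message, hostname="test-sender", tag="idr-test", facility=1, severity=6):
    """Build an RFC 3164-style line: <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE."""
    pri = facility * 8 + severity  # user.info -> 14
    now = datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # day of month is space-padded
    return f"<{pri}>{stamp} {hostname} {tag}: {message}".encode("utf-8")


def send_udp(host, port, payload):
    """Send one datagram; returns bytes handed to the OS, which is not proof of delivery."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(payload, (host, port))


def receive_one(rx, timeout=2.0):
    """Return the next datagram on a bound socket, or None if nothing arrives in time."""
    rx.settimeout(timeout)
    try:
        return rx.recvfrom(4096)[0]
    except socket.timeout:
        return None


def loopback_selftest():
    """Send to a local listener, then to the same port after the listener is gone."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))  # ephemeral port, so no conflict with a real collector
    port = rx.getsockname()[1]
    payload = build_syslog("constructed test message")
    sent = send_udp("127.0.0.1", port, payload)
    received = receive_one(rx)
    rx.close()
    sent_blind = send_udp("127.0.0.1", port, payload)  # nobody is listening now
    return payload, sent, received, sent_blind


if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: script.py <collector-ip>
        n = send_udp(sys.argv[1], 516, build_syslog("constructed test message"))
        print(f"handed {n} bytes to the OS; confirm arrival on the collector side")
    else:
        payload, sent, received, sent_blind = loopback_selftest()
        print("listener got it:", received == payload, "| blind send bytes:", sent_blind)
```
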

I have not tried a tcpdump on the collector but I can try that. The vCenter and IDR collectors are on the same network so there’s no physical firewall in the way there. Then, as shown in the screenshot, vCenter test message to the collector appears to be successful.

OK, I checked the Windows firewall log and saw the connection being dropped, so I have to make an exception in the Windows firewall rules from vCenter to the collector. I missed it because 100% of the time I use group policy to push settings like firewall rules to servers. In this case, it was manually added on the server. I still should have looked there early on though. Live and learn.
