Syslog traffic issues on Firebox
Syslog traffic from a T80 not making it over the tunnel to the Syslog server
-HQ has a Syslog server @ 10.1.11.116. Sitting behind an M4800 firebox
-Branch office firewall is a T80 running 12.8.0, with SYSLOG pointed to 10.1.11.116
-Policy based VPN (not virtual interface VPN) is set up between the fireboxes and working properly
-Syslog server does NOT capture any logs from the branch firewall
-From the T80 I can view Traffic Monitor and observe all normal traffic getting logged here
-Dimension logging in the cloud is receiving logs and recording them for the branch office
-I have “Enable logging for traffic sent from this device” checked under the Diagnostic Logs settings
- Why do I never see Syslog traffic in Traffic monitor? This would be useful for troubleshooting. Shouldn't this be seen?
- What interface should I expect the source of the Syslog traffic to be coming from, since it's generated on the firebox?
When viewing PCAPs from the T80's physical LAN interfaces, I never see Syslog traffic.
When I view a PCAP from the T80's WAN interface I see my Syslog traffic with the branch office's PUBLIC WAN IP as the source, the Syslog server's private address (10.1.11.116) as the destination, and the destination interface is the WAN interface, not a tunnel. Assuming I am onto something here.
- Is it not possible to use a Syslog server over a point-to-point VPN? Would a route-based VPN work better?
Let me cut to the chase. I have other branch offices set up seemingly the exact same way and Syslog traffic makes it to the Syslog server. I do still see some oddities from these working setups:
-Traffic Monitor from these working branches still does not catch the Syslog traffic, even though Syslog traffic does make it over the tunnel and the Syslog server receives it.
-I still do not see Syslog traffic in PCAPs from the working fireboxes. Tried all interfaces and I can never see it from the branch.
When reviewing the working setup, the syslog server sees the Syslog traffic come from the branch office's VLAN1 interface IP.
- How is this chosen? Is there a precedent of using the lowest VLAN interface or the interface with the lowest IP address or something? Curious about this, because the branch office with the problem does not use VLAN interfaces. It just has a trusted interface.
Of course I am going to open a ticket as well, but all recent cases have taken DAYS to get a response so asking here too.
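One way to confirm on the server side which source address each branch's syslog traffic actually arrives from (the question raised above about the VLAN1 interface IP versus the public WAN IP) is a small UDP listener that records the sender address per datagram and flags any source outside the ranges that are supposed to reach the server through the tunnel. The code below is an added example, not part of the original post and not WatchGuard's code; the 10.0.0.0/8 "expected over the tunnel" range, the port 514 default and the sample datagrams are assumptions for illustration.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass

# Assumption: branch trusted/VLAN networks that should reach the syslog
# server over the policy-based VPN. Adjust to the real branch subnets.
EXPECTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# RFC 3164 priority header, e.g. "<134>" -> facility 16 (local0), severity 6 (info)
PRI_RE = re.compile(rb"^<(\d{1,3})>")


@dataclass
class SyslogEvent:
    src_ip: str       # sender address as seen by the server socket
    facility: int
    severity: int
    message: str
    src_expected: bool  # True if src_ip lies in a tunnel-reachable range


def source_is_expected(src_ip: str) -> bool:
    """A public WAN address here means the datagram bypassed the tunnel."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in EXPECTED_SOURCES)


def parse_syslog(datagram: bytes, src_ip: str) -> SyslogEvent:
    """Split a raw BSD-syslog datagram into PRI fields and message text."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError(f"invalid PRI value {pri}")
    facility, severity = divmod(pri, 8)
    text = datagram[m.end():].decode("utf-8", errors="replace").strip()
    return SyslogEvent(src_ip, facility, severity, text, source_is_expected(src_ip))


def summarize(events):
    """Count datagrams per source address, separating expected from unexpected."""
    counts = {}
    for ev in events:
        key = (ev.src_ip, ev.src_expected)
        counts[key] = counts.get(key, 0) + 1
    return counts


def serve(bind_addr="0.0.0.0", port=514, max_datagrams=None):
    """Listen for UDP syslog and print each sender; stop after max_datagrams."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = []
    while max_datagrams is None or len(seen) < max_datagrams:
        data, (src_ip, _) = sock.recvfrom(65535)
        try:
            ev = parse_syslog(data, src_ip)
        except ValueError as exc:
            print(f"{src_ip}: unparsable datagram ({exc})")
            continue
        flag = "" if ev.src_expected else "  <-- source not in tunnel ranges"
        print(f"{ev.src_ip} fac={ev.facility} sev={ev.severity} {ev.message}{flag}")
        seen.append(ev)
    return seen


if __name__ == "__main__":
    # Constructed sample datagrams standing in for real branch firewalls:
    # one from a VLAN interface address, one that arrived from a public IP.
    samples = [
        (b"<134>Jan 01 12:00:00 branch-a Allow 10.1.5.20 ...", "10.1.5.1"),
        (b"<134>Jan 01 12:00:01 branch-b Allow 10.2.5.20 ...", "203.0.113.7"),
    ]
    events = [parse_syslog(d, ip) for d, ip in samples]
    for (ip, ok), n in summarize(events).items():
        print(f"{ip}: {n} datagram(s), expected source={ok}")
```

Run it on the syslog host (with the real collector stopped, since only one process can bind UDP 514) and compare the printed sender against the branch's VLAN or trusted interface address; a public WAN address matches the WAN-side PCAP observation above and points at the traffic leaving outside the tunnel.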