How to check if Central Log Server is sending logs to Remote Syslog?
Release: 14.3 - 14.4
First, make sure that the vApp, or your standalone installation of IM with Central Log Server, has tcpdump installed.
vApp 14.4 has tcpdump installed by default.
For vApp 14.3, you will need to ask support to provide a hotfix with tcpdump.
When tcpdump is available, run the following command, where <interface> is the default interface in use (eth0; the -i option can be omitted), <host ip> is the IP address of the remote syslog server, and <port> is 514 or your syslog port:
tcpdump -nnAs0 -i <interface> host <host ip> and port <port>
You will see all packets sent and confirmation of the packets received by the remote server.
The options used in the command are:
-nn: Don't convert protocol and port numbers etc. to names either.
-A: Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
-s snaplen: Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes. Packets truncated because of a limited snapshot are indicated in the output with ''[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. (...) Setting snaplen to 0 sets it to the default of 65535, for backwards compatibility with recent older versions of tcpdump.
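To turn the capture into a quick answer, the following added example (not part of the original article) counts packets to and from the remote syslog server in tcpdump -nn output. The function names, the sample capture and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise tcpdump -nn text output for one syslog destination.
# Usage: <tcpdump output> | summarize_syslog_capture HOST PORT
# Live use (assumes eth0 and a 30 second window; needs root):
#   timeout 30 tcpdump -nn -l -i eth0 host 192.0.2.10 and port 514 \
#       | summarize_syslog_capture 192.0.2.10 514
summarize_syslog_capture() {
    awk -v peer="$1.$2" '
        # Header lines: <time> IP <src>.<sport> > <dst>.<dport>: ...
        # Payload lines printed by -A do not start with a timestamp and are skipped.
        $1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ &&
        ($2 == "IP" || $2 == "IP6") && $4 == ">" {
            dst = $5
            sub(/:$/, "", dst)              # strip the colon after the destination
            if (dst == peer) sent++         # log server -> remote syslog
            else if ($3 == peer) received++ # remote syslog -> log server
        }
        END {
            printf "sent=%d received=%d ", sent, received
            # UDP syslog has no acknowledgements, so sent-no-reply is normal for
            # UDP; for TCP it means the remote side is not answering.
            if (sent == 0)          print "verdict=not-sending"
            else if (received == 0) print "verdict=sent-no-reply"
            else                    print "verdict=sent-and-acknowledged"
        }'
}

# Constructed sample: a TCP syslog session as tcpdump -nnA would print it.
sample_tcp_capture() {
    cat <<'EOF'
10:15:01.000101 IP 192.0.2.5.41000 > 192.0.2.10.514: Flags [S], seq 100, win 29200, length 0
10:15:01.000350 IP 192.0.2.10.514 > 192.0.2.5.41000: Flags [S.], seq 900, ack 101, win 28960, length 0
10:15:01.000400 IP 192.0.2.5.41000 > 192.0.2.10.514: Flags [.], ack 1, win 229, length 0
10:15:01.000900 IP 192.0.2.5.41000 > 192.0.2.10.514: Flags [P.], seq 1:58, ack 1, win 229, length 57
E..m..@.@....<134>Jan  1 10:15:01 vapp im: constructed test message
10:15:01.001200 IP 192.0.2.10.514 > 192.0.2.5.41000: Flags [.], ack 58, win 227, length 0
EOF
}

sample_tcp_capture | summarize_syslog_capture 192.0.2.10 514
```

Because -A prints the syslog payload in clear text, treat any saved capture output as sensitive log data.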
Basic tcpdump tutorial.