Verify packets are reaching the internal syslog server

1. In the vSphere Client, identify the ESXi host that the Aria Operations for Logs appliance VM is hosted on
2. Log in to the ESXi host identified in step 1 as root via SSH

   Note: Use Enable or Disable SSH and Bash Shell Access to enable SSH on the host if necessary.

3. Identify the switchport that the Aria Operations for Logs appliance VM is using

   net-stats -l | grep <appliance_name>

   

4. Start the packet capture using the command below for the protocol used for syslog traffic:
   
   • For UDP protocol: pktcap-uw --switchport [Switch Port] --dir 2 --udpport 514 --outfile /tmp/logs.pcap
   • For TCP protocol: pktcap-uw --switchport [Switch Port] --dir 2 --dstport 514 --outfile /tmp/logs.pcap
   • Note: The [Switch Port] in the command, should be replaced with the switch port number obtained from step 3.
   • Note: Both commands are set to capture port 514 and output to a pcap file called logs.pcap in the /tmp directory. The port number and the directory can be changed as needed.
5.  Allow the pktcap-uw command to run until the desired number of packets have been received, then press CTRL-C

   

6. Use an SCP utility to download the logs.pcap file from the /tmp directory on the ESXi host for review in a network packet analyzer tool, like Wireshark. 

   Note: No packets indicates that the logs are not being received by the Aria Operations for Logs application, you should review with your network team for issues within the networking environment.