Logs are not received by syslog protocol.

VMware Aria Operations for Logs 8.x

• You can verify packets are reaching the internal syslog server

  1. In the vSphere Client, identify the host that the Aria Operations for Logs appliance VM is hosted on
  2. Log in to the ESXi host identified in step 1 as root via SSH
     • Note: Use Enable or Disable SSH and Bash Shell Access to enable SSH on the host if necessary.
  3. To identify the switchport that the Aria Operations for Logs appliance VM is using, run the following command:
     • net-stats -l | grep <appliance_name>
     • 
  4. Start the packet capture using the command below for the protocol used for syslog traffic:
     
     • For UDP protocol: pktcap-uw --switchport <Switch Port #> --dir 2 --udpdestport 514 --outfile /tmp/logs.pcap
     • For TCP protocol: pktcap-uw --switchport <Switch Port #> --dir 2 --dstport 514 --outfile /tmp/logs.pcap
     • Note: The <Switch Port #> in the command, should be replaced with the switch port number obtained from step 3.
     • Note: Both commands are set to capture port 514 and output to a pcap file called logs.pcap in the /tmp directory. The port number and the directory can be changed as needed.
  5.  Allow the pktcap-uw command to run until the desired number of packets have been received, then press CTRL-C
     • 
  6. Use an SCP utility to download the logs.pcap file from the /tmp directory on the ESXi host for review in a network packet analyzer tool, like Wireshark. 
     • Note: No packets indicates that the logs are not being received by the Aria Operations for Logs application, you should review with your network team for issues within the networking environment.

  
  
  

The following link lists the options for the pktcap command so you can modify the options as needed:

Capture and Trace Network Packets by Using the pktcap-uw Utility (vmware.com)