Remote logging to syslog server not working

I have several routerboards that I set up for remote logging and none of them work. On the same network I have an HP switch and Cisco router that are working to send syslog messages. I also have other devices on other networks using this syslog server just fine. I am using Splunk. The firewall into the syslog server is wide open for UDP 514.

I tweaked every setting available. I used the default rules and actions, added the source IP, disabled all local logging so everything was going to remote. Tried custom rules and actions, and I am not getting a single message in from my routerboards.

Local logging works fine, just not remote.

I’ve got 2011L’s running 2.41 firmware.

Anyone have any ideas?

I figured it out. The issue was with my firewall going to my syslog server. I was restricting based on source and destination port UDP/514 which obviously is incorrect. Interestingly, HP switches do send syslog messages FROM UDP/514 as well, but apparently nothing else does. :smiley:

Syslog is working great now.
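The source-port mismatch described in the post above can be checked from a packet capture before a firewall rule is tightened. The following is an added example, not part of the original thread: it reads `tcpdump -n`-style text lines and lists the senders that a rule requiring source port 514 as well as destination port 514 would drop. The sample capture and its addresses are constructed, and the capture is assumed to be taken on the sender side of the filter.

```python
import re
from collections import defaultdict

SYSLOG_PORT = 514

# Constructed sample in `tcpdump -n` text style; addresses are documentation ranges.
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 192.0.2.10.514 > 192.0.2.50.514: SYSLOG local7.info, length: 96
12:00:01.200000 IP 192.0.2.20.49731 > 192.0.2.50.514: SYSLOG local7.notice, length: 120
12:00:02.300000 IP 192.0.2.30.38212 > 192.0.2.50.514: SYSLOG user.info, length: 88
12:00:03.400000 IP 192.0.2.30.38212 > 192.0.2.50.514: SYSLOG user.warning, length: 91
12:00:04.000000 IP 192.0.2.50.123 > 192.0.2.1.123: NTPv4, Client, length 48
"""

# Matches "IP <src>.<sport> > <dst>.<dport>:" in an IPv4 tcpdump line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def source_ports_by_sender(capture, dport=SYSLOG_PORT):
    """Map each sender IP to the set of source ports it used toward dport."""
    senders = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m and int(m["dport"]) == dport:
            senders[m["src"]].add(int(m["sport"]))
    return dict(senders)


def dropped_by_source_port_rule(capture, dport=SYSLOG_PORT):
    """Senders that a rule requiring source port == dport would drop."""
    return sorted(
        ip
        for ip, ports in source_ports_by_sender(capture, dport).items()
        if ports != {dport}
    )


if __name__ == "__main__":
    for ip, ports in sorted(source_ports_by_sender(SAMPLE_CAPTURE).items()):
        verdict = "passes" if ports == {SYSLOG_PORT} else "dropped"
        print(f"{ip}: source ports {sorted(ports)} -> {verdict} under src+dst 514 rule")
```

A sender that appears in the dropped list needs a rule that matches on source address and destination port only.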

I spoke too soon. Most of my Mikrotiks are working, but some are not. All RB2011’s are working, but the 3 RB435G’s are not working. I have checked and re-checked the settings, and set up packet sniffer and no syslog messages go out at all. I have one 435 on v5.22 and the other two are on v5.21.

Anyone have any ideas what is going on?

Anyone have any ideas on this?