I set up a Syslog UDP input, so I’m receiving a lot of syslog messages at UDP/514 local port.
I have 2 Cisco ASA firewalls that point to my Graylog server, from one of them I’m receiving OK but from the second one I don’t receive any syslog message at all and I can see errors like this at /var/log/graylog-server/server.log:
Is the remote address /192.168.0.100:514 from the Switch not showing messages?
We had a couple of Cisco ASA switches with similar problems. I had to create a new Input using Raw/Plaintext UDP with port 1514.
Syslog by default is UDP/514 (Privileged port), but you would need to run Graylog as root to have the listener bind to anything below 1024. It is recommended to start it at 1514. Maybe give that a try.
I collect logs from about 20 ASAs so I’ve seen it all. My advice is always to use the plain UDP input and avoid the syslog. This is so you have full control of what data is coming in from the ASA.
Once you have data coming in, finally you can get to parsing but not until then. I also recommend against listening on the base port. I use a completely random port above 10000 to listen for data requests. This way you avoid the privileged port issue mentioned above.
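To show what the Raw/Plaintext UDP approach from the answers above hands you, here is an added example (not Graylog's code and not any poster's) that listens on the unprivileged port 1514 and parses the raw Cisco ASA line itself: PRI into facility/severity, the optional header, and the %ASA message ID. The sample message and the hostname asa-edge are constructed.

```python
"""Parse raw Cisco ASA syslog lines as a Raw/Plaintext UDP input delivers them."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Unprivileged port, as recommended in the thread; anything below 1024 needs root.
LISTEN_PORT = 1514

# Constructed sample line. PRI <166> = facility 20 (local4) * 8 + severity 6 (info).
SAMPLE = ("<166>Jan 12 10:15:42 asa-edge %ASA-6-302013: Built outbound TCP connection 1234 "
          "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51234 (10.0.0.7/51234)")

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")


@dataclass
class AsaEvent:
    facility: int
    severity: int
    hostname: Optional[str]   # None when the ASA sends no timestamp/hostname header
    msgid: str
    text: str


def parse_asa_line(line: str) -> Optional[AsaEvent]:
    """Return an AsaEvent for a raw ASA syslog line, or None if it is not one."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    rest = line[m.end():]
    asa = ASA_RE.search(rest)
    if not asa:
        return None
    # Header between PRI and "%ASA" is "MMM dd hh:mm:ss hostname" (sometimes
    # followed by a lone ":"); the last real token is the hostname if present.
    tokens = [t for t in rest[:asa.start()].split() if t != ":"]
    hostname = tokens[-1] if tokens else None
    return AsaEvent(facility=pri // 8, severity=pri % 8, hostname=hostname,
                    msgid=asa.group("msgid"), text=asa.group("text"))


def serve(port: int = LISTEN_PORT) -> None:
    """Bind the raw UDP listener and print each parsed event with its source IP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        print(src, parse_asa_line(data.decode("utf-8", errors="replace")))


if __name__ == "__main__":
    serve()
```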