Hi @thambisetty ,

Here am talking about rsyslog inputs. 

I have declared the ports in rsyslog.conf file for different input types which gets stored under /app/logs folder.

Thanks

Do you mean you tell rsyslog to listen on multiple ports, and write data from specific ports to a specific file?

If its TCP you should see a connection in  netstat from that host, and you would see what port it's connected to. Or you can use tcpdump to see the traffic. However netstat and tcpdump will not be very useful if you use a load-balancer to send the traffic. In that case, something like ngrep would be more useful.

Hi

there are lot of different ways how to configure rsyslog to receive events from other nodes and stores those to local file system or sends those directly to splunk (with or without metadata like sourcehost, source, sourcetype etc. information). You could also use “useACK” feature to ensure that no events have lost even splunk goes down e.g. for maintenance. In those cases rsyslog just spool events to queues and start sendings those when splunk nodes are up again.

It’s up to you how you will configure that, one ore more listening ports etc.

You could send several billions events per day (terabytes ingested) without losing any events with this way. 

r. Ismo

Default syslog port is 514 (udp/tcp).

Your syslog server might be receiving events on port 514.

you can test this if you are sure of any source sending logs to syslog server.

for example you know that server A is sending logs to syslog server B.

you can run tcpdump on server B to see on which port events are received.

tcpdump syntax is as below:

tcpdump -vvv -i “yourinterface ame” srcip

and look for messages, you would see ip:port of server A and ip:port of serverB.