I am trying to configure a data source for a "Cisco SG300 small business switch". I have configured the syslog settings on the switch to point the syslogs to my ERC server on port 514.
Following are the data source settings I have configured in the ESM.
Data Source Vendor : Generic
Data Source Model : Advanced Syslog Parser
Data Format : Default
Data Retrieval : Syslog (Default)
Enabled : parsing (Checked)
Name : SW1
IP Address : 192.168.2.6
Syslog Relay : None
Mask : 32
Require Syslog TLS : Unchecked
Port : 514
Support Generic Syslogs : Do Nothing
Generic rule assignment : Greyed Out
Time Zone : Jerusalem
But I am still unable to receive logs from the switch. On the ERC I have checked whether the switch is sending syslog messages by running:
tcpdump -nni eth1 host 192.168.2.6
It shows that the switch is sending the syslog messages.
Change Support Generic Syslogs to log unknown events. Why don't you use the Cisco data source types?