MWG v 7.3
1. Where can we find logs showing that MWG has failed or successfully sent syslog to the SIEM server?
2. Does MWG save the generated syslog to a file? Where is it located?
It would be great if you could share with us how to monitor / troubleshoot the syslog entries generated by MWG.
Follow-up question for you, for verification...
daemon.info @@[IP address] - is for TCP
daemon.info @[IP address] - is for UDP, is this correct?
What is the recommended protocol to use?
1) When I set up syslog to the SIEM, I saw errors in Log Files > MWG Errors > mwg.core.errors.log
There were entries such as:
[2013-01-17 09:01:05.764 +00:00] [NotificationPlugin] [SyslogError] Dropping syslog entry because queue is full.
NB: to fix this I restarted the rsyslog service on the MWG.
2) Depends on your conf file. If you log in via WinSCP or SSH you can see some logs like cron and messages in /var/log.
3) syslog is best supported over UDP. Be sure to fully research whether your SIEM supports syslog over TCP.
Here are some sites I found useful.
Finally, there are loads of posts on this topic if you search for SIEM.
Hope this helps :-)
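Added example (not code from the thread or from McAfee): a small Python script that does the two checks the thread talks about. It parses mwg.core.errors.log-style lines for the "[SyslogError] Dropping syslog entry because queue is full." entries and reports how many were dropped and over what window, and it reads the legacy rsyslog forwarding lines to say which collector gets syslog over TCP (@@) and which over UDP (@). Assumptions: the error-log line format is inferred from the single entry quoted above; the log lines and the rsyslog.conf fragment below are constructed, the 192.0.2.x hosts are hypothetical, and port 514 is assumed when a forwarding line gives no port.

```python
import re
from collections import Counter

# Constructed sample of mwg.core.errors.log lines, modelled on the entry quoted
# in the thread; these are not captured from a real appliance.
SAMPLE_ERROR_LOG = """\
[2013-01-17 09:01:05.764 +00:00] [NotificationPlugin] [SyslogError] Dropping syslog entry because queue is full.
[2013-01-17 09:01:06.012 +00:00] [NotificationPlugin] [SyslogError] Dropping syslog entry because queue is full.
[2013-01-17 09:02:10.500 +00:00] [Coordinator] [Info] Unrelated informational message.
[2013-01-17 09:03:00.001 +00:00] [NotificationPlugin] [SyslogError] Dropping syslog entry because queue is full.
this line is not in the expected format
"""

# Constructed rsyslog.conf fragment; the collector addresses are hypothetical.
SAMPLE_RSYSLOG_CONF = """\
# forward MWG daemon.info events to two collectors
daemon.info @@192.0.2.10:514
daemon.info @192.0.2.11
*.emerg :omusrmsg:*
"""

# "[timestamp] [component] [level] message" as seen in the quoted entry (assumed format).
ERROR_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<component>[^\]]+)\] \[(?P<level>[^\]]+)\] (?P<msg>.*)$"
)


def parse_error_log(text):
    """Parse error-log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = ERROR_LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def syslog_drops(text):
    """Return (count, first_timestamp, last_timestamp) for queue-full syslog drops."""
    drops = [
        e for e in parse_error_log(text)
        if e["level"] == "SyslogError" and "queue is full" in e["msg"]
    ]
    if not drops:
        return (0, None, None)
    return (len(drops), drops[0]["ts"], drops[-1]["ts"])


def error_summary(text):
    """Count entries per (component, level) so an unusual error source stands out."""
    return Counter((e["component"], e["level"]) for e in parse_error_log(text))


# Legacy rsyslog forwarding syntax: "@@host[:port]" is TCP, "@host[:port]" is UDP.
# An optional "(...)" option block (e.g. "@@(o)host") may sit between the @ signs and the host.
FORWARD_RE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<at>@@|@)(?:\([^)]*\))?(?P<target>\S+)\s*$"
)


def forwarding_targets(conf_text, default_port=514):
    """Return (selector, protocol, host, port) for each forwarding action in the config."""
    targets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FORWARD_RE.match(line)
        if not m:
            continue  # not a forwarding action (local file, omusrmsg, ...)
        proto = "tcp" if m.group("at") == "@@" else "udp"
        host, sep, port = m.group("target").rpartition(":")
        if sep and port.isdigit():
            targets.append((m.group("selector"), proto, host, int(port)))
        else:
            # no explicit port: assume the conventional syslog port
            targets.append((m.group("selector"), proto, m.group("target"), default_port))
    return targets


if __name__ == "__main__":
    count, first, last = syslog_drops(SAMPLE_ERROR_LOG)
    print(f"{count} syslog entries dropped (queue full) between {first} and {last}")
    for (component, level), n in error_summary(SAMPLE_ERROR_LOG).items():
        print(f"  {n:4d}  {component}/{level}")
    for selector, proto, host, port in forwarding_targets(SAMPLE_RSYSLOG_CONF):
        print(f"forward {selector} -> {host}:{port} over {proto.upper()}")
```

To use it on a real appliance, read mwg.core.errors.log and the rsyslog configuration from /etc into the two functions instead of the constructed samples; a non-zero drop count means the SIEM is not receiving everything, so the forwarding protocol and the collector's availability are the first things to check.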