Is your Datasource configured with Log "unknown syslog" event?
Yes it is.
If unknown event is activated and the IP address configured inside the data source is the same one as in your tcpdump you should at least see unknown events in your stream viewer.
You should also check in /var/log/data/inline/thirdparty.logs/$ID/syslogcollector/in
where $ID is the ID of your data source as reported by the "tq" on the CLI.
Yes I should see unknown events in my stream viewer but I don't see them.
I just checked the folder /var/log/data/inline/thirdparty.logs/$ID/mountcollector/in and there is an empty file named "data.20170314094157000" and there are no events in the ESM.
I attach the configuration that I am using.
Ummm... Sorry... I didn't quite see that you are using CIFS. I don't think you will see anything inside stream viewer because they are CIFS. Stream viewer as far as I know is for syslog.
Is there anything inside the data file? You can view the contents with msgdump data.20170314094157000
The data file is empty. There is no content in it.
Thanks Xded, but it is not supposed to be the same problem, because in version 9.6 access to logs by CIFS using tail is a capability that should have been fixed, as is explained in the release notes.
Does anyone configure a data source using CIFS and tail? Does it work?
Hello to all.
Finally it works. It was an error in the path name. I omitted the "/".
Now my problem is with the Event Delimiter. Which is the character for an Apache log? Does anyone have any ideas?
Thank you to all.