Due to a bug in the current version, running Set Syslog Forwarding creates /etc/rsyslog.nw.conf with an incorrect string value of "nw" where it is supposed to be "Nw".
# cat /etc/rsyslog.nw.conf
:programname, contains, "nw" @x.x.x.x:514
# This file is generated automatically. Do not edit it!
As the actual log contains a service name (i.e., programname) that starts with Nw as below, the above configuration will not find any event to forward.
May 26 22:53:07 DECODER_HOST NwDecoder: [Scheduler] [info] Running task /database with message dbState (op=save type=session,meta,packet) - 1800 secs waited
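The mismatch described above can be checked directly. The script below is an added example, not vendor code: it reads the filter value from an rsyslog snippet and tests it, case-sensitively as rsyslog's "contains" does, against the programname of a log line. The function names, the scratch files and the shortened sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): check whether the property-based filter in an
# rsyslog snippet would select a given syslog line. rsyslog's "contains" compare
# operation is case-sensitive, which is why "nw" never matches "NwDecoder".

# Print the compare value of the first ':programname, contains, "VALUE"' filter in file $1.
filter_value() {
    sed -n 's/^:programname,[[:space:]]*contains,[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the programname of a traditional-format syslog line $1:
# the fifth field (the tag) cut at the first ':' or '['.
programname() {
    printf '%s\n' "$1" | awk '{ t = $5; sub(/:.*/, "", t); sub(/\[.*/, "", t); print t }'
}

# Return 0 if the filter in file $1 selects line $2, 1 if not, 2 if no filter was found.
would_forward() {
    value=$(filter_value "$1")
    [ -n "$value" ] || return 2
    case "$(programname "$2")" in
        *"$value"*) return 0 ;;   # case-sensitive substring match
        *)          return 1 ;;
    esac
}

# Constructed demo: the filter from the page and its corrected form,
# written to a scratch directory instead of /etc.
demo_dir=$(mktemp -d)
printf ':programname, contains, "nw" @x.x.x.x:514\n' > "$demo_dir/buggy.conf"
printf ':programname, contains, "Nw" @x.x.x.x:514\n' > "$demo_dir/fixed.conf"
sample='May 26 22:53:07 DECODER_HOST NwDecoder: [Scheduler] [info] Running task /database'

for f in buggy fixed; do
    if would_forward "$demo_dir/$f.conf" "$sample"; then
        echo "$f.conf: forwards $(programname "$sample") events"
    else
        echo "$f.conf: \"$(filter_value "$demo_dir/$f.conf")\" does not match $(programname "$sample")"
    fi
done
rm -rf "$demo_dir"
```

On an affected host, the same functions can be pointed at /etc/rsyslog.nw.conf and a line taken from the local log to confirm the state of the filter before and after the change.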
The issue is currently under investigation and will be addressed in a future release. This KB article will be updated once the new release becomes available.
To work around the issue:
Modify "nw" to "Nw" in /etc/rsyslog.nw.conf. This can be done despite the warning 'Do not edit it!' within the file. If you prefer, you can create a backup of rsyslog.nw.conf before making the change.
After saving the file changes, restart the rsyslog service by running the following command: