tcpdump confirms valid syslog is coming in from multiple remote systems - servers and Cisco network equipment.
The servers all come in fine and write to disk, and are shown as being local1:info, but none of the Cisco devices will write to disk. The Cisco devices all show as being local7:info in tcpdump.
I'm thinking there is a kernel filter or something that is telling Rsyslog to discard/ignore the local7 stuff, but I don't know how to verify that.
I've run this but found nothing suspicious: grep -r 'local7' /etc/
How can I troubleshoot this further and find out what is happening to these Cisco logs? I've never seen this before.
The Rsyslog configs are fine; they are just set for *.* to go to /var/log/remote/00514/%fromhost-ip%/syslog.log, and that works for everything so far but Cisco.
The IPs or hostnames for Cisco do not show up in the Rsyslog debug log either.
Thanks!
Tried tcpdump, don't know what else to try to troubleshoot why local7:* might get filtered.