Question about Syslog Log Ingesting

[mnaut]

Hello!
I am an undergrad university student, and I am setting up a distributed security onion infrastructure for my capstone project. Currently, I am running Security Onion 2.3 with a manager, search, and sensor that is connected to our test network. Our test machines are in a closed network and currently run Rsyslog for log collection. Upon opening the port up to send logs to the manager node, do I need to do anything else to see logs in Kibana? Do I need to add a way to ingest the logs at all? At the moment parsing isn't super important, we just want to see the logs show up in Kibana.
Currently I have the tests computers configured to send the logs to the manager node but can't see them in Kibana, and wasn't sure if it was something I needed to configure or an issue with the logs being received.
Thanks!

[cm-ops]

Did you allow the sending server(s) syslog in the firewall using so-allow? https://docs.securityonion.net/en/2.3/so-allow.html#so-allow

[mnaut]

Hello! I double checked that it is allowed through the firewall using so-firewall. Additionally, I ensured that the sending server has *.* @MANAGER.IP.ADDRESS.HERE:514 in the "50-default.conf" file. I can't find the logs being sent in the "/var/log" folder on the manager so I wouldn't be suprised if that was the issue still.
Thanks!

Edit: In Kibana I can see the logs being sent over port 514 to the manager but the /var/log/messages/ folder is still yielding no results.

[cm-ops]

If you are sending syslog to the manager, they will go through the pipeline and end up in the so-syslog index. It won't write to the manager's /var/log/messages file.

You would search in SOC and you should see syslog as the module.

[samuel809]

do a tcpdump -i any host "x.x.x.x" where x is your sending syslog on the manager to confirm so is receiving...