Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
clalau
New Contributor

VDOM's Syslogd Override

Hello guys!

I tried to set up syslogd override on a FortiGate-1200D-VDOM running 6.2 patch 6 and it didn't work: as soon as it was implemented, the device stopped sending logs to our QRadar (see the config below).

I need help to fix it, please:


  config log setting
      set syslog-override enable
  end
  config log syslogd override-setting
      set status enable
      set server "209.134.187.181"
      set facility local1
  end
  config log syslogd4 override-setting
      set status enable
      set server "10.4.213.7"
      set facility local1
      set source-ip "10.11.1.164"
  end

Toshi_Esumi
SuperUser

Are you sure your syslog server understands the "default" text format? Not CSV format?

clalau

Yes, it does, we don't use CSV on this one!

Toshi_Esumi

If you're confident about the config under "config log syslogd override-filter", I would just sniff port 514 traffic on the VDOM interfaces (I assume those are different because the server IPs are public and private) to see if it's actually sending logs out.

clalau

Thank you for your support and patience on this! The filter goes to all servers, I am assuming, as well as port 514?

See below for the possible configuration:

  config log syslogd override-setting
      set status enable
      set server "209.134.187.181"
      set port 514    >>>>>>>>>>>>>>>>>>>>
      set facility local1
  end
  config log syslogd override-filter
      set severity information
      set forward-traffic enable
      set local-traffic enable
      set multicast-traffic enable
      set sniffer-traffic enable
      set anomaly enable
      set voip enable
      set dns enable
      set ssh enable
      set ssl enable
  end
  config log syslogd4 override-setting
      set status enable
      set server "10.4.213.7"
      set port 514    >>>>>>>>>>>>>>>>>>>>>
      set facility local1
      set source-ip "10.11.1.164"
  end
  config log syslogd4 override-filter
      set severity information
      set forward-traffic enable
      set local-traffic enable
      set multicast-traffic enable
      set sniffer-traffic enable
      set anomaly enable
      set voip enable
      set dns enable
      set ssh enable
      set ssl enable
  end

Toshi_Esumi

The filters are separate, under

  config log syslogd override-filter

  config log syslogd4 override-filter


Again, if you do

  diag sniffer packet any 'port 514' 4

you would see both log packets, including the names of the interfaces they're going out on.
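The thread's two points, that the override-filter is a separate block per syslog target and that an enabled target needs its server/port checked before you go sniffing, can be turned into a quick offline check on a config dump. The script below is an added example for this thread, not Fortinet code and not from either poster; it parses the FortiOS CLI block syntax (config/edit/set/unset/next/end) into a dictionary and reports each enabled override target's effective server, port (assumed to default to 514 when no "set port" line is present) and source-ip, plus anything worth fixing. The sample config is constructed from the values quoted above, with the syslogd4 port line and the syslogd4 override-filter block deliberately left out so the checker has something to report.

```python
"""Parse a FortiOS CLI config dump and check per-VDOM syslog override targets.

Added example for this forum thread (not Fortinet's code). SAMPLE_CONFIG is
constructed from the values quoted in the thread; the syslogd4 block has no
"set port" line and no override-filter block on purpose.
"""
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
config log setting
    set syslog-override enable
end
config log syslogd override-setting
    set status enable
    set server "209.134.187.181"
    set port 514
    set facility local1
end
config log syslogd override-filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
end
config log syslogd4 override-setting
    set status enable
    set server "10.4.213.7"
    set facility local1
    set source-ip "10.11.1.164"
end
"""

# The four syslog targets FortiOS exposes (syslogd, syslogd2, syslogd3, syslogd4).
SYSLOG_TARGETS = ("syslogd", "syslogd2", "syslogd3", "syslogd4")
DEFAULT_SYSLOG_PORT = "514"  # assumed default when "set port" is absent


def parse_fortios(text: str) -> Dict[str, Dict[str, str]]:
    """Flatten nested config/edit/set/unset/next/end text into {block_path: {key: value}}.

    Nested tables and "edit" entries get a " / "-joined path so they stay distinct.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    stack: List[Tuple[str, Dict[str, str]]] = []  # open blocks, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            path = line[len("config "):]
            if stack:  # nested table: prefix with the enclosing block's path
                path = f"{stack[-1][0]} / {path}"
            stack.append((path, {}))
        elif line.startswith("edit "):
            if not stack:
                raise ValueError("'edit' outside of a config block")
            entry = line[len("edit "):].strip().strip('"')
            stack.append((f"{stack[-1][0]} / {entry}", {}))
        elif line.startswith("set "):
            if not stack:
                raise ValueError("'set' outside of a config block")
            key, _, value = line[len("set "):].partition(" ")
            stack[-1][1][key] = value.strip().strip('"')
        elif line.startswith("unset "):
            if not stack:
                raise ValueError("'unset' outside of a config block")
            stack[-1][1].pop(line[len("unset "):].strip(), None)
        elif line in ("next", "end"):
            if not stack:
                raise ValueError(f"'{line}' with no open block")
            path, settings = stack.pop()
            blocks[path] = settings
        else:
            raise ValueError(f"unrecognised CLI line: {raw!r}")
    if stack:
        raise ValueError(f"config block left open: {stack[-1][0]}")
    return blocks


def check_syslog_override(blocks: Dict[str, Dict[str, str]]) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return (summary, findings).

    summary maps each enabled override target to its effective server/port/source-ip;
    findings lists what to fix or verify before sniffing port 514.
    """
    summary: Dict[str, Dict[str, str]] = {}
    findings: List[str] = []
    if blocks.get("log setting", {}).get("syslog-override") != "enable":
        findings.append("log setting: syslog-override is not enabled, so the "
                        "per-VDOM override-setting blocks are not used")
    for name in SYSLOG_TARGETS:
        setting = blocks.get(f"log {name} override-setting")
        if not setting or setting.get("status") != "enable":
            continue  # target not overridden in this VDOM
        server = setting.get("server", "")
        summary[name] = {
            "server": server,
            "port": setting.get("port", DEFAULT_SYSLOG_PORT),
            "source-ip": setting.get("source-ip", ""),
        }
        if not server:
            findings.append(f"{name}: status enable but no server configured")
        if f"log {name} override-filter" not in blocks:
            findings.append(f"{name}: no override-filter block; the filter is per "
                            f"target, so verify severity and categories for it")
    return summary, findings


if __name__ == "__main__":
    summary, findings = check_syslog_override(parse_fortios(SAMPLE_CONFIG))
    for target, info in summary.items():
        print(f"{target}: {info['server']}:{info['port']} from {info['source-ip'] or '(default)'}")
    for item in findings:
        print("CHECK:", item)
```

Run it against the output of "show log syslogd override-setting" (and the other targets) collected inside the VDOM; the printed server:port lines are exactly what you should then expect to see as destinations in the sniffer output for port 514.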
