Lab 5.2

Hi Luis ! Thank you for pointing this out.
In the non-encrypted steps we opened listeners on [main] for both TCP and UDP on port 514. It should not have mattered where we ran Wireshark from (main or secondary) as the traffic should be apperant on both systems. As an extra credit fot the un-encrypted lab, you should be able to configure either or both TCP and UDP depending on your local requirements.
Now, the encrypted steps, generate & configure the keys and rsyslog should function the same. The lab steps show a listener on TCP port 6514 on [main] and [secondary] is sending to TCP on port 6514.
We should see a listener on [main] with "ss -lutn | grep 514". The command should show ports 6514 and 514 for either/both TCP and UDP.

The wire shark bit;
If we are on [secondary] monotoring the private network, we should see connection requests going from [secondary ] to [main] and hopefully the reply from [main] to [secondary.
If we are on [main] listening on the private network we should see the incomming connection request from [secondary] to [main] along with the required responses.
One could have Wireshark running on both systems and watch the packets from both systems.

If you see only one half of the connection conversation it it likely that the firewall is misconfigured, try stopping the firewall and re-test. If theat works, you have confirmed a firewall issue.

Let me know if this helps, Regards Lee

By the way, After setting in this Lab, I observed "secondary" tried to connect via 6514/tcp, not UDP. because "secondary" cannot send rsyslog packet to main. sor I added firewall rule to 6514/TCP, seemed to work fine.

[main]

#firewall-cmd --zone=public --add-port=6514/tcp --permanent
#firewall-cmd --reload

It's weird that why secondary and main' firewall is set to 6514/UDP, while main is set to 6514/tcp .
Something wrong?