j0sa1ac1 Absent Member.

Can't receive syslog via udp 515, udp 517

Hi guys,

I'm having issues receiving logs via syslog daemon connectors on the ports udp515,517. My connector server is based on CentOS. iptables have been configured to allow traffic destined for my connector server via these ports. I'm listening on udp514,515,517 for syslogs. I'm configuring log sources to send the syslogs to different connectors to avoid overloading issues.

The weird thing is that every device that is sending syslog to my connector server has tcpdump traffic records to the correct ports, with no indication that it is blocked. However, no syslogs were received by these 2 connectors. I double checked this on the agent.log, by grep'ing a couple of log source IP addresses. But no lines were found. No "fatal", "error" or "warn" lines were found on the agent.log either.

The syslog daemon connector that is listening on udp514 has no such issue.

Anyone successfully forwarded syslogs via these ports? And is there anywhere I can check for mis-configurations and is there anything I can try to troubleshoot the issue?

Gayan Acclaimed Contributor.

Re: Can't receive syslog via udp 515, udp 517

Hi Joel,

Did you try stopping connector 1 by 1?

Cheers

Gayan

Mr
j0sa1ac1 Absent Member.

Re: Can't receive syslog via udp 515, udp 517

Hi Gayan,

I'm not sure what that will achieve. Could you clarify?

Regards,

Joel

nils.guenther@t Honored Contributor.

Re: Can't receive syslog via udp 515, udp 517

My two cents for debugging:

(sudo) netstat -anp --inet on the connector server. Is a Java-process listening to each of the desired udp-ports?

tcpdump on the connector server. Are the udp datagrams really arriving at the server? As udp is fire and forget, you might miss that info on sources.

Answer Honored Contributor.

Re: Can't receive syslog via udp 515, udp 517

We are doing it on ArcMCs without problems. Make sure the firewall is off (not just iptables) if using RHEL/CentOS 7.

Also make sure the source servers are routable since there's an anti-spoofing protection built-in.

Anything in /var/log/messages or dmesg?

j0sa1ac1 Absent Member.

Re: Can't receive syslog via udp 515, udp 517

Thanks for the input. The issue has been resolved and had something to do with iptables not retaining changes after a restart.

dhiraj Absent Member.

Re: Can't receive syslog via udp 515, udp 517

Hi Joel,

If possible, please share the steps that you performed to allow listening on port 515 on the server, since we are also facing the same issue with RHEL 7.x.

Volker Michels Acclaimed Contributor.

Re: Can't receive syslog via udp 515, udp 517

Disable firewalld and install / configure iptables in the right way.

nils.guenther@t Honored Contributor.

Re: Can't receive syslog via udp 515, udp 517

On RHEL 7 firewall-cmd is the way to go. Issue two commands (one for the immediate update, one for the persistent rule):

sudo firewall-cmd --add-port=515/udp

sudo firewall-cmd --add-port=515/udp --permanent

You might have to deal with zones (depending on your setup) and you might want to define services rather than adding each single port. I kindly refer you to the man page.
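A check for the failure mode this thread ended on (a port opened in the running firewall but not saved, so it disappears after a restart), added here as an example that is not part of any poster's reply: it compares the output of `firewall-cmd --list-ports` with `firewall-cmd --permanent --list-ports`. The function names and the sample port lists are constructed for illustration, and only the default zone is queried.

```shell
#!/usr/bin/env bash
# Added example: firewalld runtime vs. permanent state for syslog UDP ports.
# Function names are hypothetical; the sample lists below are constructed.

# port_allowed LIST PORT PROTO: succeed if LIST (space-separated, the format
# printed by `firewall-cmd --list-ports`) opens PORT/PROTO, singly or by range.
port_allowed() {
    local list="$1" port="$2" proto="$3" entry range
    for entry in $list; do
        [ "${entry##*/}" = "$proto" ] || continue
        range="${entry%/*}"
        if [ "$port" -ge "${range%-*}" ] && [ "$port" -le "${range#*-}" ]; then
            return 0
        fi
    done
    return 1
}

# port_state RUNTIME PERMANENT PORT PROTO: print ok, runtime-only (lost on
# reload or reboot), permanent-only (inactive until reload) or closed.
port_state() {
    local rt=1 pm=1
    port_allowed "$1" "$3" "$4" && rt=0
    port_allowed "$2" "$3" "$4" && pm=0
    case "$rt$pm" in
        00) echo ok ;;
        01) echo runtime-only ;;
        10) echo permanent-only ;;
        *)  echo closed ;;
    esac
}

# report_ports RUNTIME PERMANENT PORT...: one status line per UDP port.
report_ports() {
    local runtime="$1" permanent="$2" p
    shift 2
    for p in "$@"; do
        printf '%s/udp %s\n' "$p" "$(port_state "$runtime" "$permanent" "$p" udp)"
    done
}

if [ "${1:-}" = "--live" ]; then   # query firewalld's default zone
    report_ports "$(firewall-cmd --list-ports)" \
                 "$(firewall-cmd --permanent --list-ports)" 514 515 517
else                               # constructed sample: 515 added without --permanent
    report_ports "514/udp 515/udp" "514/udp 517/udp" 514 515 517
fi
```

Run it with `--live` on the connector host; any port reported as `runtime-only` will stop receiving syslog after the next firewalld reload or reboot.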
